Edit tour

Windows Analysis Report
5dFLJyS86S.ps1

Overview

General Information

Sample name:	5dFLJyS86S.ps1 renamed because original name is a hash value
Original sample name:	6ebd2fb6a88cb521599a78a195d811d2.ps1
Analysis ID:	1586505
MD5:	6ebd2fb6a88cb521599a78a195d811d2
SHA1:	0c8037f536b4d34681822c3441445db542df72b7
SHA256:	c721e2fbcea8e812a6af76f1201514e007e7387b82eb45d2bcc18f7d250c307c
Tags:	ps1user-abuse_ch
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

NDIS Filter Driver detected (likely used to intercept and sniff network traffic)

Powershell creates an autostart link

Powershell drops PE file

Sample is not signed and drops a device driver

Binary contains a suspicious time stamp

Contains functionality to communicate with device drivers

Contains functionality to delete services

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Classification

Process Tree

System is w10x64

powershell.exe (PID: 1776 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\5dFLJyS86S.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chrome.exe (PID: 4832 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://t.me/bypassblock MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 2072 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2576 --field-trial-handle=2524,i,17522185104263954872,595179964274981035,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

winws.exe (PID: 7464 cmdline: "C:\Users\user\Desktop\bin\winws.exe" --wf-tcp=80,443 --wf-udp=443,50000-50100 --filter-tcp=443 --ipset="C:\Users\user\Desktop\lists\\russia-youtube-rtmps.txt" --dpi-desync=syndata --dpi-desync-fake-syndata="C:\Users\user\Desktop\bin\\tls_clienthello_4.bin" --dpi-desync-autottl --new --filter-udp=443 --hostlist="C:\Users\user\Desktop\lists\\youtubeQ.txt" --dpi-desync=fake,udplen --dpi-desync-udplen-increment=4 --dpi-desync-fake-quic="C:\Users\user\Desktop\bin\\quic_3.bin" --dpi-desync-cutoff=n3 --dpi-desync-repeats=2 --new --filter-tcp=443 --hostlist="C:\Users\user\Desktop\lists\\youtube_v2.txt" --dpi-desync=multisplit --dpi-desync-split-seqovl=1 --dpi-desync-split-pos=midsld+1 --new --filter-tcp=443 --hostlist="C:\Users\user\Desktop\lists\\youtubeGV.txt" --dpi-desync=multisplit --dpi-desync-split-seqovl=1 --dpi-desync-split-pos=midsld-1 --new --filter-tcp=443 --hostlist="C:\Users\user\Desktop\lists\\other.txt" --dpi-desync=fake,multisplit --dpi-desync-split-seqovl=1 --dpi-desync-split-pos=midsld-1 --dpi-desync-fooling=md5sig,badseq --dpi-desync-fake-tls="C:\Users\user\Desktop\bin\\tls_clienthello_4.bin" --dpi-desync-ttl=2 --new --filter-tcp=443 --ipset="C:\Users\user\Desktop\lists\\ipset-discord.txt" --dpi-desync=syndata --dpi-desync-fake-syndata="C:\Users\user\Desktop\bin\\tls_clienthello_3.bin" --dpi-desync-autottl --new --filter-tcp=443 --hostlist="C:\Users\user\Desktop\lists\\discord.txt" --dpi-desync=fakedsplit --dpi-desync-split-pos=1 --dpi-desync-fooling=badseq --dpi-desync-repeats=10 --dpi-desync-autottl --new --filter-udp=443 --hostlist="C:\Users\user\Desktop\lists\\discord.txt" --dpi-desync=fake,udplen --dpi-desync-udplen-increment=5 --dpi-desync-udplen-pattern=0xDEADBEEF --dpi-desync-fake-quic="C:\Users\user\Desktop\bin\\quic_2.bin" --dpi-desync-repeats=7 --dpi-desync-cutoff=n2 --new --filter-udp=50000-50090 --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-cutoff=n3 --new --filter-tcp=443 --ipset-ip=XXX.XXX.XXX.XXX/XX,XXX.XXX.XXX.XXX/XX --wssize=1:6 --hostlist-domains=googlevideo.com --dpi-desync=multidisorder --dpi-desync-split-seqovl=1 --dpi-desync-split-pos=1,host+2,sld+2,sld+5,sniext+1,sniext+2,endhost-2 --new --filter-tcp=443 --hostlist="C:\Users\user\Desktop\lists\\faceinsta.txt" --dpi-desync=split2 --dpi-desync-split-seqovl=652 --dpi-desync-split-pos=2 --dpi-desync-split-seqovl-pattern="C:\Users\user\Desktop\bin\\tls_clienthello_4.bin" --new MD5: 7824C819BD3C98BF7890D92FD3EF3785)

conhost.exe (PID: 7484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 1600 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Sigma Signatures

System Summary

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\5dFLJyS86S.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\5dFLJyS86S.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\5dFLJyS86S.ps1", ProcessId: 1776, ProcessName: powershell.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1776, TargetFilename: C:\Users\user\Desktop\bin\WinDivert.dll

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\5dFLJyS86S.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\5dFLJyS86S.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\5dFLJyS86S.ps1", ProcessId: 1776, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 1600, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T08:39:19.604519+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49705	217.197.91.145	443	TCP
2025-01-09T08:39:24.125325+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49706	217.197.91.145	443	TCP
2025-01-09T08:39:27.940142+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49714	217.197.91.145	443	TCP

Joe Security ANOMALY Windows PowerShell HTTP PE File Download

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T08:39:15.531166+0100	1810003	2	Potentially Bad Traffic	217.197.91.145	443	192.168.2.5	49704	TCP
2025-01-09T08:39:19.701432+0100	1810003	2	Potentially Bad Traffic	217.197.91.145	443	192.168.2.5	49705	TCP
2025-01-09T08:39:24.130355+0100	1810003	2	Potentially Bad Traffic	217.197.91.145	443	192.168.2.5	49706	TCP

Joe Security ANOMALY Windows PowerShell HTTP activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T08:39:15.465479+0100	1810000	2	Potentially Bad Traffic	192.168.2.5	49704	217.197.91.145	443	TCP
2025-01-09T08:39:19.604519+0100	1810000	2	Potentially Bad Traffic	192.168.2.5	49705	217.197.91.145	443	TCP
2025-01-09T08:39:24.125325+0100	1810000	2	Potentially Bad Traffic	192.168.2.5	49706	217.197.91.145	443	TCP
2025-01-09T08:39:27.940142+0100	1810000	2	Potentially Bad Traffic	192.168.2.5	49714	217.197.91.145	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 95.8% probability

Source: unknown

HTTPS traffic detected: 217.197.91.145:443 -> 192.168.2.5:49704 version: TLS 1.2

Source:

Binary string: C:\WinDivert\install\MSVC\amd64\WinDivert64.pdb source: WinDivert64.sys.0.dr

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior

Networking

NDIS Filter Driver detected (likely used to intercept and sniff network traffic)

Source: WinDivert64.sys.0.dr

Static PE information: Found NDIS imports: FwpmTransactionAbort0, FwpmTransactionBegin0, FwpmEngineClose0, FwpmEngineOpen0, FwpsQueryPacketInjectionState0, FwpmProviderAdd0, FwpmProviderDeleteByKey0, FwpsInjectNetworkReceiveAsync0, FwpmSubLayerAdd0, FwpmSubLayerDeleteByKey0, FwpmCalloutAdd0, FwpmCalloutDeleteByKey0, FwpmFilterAdd0, FwpmFilterDeleteByKey0, FwpmTransactionCommit0, FwpsCalloutRegister0, FwpsCalloutUnregisterByKey0, FwpsFlowAssociateContext0, FwpsFlowRemoveContext0, FwpsInjectionHandleCreate0, FwpsInjectionHandleDestroy0, FwpsAllocateNetBufferAndNetBufferList0, FwpsFreeNetBufferList0, FwpsInjectNetworkSendAsync0, FwpsInjectForwardAsync0

Source: Joe Sandbox View	IP Address: 217.197.91.145 217.197.91.145
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.5:49704 -> 217.197.91.145:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.5:49706 -> 217.197.91.145:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.5:49714 -> 217.197.91.145:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49706 -> 217.197.91.145:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49714 -> 217.197.91.145:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.5:49705 -> 217.197.91.145:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49705 -> 217.197.91.145:443
Source: Network traffic	Suricata IDS: 1810003 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP PE File Download : 217.197.91.145:443 -> 192.168.2.5:49704
Source: Network traffic	Suricata IDS: 1810003 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP PE File Download : 217.197.91.145:443 -> 192.168.2.5:49706
Source: Network traffic	Suricata IDS: 1810003 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP PE File Download : 217.197.91.145:443 -> 192.168.2.5:49705

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\bin\winws.exe

Code function: 8_2_00000001004153F0 SetServiceStatus,strdup,free,StartServiceCtrlDispatcherA,time,srandom,printf,getopt_long_only,free,wordfree,snprintf,snprintf,snprintf,strlen,strlen,fopen,fwrite,fclose,fclose,snprintf,CreateMutexA,GetLastError,CloseHandle,exit,chdir,close,close,close,open,dup,dup,fopen,getpid,fprintf,fclose,time,signal,signal,signal,CoInitialize,CoCreateInstance,CoUninitialize,__errno,__getreent,fflush,__getreent,fflush,GetLastError,GetLastError,WaitForSingleObject,WinDivertOpen,GetLastError,ReleaseMutex,CloseHandle,SetLastError,FormatMessageA,LocalFree,CreateEventW,GetLastError,__getreent,__getreent,fflush,usleep,WinDivertRecvEx,GetLastError,__errno,usleep,WaitForSingleObject,__errno,__errno,GetOverlappedResult,__errno,__errno,__errno,__errno,__errno,snprintf,WinDivertSend,GetLastError,__getreent,fflush,__getreent,fflush,ReleaseMutex,CloseHandle,

8_2_00000001004153F0

Source: global traffic	HTTP traffic detected: GET /censorliber/zapret/raw/branch/main/WinDivert.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: codeberg.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /censorliber/zapret/raw/branch/main/WinDivert64.sys HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: codeberg.org
Source: global traffic	HTTP traffic detected: GET /censorliber/zapret/raw/branch/main/winws.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: codeberg.org
Source: global traffic	HTTP traffic detected: GET /bypassblock HTTP/1.1Host: t.meConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /censorliber/zapret/raw/branch/main/version.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: codeberg.org
Source: global traffic	HTTP traffic detected: GET /file/s3vCUVV1oFSCO-dE5CqAY7IgPiKpdP2z8zxQN72D_TT9z56ahyE0msKqmuM_tk2PSEmQvnQwUvZb1H5LTpaO8JEmhF-5-DzRJn0IlgPUduazk5LN5P7paldIt115IoTuBIfpLYc9IcyeP_A6RfZJrgNinKpPj_KVprinZI2XeGxYV-Oc0kv7FigdkzDmuIUo82gNjtBCwxGg4jGao68ygfD4hQmU5yHjzaetNKqe2slF0f4nvrf0N7_9vCVoXLLhOJ2zVr1x-Jyq6PLsYys0HxH7NN2KH5LN_sO1jucDXW-MlsW7Iv6_BhYjfO3Mc2eDr_gKM9-O3DknTg7q8Q2omQ.jpg HTTP/1.1Host: cdn4.cdn-telegram.orgConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://t.me/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /css/font-roboto.css?1 HTTP/1.1Host: telegram.orgConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://t.me/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /css/bootstrap.min.css?3 HTTP/1.1Host: telegram.orgConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://t.me/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /css/telegram.css?242 HTTP/1.1Host: telegram.orgConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://t.me/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /js/tgwallpaper.min.js?3 HTTP/1.1Host: telegram.orgConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://t.me/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /file/s3vCUVV1oFSCO-dE5CqAY7IgPiKpdP2z8zxQN72D_TT9z56ahyE0msKqmuM_tk2PSEmQvnQwUvZb1H5LTpaO8JEmhF-5-DzRJn0IlgPUduazk5LN5P7paldIt115IoTuBIfpLYc9IcyeP_A6RfZJrgNinKpPj_KVprinZI2XeGxYV-Oc0kv7FigdkzDmuIUo82gNjtBCwxGg4jGao68ygfD4hQmU5yHjzaetNKqe2slF0f4nvrf0N7_9vCVoXLLhOJ2zVr1x-Jyq6PLsYys0HxH7NN2KH5LN_sO1jucDXW-MlsW7Iv6_BhYjfO3Mc2eDr_gKM9-O3DknTg7q8Q2omQ.jpg HTTP/1.1Host: cdn4.cdn-telegram.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /js/tgwallpaper.min.js?3 HTTP/1.1Host: telegram.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/tgme/pattern.svg?1 HTTP/1.1Host: telegram.orgConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://telegram.org/css/telegram.css?242Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fonts/Roboto/KFOlCnqEu92Fr1MmWUlfBBc4AMP6lQ.woff2 HTTP/1.1Host: telegram.orgConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://t.mesec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://telegram.org/css/font-roboto.css?1Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fonts/Roboto/KFOmCnqEu92Fr1Mu4mxKKTU1Kg.woff2 HTTP/1.1Host: telegram.orgConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://t.mesec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://telegram.org/css/font-roboto.css?1Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fonts/Roboto/KFOlCnqEu92Fr1MmWUlfABc4AMP6lbBP.woff2 HTTP/1.1Host: telegram.orgConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://t.mesec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://telegram.org/css/font-roboto.css?1Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fonts/Roboto/KFOmCnqEu92Fr1Mu5mxKKTU1Kvnz.woff2 HTTP/1.1Host: telegram.orgConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://t.mesec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://telegram.org/css/font-roboto.css?1Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /img/tgme/pattern.svg?1 HTTP/1.1Host: telegram.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: powershell.exe, 00000000.00000002.4519498169.000001F5E6190000.00000004.00000800.00020000.00000000.sdmp, 5dFLJyS86S.ps1	String found in binary or memory: "31.13.72.36 www.facebook.com", equals www.facebook.com (Facebook)
Source: powershell.exe, 00000000.00000002.4519498169.000001F5E6190000.00000004.00000800.00020000.00000000.sdmp, 5dFLJyS86S.ps1	String found in binary or memory: Check-Availability -Url "www.youtube.com" -IPAddresses $youtubeIPs equals www.youtube.com (Youtube)
Source: powershell.exe, 00000000.00000002.4519498169.000001F5E6190000.00000004.00000800.00020000.00000000.sdmp, 5dFLJyS86S.ps1	String found in binary or memory: 142.250.186.110 www.youtube.com equals www.youtube.com (Youtube)
Source: powershell.exe, 00000000.00000002.4519498169.000001F5E6190000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4498106588.000001F5D6349000.00000004.00000800.00020000.00000000.sdmp, 5dFLJyS86S.ps1	String found in binary or memory: 31.13.72.36 www.facebook.com equals www.facebook.com (Facebook)
Source: powershell.exe, 00000000.00000002.4498106588.000001F5D6349000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: codeberg.org
Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: telegram.org
Source: global traffic	DNS traffic detected: DNS query: cdn4.cdn-telegram.org
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: powershell.exe, 00000000.00000002.4498106588.000001F5D6865000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4498106588.000001F5D7F1E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://codeberg.org
Source: WinDivert64.sys.0.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: WinDivert64.sys.0.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000000.00000002.4498106588.000001F5D7FEF000.00000004.00000800.00020000.00000000.sdmp, WinDivert64.sys.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: WinDivert64.sys.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: WinDivert64.sys.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: svchost.exe, 00000005.00000002.4498565832.000001D671400000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: powershell.exe, 00000000.00000002.4498106588.000001F5D7FEF000.00000004.00000800.00020000.00000000.sdmp, WinDivert64.sys.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: WinDivert64.sys.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: WinDivert64.sys.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: svchost.exe, 00000005.00000002.4499004275.000001D6714F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000005.00000002.4498782058.000001D671460000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.4498721911.000001D67144F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.4498721911.000001D671457000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.2816925871.000001D671332000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.4497858683.000001D66C702000.00000004.00000020.00020000.00000000.sdmp, edb.log.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adm5fg7myczym5ugfpmw2lireirq_2024.11.8.0/
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.5.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 00000005.00000002.4498782058.000001D671485000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com:80
Source: edb.log.5.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: chromecache_84.6.dr	String found in binary or memory: http://getbootstrap.com)
Source: chromecache_84.6.dr	String found in binary or memory: http://getbootstrap.com/customize/?id=92d2ac1b31978642b6b6)
Source: powershell.exe, 00000000.00000002.4519498169.000001F5E61D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4519498169.000001F5E6325000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: WinDivert64.sys.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: WinDivert64.sys.0.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000000.00000002.4498106588.000001F5D7FEF000.00000004.00000800.00020000.00000000.sdmp, WinDivert64.sys.0.dr	String found in binary or memory: http://ocsp.sectigo.com0H
Source: powershell.exe, 00000000.00000002.4498106588.000001F5D6349000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.4498106588.000001F5D6121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.4498106588.000001F5D6349000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.4524003437.000001F5EE330000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co_E
Source: powershell.exe, 00000000.00000002.4498106588.000001F5D6121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.4498106588.000001F5D7BB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4498106588.000001F5D7F4D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4498106588.000001F5D6349000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4498106588.000001F5D6865000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4498106588.000001F5D804F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://codeberg.org
Source: powershell.exe, 00000000.00000002.4498106588.000001F5D8065000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4498106588.000001F5D7F4D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4498106588.000001F5D6980000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4498106588.000001F5D7FEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://codeberg.org/
Source: powershell.exe, 00000000.00000002.4519498169.000001F5E6190000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4498106588.000001F5D7BB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4498106588.000001F5D6349000.00000004.00000800.00020000.00000000.sdmp, 5dFLJyS86S.ps1	String found in binary or memory: https://codeberg.org/censorliber/zapret/raw/branch/main/WinDivert.dll
Source: powershell.exe, 00000000.00000002.4519498169.000001F5E6190000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4498106588.000001F5D7F4D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4498106588.000001F5D6349000.00000004.00000800.00020000.00000000.sdmp, 5dFLJyS86S.ps1	String found in binary or memory: https://codeberg.org/censorliber/zapret/raw/branch/main/WinDivert64.sys
Source: powershell.exe, 00000000.00000002.4519498169.000001F5E6190000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4498106588.000001F5D6349000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4498106588.000001F5D6865000.00000004.00000800.00020000.00000000.sdmp, 5dFLJyS86S.ps1	String found in binary or memory: https://codeberg.org/censorliber/zapret/raw/branch/main/version.txt
Source: powershell.exe, 00000000.00000002.4519498169.000001F5E6190000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4498106588.000001F5D6349000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4498106588.000001F5D804F000.00000004.00000800.00020000.00000000.sdmp, 5dFLJyS86S.ps1	String found in binary or memory: https://codeberg.org/censorliber/zapret/raw/branch/main/winws.exe
Source: powershell.exe, 00000000.00000002.4519498169.000001F5E6325000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.4519498169.000001F5E6325000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.4519498169.000001F5E6325000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: edb.log.5.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000005.00000003.2192605111.000001D671330000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: chromecache_84.6.dr	String found in binary or memory: https://gist.github.com/92d2ac1b31978642b6b6
Source: powershell.exe, 00000000.00000002.4498106588.000001F5D6349000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.4519498169.000001F5E6190000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4498106588.000001F5D6349000.00000004.00000800.00020000.00000000.sdmp, 5dFLJyS86S.ps1	String found in binary or memory: https://github.com/censorliber/youtube_unblock
Source: powershell.exe, 00000000.00000002.4519498169.000001F5E6190000.00000004.00000800.00020000.00000000.sdmp, 5dFLJyS86S.ps1	String found in binary or memory: https://github.com/notepad-plus-plus/notepad-plus-plus/releases)
Source: chromecache_84.6.dr	String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: powershell.exe, 00000000.00000002.4498106588.000001F5D748F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: 5dFLJyS86S.ps1	String found in binary or memory: https://jnn-pa.googleapis.com
Source: powershell.exe, 00000000.00000002.4519498169.000001F5E61D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4519498169.000001F5E6325000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: qmgr.db.5.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe/C:
Source: chromecache_85.6.dr	String found in binary or memory: https://osx.telegram.org/updates/site/artboard.png)
Source: chromecache_85.6.dr	String found in binary or memory: https://osx.telegram.org/updates/site/artboard_2x.png);
Source: WinDivert64.sys.0.dr	String found in binary or memory: https://reqrypt.org/windivert.html
Source: powershell.exe, 00000000.00000002.4498106588.000001F5D7FEF000.00000004.00000800.00020000.00000000.sdmp, WinDivert64.sys.0.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: 5dFLJyS86S.ps1	String found in binary or memory: https://t.me/bypassblock
Source: powershell.exe, 00000000.00000002.4524081444.000001F5EE444000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/bypassblock$
Source: powershell.exe, 00000000.00000002.4524081444.000001F5EE444000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/bypassblock(
Source: powershell.exe, 00000000.00000002.4524081444.000001F5EE444000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/bypassblockd
Source: powershell.exe, 00000000.00000002.4519498169.000001F5E6190000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4498106588.000001F5D6349000.00000004.00000800.00020000.00000000.sdmp, 5dFLJyS86S.ps1	String found in binary or memory: https://zapret.now.sh/script.user.js

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 50009 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50009
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725

Source: unknown

HTTPS traffic detected: 217.197.91.145:443 -> 192.168.2.5:49704 version: TLS 1.2

System Summary

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\Desktop\bin\WinDivert.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\Desktop\bin\winws.exe	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\Desktop\bin\WinDivert64.sys	Jump to dropped file

Source: C:\Users\user\Desktop\bin\winws.exe

Code function: 8_2_62801A05: DeviceIoControl,

8_2_62801A05

Source: C:\Users\user\Desktop\bin\winws.exe

Code function: 8_2_62807BB6 HeapCreate,HeapAlloc,GetLastError,HeapDestroy,SetLastError,HeapDestroy,CreateFileW,GetLastError,GetLastError,SetLastError,HeapDestroy,HeapDestroy,SetLastError,SetLastError,CreateMutexW,WaitForSingleObject,OpenSCManagerW,OpenServiceW,GetModuleFileNameW,SetLastError,CreateServiceW,OpenServiceW,StartServiceW,GetLastError,DeleteService,GetLastError,CloseServiceHandle,CloseServiceHandle,ReleaseMutex,CloseHandle,SetLastError,SetLastError,GetLastError,HeapDestroy,CreateFileW,HeapDestroy,SetLastError,HeapDestroy,CloseHandle,HeapDestroy,GetLastError,CloseHandle,HeapDestroy,SetLastError,HeapDestroy,RegCreateKeyExA,RegSetValueExW,RegSetValueExA,RegCloseKey,

8_2_62807BB6

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Desktop\bin\WinDivert64.sys

Jump to behavior

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF848F39EF3	0_2_00007FF848F39EF3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF848F39890	0_2_00007FF848F39890
Source: C:\Users\user\Desktop\bin\winws.exe	Code function: 8_2_6280466E	8_2_6280466E
Source: C:\Users\user\Desktop\bin\winws.exe	Code function: 8_2_6280466E	8_2_6280466E
Source: C:\Users\user\Desktop\bin\winws.exe	Code function: 8_2_62801B91	8_2_62801B91
Source: C:\Users\user\Desktop\bin\winws.exe	Code function: 8_2_62807BB6	8_2_62807BB6
Source: C:\Users\user\Desktop\bin\winws.exe	Code function: 8_2_628067DC	8_2_628067DC
Source: C:\Users\user\Desktop\bin\winws.exe	Code function: 8_2_628069B9	8_2_628069B9
Source: C:\Users\user\Desktop\bin\winws.exe	Code function: 8_2_0000000100401426	8_2_0000000100401426
Source: C:\Users\user\Desktop\bin\winws.exe	Code function: 8_2_00000001004153F0	8_2_00000001004153F0
Source: C:\Users\user\Desktop\bin\winws.exe	Code function: 8_2_0000000100401000	8_2_0000000100401000
Source: C:\Users\user\Desktop\bin\winws.exe	Code function: 8_2_000000010040DC04	8_2_000000010040DC04
Source: C:\Users\user\Desktop\bin\winws.exe	Code function: 8_2_00000001004134E0	8_2_00000001004134E0
Source: C:\Users\user\Desktop\bin\winws.exe	Code function: 8_2_0000000100416D3A	8_2_0000000100416D3A
Source: C:\Users\user\Desktop\bin\winws.exe	Code function: 8_2_0000000100401CE7	8_2_0000000100401CE7
Source: C:\Users\user\Desktop\bin\winws.exe	Code function: 8_2_0000000100411118	8_2_0000000100411118
Source: C:\Users\user\Desktop\bin\winws.exe	Code function: 8_2_000000010040D996	8_2_000000010040D996
Source: C:\Users\user\Desktop\bin\winws.exe	Code function: 8_2_0000000100405E0C	8_2_0000000100405E0C
Source: C:\Users\user\Desktop\bin\winws.exe	Code function: 8_2_0000000100410A10	8_2_0000000100410A10
Source: C:\Users\user\Desktop\bin\winws.exe	Code function: 8_2_00000001004012C8	8_2_00000001004012C8
Source: C:\Users\user\Desktop\bin\winws.exe	Code function: 8_2_000000010040BB60	8_2_000000010040BB60
Source: C:\Users\user\Desktop\bin\winws.exe	Code function: 8_2_0000000100412EF0	8_2_0000000100412EF0
Source: C:\Users\user\Desktop\bin\winws.exe	Code function: 8_2_0000000100413B70	8_2_0000000100413B70
Source: C:\Users\user\Desktop\bin\winws.exe	Code function: 8_2_0000000100411380	8_2_0000000100411380
Source: C:\Users\user\Desktop\bin\winws.exe	Code function: 8_2_000000010040478A	8_2_000000010040478A
Source: C:\Users\user\Desktop\bin\winws.exe	Code function: 8_2_000000010040DF95	8_2_000000010040DF95
Source: C:\Users\user\Desktop\bin\winws.exe	Code function: 8_2_0000000100409396	8_2_0000000100409396

Source: C:\Users\user\Desktop\bin\winws.exe	Code function: String function: 628111E4 appears 87 times
Source: C:\Users\user\Desktop\bin\winws.exe	Code function: String function: 000000010040C49E appears 55 times
Source: C:\Users\user\Desktop\bin\winws.exe	Code function: String function: 000000010040C43D appears 129 times

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 2443
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 2443			Jump to behavior

Source: WinDivert64.sys.0.dr

Binary string: \Device\WinDivert

Source: classification engine

Classification label: mal64.troj.evad.winPS1@22/41@13/7

Source: C:\Users\user\Desktop\bin\winws.exe

8_2_00000001004153F0

Source: C:\Users\user\Desktop\bin\winws.exe

Code function: HeapCreate,HeapAlloc,GetLastError,HeapDestroy,SetLastError,HeapDestroy,CreateFileW,GetLastError,GetLastError,SetLastError,HeapDestroy,HeapDestroy,SetLastError,SetLastError,CreateMutexW,WaitForSingleObject,OpenSCManagerW,OpenServiceW,GetModuleFileNameW,SetLastError,CreateServiceW,OpenServiceW,StartServiceW,GetLastError,DeleteService,GetLastError,CloseServiceHandle,CloseServiceHandle,ReleaseMutex,CloseHandle,SetLastError,SetLastError,GetLastError,HeapDestroy,CreateFileW,HeapDestroy,SetLastError,HeapDestroy,CloseHandle,HeapDestroy,GetLastError,CloseHandle,HeapDestroy,SetLastError,HeapDestroy,RegCreateKeyExA,RegSetValueExW,RegSetValueExA,RegCloseKey,

8_2_62807BB6

Source: C:\Users\user\Desktop\bin\winws.exe

8_2_00000001004153F0

Source: C:\Users\user\Desktop\bin\winws.exe

8_2_62807BB6

Source: C:\Users\user\Desktop\bin\winws.exe

8_2_00000001004153F0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Desktop\bin

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7484:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5880:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a2y53av2.wey.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: winws.exe	String found in binary or memory: invalid desync-start value
Source: winws.exe	String found in binary or memory: desync-start reached (mode %c): %llu/%u
Source: winws.exe	String found in binary or memory: not desyncing. desync-start is set but conntrack entry is missing
Source: winws.exe	String found in binary or memory: desync-start not reached (mode %c): %llu/%u . not desyncing
Source: winws.exe	String found in binary or memory: not desyncing. desync-start is set but conntrack entry is missing
Source: winws.exe	String found in binary or memory: desync-start reached (mode %c): %llu/%u
Source: winws.exe	String found in binary or memory: desync-start not reached (mode %c): %llu/%u . not desyncing
Source: winws.exe	String found in binary or memory: invalid desync-start value

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\5dFLJyS86S.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://t.me/bypassblock
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2576 --field-trial-handle=2524,i,17522185104263954872,595179964274981035,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\Desktop\bin\winws.exe "C:\Users\user\Desktop\bin\winws.exe" --wf-tcp=80,443 --wf-udp=443,50000-50100 --filter-tcp=443 --ipset="C:\Users\user\Desktop\lists\\russia-youtube-rtmps.txt" --dpi-desync=syndata --dpi-desync-fake-syndata="C:\Users\user\Desktop\bin\\tls_clienthello_4.bin" --dpi-desync-autottl --new --filter-udp=443 --hostlist="C:\Users\user\Desktop\lists\\youtubeQ.txt" --dpi-desync=fake,udplen --dpi-desync-udplen-increment=4 --dpi-desync-fake-quic="C:\Users\user\Desktop\bin\\quic_3.bin" --dpi-desync-cutoff=n3 --dpi-desync-repeats=2 --new --filter-tcp=443 --hostlist="C:\Users\user\Desktop\lists\\youtube_v2.txt" --dpi-desync=multisplit --dpi-desync-split-seqovl=1 --dpi-desync-split-pos=midsld+1 --new --filter-tcp=443 --hostlist="C:\Users\user\Desktop\lists\\youtubeGV.txt" --dpi-desync=multisplit --dpi-desync-split-seqovl=1 --dpi-desync-split-pos=midsld-1 --new --filter-tcp=443 --hostlist="C:\Users\user\Desktop\lists\\other.txt" --dpi-desync=fake,multisplit --dpi-desync-split-seqovl=1 --dpi-desync-split-pos=midsld-1 --dpi-desync-fooling=md5sig,badseq --dpi-desync-fake-tls="C:\Users\user\Desktop\bin\\tls_clienthello_4.bin" --dpi-desync-ttl=2 --new --filter-tcp=443 --ipset="C:\Users\user\Desktop\lists\\ipset-discord.txt" --dpi-desync=syndata --dpi-desync-fake-syndata="C:\Users\user\Desktop\bin\\tls_clienthello_3.bin" --dpi-desync-autottl --new --filter-tcp=443 --hostlist="C:\Users\user\Desktop\lists\\discord.txt" --dpi-desync=fakedsplit --dpi-desync-split-pos=1 --dpi-desync-fooling=badseq --dpi-desync-repeats=10 --dpi-desync-autottl --new --filter-udp=443 --hostlist="C:\Users\user\Desktop\lists\\discord.txt" --dpi-desync=fake,udplen --dpi-desync-udplen-increment=5 --dpi-desync-udplen-pattern=0xDEADBEEF --dpi-desync-fake-quic="C:\Users\user\Desktop\bin\\quic_2.bin" --dpi-desync-repeats=7 --dpi-desync-cutoff=n2 --new --filter-udp=50000-50090 --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-cutoff=n3 --new --filter-tcp=443 --ipset-ip=XXX.XXX.XXX.XXX/XX,XXX.XXX.XXX.XXX/XX --wssize=1:6 --hostlist-domains=googlevideo.com --dpi-desync=multidisorder --dpi-desync-split-seqovl=1 --dpi-desync-split-pos=1,host+2,sld+2,sld+5,sniext+1,sniext+2,endhost-2 --new --filter-tcp=443 --hostlist="C:\Users\user\Desktop\lists\\faceinsta.txt" --dpi-desync=split2 --dpi-desync-split-seqovl=652 --dpi-desync-split-pos=2 --dpi-desync-split-seqovl-pattern="C:\Users\user\Desktop\bin\\tls_clienthello_4.bin" --new
Source: C:\Users\user\Desktop\bin\winws.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://t.me/bypassblock	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\Desktop\bin\winws.exe "C:\Users\user\Desktop\bin\winws.exe" --wf-tcp=80,443 --wf-udp=443,50000-50100 --filter-tcp=443 --ipset="C:\Users\user\Desktop\lists\\russia-youtube-rtmps.txt" --dpi-desync=syndata --dpi-desync-fake-syndata="C:\Users\user\Desktop\bin\\tls_clienthello_4.bin" --dpi-desync-autottl --new --filter-udp=443 --hostlist="C:\Users\user\Desktop\lists\\youtubeQ.txt" --dpi-desync=fake,udplen --dpi-desync-udplen-increment=4 --dpi-desync-fake-quic="C:\Users\user\Desktop\bin\\quic_3.bin" --dpi-desync-cutoff=n3 --dpi-desync-repeats=2 --new --filter-tcp=443 --hostlist="C:\Users\user\Desktop\lists\\youtube_v2.txt" --dpi-desync=multisplit --dpi-desync-split-seqovl=1 --dpi-desync-split-pos=midsld+1 --new --filter-tcp=443 --hostlist="C:\Users\user\Desktop\lists\\youtubeGV.txt" --dpi-desync=multisplit --dpi-desync-split-seqovl=1 --dpi-desync-split-pos=midsld-1 --new --filter-tcp=443 --hostlist="C:\Users\user\Desktop\lists\\other.txt" --dpi-desync=fake,multisplit --dpi-desync-split-seqovl=1 --dpi-desync-split-pos=midsld-1 --dpi-desync-fooling=md5sig,badseq --dpi-desync-fake-tls="C:\Users\user\Desktop\bin\\tls_clienthello_4.bin" --dpi-desync-ttl=2 --new --filter-tcp=443 --ipset="C:\Users\user\Desktop\lists\\ipset-discord.txt" --dpi-desync=syndata --dpi-desync-fake-syndata="C:\Users\user\Desktop\bin\\tls_clienthello_3.bin" --dpi-desync-autottl --new --filter-tcp=443 --hostlist="C:\Users\user\Desktop\lists\\discord.txt" --dpi-desync=fakedsplit --dpi-desync-split-pos=1 --dpi-desync-fooling=badseq --dpi-desync-repeats=10 --dpi-desync-autottl --new --filter-udp=443 --hostlist="C:\Users\user\Desktop\lists\\discord.txt" --dpi-desync=fake,udplen --dpi-desync-udplen-increment=5 --dpi-desync-udplen-pattern=0xDEADBEEF --dpi-desync-fake-quic="C:\Users\user\Desktop\bin\\quic_2.bin" --dpi-desync-repeats=7 --dpi-desync-cutoff=n2 --new --filter-udp=50000-50090 --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-cutoff=n3 --new --filter-tcp=443 --ipset-ip=XXX.XXX.XXX.XXX/XX,XXX.XXX.XXX.XXX/XX --wssize=1:6 --hostlist-domains=googlevideo.com --dpi-desync=multidisorder --dpi-desync-split-seqovl=1 --dpi-desync-split-pos=1,host+2,sld+2,sld+5,sniext+1,sniext+2,endhost-2 --new --filter-tcp=443 --hostlist="C:\Users\user\Desktop\lists\\faceinsta.txt" --dpi-desync=split2 --dpi-desync-split-seqovl=652 --dpi-desync-split-pos=2 --dpi-desync-split-seqovl-pattern="C:\Users\user\Desktop\bin\\tls_clienthello_4.bin" --new	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2576 --field-trial-handle=2524,i,17522185104263954872,595179964274981035,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\bin\winws.exe	Section loaded: cygwin1.dll	Jump to behavior
Source: C:\Users\user\Desktop\bin\winws.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bin\winws.exe	Section loaded: windivert.dll	Jump to behavior
Source: C:\Users\user\Desktop\bin\winws.exe	Section loaded: profapi.dll	Jump to behavior

Source: Google Drive.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.3.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:

Binary string: C:\WinDivert\install\MSVC\amd64\WinDivert64.pdb source: WinDivert64.sys.0.dr

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: DEADBEEF --dpi-desync-fake-quic=""$BIN\quic_test_00.bin"" --dpi-desync-cutoff=n2 --new"$DISUDP2 = "--filter-udp=443 --hostlist=""$LISTS\discord.txt"" --dpi-desync=fake --dpi-desync-repeats=6 --dpi-des

Source: WinDivert.dll.0.dr

Static PE information: 0xAFD0AFC0 [Thu Jun 21 22:08:00 2063 UTC]

Source: WinDivert.dll.0.dr	Static PE information: section name: .xdata
Source: winws.exe.0.dr	Static PE information: section name: .buildid
Source: winws.exe.0.dr	Static PE information: section name: .xdata

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF848F3BC50 push eax; ret	0_2_00007FF848F3BC93
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF848F3BC95 push eax; ret	0_2_00007FF848F3BC93
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF848F36B78 push E95C7D39h; ret	0_2_00007FF848F36B99
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF848F3B87A push eax; retf	0_2_00007FF848F3B87B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FF848F378C2 push ebx; retf	0_2_00007FF848F3796A

Persistence and Installation Behavior

Sample is not signed and drops a device driver

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Desktop\bin\WinDivert64.sys

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\Desktop\bin\WinDivert.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\Desktop\bin\winws.exe	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\Desktop\bin\WinDivert64.sys	Jump to dropped file

Boot Survival

Powershell creates an autostart link

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: .lnk" } catch { Write-Host "??????? ?? ??????????." }}function Set-GoogleDNS { $PrimaryDNS = "8.8.8.8" $SecondaryDNS = "8.8.4.4" Write-Host "????????? DNS ??? ???????? ???????????..." # ???????? ?????? ???????? ??????? ??????????? try { $interfaces = Get-NetAdapter | Where-Object {$_.Status -eq "Up"} -ErrorAction Stop } catch { Write-Error "?????? ??? ????????? ?????? ??????? ???????????: $_" return } # ?????????, ??????? ?? ???????? ?????????? if ($interfaces.Count -eq 0) { Write-Warning "?? ??????? ???????? ??????? ???????????." return } # ????????????? DNS-??????? ??? ??????? ?????????? foreach ($interface in $interfaces) { try { Write-Host "????????? DNS ??? ?????????? $($interface.InterfaceAlias)..." Set-DnsClientServerAddress -InterfaceAlias $interface.InterfaceAlias -ServerAddresses ($primaryDNS, $secondaryDNS) -ErrorAction Stop Write-Host "DNS ??? ?????????? $($interface.InterfaceAlias) ??????? ??????????." } catch { Write-Error "?????? ??? ????????? DNS ??? ?????????? $($interface.InterfaceAlias): $_" } } # ??????? ??? DNS Write-Host "??????? ???? DNS..." ipconfig /flushdns | Out-Null Write-Host "??? DNS ??????? ??????."}function Set-ZapretDNS { $PrimaryDNS = "185.222.222.222" $SecondaryDNS = "45.11.45.11" Write-Host "????????? DNS ??? ???????? ???????????..." # ???????? ?????? ???????? ??????? ??????????? try { $interfaces = Get-NetAdapter | Where-Object {$_.Status -eq "Up"} -ErrorAction Stop } catch { Write-Error "?????? ??? ????????? ?????? ??????? ???????????: $_" return } # ?????????, ??????? ?? ???????? ?????????? if ($interfaces.Count -eq 0) { Write-Warning "?? ??????? ???????? ??????? ???????????." return } # ????????????? DNS-??????? ??? ??????? ?????????? foreach ($interface in $interfaces) { try { Write-Host "????????? DNS ??? ?????????? $($interface.InterfaceAlias)..." Set-DnsClientServerAddress -InterfaceAlias $interface.InterfaceAlias -ServerAddresses ($primaryDNS, $secondaryDNS) -ErrorAction Stop Write-Host "DNS ??? ?????????? $($interface.InterfaceAlias) ??????? ??????????." } catch { Write-Error "?????? ??? ????????? DNS ??? ?????????? $($interface.InterfaceAlias): $_" } } # ??????? ??? DNS Write-Host "??????? ???? DNS..." ipconfig /flushdns | Out-Null Write-Host "??? DNS ??????? ??????."}function Reset-DNS { Write-Host "????? DNS ??? ???????? ??????????? ?? ???????? ?? ?????????..." try { $interfaces = Get-NetAdapter | Where-Object {$_.Status -eq "Up"} -ErrorAction Stop } catch { Write-Error "?????? ??? ????????? ?????? ??????? ???????????: $_" return } if ($interfaces.Count -eq 0) { Write-Warning "?? ??????? ???????? ??????? ???????????." return } foreach

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Users\user\Desktop\bin\winws.exe

8_2_62807BB6

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4429			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5430			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Dropped PE file which has not been started: C:\Users\user\Desktop\bin\WinDivert64.sys

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1080	Thread sleep time: -9223372036854770s >= -30000s			Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7440	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: svchost.exe, 00000005.00000002.4497297841.000001D66BE2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.4498721911.000001D671457000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000000.00000002.4524081444.000001F5EE444000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllaa

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://t.me/bypassblock			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\Desktop\bin\winws.exe "C:\Users\user\Desktop\bin\winws.exe" --wf-tcp=80,443 --wf-udp=443,50000-50100 --filter-tcp=443 --ipset="C:\Users\user\Desktop\lists\\russia-youtube-rtmps.txt" --dpi-desync=syndata --dpi-desync-fake-syndata="C:\Users\user\Desktop\bin\\tls_clienthello_4.bin" --dpi-desync-autottl --new --filter-udp=443 --hostlist="C:\Users\user\Desktop\lists\\youtubeQ.txt" --dpi-desync=fake,udplen --dpi-desync-udplen-increment=4 --dpi-desync-fake-quic="C:\Users\user\Desktop\bin\\quic_3.bin" --dpi-desync-cutoff=n3 --dpi-desync-repeats=2 --new --filter-tcp=443 --hostlist="C:\Users\user\Desktop\lists\\youtube_v2.txt" --dpi-desync=multisplit --dpi-desync-split-seqovl=1 --dpi-desync-split-pos=midsld+1 --new --filter-tcp=443 --hostlist="C:\Users\user\Desktop\lists\\youtubeGV.txt" --dpi-desync=multisplit --dpi-desync-split-seqovl=1 --dpi-desync-split-pos=midsld-1 --new --filter-tcp=443 --hostlist="C:\Users\user\Desktop\lists\\other.txt" --dpi-desync=fake,multisplit --dpi-desync-split-seqovl=1 --dpi-desync-split-pos=midsld-1 --dpi-desync-fooling=md5sig,badseq --dpi-desync-fake-tls="C:\Users\user\Desktop\bin\\tls_clienthello_4.bin" --dpi-desync-ttl=2 --new --filter-tcp=443 --ipset="C:\Users\user\Desktop\lists\\ipset-discord.txt" --dpi-desync=syndata --dpi-desync-fake-syndata="C:\Users\user\Desktop\bin\\tls_clienthello_3.bin" --dpi-desync-autottl --new --filter-tcp=443 --hostlist="C:\Users\user\Desktop\lists\\discord.txt" --dpi-desync=fakedsplit --dpi-desync-split-pos=1 --dpi-desync-fooling=badseq --dpi-desync-repeats=10 --dpi-desync-autottl --new --filter-udp=443 --hostlist="C:\Users\user\Desktop\lists\\discord.txt" --dpi-desync=fake,udplen --dpi-desync-udplen-increment=5 --dpi-desync-udplen-pattern=0xDEADBEEF --dpi-desync-fake-quic="C:\Users\user\Desktop\bin\\quic_2.bin" --dpi-desync-repeats=7 --dpi-desync-cutoff=n2 --new --filter-udp=50000-50090 --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-cutoff=n3 --new --filter-tcp=443 --ipset-ip=XXX.XXX.XXX.XXX/XX,XXX.XXX.XXX.XXX/XX --wssize=1:6 --hostlist-domains=googlevideo.com --dpi-desync=multidisorder --dpi-desync-split-seqovl=1 --dpi-desync-split-pos=1,host+2,sld+2,sld+5,sniext+1,sniext+2,endhost-2 --new --filter-tcp=443 --hostlist="C:\Users\user\Desktop\lists\\faceinsta.txt" --dpi-desync=split2 --dpi-desync-split-seqovl=652 --dpi-desync-split-pos=2 --dpi-desync-split-seqovl-pattern="C:\Users\user\Desktop\bin\\tls_clienthello_4.bin" --new			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\Desktop\bin\winws.exe "c:\users\user\desktop\bin\winws.exe" --wf-tcp=80,443 --wf-udp=443,50000-50100 --filter-tcp=443 --ipset="c:\users\user\desktop\lists\\russia-youtube-rtmps.txt" --dpi-desync=syndata --dpi-desync-fake-syndata="c:\users\user\desktop\bin\\tls_clienthello_4.bin" --dpi-desync-autottl --new --filter-udp=443 --hostlist="c:\users\user\desktop\lists\\youtubeq.txt" --dpi-desync=fake,udplen --dpi-desync-udplen-increment=4 --dpi-desync-fake-quic="c:\users\user\desktop\bin\\quic_3.bin" --dpi-desync-cutoff=n3 --dpi-desync-repeats=2 --new --filter-tcp=443 --hostlist="c:\users\user\desktop\lists\\youtube_v2.txt" --dpi-desync=multisplit --dpi-desync-split-seqovl=1 --dpi-desync-split-pos=midsld+1 --new --filter-tcp=443 --hostlist="c:\users\user\desktop\lists\\youtubegv.txt" --dpi-desync=multisplit --dpi-desync-split-seqovl=1 --dpi-desync-split-pos=midsld-1 --new --filter-tcp=443 --hostlist="c:\users\user\desktop\lists\\other.txt" --dpi-desync=fake,multisplit --dpi-desync-split-seqovl=1 --dpi-desync-split-pos=midsld-1 --dpi-desync-fooling=md5sig,badseq --dpi-desync-fake-tls="c:\users\user\desktop\bin\\tls_clienthello_4.bin" --dpi-desync-ttl=2 --new --filter-tcp=443 --ipset="c:\users\user\desktop\lists\\ipset-discord.txt" --dpi-desync=syndata --dpi-desync-fake-syndata="c:\users\user\desktop\bin\\tls_clienthello_3.bin" --dpi-desync-autottl --new --filter-tcp=443 --hostlist="c:\users\user\desktop\lists\\discord.txt" --dpi-desync=fakedsplit --dpi-desync-split-pos=1 --dpi-desync-fooling=badseq --dpi-desync-repeats=10 --dpi-desync-autottl --new --filter-udp=443 --hostlist="c:\users\user\desktop\lists\\discord.txt" --dpi-desync=fake,udplen --dpi-desync-udplen-increment=5 --dpi-desync-udplen-pattern=0xdeadbeef --dpi-desync-fake-quic="c:\users\user\desktop\bin\\quic_2.bin" --dpi-desync-repeats=7 --dpi-desync-cutoff=n2 --new --filter-udp=50000-50090 --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-cutoff=n3 --new --filter-tcp=443 --ipset-ip=xxx.xxx.xxx.xxx/xx,xxx.xxx.xxx.xxx/xx --wssize=1:6 --hostlist-domains=googlevideo.com --dpi-desync=multidisorder --dpi-desync-split-seqovl=1 --dpi-desync-split-pos=1,host+2,sld+2,sld+5,sniext+1,sniext+2,endhost-2 --new --filter-tcp=443 --hostlist="c:\users\user\desktop\lists\\faceinsta.txt" --dpi-desync=split2 --dpi-desync-split-seqovl=652 --dpi-desync-split-pos=2 --dpi-desync-split-seqovl-pattern="c:\users\user\desktop\bin\\tls_clienthello_4.bin" --new
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\Desktop\bin\winws.exe "c:\users\user\desktop\bin\winws.exe" --wf-tcp=80,443 --wf-udp=443,50000-50100 --filter-tcp=443 --ipset="c:\users\user\desktop\lists\\russia-youtube-rtmps.txt" --dpi-desync=syndata --dpi-desync-fake-syndata="c:\users\user\desktop\bin\\tls_clienthello_4.bin" --dpi-desync-autottl --new --filter-udp=443 --hostlist="c:\users\user\desktop\lists\\youtubeq.txt" --dpi-desync=fake,udplen --dpi-desync-udplen-increment=4 --dpi-desync-fake-quic="c:\users\user\desktop\bin\\quic_3.bin" --dpi-desync-cutoff=n3 --dpi-desync-repeats=2 --new --filter-tcp=443 --hostlist="c:\users\user\desktop\lists\\youtube_v2.txt" --dpi-desync=multisplit --dpi-desync-split-seqovl=1 --dpi-desync-split-pos=midsld+1 --new --filter-tcp=443 --hostlist="c:\users\user\desktop\lists\\youtubegv.txt" --dpi-desync=multisplit --dpi-desync-split-seqovl=1 --dpi-desync-split-pos=midsld-1 --new --filter-tcp=443 --hostlist="c:\users\user\desktop\lists\\other.txt" --dpi-desync=fake,multisplit --dpi-desync-split-seqovl=1 --dpi-desync-split-pos=midsld-1 --dpi-desync-fooling=md5sig,badseq --dpi-desync-fake-tls="c:\users\user\desktop\bin\\tls_clienthello_4.bin" --dpi-desync-ttl=2 --new --filter-tcp=443 --ipset="c:\users\user\desktop\lists\\ipset-discord.txt" --dpi-desync=syndata --dpi-desync-fake-syndata="c:\users\user\desktop\bin\\tls_clienthello_3.bin" --dpi-desync-autottl --new --filter-tcp=443 --hostlist="c:\users\user\desktop\lists\\discord.txt" --dpi-desync=fakedsplit --dpi-desync-split-pos=1 --dpi-desync-fooling=badseq --dpi-desync-repeats=10 --dpi-desync-autottl --new --filter-udp=443 --hostlist="c:\users\user\desktop\lists\\discord.txt" --dpi-desync=fake,udplen --dpi-desync-udplen-increment=5 --dpi-desync-udplen-pattern=0xdeadbeef --dpi-desync-fake-quic="c:\users\user\desktop\bin\\quic_2.bin" --dpi-desync-repeats=7 --dpi-desync-cutoff=n2 --new --filter-udp=50000-50090 --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-cutoff=n3 --new --filter-tcp=443 --ipset-ip=xxx.xxx.xxx.xxx/xx,xxx.xxx.xxx.xxx/xx --wssize=1:6 --hostlist-domains=googlevideo.com --dpi-desync=multidisorder --dpi-desync-split-seqovl=1 --dpi-desync-split-pos=1,host+2,sld+2,sld+5,sniext+1,sniext+2,endhost-2 --new --filter-tcp=443 --hostlist="c:\users\user\desktop\lists\\faceinsta.txt" --dpi-desync=split2 --dpi-desync-split-seqovl=652 --dpi-desync-split-pos=2 --dpi-desync-split-seqovl-pattern="c:\users\user\desktop\bin\\tls_clienthello_4.bin" --new			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	22 Command and Scripting Interpreter	24 Windows Service	24 Windows Service	11 Masquerading	1 Network Sniffing	11 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Service Execution	11 Registry Run Keys / Startup Folder	11 Process Injection	31 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 PowerShell	1 DLL Side-Loading	11 Registry Run Keys / Startup Folder	11 Process Injection	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	1 Network Sniffing	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	21 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
5dFLJyS86S.ps1	2%	Virustotal		Browse
5dFLJyS86S.ps1	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\Desktop\bin\WinDivert.dll	0%	ReversingLabs
C:\Users\user\Desktop\bin\WinDivert64.sys	0%	ReversingLabs
C:\Users\user\Desktop\bin\winws.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
https://reqrypt.org/windivert.html	0%	Avira URL Cloud	safe
http://www.microsoft.co_E	0%	Avira URL Cloud	safe
http://ocsp.sectigo.com0H	0%	Avira URL Cloud	safe
https://zapret.now.sh/script.user.js	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
codeberg.org	217.197.91.145	true	false	high
telegram.org	149.154.167.99	true	false	high
t.me	149.154.167.99	true	false	high
www.google.com	142.250.186.68	true	false	high
cdn4.cdn-telegram.org	34.111.35.152	true	false	high

Contacted URLs

Name	Malicious	Reputation
https://codeberg.org/censorliber/zapret/raw/branch/main/winws.exe	false	high
https://telegram.org/css/bootstrap.min.css?3	false	high
https://telegram.org/css/font-roboto.css?1	false	high
https://cdn4.cdn-telegram.org/file/s3vCUVV1oFSCO-dE5CqAY7IgPiKpdP2z8zxQN72D_TT9z56ahyE0msKqmuM_tk2PSEmQvnQwUvZb1H5LTpaO8JEmhF-5-DzRJn0IlgPUduazk5LN5P7paldIt115IoTuBIfpLYc9IcyeP_A6RfZJrgNinKpPj_KVprinZI2XeGxYV-Oc0kv7FigdkzDmuIUo82gNjtBCwxGg4jGao68ygfD4hQmU5yHjzaetNKqe2slF0f4nvrf0N7_9vCVoXLLhOJ2zVr1x-Jyq6PLsYys0HxH7NN2KH5LN_sO1jucDXW-MlsW7Iv6_BhYjfO3Mc2eDr_gKM9-O3DknTg7q8Q2omQ.jpg	false	high
https://telegram.org/img/tgme/pattern.svg?1	false	high
https://codeberg.org/censorliber/zapret/raw/branch/main/WinDivert64.sys	false	high
https://codeberg.org/censorliber/zapret/raw/branch/main/WinDivert.dll	false	high
https://telegram.org/js/tgwallpaper.min.js?3	false	high
https://telegram.org/fonts/Roboto/KFOmCnqEu92Fr1Mu5mxKKTU1Kvnz.woff2	false	high
https://telegram.org/fonts/Roboto/KFOmCnqEu92Fr1Mu4mxKKTU1Kg.woff2	false	high
https://t.me/bypassblock	false	high
https://telegram.org/fonts/Roboto/KFOlCnqEu92Fr1MmWUlfABc4AMP6lbBP.woff2	false	high
https://telegram.org/fonts/Roboto/KFOlCnqEu92Fr1MmWUlfBBc4AMP6lQ.woff2	false	high
https://telegram.org/css/telegram.css?242	false	high
https://codeberg.org/censorliber/zapret/raw/branch/main/version.txt	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://osx.telegram.org/updates/site/artboard_2x.png);	chromecache_85.6.dr	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	WinDivert64.sys.0.dr	false		high
http://ocsp.sectigo.com0	WinDivert64.sys.0.dr	false		high
https://osx.telegram.org/updates/site/artboard.png)	chromecache_85.6.dr	false		high
https://gist.github.com/92d2ac1b31978642b6b6	chromecache_84.6.dr	false		high
https://reqrypt.org/windivert.html	WinDivert64.sys.0.dr	false	Avira URL Cloud: safe	unknown
https://t.me/bypassblockd	powershell.exe, 00000000.00000002.4524081444.000001F5EE444000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	powershell.exe, 00000000.00000002.4498106588.000001F5D7FEF000.00000004.00000800.00020000.00000000.sdmp, WinDivert64.sys.0.dr	false		high
https://contoso.com/License	powershell.exe, 00000000.00000002.4519498169.000001F5E6325000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2.C:	svchost.exe, 00000005.00000003.2192605111.000001D671330000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr	false		high
https://github.com/notepad-plus-plus/notepad-plus-plus/releases)	powershell.exe, 00000000.00000002.4519498169.000001F5E6190000.00000004.00000800.00020000.00000000.sdmp, 5dFLJyS86S.ps1	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	WinDivert64.sys.0.dr	false		high
https://codeberg.org	powershell.exe, 00000000.00000002.4498106588.000001F5D7BB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4498106588.000001F5D7F4D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4498106588.000001F5D6349000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4498106588.000001F5D6865000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4498106588.000001F5D804F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000000.00000002.4519498169.000001F5E6325000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000000.00000002.4519498169.000001F5E61D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4519498169.000001F5E6325000.00000004.00000800.00020000.00000000.sdmp	false		high
http://getbootstrap.com)	chromecache_84.6.dr	false		high
http://www.microsoft.co_E	powershell.exe, 00000000.00000002.4524003437.000001F5EE330000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000000.00000002.4498106588.000001F5D6121000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	powershell.exe, 00000000.00000002.4498106588.000001F5D7FEF000.00000004.00000800.00020000.00000000.sdmp, WinDivert64.sys.0.dr	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000000.00000002.4519498169.000001F5E61D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4519498169.000001F5E6325000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	powershell.exe, 00000000.00000002.4498106588.000001F5D7FEF000.00000004.00000800.00020000.00000000.sdmp, WinDivert64.sys.0.dr	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000000.00000002.4498106588.000001F5D6349000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000000.00000002.4498106588.000001F5D6349000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000000.00000002.4498106588.000001F5D748F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://t.me/bypassblock$	powershell.exe, 00000000.00000002.4524081444.000001F5EE444000.00000004.00000020.00020000.00000000.sdmp	false		high
http://getbootstrap.com/customize/?id=92d2ac1b31978642b6b6)	chromecache_84.6.dr	false		high
https://contoso.com/Icon	powershell.exe, 00000000.00000002.4519498169.000001F5E6325000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.ver)	svchost.exe, 00000005.00000002.4498565832.000001D671400000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/bypassblock(	powershell.exe, 00000000.00000002.4524081444.000001F5EE444000.00000004.00000020.00020000.00000000.sdmp	false		high
http://codeberg.org	powershell.exe, 00000000.00000002.4498106588.000001F5D6865000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4498106588.000001F5D7F1E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000000.00000002.4498106588.000001F5D6349000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/censorliber/youtube_unblock	powershell.exe, 00000000.00000002.4519498169.000001F5E6190000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4498106588.000001F5D6349000.00000004.00000800.00020000.00000000.sdmp, 5dFLJyS86S.ps1	false		high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	WinDivert64.sys.0.dr	false		high
https://g.live.com/odclientsettings/Prod/C:	edb.log.5.dr	false		high
https://codeberg.org/	powershell.exe, 00000000.00000002.4498106588.000001F5D8065000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4498106588.000001F5D7F4D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4498106588.000001F5D6980000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4498106588.000001F5D7FEF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	WinDivert64.sys.0.dr	false		high
https://github.com/twbs/bootstrap/blob/master/LICENSE)	chromecache_84.6.dr	false		high
https://aka.ms/pscore68	powershell.exe, 00000000.00000002.4498106588.000001F5D6121000.00000004.00000800.00020000.00000000.sdmp	false		high
https://zapret.now.sh/script.user.js	powershell.exe, 00000000.00000002.4519498169.000001F5E6190000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.4498106588.000001F5D6349000.00000004.00000800.00020000.00000000.sdmp, 5dFLJyS86S.ps1	true	Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com0H	powershell.exe, 00000000.00000002.4498106588.000001F5D7FEF000.00000004.00000800.00020000.00000000.sdmp, WinDivert64.sys.0.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.68	www.google.com	United States	15169	GOOGLEUS	false
34.111.35.152	cdn4.cdn-telegram.org	United States	15169	GOOGLEUS	false
217.197.91.145	codeberg.org	Germany	29670	IN-BERLIN-ASIndividualNetworkBerlineVDE	false
149.154.167.99	telegram.org	United Kingdom	62041	TELEGRAMRU	false
239.255.255.250	unknown	Reserved	unknown	unknown	false

Private

IP
192.168.2.5
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1586505
Start date and time:	2025-01-09 08:38:20 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	5dFLJyS86S.ps1 renamed because original name is a hash value
Original Sample Name:	6ebd2fb6a88cb521599a78a195d811d2.ps1
Detection:	MAL
Classification:	mal64.troj.evad.winPS1@22/41@13/7
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 4 Number of non-executed functions: 166
Cookbook Comments:	Found application associated with file extension: .ps1 Override analysis time to 240s for powershell

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 142.250.186.67, 142.250.184.206, 64.233.167.84, 217.20.57.19, 192.229.221.95, 142.250.185.142, 142.250.185.206, 23.56.254.164, 142.250.186.78, 142.250.186.110, 172.217.18.110, 172.217.18.14, 34.104.35.123, 142.250.181.238, 199.232.210.172, 216.58.212.174, 142.250.184.238, 142.250.185.238, 142.250.186.174, 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, clientservices.googleapis.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, redirector.gvt1.com, edgedl.me.gvt1.com, e16604.g.akamaiedge.net, update.googleapis.com, clients.l.google.com, prod.fs.microsoft.com.akadns.net
Execution Graph export aborted for target powershell.exe, PID 1776 because it is empty
Execution Graph export aborted for target winws.exe, PID 7464 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:39:10	API Interceptor	11354060x Sleep call for process: powershell.exe modified
02:39:25	API Interceptor	2x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
239.255.255.250	Subscription_Renewal_Invoice_2025_FGHDCS.html	Get hash	malicious	HTMLPhisher	Browse
	https://qr.me-qr.com/PVhBu5SR	Get hash	malicious	Unknown	Browse
	http://join.grass-io.cc	Get hash	malicious	Unknown	Browse
	https://qr.me-qr.com/pt/E9k76ew	Get hash	malicious	Unknown	Browse
	e-Invoice.html	Get hash	malicious	Unknown	Browse
	https://rinderynitvye.blogspot.com/	Get hash	malicious	CAPTCHA Scam ClickFix, Phisher	Browse
	https://lap.gnoqwwhpwe.ru/3aeK/#Dmestevao@iif.com	Get hash	malicious	Unknown	Browse
	Condenast eCHECK- Payment Advice.html	Get hash	malicious	Unknown	Browse
	https://mail.voipmessage.uk/XZmNVMGRWSjAyR3hxcDF0LzhSdGt1ZFZjdG0vUU9uWWRDQXI2eXJwbnNYd0FnNE9TWjhBNncyakhQSlRKa0poSEVkY09KRzlaVG9SSGM4NSt2bHh3M0h4eHpwKzZNZlpMUU9rWklrRlg2R0R3ak9qbVA4T21TZXpzYUxJazlsaVo0ODNubmNtS1ZuQTdWL1dLa3kvZVpKeU5WOUJWUVRFMHcxRWhsODJKQTdVV2NSUmloaFBtRWdiL1lGQ0VCOTNUUjVmSE1nPT0tLVpvYUVQQVVmdkNSZmR3ZUItLWhoMjNyU1ZFSWhzclZVc0cwdTEwS0E9PQ==?cid=305193241	Get hash	malicious	KnowBe4	Browse
	http://indyhumane.org	Get hash	malicious	Unknown	Browse
217.197.91.145	HaPJ2rPP6w.exe	Get hash	malicious	SmokeLoader	Browse
	LisectAVT_2403002B_286.exe	Get hash	malicious	Unknown	Browse
	CNWSFY59Z6S1D.JS	Get hash	malicious	WSHRAT	Browse
	CNWSFY59Z6S1D.JS	Get hash	malicious	WSHRAT	Browse
	6Y8CXBW7P6AR.JS	Get hash	malicious	Unknown	Browse
	Techspan Statement.xlsm	Get hash	malicious	Unknown	Browse
149.154.167.99	http://xn--r1a.website/s/ogorodru	Get hash	malicious	Unknown	Browse	telegram.org/img/favicon.ico
	http://cryptorabotakzz.com/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://cache.netflix.com.id1.wuush.us.kg/	Get hash	malicious	Unknown	Browse	telegram.org/dl?tme=fe3233c08ff79d4814_5062105595184761217
	http://investors.spotify.com.sg2.wuush.us.kg/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://bekaaviator.kz/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://telegramtw1.org/	Get hash	malicious	Unknown	Browse	telegram.org/?setln=pl
	http://makkko.kz/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://telegram.dog	Get hash	malicious	Unknown	Browse	telegram.dog/
	LnSNtO8JIa.exe	Get hash	malicious	Cinoshi Stealer	Browse	t.me/cinoshibot
	jtfCFDmLdX.exe	Get hash	malicious	Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT	Browse	t.me/cinoshibot

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
codeberg.org	HaPJ2rPP6w.exe	Get hash	malicious	SmokeLoader	Browse	217.197.91.145
	LisectAVT_2403002B_286.exe	Get hash	malicious	Unknown	Browse	217.197.91.145
	CNWSFY59Z6S1D.JS	Get hash	malicious	WSHRAT	Browse	217.197.91.145
	CNWSFY59Z6S1D.JS	Get hash	malicious	WSHRAT	Browse	217.197.91.145
	6Y8CXBW7P6AR.JS	Get hash	malicious	Unknown	Browse	217.197.91.145
	Techspan Statement.xlsm	Get hash	malicious	Unknown	Browse	217.197.91.145
t.me	Mes_Drivers_3.0.4.exe	Get hash	malicious	Unknown	Browse	46.105.202.207
	http://t.me/hhackplus	Get hash	malicious	Unknown	Browse	149.154.167.99
	https://sendbot.me/mousse-w0fysl7	Get hash	malicious	Unknown	Browse	104.26.12.222
	ZT0KQ1PC.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	149.154.167.99
	RisingStrip.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	https://telegra.ph/Clarkson-122025-01-02	Get hash	malicious	Unknown	Browse	149.154.167.99
	https://telegra.ph/Clarkson-122025-01-02	Get hash	malicious	Unknown	Browse	149.154.167.99
	CenteredDealing.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
telegram.org	PO.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	BgroUcYHpy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	oagkiAhXgZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	proforma invoice pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	spreadmalware.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	random.exe	Get hash	malicious	CStealer	Browse	149.154.167.220
	random.exe	Get hash	malicious	CStealer	Browse	149.154.167.220
	HaLCYOFjMN.exe	Get hash	malicious	DCRat, PureLog Stealer, RedLine, XWorm, zgRAT	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	PO.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	BgroUcYHpy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	oagkiAhXgZ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	proforma invoice pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	spreadmalware.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	random.exe	Get hash	malicious	CStealer	Browse	149.154.167.220
	random.exe	Get hash	malicious	CStealer	Browse	149.154.167.220
	HaLCYOFjMN.exe	Get hash	malicious	DCRat, PureLog Stealer, RedLine, XWorm, zgRAT	Browse	149.154.167.220
IN-BERLIN-ASIndividualNetworkBerlineVDE	HaPJ2rPP6w.exe	Get hash	malicious	SmokeLoader	Browse	217.197.91.145
	LisectAVT_2403002B_286.exe	Get hash	malicious	Unknown	Browse	217.197.91.145
	CNWSFY59Z6S1D.JS	Get hash	malicious	WSHRAT	Browse	217.197.91.145
	CNWSFY59Z6S1D.JS	Get hash	malicious	WSHRAT	Browse	217.197.91.145
	6Y8CXBW7P6AR.JS	Get hash	malicious	Unknown	Browse	217.197.91.145
	Techspan Statement.xlsm	Get hash	malicious	Unknown	Browse	217.197.91.145
	index	Get hash	malicious	Unknown	Browse	185.177.206.72

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	PO1178236.scr.exe	Get hash	malicious	Unknown	Browse	217.197.91.145
	Purchase Order A2409002.scr.exe	Get hash	malicious	Unknown	Browse	217.197.91.145
	PO1178236.scr.exe	Get hash	malicious	Unknown	Browse	217.197.91.145
	Ref#103052.exe	Get hash	malicious	XWorm	Browse	217.197.91.145
	NEW PURCHASE INQUIRY.scr.exe	Get hash	malicious	Unknown	Browse	217.197.91.145
	https://redduppgh.com/	Get hash	malicious	Unknown	Browse	217.197.91.145
	https://minia.n1tab.com/	Get hash	malicious	Unknown	Browse	217.197.91.145
	http://topmarktingplace.com/4vfVEJ42616owhy1324yhmrkkdpck110EVYGTFUNAFUPGFT22589MFQQ17548D10	Get hash	malicious	Unknown	Browse	217.197.91.145
	http://topmarktingplace.com/4KCrhO42616HeLs1324axlafysauc110UGQLALGLNEZCHJM22589XDWY17548d10	Get hash	malicious	Unknown	Browse	217.197.91.145
	PO.exe	Get hash	malicious	MassLogger RAT	Browse	217.197.91.145

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.8587811623702916
Encrypted:	false
SSDEEP:	3072:gJjJGtpTq2yv1AuNZRY3diu8iBVqF/pLp2cM:hpezNZQd58ikLp2cM
MD5:	F7201BF041AFE029AD231EDB02B8424E
SHA1:	CBF4797458B399F0F7ED32CE5EE41B24AAC718FE
SHA-256:	99A9B5CC3FECBB3091251082DBC8FB44868FB3DA0F347B10DF68F96E14B978C9
SHA-512:	F2D062DE6D86C796AF782AC00AF9673677551FDFD71C71DC7F9D41AEEB4816022BDE880364C717EDB51AB1053E67C05EF2DFA7AB5755C69BC52F6E5DF03AF8F9
Malicious:	false
Reputation:	low
Preview:	...M........@..@.-...{5..;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................4..........E.[.rXrX.#.........`h.................h.5.......3.....X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x922428bd, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.6585482976052116
Encrypted:	false
SSDEEP:	1536:xSB2ESB2SSjlK/rv5rO1T1B0CZSJRYkr3g16P92UPkLk+kAwI/0uzn10M1Dn/di6:xaza9v5hYe92UOHDnAPZ4PZf9h/9h
MD5:	3906A8607E553DAA6F9DD92B818F515C
SHA1:	E8AEE4042660B3E0B76D629AFCBF015B1C1D3EAC
SHA-256:	2C9BAB42A5EC9F522CD44AC986501AD8D2F24B32A30C71E13A7C408C39548144
SHA-512:	D436DC568EE437FDB99E432DAADE76882CDC5BE22391EF2840EA0C8E951450007F43A6318239B210B48CF05CFDB018DB5016673157EAA0C87EF0CE5E07B62557
Malicious:	false
Reputation:	low
Preview:	.$(.... ...............X\...;...{......................0.z..........{...'...}..h.\|.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........-...{5..............................................................................................................................................................................................2...{..................................m..o.'...}..................&].~.'...}...........................#......h.\|.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08011511163784857
Encrypted:	false
SSDEEP:	3:we6ll/EYeI9wk5ekGuAJkhvekl1fl/lAllrekGltll/SPj:we6l6z0wytrxlNtlAJe3l
MD5:	3D45570287C42F3F979736FADD16A055
SHA1:	DDBB8CDAE611F2368B47016AF30DE6477ACC455F
SHA-256:	83FB4FE414D4B712435775E164484DF890AF64341B255F0E0F884A72704F788B
SHA-512:	C5142E6B38CBBA3B72B82CCF59F23E608613B5A8F63FF3FB9D7571ABEBD39AA8C31D7C48ACBB84C629D40F100EDFD5BA83FAEE725BD9D35B73F8D1579B83D4C4
Malicious:	false
Reputation:	low
Preview:	........................................;...{...'...}.......{...............{.......{...XL......{..................&].~.'...}..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	11608
Entropy (8bit):	4.890472898059848
Encrypted:	false
SSDEEP:	192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP
MD5:	8A4B02D8A977CB929C05D4BC2942C5A9
SHA1:	F9A6426CAF2E8C64202E86B07F1A461056626BEA
SHA-256:	624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
SHA-512:	38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1g5pr2tm.u0e.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a2y53av2.wey.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6222
Entropy (8bit):	3.7137897851079407
Encrypted:	false
SSDEEP:	48:GxyIcTCtbU2K+BpvqukvhkvklCywPn2Rn0l+lz/vCSogZoWxn0l+lW/vCSogZoC1:cy7TCOoXrkvhkvCCtG0l+JDH10l+MDHd
MD5:	417FBF9684CA94EBA157FE9730EA7DC6
SHA1:	457EFCF4ED6B57679FCFCB82D048BF87BB286692
SHA-256:	0FB2517E82B6488C90052065C6947351898E7229BF145A1F7CA62382B0BC1DDD
SHA-512:	E58BBCD0061587215E4636EFE748FC746D60B00C438FEF58C5B2C2F4942CF53349635D98B60F25E15B0292F615B3C512183AA7E395195C374161B2A4349384B4
Malicious:	false
Preview:	...................................FL..................F.".. ...d.........ib..z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M......o..ib..y...ib......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl)Z.<....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....)Z.<..Roaming.@......DWSl)Z.<....C.........................R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl)Z.<....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSl)Z.<....E.....................<...W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl)Z.<....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl)Z.<....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl)Z.<....q...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\W7DM9BFLGQYKYOPG3GMN.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6222
Entropy (8bit):	3.7137897851079407
Encrypted:	false
SSDEEP:	48:GxyIcTCtbU2K+BpvqukvhkvklCywPn2Rn0l+lz/vCSogZoWxn0l+lW/vCSogZoC1:cy7TCOoXrkvhkvCCtG0l+JDH10l+MDHd
MD5:	417FBF9684CA94EBA157FE9730EA7DC6
SHA1:	457EFCF4ED6B57679FCFCB82D048BF87BB286692
SHA-256:	0FB2517E82B6488C90052065C6947351898E7229BF145A1F7CA62382B0BC1DDD
SHA-512:	E58BBCD0061587215E4636EFE748FC746D60B00C438FEF58C5B2C2F4942CF53349635D98B60F25E15B0292F615B3C512183AA7E395195C374161B2A4349384B4
Malicious:	false
Preview:	...................................FL..................F.".. ...d.........ib..z.:{.............................:..DG..Yr?.D..U..k0.&...&...... M......o..ib..y...ib......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl)Z.<....B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....)Z.<..Roaming.@......DWSl)Z.<....C.........................R.o.a.m.i.n.g.....\.1.....DW.q..MICROS~1..D......DWSl)Z.<....D.....................sy%.M.i.c.r.o.s.o.f.t.....V.1.....DW.r..Windows.@......DWSl)Z.<....E.....................<...W.i.n.d.o.w.s.......1.....DWUl..STARTM~1..n......DWSl)Z.<....G...............D......a..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DWWn..Programs..j......DWSl)Z.<....H...............@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......DWSlDWSl....I.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......DWSl)Z.<....q...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Jan 9 06:39:28 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.986926211314537
Encrypted:	false
SSDEEP:	48:8JdVT9JtAHVvcidAKZdA19ehwiZUklqehLy+3:8Rbgq8y
MD5:	D20DB8F55D550FC5CACA59B7C6F4EE7B
SHA1:	5D42D8D7211E0AE1F81D7845305F6EBEC38115EA
SHA-256:	48ACE411E02A9F22DE6BFF12E85D5A54AA20F1B450FFD3789E288BCDBB724660
SHA-512:	C0296AD5D6B09F437AE7542F8236B4C5E41E48720230A309C85A8B9C7CAAFC5B85A32AD21EC135C12DE1DC904EED9592A34EC2CBDEFC9BF57F00AB7B7F78957E
Malicious:	false
Preview:	L..................F.@.. ...$+.,.......ib..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I)Z.<....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V)Z.<....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V)Z.<....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V)Z.<..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V)Z.<...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........(.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Jan 9 06:39:28 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	4.0033133648675765
Encrypted:	false
SSDEEP:	48:8CdVT9JtAHVvcidAKZdA1weh/iZUkAQkqehsy+2:80bgg9Qly
MD5:	F5DDC081CC1A644FA8E1FBD82D51912B
SHA1:	539238A9C42D52E5E825F89990A43D39623897EC
SHA-256:	D2988E5C6D7EEC9257D5E31E2F05F01CDD0B8C646429752EA3F284A66430B6B7
SHA-512:	9BC85193AA5DED1BADF3DA70C117F6B63435232ABC63B325FED41DAB9F2B32C1DBBB93B0520D0054B382E7CF9178221FD0025D20FB9B1D125440A5A59CE29F21
Malicious:	false
Preview:	L..................F.@.. ...$+.,.......ib..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I)Z.<....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V)Z.<....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V)Z.<....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V)Z.<..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V)Z.<...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........(.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2693
Entropy (8bit):	4.0156008017115825
Encrypted:	false
SSDEEP:	48:8xydVT9JsHVvcidAKZdA14tseh7sFiZUkmgqeh7s+y+BX:8xkbe4nwy
MD5:	6ACEE5F0CCFE61050A5759398B736A2F
SHA1:	93C6E0A9EBD150A0D7496FE1FCAE19F5A0159597
SHA-256:	4577E8829B528A3163EA028087BC1C47246638AD2F2A44A82BD8A6451F42EFF7
SHA-512:	B9BC7524C27DD7B584DF20671FA7857C6EE490A6564FCFC9DB9C33C58D95401141D96FB945D09B98423491A6FD1CE0F56CEB147E97D14867F460E58B6FE451DF
Malicious:	false
Preview:	L..................F.@.. ...$+.,......e>....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I)Z.<....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V)Z.<....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V)Z.<....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V)Z.<..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VDW.n...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........(.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Jan 9 06:39:27 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	4.001969101161276
Encrypted:	false
SSDEEP:	48:8/dVT9JtAHVvcidAKZdA1vehDiZUkwqeh4y+R:8rbgrGy
MD5:	ABF87C25E0082ACF690E6D7051E9D1CC
SHA1:	57CB680AD3B94D8C2E3CC4F362134A9F8C6C3A09
SHA-256:	F084548AD500958F4E8F31F5106AB3895399B182E824094E8A06ED5E7EB41474
SHA-512:	B55889701987F991A62576F2964F1C2BCAAEC9CE303A4FBC6238CBFE7EA2E750ADD3D7AE4B8A9763F5B0E695B7EB2D46827B9BFB34498CB7C61BC80156CEAEA4
Malicious:	false
Preview:	L..................F.@.. ...$+.,.......ib..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I)Z.<....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V)Z.<....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V)Z.<....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V)Z.<..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V)Z.<...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........(.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Jan 9 06:39:28 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.990323272831462
Encrypted:	false
SSDEEP:	48:8TAydVT9JtAHVvcidAKZdA1hehBiZUk1W1qehyy+C:8Mkbgr9Sy
MD5:	EE5C4EA6AC8F47C85EFDDBE81942AB67
SHA1:	E5A8292270E163A025F10BC5235F710A36E07A51
SHA-256:	CDB65C29C95F918F7CED530D0F3D3ACD06B92DF374EC0FB55570951744D3ABEA
SHA-512:	05BADAE0E4ADB850F013CA8628D68CDBBA3675090CCA1D28930382B2AB7B4DAD3329248F64671CEE759A999F0F298E05AF0A83FA61502D6F2FFE683092050353
Malicious:	false
Preview:	L..................F.@.. ...$+.,.......ib..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I)Z.<....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V)Z.<....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V)Z.<....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V)Z.<..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V)Z.<...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........(.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Jan 9 06:39:27 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2683
Entropy (8bit):	4.001231874318961
Encrypted:	false
SSDEEP:	48:8CdVT9JtAHVvcidAKZdA1duT+ehOuTbbiZUk5OjqehOuTbwy+yT+:80bgLT/TbxWOvTbwy7T
MD5:	728F853E9014D5D5F2F05941CEEE80ED
SHA1:	FA5E222BCA88DAF099E5DEFCE8C22CAC74C6F44D
SHA-256:	BBEACC06DE0A86069730ECC000D8C48D15E67DD0494AF67ED790847104D0DD31
SHA-512:	4087C9C0278B126875E4445B82F3DB611593B079E35EF5E12DA41D29B861D9497235F0C4EB895B2245A4B911BA5D3BDCDE603DF1EE05F60F1096D58BA387DADF
Malicious:	false
Preview:	L..................F.@.. ...$+.,....S..ib..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I)Z.<....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V)Z.<....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V)Z.<....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V)Z.<..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V)Z.<...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........(.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\Desktop\bin\WinDivert.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	47616
Entropy (8bit):	5.723935988890196
Encrypted:	false
SSDEEP:	768:Kjf2rf/kxpxI+JEw2VWHDDjQSQX4zTtllgwBqWocHTicI:muT/CXHDvVQatoATic
MD5:	8FB2ED69551488BA889F5D813D8937DA
SHA1:	BC0AE3E22C8EAA0EC228EF74DA8577B358CCE305
SHA-256:	4B0BDD875D02DF084D87D1573BCECF393D67DA4AB3DDCCE725AF2F477B90D87E
SHA-512:	579ECF2AA7704B55E094DC9E3F40AF3FE40CF591E15C5E6001B315443BABA22249BD388087F1F54BB56E47A8CB6FD790E9245899DBB008AB2F8A32A779697DE8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................".....z...<.......{.........b.............................0................ .........................................0.......t...............H............ ......................................................,................................text....x.......z.................. .P`.data... ............~..............@.P..rdata...".......$..................@.`@.pdata..H...........................@.0@.xdata.. ...........................@.0@.bss..................................P..edata..0...........................@.0@.idata..t...........................@.0..reloc....... ......................@.0B........................................................................................................................................................................................................................................................

C:\Users\user\Desktop\bin\WinDivert64.sys

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	94664
Entropy (8bit):	6.443453506124819
Encrypted:	false
SSDEEP:	1536:Y8yC9gMLoKh//0x/DxtAxVaQtaqJdsAtixJpfd0WZzf:YGvopDxix0yaqJdsAtopN7
MD5:	EB187D171359A5BB1C754107F18CF8BB
SHA1:	96E6FCE6833EA0F2C81BFE0363393AA3302D6916
SHA-256:	8248306BCC5FAE20FD4F3D5C44F962C85CDDBE020B34A1799350CE2034154B7D
SHA-512:	E75383E919F0C2842F4CFB54E44A5F968E37911EB10C02676671126575B7D3231C39DFAF3570B5EEE3B0FFDD19E4BFE9A5DFA60B91FC90997D54D6B60038B457
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S...........5........6......-..........5......5......5.............A..........Rich...................PE..d...x$Rb.........."............................@....................................U.....`.................................................d...x.......x....p...........S..............8............................................................................text............................... ..h.rdata.. F.......H..................@..H.data...8@... ......................@....pdata.......p......................@..H.gfids..............................@..HINIT................................ ..b.rsrc...x...........................@..B.reloc..............................@..B........................................................................................................................................................................

C:\Users\user\Desktop\bin\winws.exe

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Category:	modified
Size (bytes):	159744
Entropy (8bit):	6.43340426693412
Encrypted:	false
SSDEEP:	3072:8fJZKfSQWqghXUSTRO8op+bV/D+BY+6wUivFh2JP:8fifCqp+bBy4wfvFkP
MD5:	7824C819BD3C98BF7890D92FD3EF3785
SHA1:	3DD4873B965F24EC3156F7081A03256931694256
SHA-256:	28604CD5B40E42DEF61986E39D59B94F48CD40B615ED711DB799A8E89C856EDD
SHA-512:	C8DACD931D186C7A56BDE931CEF5059EE3BE06EE751AF50A1D1B5D527A022D541657D59434E2A72239E035E6EF53E76BE6A26F1B24B9ADE0E7C36A7E91405964
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...%.mg...............).v...l...B............@............................................... .........................................................P....P..................4....@..............................................h................................text....u.......v..................`..`.data................z..............@....rdata..H...........................@..@.buildid5....@.......&..............@..@.pdata.......P.......(..............@..@.xdata.......`.......4..............@..@.bss.....@...p...........................idata...............@..............@....rsrc...P.......P....R..............@..@.reloc..4............n..............@..B................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Chrome Cache Entry: 81

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 320x320, components 3
Category:	dropped
Size (bytes):	24842
Entropy (8bit):	7.939984046854116
Encrypted:	false
SSDEEP:	384:AN29Mql1TxShG9boh4ZKlJ3Utbtzu9wnTxRWcKjQkIJL2SacHPYC5aWJ++M8Ol:q21l/T9boh4UlJ6agTWcfkYL2u1/hOl
MD5:	C5C5FC45D00AD36B48B8E7CD559A052D
SHA1:	B987E5CB371B55E55999A714738CC7B32E4EE810
SHA-256:	A4AC3315C0468E5C2CB17BF436D13048A0945BE4C06FA7158F7F4EE700406D5A
SHA-512:	7D69AA41A19E2AC15E6A46D87968CB415A89C503B0DB4A14960524132F38ED4D216054D3E51A1B8DB8BF954E4F00A349E030F4D956B013C2BBADE8A52508CF04
Malicious:	false
Preview:	......JFIF.....`.`......ICC_PROFILE............@..mntrRGB XYZ ............acsp.......................................-Qt..................................................rXYZ........gXYZ........bXYZ........wtpt...,....cprt...@....rTRC...L... gTRC...L... bTRC...L... desc...l..._XYZ ......o...8.....XYZ ......b.........XYZ ......$.........XYZ .......O........text....N/A.para..........ff......Y.......[desc........sRGB..................................................................................C....................................................................C.......................................................................@.@.."..........................................D.........................!..1A..Qa"2q.....#BR...3br...$..4C%...Sc..................................8.......................!..1.A."Qa.2q.B.....#$R..%3r...............?...qV....1=.. ....F...j..;"...v.W.......f.1A.(P.A.(P.A.*..Z.....b._.(`zPA...P..8.f.w...!.x\|.....)]....n,qSO..A.p.IJ.-.E...1j.q..^.....

Chrome Cache Entry: 82

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 6460, version 1.0
Category:	downloaded
Size (bytes):	6460
Entropy (8bit):	7.967122559934462
Encrypted:	false
SSDEEP:	192:3U5ZGOjmVC7408/bU8UAstH+/HJ4nV72XGuFZJXsGdnund:3OI6mX08/biuc23FZlsGYnd
MD5:	491A7A9678C3CFD4F86C092C68480F23
SHA1:	32E18AE407D782ADFD54C78C6259C7BE52DB6BF3
SHA-256:	41B5C3B25F4258190937DEB900FA57A6DB6D450CE7DD2AF2259AF760119A1C41
SHA-512:	BF89C2CECB09F56B6EC271AEDE7DD0BAE6C0B9C88ABA6A59E0E0C3F50C5F22E25178E766754D1C495866E76C00C8B413612B3516C75AD731ECB4F38B79D15E01
Malicious:	false
URL:	https://telegram.org/fonts/Roboto/KFOmCnqEu92Fr1Mu5mxKKTU1Kvnz.woff2
Preview:	wOF2.......<......1..............................j..V.6.`.......P.v.....6.$.... ..t. ..)..0c... ...b0........A]..G.bQ.....D..m.pLY.T\|{.^.g..'...#4.I.._k......>.D..b....tT.eV.Q....v.`.9.... (......`R...e...Q....0.60...{b..y.@..pA.B@......R.oW{...\....5.."....$. ....\|.l..f..p....F..n.jl[.e0'K..Qb....,[...s..v7..B.%.vT.._...o....!... Ta..C...).i..j.U6.OQ.Q..H.[D...t1.....\|!...ut""r.O....^..e}..5..E....f..IC(P.P...I.B......C.A..p....."P.D.\..........d.E..k.9....h......r...cA.rd_b,.!x..$...U . @.....c...../O..[.....;.xb<.s..._.0...?.A..1D."~$(.L.....2.U.&q!.Q...,....ITe.g.s..D6q..N......>......8..#R..b?.S\|.1.E`...W...1....5M.y..}...u...XM.....+..[..p.X.,.Fn.{..3.+........X..q)..{1{..s...{.'..s".....MM..+.C...OJ4pT.b..V:.62ry .7.Q..A..3..t.K....N?.H\|%..l..Jm....W.6....c..-...].._b<.K.y.:..q..r...@#.z....R,..!v..YI\|)..]...G..Q(M.....j.'...I.....&O..{)R.B..u.4i.C..}.LX.b.l....w.\|...(H.P."E..'^.D.R..)..Rv6A....S...^.j.~..[b.8..5.q...l.u..7..`.;r..A}.

Chrome Cache Entry: 83

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	SVG Scalable Vector Graphics image
Category:	downloaded
Size (bytes):	231706
Entropy (8bit):	4.593328315871064
Encrypted:	false
SSDEEP:	1536:XVU9J794HJ4E7mwNUiRPt5jmU7LxmMS2S1J7g8tEqcqMWKB5v:Xew7ePc
MD5:	D0C22C6A97023D85BA6E644A41C44A5D
SHA1:	4284EFB616C182DA4450C123174CE0E81A322845
SHA-256:	118ADD53487C02AAF5B5AB9F69380FA06717DEB10492E14AAA487E3C62806AD4
SHA-512:	DA96462F4F999BB65509D32E4D5D2E1FD74555CE78D43E5F80FC350155BCE59250337CD1796B17D2132F39429B5E3FD95D05101EE9F9B29BCE2BB7B44B6E4EB8
Malicious:	false
URL:	https://telegram.org/img/tgme/pattern.svg?1
Preview:	<?xml version="1.0" encoding="utf-8"?>. Generator: Adobe Illustrator 27.0.1, SVG Export Plug-In . SVG Version: 6.00 Build 0) -->.<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px".. viewBox="0 0 1440 2960" style="enable-background:new 0 0 1440 2960;" xml:space="preserve">.<style type="text/css">...st0{fill:none;stroke:#000000;stroke-width:3;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:10;}...st1{fill:none;stroke:#000000;stroke-width:3;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:10.0001;}...st2{fill:none;stroke:#000000;stroke-width:2.9998;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:9.9995;}...st3{stroke:#000000;stroke-width:3;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:10;}...st4{fill:none;stroke:#000000;stroke-width:2.9999;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:9.9998;}...st5{fill:none;stroke:#000000;stroke-width:3.0001

Chrome Cache Entry: 84

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (42164)
Category:	downloaded
Size (bytes):	42523
Entropy (8bit):	5.082709528800747
Encrypted:	false
SSDEEP:	384:6RvBBVkrJxvcwYBUQ7X85AUfvDUNeFUBOgBmjeYP4PSvSdlb1bGjpXJNNRyIrOM:2k0p38OBmjeYP4xb1bG/bRyIH
MD5:	C2656E265EF58A9CC9F4B70B15DA5FB9
SHA1:	85C5EBDB89D4574D72688C2650D4B84B9B09770A
SHA-256:	F1D083FFAA644C708F11DB29707AA57C19246E6D32643B03FEE3F82C17B224B3
SHA-512:	6417AADEBEEF4EE35381BFC7034148D57FD061D84DE9974D798468C6426C24A6BD1C9913CF517ACCF3E349FA06CBDD546D2883EA8391C595285FE0C6127E26E8
Malicious:	false
URL:	https://telegram.org/css/bootstrap.min.css?3
Preview:	/!. Bootstrap v3.2.0 (http://getbootstrap.com). * Copyright 2011-2014 Twitter, Inc.. * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE). /../!. * Generated using the Bootstrap Customizer (http://getbootstrap.com/customize/?id=92d2ac1b31978642b6b6). * Config saved to config.json and https://gist.github.com/92d2ac1b31978642b6b6. //! normalize.css v3.0.1 \| MIT License \| git.io/normalize */html{font-family:sans-serif;-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%}body{margin:0}article,aside,details,figcaption,figure,footer,header,hgroup,main,nav,section,summary{display:block}audio,canvas,progress,video{display:inline-block;vertical-align:baseline}audio:not([controls]){display:none;height:0}[hidden],template{display:none}a{background:transparent}a:active,a:hover{outline:0}abbr[title]{border-bottom:1px dotted}b,strong{font-weight:bold}dfn{font-style:italic}h1{font-size:2em;margin:0.67em 0}mark{background:#ff0;color:#000}small{font-size:80%}sub,sup{fo

Chrome Cache Entry: 85

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (1267)
Category:	downloaded
Size (bytes):	115228
Entropy (8bit):	5.153154679556378
Encrypted:	false
SSDEEP:	1536:xylcfDxYzbJ3iw9vBC2WXdm791WoDYzghw4uJuhwNpfewltog69FjxWDpfxV685u:xylc7xYzwwqrXkC0YzPvL5u
MD5:	5BA28042C5E29474F03B198862B53769
SHA1:	76E2B7D00918F3D343F85ACA69F57FFBD20233FB
SHA-256:	C77769911D5A1089E652C071332E18C5411F60705BA50135C21F267FFE42B642
SHA-512:	DF4DC1A0C2BC43419A0BC801E3FEFBF9850F1EBB3DA8A2748DB0AA0C9B0FD0EDD444AE1554720101EDAE0FCFB7579B5A003431C17EE08E0E13DE9F751633E8B5
Malicious:	false
URL:	https://telegram.org/css/telegram.css?242
Preview:	body {. font: 12px/18px "Lucida Grande", "Lucida Sans Unicode", Arial, Helvetica, Verdana, sans-serif;. /-webkit-font-smoothing: antialiased;/.}.html.native_fonts body {. font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";.}.html.lang_rtl {. direction: rtl;.}..body,.html.theme_dark body.bg_light {. --text-color: #000;. --second-text-color: #7d7f81;. --accent-btn-color: #2481cc;. --accent-color-hover: #1a8ad5;. --body-bg: #fff;. --box-bg: #fff;. --box-bg-blured: rgba(255, 255, 255, .84);. --tme-logo-color: #363b40;. --accent-link-color: #2481cc;.. --icon-verified: url('data:image/svg+xml,%3Csvg%20fill%3D%22none%22%20height%3D%2226%22%20viewBox%3D%220%200%2026%2026%22%20width%3D%2226%22%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%3Cpath%20d%3D%22m6%206h12v12h-12z%22%20fill%3D%22%23fff%22%2F%3E%3Cpath%20clip-rule%3D%22evenodd%22%20d%3D%22m14.38%201.51%201.82%

Chrome Cache Entry: 86

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (2979), with no line terminators
Category:	downloaded
Size (bytes):	2979
Entropy (8bit):	5.648534994584625
Encrypted:	false
SSDEEP:	48:UQEHvIUHtDAYabRP46xcOfRRlUOS3+/fmsghxLU7Suj5OQRSLfctS/6uMMWjfYA1:vaLJByxvS3o6U7PRPM0j
MD5:	2B89D34702716A8AD2CC3977718F53A3
SHA1:	04406EBD6A9E2CE79DBAC5E5048CFE1384E4574A
SHA-256:	2031E418EE10AF8110729B3F327B968462FC0A9D8D1DA095387BB472CCD0DEE6
SHA-512:	E6FBDA1E7D1E24C0DB5A724E4CD30C883CEB5D35DE1CC6AB8851C9B19E202024752E7E42AECC21002F9F9684EA98775F1EBE0EE8DA9BD7562DAC2FE171464242
Malicious:	false
URL:	https://telegram.org/js/tgwallpaper.min.js?3
Preview:	var TWallpaper=function(){function x(a){for(var b=[].concat(G);0<a;)b.push(b.shift()),a--;a=[];for(var c=0;c<b.length;c+=2)a.push(b[c]);return a}function B(a,b){b%=90;var c=x(a%p);if(b){var d=x(++a%p);return[{x:c[0].x+(d[0].x-c[0].x)/90b,y:c[0].y+(d[0].y-c[0].y)/90b},{x:c[1].x+(d[1].x-c[1].x)/90b,y:c[1].y+(d[1].y-c[1].y)/90b},{x:c[2].x+(d[2].x-c[2].x)/90b,y:c[2].y+(d[2].y-c[2].y)/90b},{x:c[3].x+(d[3].x-c[3].x)/90b,y:c[3].y+(d[3].y-c[3].y)/90b}]}return c}function H(a){for(l+=a;90<=l;)l-=90,g++,g>=p&&(g-=p);for(;0>l;)l+=90,g--,0>g&&(g+=p)}function I(a){C+=a.deltaY;D\|\|(requestAnimationFrame(P),D=!0)}function P(){var a=C/50;C%=50;if(a=0<a?Math.floor(a):Math.ceil(a))H(a),a=B(g,l),y(z(a));D=!1}function Q(){if(0<A.length){var a=A.shift();y(a)}else clearInterval(E)}function z(a){for(var b=f._hctx.createImageData(50,50),c=b.data,d=0,q=0;50>q;q++)for(var h=q/50-.5,F=hh,v=0;50>v;v++){var m=v/50-.5,e=.35Math.sqrt(mm+F);e=ee*6.4;var r=Math.sin(e),w=Math.cos(e);e=Math.max(0,Math.min(1,.5

Chrome Cache Entry: 87

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 11028, version 1.0
Category:	downloaded
Size (bytes):	11028
Entropy (8bit):	7.982077315529319
Encrypted:	false
SSDEEP:	192:4oijUxKA0B3BxJPeLrh00JWNhi5A5HWdZ6SfroKthzwbMcYfQKvwpFVX2T+:Nx4bexHAE6STltlwbMcovaET+
MD5:	1F6D3CF6D38F25D83D95F5A800B8CAC3
SHA1:	279F300CA2CBBDF9F5036EF2F438607FBF377DAA
SHA-256:	796DE064B8D80EBA7CCACB8BA67D77FDBCDF4B385C844645D452C24537B3108F
SHA-512:	716305F4D2582683B64C61B5E2390983579EA0FB33C936DD3EA8362872176625FBCB6F5AD18D2ABF85DA82D14C33A9640DFC5749922CB2FC079DDF37864F361F
Malicious:	false
URL:	https://telegram.org/fonts/Roboto/KFOmCnqEu92Fr1Mu4mxKKTU1Kg.woff2
Preview:	wOF2......+.......T(............................d..d..^.`.. ....\.r.....6.$.... ..t. ..EEF....(j....._'pr.X..C.....%I..=..#7fC....y./...z../.d\H...wN.........=.....!GF...uNG`Nd.".....~..a..`.)..R.!5jTH....i@.7TT,0iI;...kv..+.bR.%.3.....;I^..T.T.........4..tZ3.d..J.D5.w...ve...6...HI'%E..E{..G.l........]WY..M........Q.w<.....lu..A.p.v...e.NQ...'i...y...,.FK...=.r......{..].+.K...I.e...?.t...R...R...p....4T+.....!1....A.1...JE.....d./......,.......?..%.p.p..6..!..@..H........)....A3.1? .(`.....D..X.30..gl.b... v..;...u...1.9.......?@..(..@........x.g.L........g..jt..f.........x.....9vB..FM.;U.IS..wf.....O~.RP.,4.x..J./.j.......9h/.....6.....z.f..._..b..........z......r. .C.>j..@D.. :G.2.\|..z.^.[...7.....v9_=.$..G1..=c.dhz..Q,oP....*..[...f.b\.Z.aa....n.u...T..!'[..NC{.o.g.N..Y.F..a}...X..x2...q.X......P.{.n+..'G.o.b.N..6[;5..q..&.r...}k}.O.JVL).y.>..#..[.j.b.OV...[!...<.+.k.}..P..x...y...Q.....A.=.C....y.B+....2}\...f3...U.Sd?l.^7._}].G@..9R.

Chrome Cache Entry: 88

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	231706
Entropy (8bit):	4.593328315871064
Encrypted:	false
SSDEEP:	1536:XVU9J794HJ4E7mwNUiRPt5jmU7LxmMS2S1J7g8tEqcqMWKB5v:Xew7ePc
MD5:	D0C22C6A97023D85BA6E644A41C44A5D
SHA1:	4284EFB616C182DA4450C123174CE0E81A322845
SHA-256:	118ADD53487C02AAF5B5AB9F69380FA06717DEB10492E14AAA487E3C62806AD4
SHA-512:	DA96462F4F999BB65509D32E4D5D2E1FD74555CE78D43E5F80FC350155BCE59250337CD1796B17D2132F39429B5E3FD95D05101EE9F9B29BCE2BB7B44B6E4EB8
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>. Generator: Adobe Illustrator 27.0.1, SVG Export Plug-In . SVG Version: 6.00 Build 0) -->.<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px".. viewBox="0 0 1440 2960" style="enable-background:new 0 0 1440 2960;" xml:space="preserve">.<style type="text/css">...st0{fill:none;stroke:#000000;stroke-width:3;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:10;}...st1{fill:none;stroke:#000000;stroke-width:3;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:10.0001;}...st2{fill:none;stroke:#000000;stroke-width:2.9998;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:9.9995;}...st3{stroke:#000000;stroke-width:3;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:10;}...st4{fill:none;stroke:#000000;stroke-width:2.9999;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:9.9998;}...st5{fill:none;stroke:#000000;stroke-width:3.0001

Chrome Cache Entry: 89

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 11040, version 1.0
Category:	downloaded
Size (bytes):	11040
Entropy (8bit):	7.982229448383992
Encrypted:	false
SSDEEP:	192:4Q49xPa2JiaMac+2d26KTpwgLfdRVH8Hfyj+lGSdVtxejHgwPvuD14CBt/F8bxt:4QcNc+2w6eJcIoGSdVtxoHgU+1B8bxt
MD5:	5E22A46C04D947A36EA0CAD07AFCC9E1
SHA1:	6091D981C2A4EE975C7F6B56186EE698040BB804
SHA-256:	0F53E8B0A717CA4CE313EEC62B90D41DB62C2F4946259A65C93BF8E84C5B0C44
SHA-512:	3E2DCB20C7416160573EA7C7A17BF7250132C5203161B03AEAA3CF065E3CE609DA6D1B317D3739AAD7FC0C092C44CD0C4EA5657A63BFA530C66F9B0ECB9DAF15
Malicious:	false
URL:	https://telegram.org/fonts/Roboto/KFOlCnqEu92Fr1MmWUlfBBc4AMP6lQ.woff2
Preview:	wOF2......+ ......T.............................d.....^.`.. .... .!.....6.$.... ..~. ..E...l..a.[).r1J.(.....u.7...(U.r....=....2....h.F..j..P.).0...]~."Jk5$<...L..S...9s...Qs...y...;....-...~.....RJ0.......$j......1F.H....Pb.M(....(.m ..Y.....,..e.q.H.U.iW.D6'..6L..c.).#h...I...O^.T.m%...@....L..q.5`T=.Z.....mt...i.....:..T..P...!....Nnn^.[Q.......Q..^(.....0{xe.Lw..:..s..#................@{.........==.=I...>2`L..I..7!d.:H(. r..q....3.."......fMS.4...R.~..l...h8...r.(+.....<.is.p..:..A...$,.q>~.a.]..!.L~{.W...5...u~.......P..p..'D.8..).i. 88..!..h...........`.q......in.....p&............' ....;H...........v...:.4..S.T>...3m..j.g..i..#{N.......}un_..g/....8.(]..W..4<.G._."i..x...6.5....r50..j.)...NW...v...@Z.z.bj).k.........*....o..\..a.G.e..).[..[.q^...N).6}h.>u..2..,..G.i.....h.J.m^..N..o'.+..k..g.ro......z............Y=1.M..g.F.=...<P[..U..n@A....X....b.;.FZ{..3'...@d....X...8po.M.....-Y..0.T..:.E.W.8;DI...}........^...[.[.i..+QF..o....

Chrome Cache Entry: 90

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (2979), with no line terminators
Category:	dropped
Size (bytes):	2979
Entropy (8bit):	5.648534994584625
Encrypted:	false
SSDEEP:	48:UQEHvIUHtDAYabRP46xcOfRRlUOS3+/fmsghxLU7Suj5OQRSLfctS/6uMMWjfYA1:vaLJByxvS3o6U7PRPM0j
MD5:	2B89D34702716A8AD2CC3977718F53A3
SHA1:	04406EBD6A9E2CE79DBAC5E5048CFE1384E4574A
SHA-256:	2031E418EE10AF8110729B3F327B968462FC0A9D8D1DA095387BB472CCD0DEE6
SHA-512:	E6FBDA1E7D1E24C0DB5A724E4CD30C883CEB5D35DE1CC6AB8851C9B19E202024752E7E42AECC21002F9F9684EA98775F1EBE0EE8DA9BD7562DAC2FE171464242
Malicious:	false
Preview:	var TWallpaper=function(){function x(a){for(var b=[].concat(G);0<a;)b.push(b.shift()),a--;a=[];for(var c=0;c<b.length;c+=2)a.push(b[c]);return a}function B(a,b){b%=90;var c=x(a%p);if(b){var d=x(++a%p);return[{x:c[0].x+(d[0].x-c[0].x)/90b,y:c[0].y+(d[0].y-c[0].y)/90b},{x:c[1].x+(d[1].x-c[1].x)/90b,y:c[1].y+(d[1].y-c[1].y)/90b},{x:c[2].x+(d[2].x-c[2].x)/90b,y:c[2].y+(d[2].y-c[2].y)/90b},{x:c[3].x+(d[3].x-c[3].x)/90b,y:c[3].y+(d[3].y-c[3].y)/90b}]}return c}function H(a){for(l+=a;90<=l;)l-=90,g++,g>=p&&(g-=p);for(;0>l;)l+=90,g--,0>g&&(g+=p)}function I(a){C+=a.deltaY;D\|\|(requestAnimationFrame(P),D=!0)}function P(){var a=C/50;C%=50;if(a=0<a?Math.floor(a):Math.ceil(a))H(a),a=B(g,l),y(z(a));D=!1}function Q(){if(0<A.length){var a=A.shift();y(a)}else clearInterval(E)}function z(a){for(var b=f._hctx.createImageData(50,50),c=b.data,d=0,q=0;50>q;q++)for(var h=q/50-.5,F=hh,v=0;50>v;v++){var m=v/50-.5,e=.35Math.sqrt(mm+F);e=ee*6.4;var r=Math.sin(e),w=Math.cos(e);e=Math.max(0,Math.min(1,.5

Chrome Cache Entry: 91

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 6620, version 1.0
Category:	downloaded
Size (bytes):	6620
Entropy (8bit):	7.966076174558693
Encrypted:	false
SSDEEP:	192:vwXUbX8XhRIqNzLTduna/MDmRJca5Jjc8Dh:yXcqNDAna/JRJTJt
MD5:	376FFE2CA0B038D08D5E582EC13A310F
SHA1:	EC85284F360BADA79122B5DCA3088103C769CA8A
SHA-256:	2F662599CF4323A18B4F7DA381A998A8873C0277FFF2D866336F7EE943A102D6
SHA-512:	1AC85CEFC94039E2D11E25A2E289369E475558D93D1A9DCE8F9AB11E33DE5F37FFAA590B1E24F412D341D3D17501AE77C016A1EC4451EE42EB91D570862A25AD
Malicious:	false
URL:	https://telegram.org/fonts/Roboto/KFOlCnqEu92Fr1MmWUlfABc4AMP6lbBP.woff2
Preview:	wOF2..............4..............................j..z.6.`.......\.#.....6.$.... ..~. ..3....@<....'...7d......q4S.D)......a.....{...t....c.H.......`..lx/&..7Ghr.V.h.?kf.gv..#V..)"O.@..h}.M..:..~n.oAn0.D..5".d.cD.A..#:.a$i..Q...6F.O....v.#...W.@..../.G.. . ...\........h.....^.;j..rf..Z...64s.......v...{D.k..'...HbC....N....".{.s...U^..7Q..$........-5....J.K..Z...{<..........[.....=].uYi.RJ-...rI)..R....0a..6x(....h.s^QVq.....O...^..<...'"...<v;u.{,..@..<...01!.A..z. `...&L!.q..+W..aC....@a.....d..@...... .......loV.A.M...._4j...K..T!....@..........U..4......Z..rF..;.....X.;w.^z...o..8?....Zv .t..6...9oq[.v.l>.....<......."....{..\|_9H._.p....]....6..f.c.i.\.5....:v..-.r).]..T...w....W.!w....!.6K..e.[5..xZ;%7Vb..=Pv.3........Fm...h .[W..p.&W1.=k...y.#Yo.........&%e...z..T/.DU.B.M..}\....f..M.>.....(.r..P.-..t.......y@....5...}PM...Va.....K.."...AU7T....{VjS...^r.:Xmx..d.'.$..w.............../ ($,"*&....+)...9s..{...xE.z..._4F]CK[W....n....r.qG...

Chrome Cache Entry: 92

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 320x320, components 3
Category:	downloaded
Size (bytes):	24842
Entropy (8bit):	7.939984046854116
Encrypted:	false
SSDEEP:	384:AN29Mql1TxShG9boh4ZKlJ3Utbtzu9wnTxRWcKjQkIJL2SacHPYC5aWJ++M8Ol:q21l/T9boh4UlJ6agTWcfkYL2u1/hOl
MD5:	C5C5FC45D00AD36B48B8E7CD559A052D
SHA1:	B987E5CB371B55E55999A714738CC7B32E4EE810
SHA-256:	A4AC3315C0468E5C2CB17BF436D13048A0945BE4C06FA7158F7F4EE700406D5A
SHA-512:	7D69AA41A19E2AC15E6A46D87968CB415A89C503B0DB4A14960524132F38ED4D216054D3E51A1B8DB8BF954E4F00A349E030F4D956B013C2BBADE8A52508CF04
Malicious:	false
URL:	https://cdn4.cdn-telegram.org/file/s3vCUVV1oFSCO-dE5CqAY7IgPiKpdP2z8zxQN72D_TT9z56ahyE0msKqmuM_tk2PSEmQvnQwUvZb1H5LTpaO8JEmhF-5-DzRJn0IlgPUduazk5LN5P7paldIt115IoTuBIfpLYc9IcyeP_A6RfZJrgNinKpPj_KVprinZI2XeGxYV-Oc0kv7FigdkzDmuIUo82gNjtBCwxGg4jGao68ygfD4hQmU5yHjzaetNKqe2slF0f4nvrf0N7_9vCVoXLLhOJ2zVr1x-Jyq6PLsYys0HxH7NN2KH5LN_sO1jucDXW-MlsW7Iv6_BhYjfO3Mc2eDr_gKM9-O3DknTg7q8Q2omQ.jpg
Preview:	......JFIF.....`.`......ICC_PROFILE............@..mntrRGB XYZ ............acsp.......................................-Qt..................................................rXYZ........gXYZ........bXYZ........wtpt...,....cprt...@....rTRC...L... gTRC...L... bTRC...L... desc...l..._XYZ ......o...8.....XYZ ......b.........XYZ ......$.........XYZ .......O........text....N/A.para..........ff......Y.......[desc........sRGB..................................................................................C....................................................................C.......................................................................@.@.."..........................................D.........................!..1A..Qa"2q.....#BR...3br...$..4C%...Sc..................................8.......................!..1.A."Qa.2q.B.....#$R..%3r...............?...qV....1=.. ....F...j..;"...v.W.......f.1A.(P.A.(P.A.*..Z.....b._.(`zPA...P..8.f.w...!.x\|.....)]....n,qSO..A.p.IJ.-.E...1j.q..^.....

Chrome Cache Entry: 93

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	6166
Entropy (8bit):	5.4227704706263475
Encrypted:	false
SSDEEP:	192:KR6tGVFJ3qFl5p3AkmztIZa+XqtRcalH9:wTY7t8t
MD5:	C706681409217A14A24C7E2DEB8CF423
SHA1:	08B443FE5BC6A223A9DE08FB56282365B1D13857
SHA-256:	84B97B3FA8847B64C6D3833561E4B3146530577171E85AD226578A087DB70974
SHA-512:	2520A5417426CEA58972529B3776713958FF259CC8467EBAFBE291BD040E27195054C4133F4A9518D78DA38DDF4F7CDAC64DA0813DA33BBE707AD13AF5BAA7C1
Malicious:	false
URL:	https://telegram.org/css/font-roboto.css?1
Preview:	/* cyrillic-ext /.@font-face {. font-family: 'Roboto';. font-style: normal;. font-weight: 400;. font-display: swap;. src: url('../fonts/Roboto/KFOmCnqEu92Fr1Mu72xKKTU1Kvnz.woff2') format('woff2');. unicode-range: U+0460-052F, U+1C80-1C88, U+20B4, U+2DE0-2DFF, U+A640-A69F, U+FE2E-FE2F;.}./ cyrillic /.@font-face {. font-family: 'Roboto';. font-style: normal;. font-weight: 400;. font-display: swap;. src: url('../fonts/Roboto/KFOmCnqEu92Fr1Mu5mxKKTU1Kvnz.woff2') format('woff2');. unicode-range: U+0301, U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116;.}./ greek-ext /.@font-face {. font-family: 'Roboto';. font-style: normal;. font-weight: 400;. font-display: swap;. src: url('../fonts/Roboto/KFOmCnqEu92Fr1Mu7mxKKTU1Kvnz.woff2') format('woff2');. unicode-range: U+1F00-1FFF;.}./ greek */.@font-face {. font-family: 'Roboto';. font-style: normal;. font-weight: 400;. font-display: swap;. src: url('../fonts/Roboto/KFOmCnqEu92Fr1Mu4WxKKTU1Kvnz.woff2') format('woff2');. un

Static File Info

General

File type:	Unicode text, UTF-8 (with BOM) text, with very long lines (311)
Entropy (8bit):	5.5326732014991356
TrID:	Text - UTF-8 encoded (3003/1) 100.00%
File name:	5dFLJyS86S.ps1
File size:	64'883 bytes
MD5:	6ebd2fb6a88cb521599a78a195d811d2
SHA1:	0c8037f536b4d34681822c3441445db542df72b7
SHA256:	c721e2fbcea8e812a6af76f1201514e007e7387b82eb45d2bcc18f7d250c307c
SHA512:	00b626fbab253e9abb76cb8539b429b553e5155c906b1f677025b551e5fe6933ccd58a9f1c78cb34ccadff6d63cd0d109970509c455d38a820581e73e8640882
SSDEEP:	768:cKSL5ROmCGy1GR1r9mnkkYSr4eoB0IYUExaYWuyO3:ntaQn8VYUSNgO3
TLSH:	86538372748AD9DBB68DA02FF88DA7043D4B8AFF64D9E541F08C182C7FD94284D4539A
File Content Preview:	...# .......................... .............. ................ UTF-8.[Console]::OutputEncoding = [System.Text.Encoding]::UTF8..# .......................... .......... ........ ........ (.... ................ .. PowerShell 7+).if ($PSVersionTable.PSVersio

File Icon


Icon Hash:	3270d6baae77db44

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-09T08:39:15.465479+0100	1810000	Joe Security ANOMALY Windows PowerShell HTTP activity	2	192.168.2.5	49704	217.197.91.145	443	TCP
2025-01-09T08:39:15.531166+0100	1810003	Joe Security ANOMALY Windows PowerShell HTTP PE File Download	2	217.197.91.145	443	192.168.2.5	49704	TCP
2025-01-09T08:39:19.604519+0100	1810000	Joe Security ANOMALY Windows PowerShell HTTP activity	2	192.168.2.5	49705	217.197.91.145	443	TCP
2025-01-09T08:39:19.604519+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49705	217.197.91.145	443	TCP
2025-01-09T08:39:19.701432+0100	1810003	Joe Security ANOMALY Windows PowerShell HTTP PE File Download	2	217.197.91.145	443	192.168.2.5	49705	TCP
2025-01-09T08:39:24.125325+0100	1810000	Joe Security ANOMALY Windows PowerShell HTTP activity	2	192.168.2.5	49706	217.197.91.145	443	TCP
2025-01-09T08:39:24.125325+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49706	217.197.91.145	443	TCP
2025-01-09T08:39:24.130355+0100	1810003	Joe Security ANOMALY Windows PowerShell HTTP PE File Download	2	217.197.91.145	443	192.168.2.5	49706	TCP
2025-01-09T08:39:27.940142+0100	1810000	Joe Security ANOMALY Windows PowerShell HTTP activity	2	192.168.2.5	49714	217.197.91.145	443	TCP
2025-01-09T08:39:27.940142+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49714	217.197.91.145	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 08:39:04.713123083 CET	49674	443	192.168.2.5	23.1.237.91
Jan 9, 2025 08:39:04.728743076 CET	49675	443	192.168.2.5	23.1.237.91
Jan 9, 2025 08:39:04.869354010 CET	49673	443	192.168.2.5	23.1.237.91
Jan 9, 2025 08:39:14.322390079 CET	49674	443	192.168.2.5	23.1.237.91
Jan 9, 2025 08:39:14.338124990 CET	49675	443	192.168.2.5	23.1.237.91
Jan 9, 2025 08:39:14.478648901 CET	49673	443	192.168.2.5	23.1.237.91
Jan 9, 2025 08:39:14.491808891 CET	49704	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:14.491858006 CET	443	49704	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:14.491965055 CET	49704	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:14.504981995 CET	49704	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:14.505006075 CET	443	49704	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:15.152268887 CET	443	49704	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:15.152362108 CET	49704	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:15.158194065 CET	49704	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:15.158210993 CET	443	49704	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:15.158477068 CET	443	49704	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:15.171586990 CET	49704	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:15.215343952 CET	443	49704	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:15.465536118 CET	443	49704	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:15.465543985 CET	443	49704	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:15.465723991 CET	49704	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:15.465750933 CET	443	49704	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:15.465806007 CET	49704	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:15.531219006 CET	443	49704	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:15.531235933 CET	443	49704	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:15.531279087 CET	443	49704	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:15.531413078 CET	49704	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:15.531440973 CET	443	49704	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:15.531457901 CET	49704	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:15.531492949 CET	49704	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:15.532844067 CET	443	49704	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:15.532902956 CET	443	49704	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:15.532928944 CET	49704	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:15.532948971 CET	443	49704	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:15.532983065 CET	49704	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:15.532994032 CET	49704	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:15.621314049 CET	443	49704	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:15.621370077 CET	443	49704	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:15.621400118 CET	443	49704	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:15.621583939 CET	49704	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:15.630084991 CET	49704	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:16.124749899 CET	443	49703	23.1.237.91	192.168.2.5
Jan 9, 2025 08:39:16.124922037 CET	49703	443	192.168.2.5	23.1.237.91
Jan 9, 2025 08:39:18.651591063 CET	49705	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:18.651640892 CET	443	49705	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:18.651757002 CET	49705	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:18.652622938 CET	49705	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:18.652638912 CET	443	49705	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:19.300777912 CET	443	49705	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:19.306090117 CET	49705	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:19.306111097 CET	443	49705	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:19.604522943 CET	443	49705	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:19.604547977 CET	443	49705	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:19.604681969 CET	49705	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:19.604711056 CET	443	49705	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:19.604876041 CET	49705	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:19.701473951 CET	443	49705	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:19.701487064 CET	443	49705	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:19.701512098 CET	443	49705	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:19.701616049 CET	49705	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:19.701634884 CET	443	49705	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:19.701673031 CET	49705	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:19.701678038 CET	443	49705	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:19.701715946 CET	49705	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:19.703236103 CET	443	49705	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:19.703275919 CET	443	49705	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:19.703306913 CET	49705	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:19.703320980 CET	443	49705	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:19.703334093 CET	49705	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:19.703352928 CET	49705	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:19.797843933 CET	443	49705	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:19.797868013 CET	443	49705	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:19.797979116 CET	49705	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:19.797993898 CET	443	49705	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:19.798042059 CET	49705	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:19.799350977 CET	443	49705	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:19.799370050 CET	443	49705	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:19.799437046 CET	49705	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:19.799449921 CET	443	49705	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:19.799485922 CET	49705	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:19.800750971 CET	443	49705	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:19.800771952 CET	443	49705	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:19.800858974 CET	49705	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:19.800867081 CET	443	49705	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:19.800909996 CET	49705	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:19.801806927 CET	443	49705	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:19.801848888 CET	443	49705	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:19.801877022 CET	49705	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:19.801884890 CET	443	49705	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:19.801904917 CET	49705	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:19.801920891 CET	443	49705	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:19.801927090 CET	49705	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:19.801963091 CET	49705	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:19.874618053 CET	49705	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:22.901563883 CET	49706	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:22.901631117 CET	443	49706	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:22.901736975 CET	49706	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:22.903239965 CET	49706	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:22.903256893 CET	443	49706	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:23.553817987 CET	443	49706	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:23.555579901 CET	49706	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:23.555613041 CET	443	49706	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:24.125353098 CET	443	49706	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:24.125380039 CET	443	49706	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:24.125597954 CET	49706	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:24.125633001 CET	443	49706	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:24.125689983 CET	49706	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:24.130409002 CET	443	49706	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:24.130419016 CET	443	49706	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:24.130461931 CET	443	49706	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:24.130534887 CET	49706	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:24.130544901 CET	443	49706	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:24.130574942 CET	49706	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:24.130595922 CET	49706	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:24.131993055 CET	443	49706	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:24.132040024 CET	443	49706	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:24.132066965 CET	49706	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:24.132075071 CET	443	49706	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:24.132092953 CET	49706	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:24.132126093 CET	49706	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:24.135756969 CET	443	49706	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:24.135778904 CET	443	49706	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:24.135865927 CET	49706	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:24.135873079 CET	443	49706	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:24.135921955 CET	49706	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:24.137620926 CET	443	49706	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:24.137644053 CET	443	49706	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:24.137712002 CET	49706	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:24.137716055 CET	443	49706	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:24.137758017 CET	49706	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:24.137778044 CET	49706	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:24.140321970 CET	443	49706	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:24.140348911 CET	443	49706	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:24.140400887 CET	49706	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:24.140405893 CET	443	49706	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:24.140460014 CET	49706	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:24.141206980 CET	443	49706	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:24.141227961 CET	443	49706	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:24.141280890 CET	49706	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:24.141288042 CET	443	49706	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:24.141316891 CET	49706	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:24.141330004 CET	49706	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:24.147949934 CET	49706	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:24.154566050 CET	443	49706	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:24.154597044 CET	443	49706	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:24.154719114 CET	49706	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:24.154726028 CET	443	49706	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:24.154783964 CET	49706	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:24.155288935 CET	443	49706	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:24.155318975 CET	443	49706	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:24.155340910 CET	49706	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:24.155345917 CET	443	49706	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:24.155378103 CET	49706	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:24.155400038 CET	49706	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:24.155404091 CET	443	49706	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:24.155751944 CET	443	49706	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:24.155774117 CET	443	49706	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:24.155805111 CET	49706	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:24.155812025 CET	443	49706	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:24.155837059 CET	49706	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:24.156258106 CET	443	49706	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:24.156297922 CET	443	49706	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:24.156317949 CET	49706	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:24.156332016 CET	443	49706	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:24.156347990 CET	443	49706	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:24.156349897 CET	49706	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:24.156363964 CET	49706	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:24.156395912 CET	49706	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:24.164479971 CET	49706	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:24.303524017 CET	49706	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:26.442804098 CET	49707	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:26.442842007 CET	443	49707	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:26.442905903 CET	49707	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:26.451477051 CET	49707	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:26.451483011 CET	443	49707	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:26.995404005 CET	49714	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:26.995464087 CET	443	49714	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:26.995634079 CET	49714	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:27.002299070 CET	49714	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:27.002327919 CET	443	49714	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:27.072463989 CET	443	49707	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:27.072875977 CET	49707	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:27.072901011 CET	443	49707	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:27.073898077 CET	443	49707	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:27.073973894 CET	49707	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:27.090522051 CET	49707	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:27.090627909 CET	443	49707	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:27.092689037 CET	49707	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:27.092699051 CET	443	49707	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:27.134350061 CET	49707	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:27.334736109 CET	443	49707	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:27.334758997 CET	443	49707	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:27.334765911 CET	443	49707	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:27.334790945 CET	443	49707	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:27.334817886 CET	49707	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:27.334826946 CET	443	49707	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:27.334873915 CET	49707	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:27.339898109 CET	49707	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:27.339912891 CET	443	49707	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:27.510554075 CET	49718	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:27.510616064 CET	443	49718	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:27.510684967 CET	49718	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:27.511188984 CET	49719	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:27.511234045 CET	443	49719	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:27.511300087 CET	49719	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:27.511529922 CET	49720	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:27.511563063 CET	443	49720	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:27.511780977 CET	49720	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:27.511935949 CET	49721	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:27.511975050 CET	443	49721	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:27.512029886 CET	49721	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:27.512658119 CET	49722	443	192.168.2.5	34.111.35.152
Jan 9, 2025 08:39:27.512666941 CET	443	49722	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:27.512748957 CET	49722	443	192.168.2.5	34.111.35.152
Jan 9, 2025 08:39:27.513777971 CET	49718	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:27.513797045 CET	443	49718	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:27.514244080 CET	49719	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:27.514256001 CET	443	49719	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:27.514420033 CET	49720	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:27.514426947 CET	443	49720	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:27.514777899 CET	49721	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:27.514789104 CET	443	49721	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:27.514980078 CET	49722	443	192.168.2.5	34.111.35.152
Jan 9, 2025 08:39:27.514986038 CET	443	49722	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:27.640366077 CET	443	49714	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:27.648540974 CET	49714	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:27.648597002 CET	443	49714	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:27.940136909 CET	443	49714	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:27.940188885 CET	443	49714	217.197.91.145	192.168.2.5
Jan 9, 2025 08:39:27.940295935 CET	49714	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:27.981432915 CET	443	49722	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.030680895 CET	49722	443	192.168.2.5	34.111.35.152
Jan 9, 2025 08:39:28.035289049 CET	49722	443	192.168.2.5	34.111.35.152
Jan 9, 2025 08:39:28.035299063 CET	443	49722	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.036310911 CET	443	49722	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.036375046 CET	49722	443	192.168.2.5	34.111.35.152
Jan 9, 2025 08:39:28.052026987 CET	49722	443	192.168.2.5	34.111.35.152
Jan 9, 2025 08:39:28.052095890 CET	443	49722	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.052316904 CET	49722	443	192.168.2.5	34.111.35.152
Jan 9, 2025 08:39:28.052325010 CET	443	49722	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.131483078 CET	49722	443	192.168.2.5	34.111.35.152
Jan 9, 2025 08:39:28.137193918 CET	443	49720	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.139856100 CET	49720	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.139869928 CET	443	49720	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.139940977 CET	443	49719	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.140631914 CET	49719	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.140642881 CET	443	49719	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.140739918 CET	443	49720	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.140822887 CET	49720	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.141519070 CET	443	49719	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.141580105 CET	49719	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.147377014 CET	49720	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.147471905 CET	443	49720	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.149414062 CET	443	49722	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.149446011 CET	443	49722	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.149502993 CET	49722	443	192.168.2.5	34.111.35.152
Jan 9, 2025 08:39:28.149509907 CET	443	49722	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.149730921 CET	443	49722	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.149755955 CET	443	49722	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.149780989 CET	443	49722	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.149799109 CET	49722	443	192.168.2.5	34.111.35.152
Jan 9, 2025 08:39:28.149806023 CET	443	49722	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.149827957 CET	49722	443	192.168.2.5	34.111.35.152
Jan 9, 2025 08:39:28.150600910 CET	443	49722	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.150625944 CET	443	49722	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.150666952 CET	443	49722	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.150669098 CET	49722	443	192.168.2.5	34.111.35.152
Jan 9, 2025 08:39:28.150676966 CET	443	49722	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.150733948 CET	49722	443	192.168.2.5	34.111.35.152
Jan 9, 2025 08:39:28.150738955 CET	443	49722	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.150866985 CET	49722	443	192.168.2.5	34.111.35.152
Jan 9, 2025 08:39:28.151542902 CET	49720	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.151563883 CET	443	49720	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.151875973 CET	443	49721	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.151920080 CET	49719	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.151971102 CET	443	49719	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.152436018 CET	49721	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.152462006 CET	443	49721	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.152967930 CET	49719	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.152978897 CET	443	49719	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.153335094 CET	443	49721	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.153414965 CET	49721	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.154191017 CET	443	49722	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.154444933 CET	49721	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.154505968 CET	443	49721	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.155919075 CET	49721	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.155927896 CET	443	49721	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.157118082 CET	443	49718	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.157393932 CET	49718	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.157419920 CET	443	49718	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.158278942 CET	443	49718	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.158334017 CET	49718	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.158628941 CET	49718	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.158684015 CET	443	49718	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.158900976 CET	49718	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.158910990 CET	443	49718	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.231827021 CET	49714	443	192.168.2.5	217.197.91.145
Jan 9, 2025 08:39:28.237965107 CET	443	49722	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.238039970 CET	49722	443	192.168.2.5	34.111.35.152
Jan 9, 2025 08:39:28.238049984 CET	443	49722	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.238148928 CET	443	49722	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.238246918 CET	49722	443	192.168.2.5	34.111.35.152
Jan 9, 2025 08:39:28.238251925 CET	443	49722	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.238312006 CET	443	49722	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.238327980 CET	443	49722	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.238368988 CET	49722	443	192.168.2.5	34.111.35.152
Jan 9, 2025 08:39:28.238373995 CET	443	49722	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.238416910 CET	49722	443	192.168.2.5	34.111.35.152
Jan 9, 2025 08:39:28.238568068 CET	443	49722	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.238604069 CET	443	49722	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.238651991 CET	49722	443	192.168.2.5	34.111.35.152
Jan 9, 2025 08:39:28.241029978 CET	49722	443	192.168.2.5	34.111.35.152
Jan 9, 2025 08:39:28.241044998 CET	443	49722	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.255047083 CET	49719	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.255253077 CET	49721	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.258218050 CET	49725	443	192.168.2.5	34.111.35.152
Jan 9, 2025 08:39:28.258251905 CET	443	49725	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.258307934 CET	49725	443	192.168.2.5	34.111.35.152
Jan 9, 2025 08:39:28.258559942 CET	49725	443	192.168.2.5	34.111.35.152
Jan 9, 2025 08:39:28.258573055 CET	443	49725	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.270286083 CET	49720	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.270294905 CET	49718	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.392891884 CET	443	49720	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.392920017 CET	443	49720	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.392925978 CET	443	49720	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.392972946 CET	49720	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.392981052 CET	443	49720	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.393003941 CET	443	49720	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.393013000 CET	49720	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.393047094 CET	49720	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.401477098 CET	49720	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.401485920 CET	443	49720	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.416151047 CET	443	49718	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.416172981 CET	443	49718	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.416224957 CET	49718	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.416265965 CET	443	49718	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.416305065 CET	49718	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.416609049 CET	443	49718	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.416646004 CET	443	49718	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.416731119 CET	49718	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.417480946 CET	49718	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.417496920 CET	443	49718	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.444153070 CET	49727	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.444183111 CET	443	49727	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.444245100 CET	49727	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.444555998 CET	49727	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.444566965 CET	443	49727	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.450931072 CET	443	49719	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.450948954 CET	443	49719	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.450954914 CET	443	49719	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.450983047 CET	443	49719	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.450999022 CET	443	49719	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.451008081 CET	443	49719	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.451050043 CET	49719	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.451071024 CET	443	49719	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.451097012 CET	49719	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.451123953 CET	49719	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.461800098 CET	443	49721	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.461822987 CET	443	49721	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.461837053 CET	443	49721	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.461849928 CET	443	49721	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.461857080 CET	443	49721	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.461858988 CET	443	49721	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.461886883 CET	49721	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.461900949 CET	443	49721	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.461955070 CET	49721	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.461955070 CET	49721	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.486733913 CET	443	49719	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.486741066 CET	443	49719	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.486780882 CET	443	49719	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.486793041 CET	443	49719	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.486798048 CET	49719	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.486813068 CET	443	49719	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.486884117 CET	49719	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.486884117 CET	49719	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.488392115 CET	443	49719	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.488472939 CET	49719	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.488473892 CET	443	49719	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.488518000 CET	49719	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.491030931 CET	49719	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.491041899 CET	443	49719	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.544609070 CET	443	49721	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.544621944 CET	443	49721	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.544646978 CET	443	49721	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.544697046 CET	49721	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.544718027 CET	443	49721	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.544790983 CET	49721	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.544807911 CET	49721	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.546997070 CET	443	49721	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.547017097 CET	443	49721	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.547095060 CET	49721	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.547102928 CET	443	49721	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.547171116 CET	49721	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.636581898 CET	443	49721	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.636598110 CET	443	49721	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.636691093 CET	49721	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.636707067 CET	443	49721	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.636780977 CET	49721	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.637681007 CET	443	49721	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.637695074 CET	443	49721	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.637763023 CET	49721	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.637772083 CET	443	49721	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.637813091 CET	49721	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.638752937 CET	443	49721	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.638767958 CET	443	49721	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.638834000 CET	49721	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.638842106 CET	443	49721	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.638900995 CET	49721	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.646573067 CET	443	49721	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.646586895 CET	443	49721	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.646615028 CET	443	49721	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.646652937 CET	49721	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.646667957 CET	443	49721	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.646682024 CET	49721	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.646683931 CET	443	49721	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.646734953 CET	49721	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.740818977 CET	443	49725	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.777915001 CET	49725	443	192.168.2.5	34.111.35.152
Jan 9, 2025 08:39:28.777929068 CET	443	49725	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.779501915 CET	443	49725	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.779566050 CET	49725	443	192.168.2.5	34.111.35.152
Jan 9, 2025 08:39:28.783638954 CET	49725	443	192.168.2.5	34.111.35.152
Jan 9, 2025 08:39:28.783724070 CET	443	49725	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.784173012 CET	49721	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.784209967 CET	443	49721	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.823296070 CET	49725	443	192.168.2.5	34.111.35.152
Jan 9, 2025 08:39:28.823302984 CET	443	49725	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.851613998 CET	49728	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.851639986 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.851732969 CET	49728	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.853300095 CET	49728	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:28.853311062 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:28.923295021 CET	49725	443	192.168.2.5	34.111.35.152
Jan 9, 2025 08:39:28.924443960 CET	443	49725	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.924511909 CET	443	49725	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.924550056 CET	443	49725	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.924583912 CET	49725	443	192.168.2.5	34.111.35.152
Jan 9, 2025 08:39:28.924591064 CET	443	49725	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.925020933 CET	443	49725	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.925074100 CET	49725	443	192.168.2.5	34.111.35.152
Jan 9, 2025 08:39:28.925079107 CET	443	49725	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.925117970 CET	443	49725	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.925122976 CET	49725	443	192.168.2.5	34.111.35.152
Jan 9, 2025 08:39:28.925129890 CET	443	49725	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.925170898 CET	49725	443	192.168.2.5	34.111.35.152
Jan 9, 2025 08:39:28.925174952 CET	443	49725	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.925756931 CET	443	49725	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.925813913 CET	49725	443	192.168.2.5	34.111.35.152
Jan 9, 2025 08:39:28.925817966 CET	443	49725	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.929250002 CET	443	49725	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.929281950 CET	443	49725	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.929358006 CET	49725	443	192.168.2.5	34.111.35.152
Jan 9, 2025 08:39:28.929363966 CET	443	49725	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:28.930605888 CET	49725	443	192.168.2.5	34.111.35.152
Jan 9, 2025 08:39:29.016904116 CET	443	49725	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:29.016988039 CET	443	49725	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:29.017028093 CET	443	49725	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:29.017045021 CET	49725	443	192.168.2.5	34.111.35.152
Jan 9, 2025 08:39:29.017059088 CET	443	49725	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:29.017098904 CET	49725	443	192.168.2.5	34.111.35.152
Jan 9, 2025 08:39:29.017108917 CET	443	49725	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:29.017178059 CET	443	49725	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:29.017225981 CET	49725	443	192.168.2.5	34.111.35.152
Jan 9, 2025 08:39:29.065352917 CET	49729	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.065403938 CET	443	49729	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.065567017 CET	49729	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.072320938 CET	49730	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.072340012 CET	443	49730	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.072613955 CET	49730	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.074018955 CET	49731	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.074078083 CET	443	49731	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.074135065 CET	49731	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.075481892 CET	49729	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.075514078 CET	443	49729	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.076289892 CET	49730	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.076298952 CET	443	49730	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.076913118 CET	49731	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.076936007 CET	443	49731	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.077079058 CET	443	49727	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.077501059 CET	49727	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.077508926 CET	443	49727	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.078485966 CET	443	49727	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.078561068 CET	49727	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.080951929 CET	49727	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.081005096 CET	443	49727	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.084183931 CET	49732	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.084228039 CET	443	49732	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.084294081 CET	49732	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.084434986 CET	49727	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.084440947 CET	443	49727	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.084610939 CET	49732	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.084628105 CET	443	49732	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.095442057 CET	49725	443	192.168.2.5	34.111.35.152
Jan 9, 2025 08:39:29.095459938 CET	443	49725	34.111.35.152	192.168.2.5
Jan 9, 2025 08:39:29.132627010 CET	49727	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.330224037 CET	443	49727	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.330246925 CET	443	49727	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.330310106 CET	443	49727	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.330310106 CET	49727	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.330358028 CET	49727	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.338545084 CET	49727	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.338561058 CET	443	49727	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.480081081 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.481141090 CET	49728	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.481153011 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.481502056 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.481906891 CET	49728	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.481993914 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.482089043 CET	49728	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.523327112 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.681957006 CET	443	49731	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.683005095 CET	443	49730	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.684998035 CET	49731	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.685024977 CET	443	49731	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.685297966 CET	49730	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.685312033 CET	443	49730	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.686074018 CET	443	49731	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.686146021 CET	49731	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.686323881 CET	443	49730	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.686382055 CET	49730	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.687589884 CET	443	49729	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.688735008 CET	443	49732	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.690002918 CET	49731	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.690087080 CET	443	49731	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.690300941 CET	49730	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.690361023 CET	443	49730	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.690433025 CET	49729	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.690444946 CET	443	49729	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.690541029 CET	49732	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.690562963 CET	443	49732	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.690752029 CET	49731	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.690761089 CET	443	49731	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.690805912 CET	49730	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.690813065 CET	443	49730	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.691543102 CET	443	49732	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.691665888 CET	49732	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.691920996 CET	443	49729	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.691983938 CET	49729	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.701462984 CET	49729	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.701554060 CET	443	49729	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.701931953 CET	49732	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.702004910 CET	443	49732	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.702193975 CET	49729	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.702214956 CET	443	49729	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.702308893 CET	49732	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.702326059 CET	443	49732	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.755321980 CET	49732	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.755332947 CET	49731	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.755332947 CET	49729	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.784208059 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.784231901 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.784241915 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.784559011 CET	49728	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.784581900 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.784631014 CET	49728	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.825018883 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.825040102 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.825104952 CET	49728	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.825114012 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.826282024 CET	49703	443	192.168.2.5	23.1.237.91
Jan 9, 2025 08:39:29.826423883 CET	49703	443	192.168.2.5	23.1.237.91
Jan 9, 2025 08:39:29.827023029 CET	49740	443	192.168.2.5	23.1.237.91
Jan 9, 2025 08:39:29.827058077 CET	443	49740	23.1.237.91	192.168.2.5
Jan 9, 2025 08:39:29.827331066 CET	49740	443	192.168.2.5	23.1.237.91
Jan 9, 2025 08:39:29.827716112 CET	49740	443	192.168.2.5	23.1.237.91
Jan 9, 2025 08:39:29.827727079 CET	443	49740	23.1.237.91	192.168.2.5
Jan 9, 2025 08:39:29.832320929 CET	443	49703	23.1.237.91	192.168.2.5
Jan 9, 2025 08:39:29.832490921 CET	443	49703	23.1.237.91	192.168.2.5
Jan 9, 2025 08:39:29.834669113 CET	49730	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.862977028 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.863001108 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.863051891 CET	49728	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.863061905 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.863121033 CET	49728	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.912781954 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.912800074 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.912894964 CET	49728	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.912905931 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.914525986 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.914547920 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.914592981 CET	49728	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.914598942 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.914659977 CET	49728	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.916384935 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.916399956 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.916511059 CET	49728	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.916517973 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.930928946 CET	443	49730	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.930959940 CET	443	49730	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.930967093 CET	443	49730	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.930982113 CET	443	49730	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.930989981 CET	443	49730	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.931024075 CET	49730	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.931031942 CET	443	49730	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.931041956 CET	443	49730	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.931077957 CET	49730	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.931107044 CET	49730	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.931946993 CET	49730	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.931962013 CET	443	49730	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.933048010 CET	443	49731	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.933070898 CET	443	49731	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.933077097 CET	443	49731	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.933089972 CET	443	49731	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.933099985 CET	443	49731	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.933156013 CET	443	49731	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.933167934 CET	49731	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.933202028 CET	49731	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.936144114 CET	443	49732	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.936167955 CET	443	49732	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.936175108 CET	443	49732	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.936223030 CET	443	49732	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.936256886 CET	49732	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.936256886 CET	49732	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.936316967 CET	49731	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.936336040 CET	443	49731	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.938831091 CET	49732	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.938858986 CET	443	49732	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.952363014 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.952385902 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.952434063 CET	49728	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.952445984 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.952493906 CET	49728	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.961849928 CET	443	49729	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.961879969 CET	443	49729	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.961889029 CET	443	49729	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.961931944 CET	443	49729	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:29.961941004 CET	49729	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.961982965 CET	49729	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.962568998 CET	49729	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:29.962582111 CET	443	49729	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:30.004019976 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:30.004035950 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:30.004131079 CET	49728	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:30.004138947 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:30.004436970 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:30.004458904 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:30.004515886 CET	49728	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:30.004523039 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:30.004550934 CET	49728	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:30.005394936 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:30.005409956 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:30.005455017 CET	49728	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:30.005460978 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:30.005486965 CET	49728	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:30.006256104 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:30.006278038 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:30.006311893 CET	49728	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:30.006318092 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:30.006356001 CET	49728	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:30.007628918 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:30.007643938 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:30.007702112 CET	49728	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:30.007708073 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:30.008179903 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:30.008202076 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:30.008236885 CET	49728	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:30.008243084 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:30.008266926 CET	49728	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:30.042999029 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:30.043015957 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:30.043060064 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:30.043065071 CET	49728	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:30.043075085 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:30.043129921 CET	49728	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:30.043132067 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:30.043220997 CET	49728	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:30.043741941 CET	49728	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:30.043752909 CET	443	49728	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:30.043998003 CET	49740	443	192.168.2.5	23.1.237.91
Jan 9, 2025 08:39:30.048876047 CET	49741	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:30.048913002 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:30.048965931 CET	49741	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:30.049233913 CET	49741	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:30.049245119 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:30.665062904 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:30.678404093 CET	49741	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:30.678436041 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:30.678814888 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:30.681575060 CET	49741	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:30.681637049 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:30.682041883 CET	49741	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:30.693089008 CET	49748	443	192.168.2.5	142.250.186.68
Jan 9, 2025 08:39:30.693130016 CET	443	49748	142.250.186.68	192.168.2.5
Jan 9, 2025 08:39:30.693185091 CET	49748	443	192.168.2.5	142.250.186.68
Jan 9, 2025 08:39:30.697058916 CET	49748	443	192.168.2.5	142.250.186.68
Jan 9, 2025 08:39:30.697071075 CET	443	49748	142.250.186.68	192.168.2.5
Jan 9, 2025 08:39:30.727319956 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:30.969588041 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:30.969614983 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:30.969630957 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:30.969662905 CET	49741	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:30.969674110 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:30.969726086 CET	49741	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:31.013578892 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:31.013602972 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:31.013641119 CET	49741	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:31.013649940 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:31.013689995 CET	49741	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:31.016119003 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:31.016134977 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:31.016190052 CET	49741	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:31.016196012 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:31.102494955 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:31.102516890 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:31.102556944 CET	49741	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:31.102566004 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:31.102607012 CET	49741	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:31.103816032 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:31.103823900 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:31.103843927 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:31.103873014 CET	49741	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:31.103877068 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:31.103915930 CET	49741	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:31.104903936 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:31.104922056 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:31.104976892 CET	49741	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:31.104981899 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:31.146568060 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:31.146589041 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:31.146647930 CET	49741	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:31.146656036 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:31.191308975 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:31.191334009 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:31.191359997 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:31.191375971 CET	49741	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:31.191384077 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:31.191426039 CET	49741	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:31.192222118 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:31.192229033 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:31.192246914 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:31.192275047 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:31.192281961 CET	49741	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:31.192286015 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:31.192310095 CET	49741	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:31.192329884 CET	49741	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:31.192714930 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:31.192729950 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:31.192768097 CET	49741	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:31.192775011 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:31.192796946 CET	49741	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:31.235188007 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:31.235208988 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:31.235240936 CET	49741	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:31.235246897 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:31.235289097 CET	49741	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:31.279745102 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:31.279758930 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:31.279782057 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:31.279808044 CET	49741	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:31.279813051 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:31.279876947 CET	49741	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:31.280196905 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:31.280213118 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:31.280253887 CET	49741	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:31.280258894 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:31.280281067 CET	49741	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:31.280891895 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:31.280914068 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:31.280946016 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:31.280958891 CET	49741	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:31.280965090 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:31.281012058 CET	49741	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:31.281022072 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:31.281066895 CET	49741	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:31.281318903 CET	49741	443	192.168.2.5	149.154.167.99
Jan 9, 2025 08:39:31.281328917 CET	443	49741	149.154.167.99	192.168.2.5
Jan 9, 2025 08:39:31.339227915 CET	443	49748	142.250.186.68	192.168.2.5
Jan 9, 2025 08:39:31.339446068 CET	49748	443	192.168.2.5	142.250.186.68
Jan 9, 2025 08:39:31.339484930 CET	443	49748	142.250.186.68	192.168.2.5
Jan 9, 2025 08:39:31.340425014 CET	443	49748	142.250.186.68	192.168.2.5
Jan 9, 2025 08:39:31.340500116 CET	49748	443	192.168.2.5	142.250.186.68
Jan 9, 2025 08:39:31.341954947 CET	49748	443	192.168.2.5	142.250.186.68
Jan 9, 2025 08:39:31.342012882 CET	443	49748	142.250.186.68	192.168.2.5
Jan 9, 2025 08:39:31.458352089 CET	49748	443	192.168.2.5	142.250.186.68
Jan 9, 2025 08:39:31.458379984 CET	443	49748	142.250.186.68	192.168.2.5
Jan 9, 2025 08:39:31.644872904 CET	49748	443	192.168.2.5	142.250.186.68
Jan 9, 2025 08:39:41.259376049 CET	443	49748	142.250.186.68	192.168.2.5
Jan 9, 2025 08:39:41.259440899 CET	443	49748	142.250.186.68	192.168.2.5
Jan 9, 2025 08:39:41.259514093 CET	49748	443	192.168.2.5	142.250.186.68
Jan 9, 2025 08:39:43.226993084 CET	49748	443	192.168.2.5	142.250.186.68
Jan 9, 2025 08:39:43.227032900 CET	443	49748	142.250.186.68	192.168.2.5
Jan 9, 2025 08:40:30.693075895 CET	50009	443	192.168.2.5	142.250.186.68
Jan 9, 2025 08:40:30.693131924 CET	443	50009	142.250.186.68	192.168.2.5
Jan 9, 2025 08:40:30.693211079 CET	50009	443	192.168.2.5	142.250.186.68
Jan 9, 2025 08:40:30.693511963 CET	50009	443	192.168.2.5	142.250.186.68
Jan 9, 2025 08:40:30.693522930 CET	443	50009	142.250.186.68	192.168.2.5
Jan 9, 2025 08:40:31.333940029 CET	443	50009	142.250.186.68	192.168.2.5
Jan 9, 2025 08:40:31.375523090 CET	50009	443	192.168.2.5	142.250.186.68
Jan 9, 2025 08:40:31.375608921 CET	443	50009	142.250.186.68	192.168.2.5
Jan 9, 2025 08:40:31.376255035 CET	443	50009	142.250.186.68	192.168.2.5
Jan 9, 2025 08:40:31.376735926 CET	50009	443	192.168.2.5	142.250.186.68
Jan 9, 2025 08:40:31.376822948 CET	443	50009	142.250.186.68	192.168.2.5
Jan 9, 2025 08:40:31.420849085 CET	50009	443	192.168.2.5	142.250.186.68
Jan 9, 2025 08:40:41.252289057 CET	443	50009	142.250.186.68	192.168.2.5
Jan 9, 2025 08:40:41.252373934 CET	443	50009	142.250.186.68	192.168.2.5
Jan 9, 2025 08:40:41.252443075 CET	50009	443	192.168.2.5	142.250.186.68
Jan 9, 2025 08:40:43.225933075 CET	50009	443	192.168.2.5	142.250.186.68
Jan 9, 2025 08:40:43.225971937 CET	443	50009	142.250.186.68	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 08:39:14.472127914 CET	62397	53	192.168.2.5	1.1.1.1
Jan 9, 2025 08:39:14.479362011 CET	53	62397	1.1.1.1	192.168.2.5
Jan 9, 2025 08:39:26.424627066 CET	62241	53	192.168.2.5	1.1.1.1
Jan 9, 2025 08:39:26.424863100 CET	49325	53	192.168.2.5	1.1.1.1
Jan 9, 2025 08:39:26.431298018 CET	53	52880	1.1.1.1	192.168.2.5
Jan 9, 2025 08:39:26.431318045 CET	53	62241	1.1.1.1	192.168.2.5
Jan 9, 2025 08:39:26.431385040 CET	53	49325	1.1.1.1	192.168.2.5
Jan 9, 2025 08:39:26.455945015 CET	53	55573	1.1.1.1	192.168.2.5
Jan 9, 2025 08:39:27.464432955 CET	52307	53	192.168.2.5	1.1.1.1
Jan 9, 2025 08:39:27.464931011 CET	59004	53	192.168.2.5	1.1.1.1
Jan 9, 2025 08:39:27.466016054 CET	62825	53	192.168.2.5	1.1.1.1
Jan 9, 2025 08:39:27.467816114 CET	53669	53	192.168.2.5	1.1.1.1
Jan 9, 2025 08:39:27.470992088 CET	53	52307	1.1.1.1	192.168.2.5
Jan 9, 2025 08:39:27.471424103 CET	53	59004	1.1.1.1	192.168.2.5
Jan 9, 2025 08:39:27.474303961 CET	53	62825	1.1.1.1	192.168.2.5
Jan 9, 2025 08:39:27.474822044 CET	53	53669	1.1.1.1	192.168.2.5
Jan 9, 2025 08:39:27.581336975 CET	53	60994	1.1.1.1	192.168.2.5
Jan 9, 2025 08:39:28.250355959 CET	57951	53	192.168.2.5	1.1.1.1
Jan 9, 2025 08:39:28.250514030 CET	49170	53	192.168.2.5	1.1.1.1
Jan 9, 2025 08:39:28.256927967 CET	53	57951	1.1.1.1	192.168.2.5
Jan 9, 2025 08:39:28.257496119 CET	53	49170	1.1.1.1	192.168.2.5
Jan 9, 2025 08:39:28.424283981 CET	60196	53	192.168.2.5	1.1.1.1
Jan 9, 2025 08:39:28.424515009 CET	49188	53	192.168.2.5	1.1.1.1
Jan 9, 2025 08:39:28.430908918 CET	53	60196	1.1.1.1	192.168.2.5
Jan 9, 2025 08:39:28.431483030 CET	53	49188	1.1.1.1	192.168.2.5
Jan 9, 2025 08:39:30.681298018 CET	56588	53	192.168.2.5	1.1.1.1
Jan 9, 2025 08:39:30.681298018 CET	51458	53	192.168.2.5	1.1.1.1
Jan 9, 2025 08:39:30.687832117 CET	53	56588	1.1.1.1	192.168.2.5
Jan 9, 2025 08:39:30.688302994 CET	53	51458	1.1.1.1	192.168.2.5
Jan 9, 2025 08:39:44.652196884 CET	53	60581	1.1.1.1	192.168.2.5
Jan 9, 2025 08:40:03.535723925 CET	53	60285	1.1.1.1	192.168.2.5
Jan 9, 2025 08:40:25.892921925 CET	53	55949	1.1.1.1	192.168.2.5
Jan 9, 2025 08:40:26.357244015 CET	53	55515	1.1.1.1	192.168.2.5
Jan 9, 2025 08:40:57.672768116 CET	53	65138	1.1.1.1	192.168.2.5
Jan 9, 2025 08:41:43.031747103 CET	53	58924	1.1.1.1	192.168.2.5
Jan 9, 2025 08:42:55.139978886 CET	138	138	192.168.2.5	192.168.2.255
Jan 9, 2025 08:42:56.477194071 CET	53	56496	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 9, 2025 08:39:14.472127914 CET	192.168.2.5	1.1.1.1	0x5bef	Standard query (0)	codeberg.org	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:39:26.424627066 CET	192.168.2.5	1.1.1.1	0x8f3f	Standard query (0)	t.me	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:39:26.424863100 CET	192.168.2.5	1.1.1.1	0x5000	Standard query (0)	t.me	65	IN (0x0001)	false
Jan 9, 2025 08:39:27.464432955 CET	192.168.2.5	1.1.1.1	0x7e0b	Standard query (0)	telegram.org	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:39:27.464931011 CET	192.168.2.5	1.1.1.1	0xc0f9	Standard query (0)	telegram.org	65	IN (0x0001)	false
Jan 9, 2025 08:39:27.466016054 CET	192.168.2.5	1.1.1.1	0x6070	Standard query (0)	cdn4.cdn-telegram.org	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:39:27.467816114 CET	192.168.2.5	1.1.1.1	0x278e	Standard query (0)	cdn4.cdn-telegram.org	65	IN (0x0001)	false
Jan 9, 2025 08:39:28.250355959 CET	192.168.2.5	1.1.1.1	0xbb81	Standard query (0)	cdn4.cdn-telegram.org	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:39:28.250514030 CET	192.168.2.5	1.1.1.1	0x3bf1	Standard query (0)	cdn4.cdn-telegram.org	65	IN (0x0001)	false
Jan 9, 2025 08:39:28.424283981 CET	192.168.2.5	1.1.1.1	0x1bdb	Standard query (0)	telegram.org	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:39:28.424515009 CET	192.168.2.5	1.1.1.1	0x6e65	Standard query (0)	telegram.org	65	IN (0x0001)	false
Jan 9, 2025 08:39:30.681298018 CET	192.168.2.5	1.1.1.1	0x671b	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:39:30.681298018 CET	192.168.2.5	1.1.1.1	0x3663	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 9, 2025 08:39:14.479362011 CET	1.1.1.1	192.168.2.5	0x5bef	No error (0)	codeberg.org	217.197.91.145	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:39:26.431318045 CET	1.1.1.1	192.168.2.5	0x8f3f	No error (0)	t.me	149.154.167.99	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:39:27.470992088 CET	1.1.1.1	192.168.2.5	0x7e0b	No error (0)	telegram.org	149.154.167.99	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:39:27.474303961 CET	1.1.1.1	192.168.2.5	0x6070	No error (0)	cdn4.cdn-telegram.org	34.111.35.152	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:39:28.256927967 CET	1.1.1.1	192.168.2.5	0xbb81	No error (0)	cdn4.cdn-telegram.org	34.111.35.152	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:39:28.430908918 CET	1.1.1.1	192.168.2.5	0x1bdb	No error (0)	telegram.org	149.154.167.99	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:39:30.687832117 CET	1.1.1.1	192.168.2.5	0x671b	No error (0)	www.google.com	142.250.186.68	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:39:30.688302994 CET	1.1.1.1	192.168.2.5	0x3663	No error (0)	www.google.com		65	IN (0x0001)	false

HTTP Request Dependency Graph

codeberg.org

t.me

https:

cdn4.cdn-telegram.org

telegram.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	217.197.91.145	443	1776	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 07:39:15 UTC	205	OUT	GET /censorliber/zapret/raw/branch/main/WinDivert.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: codeberg.org Connection: Keep-Alive
2025-01-09 07:39:15 UTC	841	IN	HTTP/1.1 200 OK access-control-expose-headers: Content-Disposition cache-control: private, max-age=300 content-disposition: inline; filename="WinDivert.dll"; filename*=UTF-8''WinDivert.dll content-length: 47616 content-type: application/octet-stream etag: "0662bb8978432b3ba96bc51e5f1f3ddf04efef23" last-modified: Mon, 06 Jan 2025 21:19:57 GMT set-cookie: i_like_gitea=b53e8564122f2ef2; Path=/; HttpOnly; Secure; SameSite=Lax; Secure; SameSite=Lax set-cookie: _csrf=N5A_VcZ_DzL8BKlOXb-rAhL4GR46MTczNjQwODM1NTMyMTkwMDIyOA; Path=/; Max-Age=86400; HttpOnly; Secure; SameSite=Lax; Secure; SameSite=Lax date: Thu, 09 Jan 2025 07:39:15 GMT strict-transport-security: max-age=63072000; includeSubDomains; preload permissions-policy: interest-cohort=() x-frame-options: sameorigin x-content-type-options: nosniff connection: close
2025-01-09 07:39:15 UTC	3431	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 09 00 c0 af d0 af 00 00 00 00 00 00 00 00 f0 00 2e 22 0b 02 02 1a 00 7a 00 00 00 3c 00 00 00 02 00 00 08 7b 00 00 00 10 00 00 00 00 80 62 00 00 00 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 05 00 02 00 00 00 00 00 00 30 01 00 00 04 00 00 86 07 01 00 03 00 00 00 00 00 20 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEd."z<{b0
2025-01-09 07:39:15 UTC	16320	IN	Data Raw: 8b 1c c7 48 85 db 75 07 31 d2 e9 83 00 00 00 44 0f b7 43 1c 48 89 fa 66 44 3b 43 1e 75 0a 48 83 c4 28 5b 5e 5f 5d eb a6 e8 a1 ff ff ff 44 0f b7 43 1e 48 89 c5 48 89 fa 48 89 f1 e8 8e ff ff ff 48 85 ed 48 89 c7 74 c0 48 85 c0 74 bb 80 7d 18 45 75 09 80 78 18 46 48 89 da 74 36 ba 08 00 00 00 41 b8 20 00 00 00 48 89 f1 ff 15 ed f7 00 00 31 d2 48 85 c0 74 1b c6 40 18 7c 48 89 18 48 89 c2 48 89 68 08 48 89 78 10 eb 07 48 8d 15 07 96 00 00 48 89 d0 48 83 c4 28 5b 5e 5f 5d c3 53 48 83 ec 50 48 8b 84 24 90 00 00 00 48 8b 9c 24 88 00 00 00 4c 89 4c 24 20 41 b9 10 00 00 00 48 89 44 24 38 48 8d 44 24 4c 48 89 44 24 30 8b 84 24 80 00 00 00 89 44 24 28 ff 15 5f f7 00 00 85 c0 74 0b 48 85 db 74 06 8b 54 24 4c 89 13 48 83 c4 50 5b c3 41 57 41 56 41 55 41 54 55 57 56 53 Data Ascii: Hu1DCHfD;CuH([^_]DCHHHHHtHt}EuxFHt6A H1Ht@\|HHHhHxHHH([^_]SHPH$H$LL$ AHD$8HD$LHD$0$D$(_tHtT$LHP[AWAVAUATUWVS
2025-01-09 07:39:15 UTC	13017	IN	Data Raw: a1 01 00 00 8b 94 24 80 01 00 00 48 8b 8c 24 78 01 00 00 4c 8d 84 24 e0 00 00 00 e8 4a c2 ff ff 85 c0 0f 84 7d 01 00 00 8a 84 24 e6 00 00 00 4c 8b 5c 24 58 48 8b b4 24 e8 00 00 00 48 8b 9c 24 f0 00 00 00 4c 8b ac 24 00 01 00 00 48 8b ac 24 08 01 00 00 88 44 24 48 48 8b 84 24 f8 00 00 00 4c 8b a4 24 10 01 00 00 48 89 44 24 40 0f b7 84 24 e4 00 00 00 89 84 24 80 00 00 00 8b 84 24 e0 00 00 00 25 ff ff 01 00 89 44 24 54 8a 84 24 e3 00 00 00 c0 e8 06 83 e0 01 41 f6 43 0a 10 89 84 24 84 00 00 00 74 05 48 85 db eb 03 48 85 f6 75 4c e9 ef 00 00 00 48 83 bc 24 78 01 00 00 00 0f 85 e0 00 00 00 c7 84 24 80 00 00 00 00 00 00 00 c7 44 24 54 00 00 00 00 45 31 e4 c6 44 24 48 00 c7 84 24 84 00 00 00 00 00 00 00 31 ed 45 31 ed 48 c7 44 24 40 00 00 00 00 31 db 31 f6 41 80 Data Ascii: $H$xL$J}$L\$XH$H$L$H$D$HH$L$HD$@$$$%D$T$AC$tHHuLH$x$D$TE1D$H$1E1HD$@11A
2025-01-09 07:39:15 UTC	14848	IN	Data Raw: 3a 3a 00 3a 00 00 00 00 08 81 ff ff e8 83 ff ff a6 81 ff ff 50 81 ff ff 50 81 ff ff 08 81 ff ff e8 83 ff ff b5 81 ff ff 5a 81 ff ff 5a 81 ff ff 08 81 ff ff 92 81 ff ff f4 80 ff ff 15 82 ff ff 88 81 ff ff 15 81 ff ff 92 81 ff ff 92 81 ff ff f4 80 ff ff 39 81 ff ff 15 82 ff ff 92 81 ff ff 39 81 ff ff 08 81 ff ff 32 82 ff ff 03 82 ff ff 43 81 ff ff 9c 81 ff ff 43 81 ff ff 32 82 ff ff 43 81 ff ff 08 81 ff ff fe 80 ff ff e8 83 ff ff c7 81 ff ff c7 81 ff ff fe 80 ff ff 27 81 ff ff 64 81 ff ff c7 81 ff ff 87 82 ff ff c7 81 ff ff fe 80 ff ff fe 80 ff ff e8 83 ff ff c7 81 ff ff fe 80 ff ff fe 80 ff ff c7 81 ff ff c7 81 ff ff 08 81 ff ff d4 81 ff ff d4 81 ff ff d4 81 ff ff 6e 81 ff ff d4 81 ff ff 94 82 ff ff d4 81 ff ff d4 81 ff ff bc 82 ff ff e7 80 ff ff 7b 81 ff Data Ascii: :::PPZZ992CC2C'dn{

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49705	217.197.91.145	443	1776	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 07:39:19 UTC	183	OUT	GET /censorliber/zapret/raw/branch/main/WinDivert64.sys HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: codeberg.org
2025-01-09 07:39:19 UTC	845	IN	HTTP/1.1 200 OK access-control-expose-headers: Content-Disposition cache-control: private, max-age=300 content-disposition: inline; filename="WinDivert64.sys"; filename*=UTF-8''WinDivert64.sys content-length: 94664 content-type: application/octet-stream etag: "df5c405c881a1b7cf63e1bed57cf42ba0d9dd61a" last-modified: Mon, 06 Jan 2025 21:19:57 GMT set-cookie: i_like_gitea=ba83921e7ba4e3f3; Path=/; HttpOnly; Secure; SameSite=Lax; Secure; SameSite=Lax set-cookie: _csrf=sfg3jko_yHmOZHJkJqoaKKX4nfM6MTczNjQwODM1OTQ5MDQyNjQzMA; Path=/; Max-Age=86400; HttpOnly; Secure; SameSite=Lax; Secure; SameSite=Lax date: Thu, 09 Jan 2025 07:39:19 GMT strict-transport-security: max-age=63072000; includeSubDomains; preload permissions-policy: interest-cohort=() x-frame-options: sameorigin x-content-type-options: nosniff connection: close
2025-01-09 07:39:19 UTC	3427	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 53 ba d0 8f 17 db be dc 17 db be dc 17 db be dc 35 bb b8 dd 15 db be dc 1e a3 36 dc 14 db be dc 1e a3 2d dc 15 db be dc 17 db bf dc 2e db be dc 35 bb bf dd 1e db be dc 35 bb bd dd 12 db be dc 35 bb ba dd 12 db be dc 80 85 ba dd 16 db be dc 85 85 41 dc 16 db be dc 80 85 bc dd 16 db be dc 52 69 63 68 17 db be dc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 08 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$S56-.555ARichPEd
2025-01-09 07:39:19 UTC	16320	IN	Data Raw: 8c 24 88 00 00 00 49 8b cb 0f 45 d3 45 33 c9 83 e2 01 89 54 24 28 48 8d 54 24 50 c7 44 24 20 01 00 00 00 45 8d 41 03 e8 01 97 00 00 48 8b 9c 24 a0 00 00 00 48 8b 8c 24 90 00 00 00 48 33 cc e8 69 a1 00 00 48 81 c4 a8 00 00 00 c3 cc 48 81 ec a8 00 00 00 48 8b 05 92 06 01 00 48 33 c4 48 89 84 24 90 00 00 00 48 8b 42 70 4d 8b 51 30 45 33 c9 4c 8b 84 24 d8 00 00 00 48 89 44 24 50 8b 42 40 48 8b 51 08 89 44 24 60 4c 89 4c 24 58 4c 89 4c 24 6c 0f 10 4a 20 66 0f 7e c8 0f 11 4c 24 40 83 f8 03 74 07 4c 89 4c 24 64 eb 10 8b 44 24 48 89 44 24 64 c7 44 24 68 ff ff 00 00 0f 10 4a 40 33 c0 4c 89 44 24 30 0f 10 52 50 48 89 44 24 74 66 0f c5 c9 04 48 89 44 24 7c 66 0f 7e c8 66 0f 6f ca 66 0f 73 d9 08 66 44 89 8c 24 86 00 00 00 83 f8 02 66 0f 7e c8 66 41 0f 45 c9 66 89 8c Data Ascii: $IEE3T$(HT$PD$ EAH$H$H3iHHHH3H$HBpMQ0E3L$HD$PB@HQD$`LL$XLL$lJ f~L$@tLL$dD$HD$dD$hJ@3LD$0RPHD$tfHD$\|f~fofsfD$f~fAEf
2025-01-09 07:39:19 UTC	13021	IN	Data Raw: 41 8b 40 08 0f ba f0 10 c1 e2 11 41 0b c2 25 ff ff 81 ff 0b c8 0f ba f1 17 0b d1 41 89 50 08 41 c6 40 0b 00 83 fd 01 7e 57 83 fd 02 74 25 83 fd 03 74 20 83 fd 04 75 57 48 8b 84 24 80 00 00 00 0f 10 00 41 0f 11 40 10 0f 10 48 10 41 0f 11 48 20 eb 3c 48 8b 84 24 80 00 00 00 0f 10 00 41 0f 11 40 10 0f 10 48 10 41 0f 11 48 20 0f 10 40 20 41 0f 11 40 30 0f 10 48 30 41 0f 11 48 40 eb 0f 48 8b 84 24 80 00 00 00 48 8b 08 49 89 48 10 4d 85 c9 0f 84 67 fd ff ff 41 c7 01 50 00 00 00 e9 5b fd ff ff cc cc cc cc cc cc cc cc cc 48 89 5c 24 08 4c 89 4c 24 20 4c 89 44 24 18 89 54 24 10 55 56 57 41 54 41 55 41 56 41 57 48 8d 6c 24 f9 48 81 ec f0 00 00 00 33 db 4d 8b f0 48 89 5d 87 44 8b e2 48 89 5d 97 4c 8b f9 48 89 5d bf 44 8b d3 48 89 5d c7 44 8b c3 48 89 5c 24 68 44 8b Data Ascii: A@A%APA@~Wt%t uWH$A@HAH <H$A@HAH @ A@0H0AH@H$HIHMgAP[H\$LL$ LD$T$UVWATAUAVAWHl$H3MH]DH]LH]DH]DH\$hD
2025-01-09 07:39:19 UTC	16320	IN	Data Raw: e8 cb 1e 00 00 4c 8b c3 41 0f b6 d6 48 8b cf e8 8c f6 ff ff 8b d8 e9 84 01 00 00 81 ee 91 e4 12 00 0f 84 4d 01 00 00 83 ee 04 0f 84 8a 00 00 00 83 fe 08 74 0a bb 10 00 00 c0 e9 60 01 00 00 8b 31 48 8d 55 cf 48 8d 4f 08 ff 15 81 45 00 00 81 3f b1 00 00 00 0f 85 3e fd ff ff 83 ee 01 74 38 83 ee 01 74 26 83 fe 01 74 14 48 8d 4d cf ff 15 54 45 00 00 bb 0d 00 00 c0 e9 21 01 00 00 be 01 00 00 00 89 b7 c0 00 00 00 eb 12 be 01 00 00 00 89 b7 c0 00 00 00 eb 0b be 01 00 00 00 89 b7 bc 00 00 00 48 8d 4d cf ff 15 1b 45 00 00 48 8b cf e8 eb 10 00 00 e9 e5 00 00 00 44 8b 71 08 48 8d 55 cf 48 8b 31 48 8d 4f 08 ff 15 01 45 00 00 81 3f b1 00 00 00 0f 85 be fc ff ff 45 85 f6 74 72 41 83 ee 01 74 35 41 83 fe 01 0f 85 7a ff ff ff 48 8d 86 01 00 ff ff 48 3d 01 00 ff 01 0f 87 Data Ascii: LAHMt`1HUHOE?>t8t&tHMTE!HMEHDqHUH1HOE?EtrAt5AzHH=
2025-01-09 07:39:19 UTC	64	IN	Data Raw: a0 1d 00 40 01 00 00 00 00 00 00 00 00 00 00 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 f5 00 40 01 00 00 00 a0 f5 00 40 01 00 00 00 00 f6 00 40 01 00 00 00 50 f6 00 40 01 00 00 00 Data Ascii: @@@@@P@
2025-01-09 07:39:19 UTC	16320	IN	Data Raw: b0 f6 00 40 01 00 00 00 00 f7 00 40 01 00 00 00 a8 06 01 40 01 00 00 00 00 d3 00 40 01 00 00 00 50 1f 00 40 01 00 00 00 00 00 00 00 00 00 00 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 f7 00 40 01 00 00 00 c0 f7 00 40 01 00 00 00 20 f8 00 40 01 00 00 00 70 f8 00 40 01 00 00 00 d0 f8 00 40 01 00 00 00 20 f9 00 40 01 00 00 00 88 06 01 40 01 00 00 00 10 d3 00 40 01 00 00 00 a0 20 00 40 01 00 00 00 00 00 00 00 00 00 00 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 f9 00 40 01 00 00 00 d0 f9 00 40 01 00 00 00 30 fa 00 40 01 00 00 00 80 fa 00 40 01 00 00 00 d0 fa 00 40 01 00 00 00 20 fb 00 40 01 00 00 00 68 07 01 40 01 00 00 00 20 d3 00 40 01 00 00 00 20 22 00 40 01 00 00 00 00 00 00 00 00 00 00 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: @@@@P@`@@ @p@@ @@@ @@@0@@@ @h@ @ "@
2025-01-09 07:39:19 UTC	64	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2025-01-09 07:39:19 UTC	16320	IN	Data Raw: 28 00 00 00 00 00 00 00 b8 05 01 40 01 00 00 00 20 03 00 00 00 00 00 00 00 20 01 40 01 00 00 00 00 00 00 00 00 00 00 00 28 00 00 00 00 00 00 00 c8 05 01 40 01 00 00 00 18 00 00 00 00 00 00 00 28 20 01 40 01 00 00 00 00 00 00 00 00 00 00 00 32 a2 df 2d 99 2b 00 00 cd 5d 20 d2 66 d4 ff ff 30 00 00 00 00 00 00 00 d8 05 01 40 01 00 00 00 01 00 00 00 09 00 00 00 b0 1d 00 00 8c 01 00 00 90 51 01 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 20 01 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: (@ @(@( @2-+] f0@Q@ @
2025-01-09 07:39:19 UTC	64	IN	Data Raw: 22 d4 52 4b 3c 22 ba ee dd b9 65 28 e3 b3 4f 8e 01 c8 d8 b2 05 1f 42 90 a7 4e 94 22 43 02 03 01 00 01 a3 82 01 d6 30 82 01 d2 30 1f 06 03 55 1d 23 04 18 30 16 80 14 81 32 92 41 2b 28 cd 46 c8 Data Ascii: "RK<"e(OBN"C00U#02A+(F
2025-01-09 07:39:19 UTC	12744	IN	Data Raw: c4 a2 c6 2a 39 12 ec 48 a9 3f 14 30 1d 06 03 55 1d 0e 04 16 04 14 dc 3f 15 d9 1b a8 9a 6d 70 26 10 38 a8 5b dd 76 c1 88 80 a8 30 0e 06 03 55 1d 0f 01 01 ff 04 04 03 02 07 80 30 0c 06 03 55 1d 13 01 01 ff 04 02 30 00 30 13 06 03 55 1d 25 04 0c 30 0a 06 08 2b 06 01 05 05 07 03 03 30 49 06 03 55 1d 20 04 42 30 40 30 35 06 0c 2b 06 01 04 01 b2 31 01 02 01 06 01 30 25 30 23 06 08 2b 06 01 05 05 07 02 01 16 17 68 74 74 70 73 3a 2f 2f 73 65 63 74 69 67 6f 2e 63 6f 6d 2f 43 50 53 30 07 06 05 67 81 0c 01 03 30 4b 06 03 55 1d 1f 04 44 30 42 30 40 a0 3e a0 3c 86 3a 68 74 74 70 3a 2f 2f 63 72 6c 2e 73 65 63 74 69 67 6f 2e 63 6f 6d 2f 53 65 63 74 69 67 6f 50 75 62 6c 69 63 43 6f 64 65 53 69 67 6e 69 6e 67 43 41 45 56 52 33 36 2e 63 72 6c 30 7b 06 08 2b 06 01 05 05 07 Data Ascii: *9H?0U?mp&8[v0U0U00U%0+0IU B0@05+10%0#+https://sectigo.com/CPS0g0KUD0B0@><:http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0{+

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49706	217.197.91.145	443	1776	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 07:39:23 UTC	177	OUT	GET /censorliber/zapret/raw/branch/main/winws.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: codeberg.org
2025-01-09 07:39:24 UTC	834	IN	HTTP/1.1 200 OK access-control-expose-headers: Content-Disposition cache-control: private, max-age=300 content-disposition: inline; filename="winws.exe"; filename*=UTF-8''winws.exe content-length: 159744 content-type: application/octet-stream etag: "855872ec43df93bdf31cc8a77a94a3fe45c7f8a7" last-modified: Mon, 06 Jan 2025 21:19:57 GMT set-cookie: i_like_gitea=c65cef49993761bb; Path=/; HttpOnly; Secure; SameSite=Lax; Secure; SameSite=Lax set-cookie: _csrf=PF7cLIFpPHc-Dw5PRLhdcrf9bsQ6MTczNjQwODM2Mzc0Nzg3NTMzNg; Path=/; Max-Age=86400; HttpOnly; Secure; SameSite=Lax; Secure; SameSite=Lax date: Thu, 09 Jan 2025 07:39:23 GMT strict-transport-security: max-age=63072000; includeSubDomains; preload permissions-policy: interest-cohort=() x-frame-options: sameorigin x-content-type-options: nosniff connection: close
2025-01-09 07:39:24 UTC	3438	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 0a 00 25 aa 6d 67 00 00 00 00 00 00 00 00 f0 00 2e 02 0b 02 02 29 00 76 01 00 00 6c 02 00 00 42 00 00 00 10 00 00 00 10 00 00 00 00 40 00 01 00 00 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 05 00 02 00 00 00 00 00 00 10 03 00 00 04 00 00 d4 f8 02 00 03 00 00 80 00 00 20 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEd%mg.)vlB@
2025-01-09 07:39:24 UTC	16320	IN	Data Raw: 00 48 8d 15 b1 87 01 00 4c 89 e1 e8 d2 38 01 00 41 89 c0 b8 05 00 00 00 45 85 c0 0f 84 e9 01 00 00 48 8d 15 98 87 01 00 4c 89 e1 e8 b2 38 01 00 41 89 c0 b8 06 00 00 00 45 85 c0 0f 84 c9 01 00 00 48 8d 15 7f 87 01 00 4c 89 e1 e8 92 38 01 00 41 89 c0 b8 07 00 00 00 45 85 c0 0f 84 a9 01 00 00 48 8d 15 67 87 01 00 4c 89 e1 e8 72 38 01 00 41 89 c0 b8 09 00 00 00 45 85 c0 0f 84 89 01 00 00 48 8d 15 55 87 01 00 4c 89 e1 e8 52 38 01 00 41 89 c0 b8 09 00 00 00 45 85 c0 0f 84 69 01 00 00 48 8d 15 3e 87 01 00 4c 89 e1 e8 32 38 01 00 41 89 c0 b8 08 00 00 00 45 85 c0 0f 84 49 01 00 00 48 8d 15 29 87 01 00 4c 89 e1 e8 12 38 01 00 41 89 c0 b8 08 00 00 00 45 85 c0 0f 84 29 01 00 00 48 8d 15 0f 87 01 00 4c 89 e1 e8 f2 37 01 00 41 89 c0 b8 0a 00 00 00 45 85 c0 0f 84 09 01 Data Ascii: HL8AEHL8AEHL8AEHgLr8AEHULR8AEiH>L28AEIH)L8AE)HL7AE
2025-01-09 07:39:24 UTC	13010	IN	Data Raw: 10 ff 40 0c 4c 89 30 d1 60 08 d1 ea 39 50 2c 77 0c c7 40 30 00 00 00 00 e9 f6 00 00 00 8b 70 30 8d 56 01 89 50 30 83 fa 01 0f 86 e4 00 00 00 c7 40 34 01 00 00 00 e9 d8 00 00 00 49 8b 4c 24 38 48 85 c9 74 04 48 89 41 18 49 8b 44 24 20 49 8b 4c 24 28 44 89 47 08 49 c7 44 24 38 00 00 00 00 49 c7 44 24 30 00 00 00 00 48 85 c0 75 2a 48 85 c9 75 25 4c 89 d9 e8 57 f0 00 00 48 8b 83 f0 40 00 00 48 8b 48 18 e8 47 f0 00 00 48 c7 83 f0 40 00 00 00 00 00 00 eb 72 4c 39 52 18 75 0b 4c 8b 42 20 49 01 c0 4c 89 42 18 48 85 c0 74 0b 48 8b 52 20 48 89 4c 10 10 eb 07 48 89 8b f0 40 00 00 49 8b 54 24 28 48 85 d2 74 14 48 8b 8b f0 40 00 00 48 8b 49 18 48 8b 49 20 48 89 44 0a 08 48 8b 83 f0 40 00 00 48 8b 50 18 8b 42 08 ff c8 44 21 f8 48 c1 e0 04 48 03 02 ff 48 08 4c 39 10 75 Data Ascii: @L0`9P,w@0p0VP0@4IL$8HtHAID$ IL$(DGID$8ID$0Hu*Hu%LWH@HHGH@rL9RuLB ILBHtHR HLH@IT$(HtH@HIHI HDH@HPBD!HHHL9u
2025-01-09 07:39:24 UTC	16320	IN	Data Raw: 8b 84 24 b8 00 00 00 48 89 94 24 88 00 00 00 48 8b 94 24 c0 00 00 00 48 8d 8c 24 a8 01 00 00 44 89 4c 24 60 41 89 c1 48 89 54 24 70 8b 94 24 90 00 00 00 48 89 bc 24 80 00 00 00 89 54 24 58 8b 94 24 b4 00 00 00 44 89 7c 24 68 89 54 24 40 48 8b 94 24 a0 00 00 00 44 89 74 24 50 48 89 54 24 38 8b 94 24 a8 00 00 00 44 89 5c 24 48 89 54 24 30 41 0f b7 52 0e 89 54 24 28 41 8b 52 08 89 54 24 20 4c 89 ea e8 7c 66 00 00 84 c0 0f 84 e9 06 00 00 48 8b 43 48 4c 89 e2 48 8d 0d 89 49 01 00 4c 8d 35 5e 41 01 00 49 89 c1 4c 8d 40 ff 4d 29 e1 e8 87 37 00 00 48 8b 53 48 48 8b 4b 40 41 b8 20 00 00 00 4c 29 e2 4c 01 e1 e8 13 39 00 00 4c 89 f1 e8 66 37 00 00 4c 8b 8c 24 00 01 00 00 49 89 f8 4c 89 e9 48 8b 94 24 c8 96 00 00 e8 24 60 00 00 84 c0 0f 84 81 06 00 00 48 83 7b 10 00 Data Ascii: $H$H$H$DL$`AHT$p$H$T$X$D\|$hT$@H$Dt$PHT$8$D\$HT$0ART$(ART$ L\|fHCHLHIL5^AIL@M)7HSHHK@A L)L9Lf7L$ILH$$`H{
2025-01-09 07:39:24 UTC	64	IN	Data Raw: c7 44 24 20 00 00 00 00 4d 85 d2 74 04 49 89 7a 18 8b 43 0c 48 89 3b ff c0 6b c0 0a 39 c2 73 07 b0 01 e9 43 02 00 00 4d 8b 6c 24 08 41 83 7d 34 00 75 ed 41 8b 4d 08 4c 89 54 24 38 89 54 24 34 Data Ascii: D$ MtIzCH;k9sCMl$A}4uAMLT$8T$4
2025-01-09 07:39:24 UTC	16320	IN	Data Raw: 48 c1 e1 05 4c 89 4c 24 28 48 89 4c 24 20 e8 6d 7e 00 00 48 8b 4c 24 20 4c 8b 4c 24 28 48 85 c0 8b 54 24 34 4c 8b 54 24 38 49 89 c0 75 1a 49 8b 44 24 20 4c 89 13 48 85 c0 0f 84 0b 01 00 00 4c 89 50 20 e9 02 01 00 00 31 c0 4c 89 c7 f3 aa 41 c7 45 2c 00 00 00 00 45 8b 5d 08 41 8b 45 10 41 8b 7d 0c 4d 8b 75 00 43 8d 5c 1b ff 41 89 c2 8d 4f 01 21 d8 41 d3 ea 83 f8 01 41 83 da ff 31 ff 45 89 55 28 41 39 fb 76 6d 48 89 f8 48 c1 e0 04 49 8b 14 06 48 85 d2 74 58 89 d8 23 42 34 48 8b 6a 20 48 c1 e0 04 4c 01 c0 8b 48 08 ff c1 89 48 08 41 39 ca 73 1b 44 8b 48 0c 45 89 d7 41 ff 45 2c 45 0f af f9 44 39 f9 76 07 41 ff c1 44 89 48 0c 48 8b 08 48 c7 42 18 00 00 00 00 48 89 4a 20 48 85 c9 74 04 48 89 51 18 48 89 10 48 89 ea eb a3 48 ff c7 eb 8e 4c 89 f1 4c 89 44 24 20 e8 Data Ascii: HLL$(HL$ m~HL$ LL$(HT$4LT$8IuID$ LHLP 1LAE,E]AEA}MuC\AO!AA1EU(A9vmHHIHtX#B4Hj HLHHA9sDHEAE,ED9vADHHHBHJ HtHQHHHLLD$
2025-01-09 07:39:24 UTC	16320	IN	Data Raw: 05 00 00 00 48 89 45 78 c7 45 08 47 3f 00 00 0f 84 62 19 00 00 48 89 d7 0f 1f 84 00 00 00 00 00 c7 45 08 48 3f 00 00 83 fe 05 0f 86 80 0c 00 00 41 81 fd 01 01 00 00 0f 86 73 0c 00 00 4d 89 5f 18 8b 54 24 30 4c 89 f9 45 89 6f 20 49 89 3f 41 89 77 08 4c 89 75 50 89 5d 58 e8 51 36 00 00 8b 45 08 4d 8b 5f 18 45 8b 6f 20 49 8b 3f 41 8b 77 08 4c 8b 75 50 8b 5d 58 3d 3f 3f 00 00 0f 85 a7 fd ff ff c7 85 ec 1b 00 00 ff ff ff ff e9 76 fe ff ff 66 0f 1f 44 00 00 83 fb 02 0f 87 c7 15 00 00 85 f6 0f 84 ee 15 00 00 0f b6 07 89 d9 83 ee 01 48 8d 57 01 83 c3 08 48 d3 e0 49 01 c6 44 89 f0 83 e0 01 89 45 0c 4c 89 f0 48 d1 e8 83 e0 03 83 f8 02 0f 84 e9 09 00 00 83 f8 03 0f 84 0f 12 00 00 83 f8 01 0f 84 ea fe ff ff c7 45 08 41 3f 00 00 49 c1 ee 03 83 eb 03 48 89 d7 0f 1f 40 Data Ascii: HExEG?bHEH?AsM_T$0LEo I?AwLuP]XQ6EM_Eo I?AwLuP]X=??vfDHWHIDELHEA?IH@
2025-01-09 07:39:24 UTC	128	IN	Data Raw: ff 25 32 7b 01 00 90 90 90 90 90 90 90 90 90 90 ff 25 3a 7b 01 00 90 90 90 90 90 90 90 90 90 90 ff 25 32 7b 01 00 90 90 90 90 90 90 90 90 90 90 48 83 ec 28 31 d2 e8 55 00 00 00 ff 15 df 78 01 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 c3 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 c3 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 c3 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 Data Ascii: %2{%:{%2{H(1Ux
2025-01-09 07:39:24 UTC	16320	IN	Data Raw: c3 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 56 53 48 83 ec 28 48 89 ce 48 89 d3 b9 08 00 00 00 e8 ba 04 00 00 48 85 db 0f 84 11 02 00 00 48 ba 00 00 00 00 59 01 00 00 48 89 73 40 48 8d 35 8c ff ff ff 48 8d 0d a5 38 00 00 48 89 93 f0 00 00 00 48 8d 15 af 38 00 00 48 89 53 50 48 8b 15 44 78 01 00 48 89 b3 80 00 00 00 48 8d 35 6e ff ff ff 48 89 4b 48 48 8d 0d 73 ff ff ff 48 89 53 18 48 8d 15 58 62 01 00 48 89 b3 88 00 00 00 48 8d 35 6a ff ff ff 48 89 8b 90 00 00 00 48 b9 48 01 00 00 bc 0b 00 00 48 89 b3 98 00 00 00 48 8d 35 cb fd ff ff 48 89 53 38 48 8d 15 40 fd ff ff 48 89 4b 08 48 8d 0d 35 04 00 00 48 89 73 20 48 8d 35 ea 03 00 00 48 89 53 28 48 8d 15 0f 04 00 00 48 c7 03 00 00 00 00 c7 43 10 0a 00 00 00 48 89 4b 30 48 89 73 78 48 89 93 18 01 00 00 48 Data Ascii: VSH(HHHHYHs@H5H8HH8HSPHDxHH5nHKHHsHSHXbHH5jHHHHH5HS8H@HKH5Hs H5HS(HHCHK0HsxHH
2025-01-09 07:39:24 UTC	64	IN	Data Raw: 73 fb 41 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8f fb 41 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: sAA

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49707	149.154.167.99	443	2072	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 07:39:27 UTC	658	OUT	GET /bypassblock HTTP/1.1 Host: t.me Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-09 07:39:27 UTC	512	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Thu, 09 Jan 2025 07:39:27 GMT Content-Type: text/html; charset=utf-8 Content-Length: 11947 Connection: close Set-Cookie: stel_ssid=6c0050476a1f65b153_17604319187614517503; expires=Fri, 10 Jan 2025 07:39:27 GMT; path=/; samesite=None; secure; HttpOnly Pragma: no-cache Cache-control: no-store X-Frame-Options: ALLOW-FROM https://web.telegram.org Content-Security-Policy: frame-ancestors https://web.telegram.org Strict-Transport-Security: max-age=35768000
2025-01-09 07:39:27 UTC	11947	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 62 79 70 61 73 73 62 6c 6f 63 6b 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e 64 6f 77 2e 70 Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @bypassblock</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.p

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49714	217.197.91.145	443	1776	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 07:39:27 UTC	179	OUT	GET /censorliber/zapret/raw/branch/main/version.txt HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: codeberg.org
2025-01-09 07:39:27 UTC	834	IN	HTTP/1.1 200 OK access-control-expose-headers: Content-Disposition cache-control: private, max-age=300 content-disposition: inline; filename="version.txt"; filename*=UTF-8''version.txt content-length: 5 content-type: text/plain; charset=utf-8 etag: "04757a5d3c904740bcb990e57702def1368c902e" last-modified: Tue, 07 Jan 2025 16:09:18 GMT set-cookie: i_like_gitea=8be3611caec47532; Path=/; HttpOnly; Secure; SameSite=Lax; Secure; SameSite=Lax set-cookie: _csrf=9oiPtXfyCJsj-bu1cCSXkwkl2JQ6MTczNjQwODM2NzgyNDQ5ODgxNA; Path=/; Max-Age=86400; HttpOnly; Secure; SameSite=Lax; Secure; SameSite=Lax date: Thu, 09 Jan 2025 07:39:27 GMT strict-transport-security: max-age=63072000; includeSubDomains; preload permissions-policy: interest-cohort=() x-frame-options: sameorigin x-content-type-options: nosniff connection: close
2025-01-09 07:39:27 UTC	5	IN	Data Raw: 36 2e 34 2e 32 Data Ascii: 6.4.2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49722	34.111.35.152	443	2072	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 07:39:28 UTC	920	OUT	GET /file/s3vCUVV1oFSCO-dE5CqAY7IgPiKpdP2z8zxQN72D_TT9z56ahyE0msKqmuM_tk2PSEmQvnQwUvZb1H5LTpaO8JEmhF-5-DzRJn0IlgPUduazk5LN5P7paldIt115IoTuBIfpLYc9IcyeP_A6RfZJrgNinKpPj_KVprinZI2XeGxYV-Oc0kv7FigdkzDmuIUo82gNjtBCwxGg4jGao68ygfD4hQmU5yHjzaetNKqe2slF0f4nvrf0N7_9vCVoXLLhOJ2zVr1x-Jyq6PLsYys0HxH7NN2KH5LN_sO1jucDXW-MlsW7Iv6_BhYjfO3Mc2eDr_gKM9-O3DknTg7q8Q2omQ.jpg HTTP/1.1 Host: cdn4.cdn-telegram.org Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://t.me/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-09 07:39:28 UTC	685	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Content-Length: 24842 Access-Control-Allow-Origin: * X-Content-Type-Options: nosniff Content-Security-Policy: default-src 'none'; sandbox X-Frame-Options: DENY X-Xss-Protection: 1; mode=block Access-Control-Expose-Headers: Accept-Ranges, Content-Range, Content-Length Accept-Ranges: bytes Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Accept-Ranges: bytes Via: 1.1 google Date: Thu, 09 Jan 2025 07:31:48 GMT Cache-Control: public,max-age=7200 ETag: "0ad5b51448dae3b6826b23a40f1a54544dbb0d95" Content-Type: image/jpeg Age: 460 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2025-01-09 07:39:28 UTC	705	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 60 00 60 00 00 ff e2 01 db 49 43 43 5f 50 52 4f 46 49 4c 45 00 01 01 00 00 01 cb 00 00 00 00 02 40 00 00 6d 6e 74 72 52 47 42 20 58 59 5a 20 00 00 00 00 00 00 00 00 00 00 00 00 61 63 73 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 f6 d6 00 01 00 00 00 00 d3 2d 51 74 05 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 72 58 59 5a 00 00 00 f0 00 00 00 14 67 58 59 5a 00 00 01 04 00 00 00 14 62 58 59 5a 00 00 01 18 00 00 00 14 77 74 70 74 00 00 01 2c 00 00 00 14 63 70 72 74 00 00 01 40 00 00 00 0c 72 54 52 43 00 00 01 4c 00 00 00 20 67 54 52 43 00 00 01 4c 00 00 00 20 62 Data Ascii: JFIF``ICC_PROFILE@mntrRGB XYZ acsp-QtrXYZgXYZbXYZwtpt,cprt@rTRCL gTRCL b
2025-01-09 07:39:28 UTC	1390	IN	Data Raw: 03 00 01 02 03 04 00 05 11 06 21 07 12 31 41 08 13 51 61 22 32 71 81 14 91 09 15 23 42 52 a1 b1 c1 33 62 72 82 d1 16 24 e1 17 34 43 25 92 f0 f1 53 63 b2 ff c4 00 1c 01 00 00 07 01 01 00 00 00 00 00 00 00 00 00 00 00 00 01 02 04 06 07 08 03 05 ff c4 00 38 11 00 01 03 03 03 02 04 04 06 00 04 07 00 00 00 00 01 00 02 03 04 11 21 05 06 31 12 41 13 22 51 61 14 32 71 b1 42 81 91 a1 c1 e1 23 24 52 d1 07 25 33 72 b2 f0 f1 ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 e9 ce 71 56 e0 fa ff 00 2a 31 3d 2a ee c2 9e 20 8b 04 81 d6 aa 46 d4 06 0f 6a ba 82 3b 22 ea a3 e6 15 76 05 57 18 a0 89 0a 19 cd 0c 66 86 31 41 04 28 50 a1 41 04 28 50 a1 41 04 2a 98 15 5a bf 02 82 0a cc 62 85 5f ca 28 60 7a 50 41 16 a3 81 50 97 19 38 bb 66 e1 77 0f 9d 97 21 d4 bf 78 7c 14 c1 8a 93 f1 29 Data Ascii: !1AQa"2q#BR3br$4C%Sc8!1A"Qa2qB#$R%3r?qV1= Fj;"vWf1A(PA(PA*Zb_(`zPAP8fw!x\|)
2025-01-09 07:39:28 UTC	1390	IN	Data Raw: 1e 38 2a 55 a3 6b 33 e9 15 01 cd 37 61 e4 76 5e 80 86 c2 85 0a 15 99 16 a8 01 0c e6 ab 8c d5 a0 60 f5 a3 46 c2 8c e5 0b ab 40 de ae a1 42 89 25 0a 14 2a a0 13 d2 82 0a 94 6a 3e 43 f5 ab 39 15 e9 46 24 10 9a 31 ca 0a ea a8 00 8c 9a a5 53 3f 0e fb 1e c3 b9 fa 52 bb d8 72 50 b8 19 3c 2b b0 9c 81 5a fd c6 ee 38 59 f8 5b a4 64 30 d3 8d cd d4 4f 24 a6 34 5e 6c f2 92 3a ab d0 55 9c 6f e3 b5 8f 85 ba 59 d8 cc ba 89 9a 91 e0 50 c4 64 9c 96 ce 3e 65 7b 57 32 2c 16 6d 7d e2 0b c4 1f e0 a2 b4 ed c2 eb 31 ce 67 de 59 3e 5c 46 b3 92 b5 76 09 03 35 60 e8 9a 08 99 9f 15 5b e5 89 b9 b9 c5 ec ab 5d 7b 5e 74 6e f8 3a 2f 34 a7 18 ed fd ac 44 35 c4 1e 38 f1 ac 35 12 3c 9b fd e6 5a 89 21 a0 4a 18 4f 6c f6 48 15 d4 3e 02 78 47 d2 fa 0f 4e 46 bc eb d8 6d 5f 35 53 a7 9c 45 58 e6 Data Ascii: 8Uk37av^`F@B%j>C9F$1S?RrP<+Z8Y[d0O$4^l:UoYPd>e{W2,m}1gY>\Fv5`[]{^tn:/4D585<Z!JOlH>xGNFm_5SEX
2025-01-09 07:39:28 UTC	1390	IN	Data Raw: f5 47 05 f5 2b 7d d4 49 de 9d f0 99 0d 5b 5b 6c 6d 84 e0 8a 4b 8e 10 44 38 df c4 36 df 04 1a c6 92 d6 60 b6 a1 9e 64 8f ef 4a 6b 4e fb d1 2b 48 e5 29 ea 08 a5 02 2c 82 c5 5a 4a 9b c1 f4 14 9a f3 24 73 01 9c 1e d4 b8 50 02 07 d2 b1 d4 d7 32 ba d0 04 21 72 32 16 93 f8 b3 e0 64 6e 28 70 4a 65 de db 0d 2b d5 f6 76 54 e4 35 21 3f 1b e8 1b 96 ff 00 bd 70 c6 64 49 10 ee 6f c5 92 d2 99 90 ca ca 1c 42 c6 0a 54 0e 08 c5 7a 93 9b 13 fe cd c2 94 0e 71 ed da b4 3b 8c 7e 08 f4 87 10 6e 77 4d 47 a5 a7 ab 4d 6a 09 47 cc 52 14 8e 68 ee 2c fa 81 b8 cd 5a 9b 5b 72 c7 42 c3 4b 52 7c 9d 8f 36 f6 55 3e e6 db 52 57 bb e2 a9 47 9f f1 0e 2f ee b8 aa 46 6a d2 31 52 77 13 38 4b ad 78 55 ac 9d b4 6a 6b 52 d8 21 44 37 21 3b b4 e0 f5 4a bb 8a 8c 49 cf d6 af 78 a6 86 a2 21 2c 66 e0 aa Data Ascii: G+}I[[lmKD86`dJkN+H),ZJ$sP2!r2dn(pJe+vT5!?pdIoBTzq;~nwMGMjGRh,Z[rBKR\|6U>RWG/Fj1Rw8KxUjkR!D7!;JIx!,f
2025-01-09 07:39:28 UTC	1390	IN	Data Raw: 20 18 a4 67 fd a6 9e 92 5b 1c 9b 8d bd 69 b9 71 69 2b 6d d0 46 c5 bc 52 91 26 cc e7 11 1e 2c 48 88 27 90 36 09 f6 00 00 29 29 00 3b 21 4a 19 1d 85 17 3e 5f 9b 76 71 29 dc 25 b4 b6 9f e7 56 b0 b5 ae 61 42 39 42 1a 4f 20 24 f5 3f f8 a5 84 16 51 5a 5f ba b3 01 27 95 a2 e7 c5 95 64 90 93 cc a2 3d 81 c2 69 eb 6f 2b 7a e4 14 7a 2c fc b8 d8 24 7f e7 34 c5 b0 27 f1 37 99 f3 49 fd 9a bf 62 c1 50 df cb 49 c9 fc d4 4a be e2 a4 48 09 4b 6e 15 6f 84 8f 84 0a 23 ca 09 7d 4a 49 74 e4 fc b8 ab 4b 83 73 da 98 9a ab 5c d9 b4 c0 61 a9 b3 1b 62 54 8d d0 8c 85 38 ad f0 4f 28 ed bf 5a 69 dd 38 b5 61 b6 a6 1a 1c 95 ce a7 72 08 38 00 81 d7 72 7f 2f 5a 41 20 2e 8d 8d ee e0 29 95 25 21 43 e2 1f 11 fe 74 7f 9e df 75 00 7d 2a 0e 56 b5 b8 5c f9 1d b4 25 a6 18 f2 87 93 e6 10 a2 54 ae Data Ascii: g[iqi+mFR&,H'6));!J>_vq)%VaB9BO $?QZ_'d=io+zz,$4'7IbPIJHKno#}JItKs\abT8O(Zi8ar8r/ZA .)%!Ctu}*V\%T
2025-01-09 07:39:28 UTC	1390	IN	Data Raw: fc d0 b9 bc 95 72 ba c4 86 94 d3 a7 b6 7e 21 fd 2b 48 38 7d aa fc 4d de ae da 66 36 96 bd 5c e5 bb 2e e6 ed 9e d4 89 2e 94 b0 f4 d2 82 b5 c7 f3 15 94 79 a0 74 41 fa 56 c8 70 ef 52 de ee 9a 92 66 95 e2 fe 85 55 b6 f9 0d 41 80 f4 f8 a5 2b 79 c1 ba d2 a3 d1 2b df 20 83 f1 03 4a 2c 91 9f 32 e5 04 f1 cc eb 05 d1 2d 0f e3 1a d9 a9 a7 b5 6e b8 58 55 16 5a 94 12 42 1e 03 39 fb 56 df 45 b8 33 22 2b 6f 27 64 38 80 b0 7e a2 b9 ff 00 c3 3e 15 70 fa 4d fe 3d d6 d9 19 f8 72 5b 57 32 99 0f f3 0e be fb d6 f0 c1 42 9a b7 36 82 7e 14 27 09 07 b0 ae 7d 4b ac d1 c6 d1 80 90 78 9d c5 0b 57 0d b8 7e e5 fe e2 c9 94 84 ba 96 90 d2 0e 15 93 d4 fd ab 44 75 bf 8c 6b fd d1 84 23 49 c3 62 d6 5c 77 e0 75 c4 f9 ae 29 03 a6 12 3b a8 f7 f6 a9 b7 c4 c6 b2 e1 96 9f e1 9b ef f1 2a 72 91 6a Data Ascii: r~!+H8}Mf6\..ytAVpRfUA+y+ J,2-nXUZB9VE3"+o'd8~>pM=r[W2B6~'}KxW~Duk#Ib\wu);*rj
2025-01-09 07:39:28 UTC	1390	IN	Data Raw: c3 fe 1a 6d b1 4d 7e 21 db 83 00 12 9f 33 18 4a 1c 4a b0 52 e2 49 29 03 1b 8a 74 5b f4 75 be 3c 94 ac 35 8e 53 f0 a7 27 02 9e 08 88 88 8c f2 36 9e 54 f4 a7 0e 91 d2 1f 32 62 d8 e2 83 31 85 07 e9 6d 26 de 9c e2 14 84 42 79 c7 20 87 3e 00 af 4f 7a d9 96 50 c0 d2 4b 90 b4 73 2d 09 ce c7 75 00 2a 3b 54 56 9b bb 73 f9 78 a9 0a 19 0e 69 c7 1a 56 e8 29 e9 4d d2 9e e2 ec 95 cb 6f 16 fe 1d b8 85 c4 db d5 93 51 69 d4 7f d4 36 96 e0 3e 2e f1 22 cf 69 12 d8 79 dc 10 eb 6d b8 52 15 80 39 31 9d 80 18 a6 47 85 18 37 be 1d 71 9e f3 a8 78 a2 c4 2d 05 a6 ed 7a 41 3a 79 bb 77 ea af 22 55 e1 41 41 4d ba e3 4d 73 a5 c5 80 14 54 b3 dc 8a e9 cc fb 0c 79 a1 48 53 3c e9 00 84 e7 7a 69 37 a1 d4 cd c3 38 6d c6 9c 39 29 52 72 53 b7 4e 6e b4 e4 4e e6 37 a4 0c 26 9f 0f 13 dd d4 e3 95 Data Ascii: mM~!3JJRI)t[u<5S'6T2b1m&By >OzPKs-u*;TVsxiV)MoQi6>."iymR91G7qx-zA:yw"UAAMMsTyHS<zi78m9)RrSNnN7&
2025-01-09 07:39:28 UTC	1390	IN	Data Raw: 1d 1d 11 9e 9b 29 7f 0a 90 02 5a 24 e3 75 0d 93 f5 c5 38 85 b6 b9 5c e5 70 03 0b 64 b4 ab 09 0b 9d 2b 00 0c 86 d0 47 70 07 fc d4 8e d2 0e 52 12 36 c0 cd 33 6c cd a5 8d 3d 19 90 90 92 ae 52 b2 3f 33 4f 58 a5 4a 68 29 5d 54 33 8f 6e d4 e5 78 26 f7 28 8b 83 7c d1 4a 00 c9 29 a8 a6 53 7e 5c c7 10 7b 2a a5 c9 5b 90 33 d0 54 69 7a 68 22 ec a5 01 f3 1d e8 22 48 85 29 00 d6 3b 8d 85 b4 e3 6b 00 a5 40 e4 1a cb c1 ab 14 06 3a 51 82 5a 6e 11 10 08 b1 ca e7 af 89 cf 0d ad dd 2d f3 35 c6 8d 86 05 c9 b4 95 cc 86 da 71 e6 a4 6e 54 3d eb 99 8b 65 6d b8 b4 3a da 9b 71 07 0b 42 86 0a 4f 70 6b d1 6c 94 21 d6 dc 43 88 0b 4a d3 ca a0 47 51 5c e1 f1 2b e1 a9 ef c5 4b d7 5a 22 26 42 89 72 74 26 93 81 ee 52 2a e0 db 5b 8a c1 b4 95 2e fa 12 a9 7d cf b6 ad d5 59 48 3d dc 07 dd 73 Data Ascii: )Z$u8\pd+GpR63l=R?3OXJh)]T3nx&(\|J)S~\{[3Tizh""H);k@:QZn-5qnT=em:qBOpkl!CJGQ\+KZ"&Brt&R[.}YH=s
2025-01-09 07:39:28 UTC	1390	IN	Data Raw: 9c a9 44 fb 57 50 fc 37 78 69 63 4b 5b 23 6b 0d 61 1d 2f df 1d 48 5c 76 1c 46 44 74 9f 6f e2 ac 8f 0d 5e 1b 58 d3 16 68 9a b7 57 46 0f df 57 fb 46 23 b8 9d a3 83 d3 39 ef 5b ce db 41 0d 04 8c 0d b1 b5 37 dc 5b 90 49 7a 5a 53 8e e7 d7 e8 9c ed bd b4 63 b5 55 50 b9 ec 3d 3d ca f3 88 a5 11 93 d4 fb d5 bc e7 b6 05 5a 77 34 2a f1 c9 54 90 0a a3 e6 14 71 dc 51 14 61 d8 d7 56 37 28 88 ba bd 3f 27 de 8e 07 07 1e b4 4a 7e 5f bd 5e 37 3f 4a 47 2f 2b 99 59 f0 51 e6 5e e3 23 1c c1 4b 03 15 e8 13 80 31 4c 1f 0c f6 06 d4 b0 a2 84 25 2a 20 63 a2 47 fc d7 05 74 9c 4f c6 f1 0a da ce 32 14 f2 41 f5 ea 2b d0 67 0b 62 a2 df e1 e7 4e 34 82 a5 07 1b 2e 15 28 6e 79 95 de aa 7d f0 f1 e0 31 be a5 5a db 15 84 d6 c8 ff 00 40 a6 3b 58 e6 82 95 67 23 b5 2e a7 95 25 20 f7 e9 48 96 93 Data Ascii: DWP7xicK[#ka/H\vFDto^XhWFWF#9[A7[IzZScUP==Zw4TqQaV7(?'J~_^7?JG/+YQ^#K1L% cGtO2A+gbN4.(ny}1Z@;Xg#.% H
2025-01-09 07:39:28 UTC	1390	IN	Data Raw: 49 5f d5 c2 2e 28 21 73 b8 69 79 98 1c 8f 35 b5 82 bb 14 b2 39 51 2d 85 1e 8d 92 47 38 fb 9e f5 26 a6 d3 a7 ad d3 5d 2c 3f 33 39 f7 5e 77 c6 c3 4d 58 d8 e6 e1 cb 66 f5 72 e4 eb 4b d3 53 e6 38 a9 0e 18 8d b0 f2 dc f9 96 a6 c7 28 5f dd 38 cf d2 a1 bb ce 86 71 a2 b5 b2 df 7c 8c 56 e1 de 34 05 c7 48 5f 59 8b 70 42 25 c1 7d 05 76 eb a3 00 29 89 ad f6 29 23 60 ac 7c c9 3f 51 90 6b 05 fd 36 89 30 95 fb 1e 74 9e 98 4e 6a 16 ef 11 8f 2d 7f 2a 7b 17 86 f8 c1 67 0b 48 23 db a7 da 6e 88 79 0b 71 87 52 7e 07 1b 3c aa 4f b8 3d aa 7d d1 3c 52 be 5a 5c 8e d5 d9 0f 4b 63 60 64 b3 8f 37 db 99 3d 15 f6 c5 39 ee 3a 0d 06 42 9c 0d 9c 7a 72 d5 6d da 11 0b 70 a7 93 1b e7 38 a2 ea 4b 2d 5b 2d a3 b8 9d 6e 99 19 b7 9b 94 db a8 ef c8 0e 53 f5 49 dc 1a d8 4b 1e b0 81 26 32 08 78 15 Data Ascii: I_.(!siy59Q-G8&],?39^wMXfrKS8(_8q\|V4H_YpB%}v))#`\|?Qk60tNj-*{gH#nyqR~<O=}<RZ\Kc`d7=9:Bzrmp8K-[-nSIK&2x

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49720	149.154.167.99	443	2072	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 07:39:28 UTC	535	OUT	GET /css/font-roboto.css?1 HTTP/1.1 Host: telegram.org Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: text/css,/;q=0.1 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: style Referer: https://t.me/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-09 07:39:28 UTC	378	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Thu, 09 Jan 2025 07:39:28 GMT Content-Type: text/css Content-Length: 6166 Last-Modified: Thu, 20 Oct 2022 11:05:33 GMT Connection: close ETag: "63512b7d-1816" Expires: Mon, 13 Jan 2025 07:39:28 GMT Cache-Control: max-age=345600 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Accept-Ranges: bytes
2025-01-09 07:39:28 UTC	6166	IN	Data Raw: 2f 2a 20 63 79 72 69 6c 6c 69 63 2d 65 78 74 20 2a 2f 0a 40 66 6f 6e 74 2d 66 61 63 65 20 7b 0a 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 52 6f 62 6f 74 6f 27 3b 0a 20 20 66 6f 6e 74 2d 73 74 79 6c 65 3a 20 6e 6f 72 6d 61 6c 3b 0a 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 34 30 30 3b 0a 20 20 66 6f 6e 74 2d 64 69 73 70 6c 61 79 3a 20 73 77 61 70 3b 0a 20 20 73 72 63 3a 20 75 72 6c 28 27 2e 2e 2f 66 6f 6e 74 73 2f 52 6f 62 6f 74 6f 2f 4b 46 4f 6d 43 6e 71 45 75 39 32 46 72 31 4d 75 37 32 78 4b 4b 54 55 31 4b 76 6e 7a 2e 77 6f 66 66 32 27 29 20 66 6f 72 6d 61 74 28 27 77 6f 66 66 32 27 29 3b 0a 20 20 75 6e 69 63 6f 64 65 2d 72 61 6e 67 65 3a 20 55 2b 30 34 36 30 2d 30 35 32 46 2c 20 55 2b 31 43 38 30 2d 31 43 38 38 2c 20 55 2b 32 30 42 34 2c 20 55 Data Ascii: /* cyrillic-ext */@font-face { font-family: 'Roboto'; font-style: normal; font-weight: 400; font-display: swap; src: url('../fonts/Roboto/KFOmCnqEu92Fr1Mu72xKKTU1Kvnz.woff2') format('woff2'); unicode-range: U+0460-052F, U+1C80-1C88, U+20B4, U

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49719	149.154.167.99	443	2072	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 07:39:28 UTC	537	OUT	GET /css/bootstrap.min.css?3 HTTP/1.1 Host: telegram.org Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: text/css,/;q=0.1 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: style Referer: https://t.me/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-09 07:39:28 UTC	379	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Thu, 09 Jan 2025 07:39:28 GMT Content-Type: text/css Content-Length: 42523 Last-Modified: Fri, 10 Nov 2017 17:54:14 GMT Connection: close ETag: "5a05e7c6-a61b" Expires: Mon, 13 Jan 2025 07:39:28 GMT Cache-Control: max-age=345600 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Accept-Ranges: bytes
2025-01-09 07:39:28 UTC	16005	IN	Data Raw: 2f 2a 21 0a 20 2a 20 42 6f 6f 74 73 74 72 61 70 20 76 33 2e 32 2e 30 20 28 68 74 74 70 3a 2f 2f 67 65 74 62 6f 6f 74 73 74 72 61 70 2e 63 6f 6d 29 0a 20 2a 20 43 6f 70 79 72 69 67 68 74 20 32 30 31 31 2d 32 30 31 34 20 54 77 69 74 74 65 72 2c 20 49 6e 63 2e 0a 20 2a 20 4c 69 63 65 6e 73 65 64 20 75 6e 64 65 72 20 4d 49 54 20 28 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 63 6f 6d 2f 74 77 62 73 2f 62 6f 6f 74 73 74 72 61 70 2f 62 6c 6f 62 2f 6d 61 73 74 65 72 2f 4c 49 43 45 4e 53 45 29 0a 20 2a 2f 0a 0a 2f 2a 21 0a 20 2a 20 47 65 6e 65 72 61 74 65 64 20 75 73 69 6e 67 20 74 68 65 20 42 6f 6f 74 73 74 72 61 70 20 43 75 73 74 6f 6d 69 7a 65 72 20 28 68 74 74 70 3a 2f 2f 67 65 74 62 6f 6f 74 73 74 72 61 70 2e 63 6f 6d 2f 63 75 73 74 6f 6d 69 7a 65 2f 3f 69 Data Ascii: /! Bootstrap v3.2.0 (http://getbootstrap.com) * Copyright 2011-2014 Twitter, Inc. * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) //! * Generated using the Bootstrap Customizer (http://getbootstrap.com/customize/?i
2025-01-09 07:39:28 UTC	16384	IN	Data Raw: 6c 6f 72 3a 23 37 37 37 7d 2e 66 6f 72 6d 2d 63 6f 6e 74 72 6f 6c 3a 3a 2d 77 65 62 6b 69 74 2d 69 6e 70 75 74 2d 70 6c 61 63 65 68 6f 6c 64 65 72 7b 63 6f 6c 6f 72 3a 23 37 37 37 7d 2e 66 6f 72 6d 2d 63 6f 6e 74 72 6f 6c 5b 64 69 73 61 62 6c 65 64 5d 2c 2e 66 6f 72 6d 2d 63 6f 6e 74 72 6f 6c 5b 72 65 61 64 6f 6e 6c 79 5d 2c 66 69 65 6c 64 73 65 74 5b 64 69 73 61 62 6c 65 64 5d 20 2e 66 6f 72 6d 2d 63 6f 6e 74 72 6f 6c 7b 63 75 72 73 6f 72 3a 6e 6f 74 2d 61 6c 6c 6f 77 65 64 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 65 65 65 3b 6f 70 61 63 69 74 79 3a 31 7d 74 65 78 74 61 72 65 61 2e 66 6f 72 6d 2d 63 6f 6e 74 72 6f 6c 7b 68 65 69 67 68 74 3a 61 75 74 6f 7d 69 6e 70 75 74 5b 74 79 70 65 3d 22 73 65 61 72 63 68 22 5d 7b 2d 77 65 62 6b 69 74 Data Ascii: lor:#777}.form-control::-webkit-input-placeholder{color:#777}.form-control[disabled],.form-control[readonly],fieldset[disabled] .form-control{cursor:not-allowed;background-color:#eee;opacity:1}textarea.form-control{height:auto}input[type="search"]{-webkit
2025-01-09 07:39:28 UTC	10134	IN	Data Raw: 74 3a 30 7d 2e 6e 61 76 62 61 72 2d 66 6f 72 6d 20 2e 72 61 64 69 6f 20 69 6e 70 75 74 5b 74 79 70 65 3d 22 72 61 64 69 6f 22 5d 2c 2e 6e 61 76 62 61 72 2d 66 6f 72 6d 20 2e 63 68 65 63 6b 62 6f 78 20 69 6e 70 75 74 5b 74 79 70 65 3d 22 63 68 65 63 6b 62 6f 78 22 5d 7b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 30 7d 2e 6e 61 76 62 61 72 2d 66 6f 72 6d 20 2e 68 61 73 2d 66 65 65 64 62 61 63 6b 20 2e 66 6f 72 6d 2d 63 6f 6e 74 72 6f 6c 2d 66 65 65 64 62 61 63 6b 7b 74 6f 70 3a 30 7d 7d 40 6d 65 64 69 61 20 28 6d 61 78 2d 77 69 64 74 68 3a 30 29 7b 2e 6e 61 76 62 61 72 2d 66 6f 72 6d 20 2e 66 6f 72 6d 2d 67 72 6f 75 70 7b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 35 70 78 7d 7d 40 6d 65 64 69 61 20 28 6d 69 6e Data Ascii: t:0}.navbar-form .radio input[type="radio"],.navbar-form .checkbox input[type="checkbox"]{position:relative;margin-left:0}.navbar-form .has-feedback .form-control-feedback{top:0}}@media (max-width:0){.navbar-form .form-group{margin-bottom:5px}}@media (min

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49721	149.154.167.99	443	2072	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 07:39:28 UTC	534	OUT	GET /css/telegram.css?242 HTTP/1.1 Host: telegram.org Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: text/css,/;q=0.1 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: style Referer: https://t.me/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-09 07:39:28 UTC	381	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Thu, 09 Jan 2025 07:39:28 GMT Content-Type: text/css Content-Length: 115228 Last-Modified: Thu, 28 Nov 2024 20:13:47 GMT Connection: close ETag: "6748cefb-1c21c" Expires: Mon, 13 Jan 2025 07:39:28 GMT Cache-Control: max-age=345600 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Accept-Ranges: bytes
2025-01-09 07:39:28 UTC	16003	IN	Data Raw: 62 6f 64 79 20 7b 0a 20 20 66 6f 6e 74 3a 20 31 32 70 78 2f 31 38 70 78 20 22 4c 75 63 69 64 61 20 47 72 61 6e 64 65 22 2c 20 22 4c 75 63 69 64 61 20 53 61 6e 73 20 55 6e 69 63 6f 64 65 22 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 2f 2a 2d 77 65 62 6b 69 74 2d 66 6f 6e 74 2d 73 6d 6f 6f 74 68 69 6e 67 3a 20 61 6e 74 69 61 6c 69 61 73 65 64 3b 2a 2f 0a 7d 0a 68 74 6d 6c 2e 6e 61 74 69 76 65 5f 66 6f 6e 74 73 20 62 6f 64 79 20 7b 0a 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 Data Ascii: body { font: 12px/18px "Lucida Grande", "Lucida Sans Unicode", Arial, Helvetica, Verdana, sans-serif; /-webkit-font-smoothing: antialiased;/}html.native_fonts body { font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica,
2025-01-09 07:39:28 UTC	16384	IN	Data Raw: 20 61 75 74 6f 3b 0a 7d 0a 2e 74 6c 5f 6d 61 69 6e 5f 64 6f 77 6e 6c 6f 61 64 5f 6c 69 6e 6b 20 7b 0a 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 64 69 73 70 6c 61 79 3a 20 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 0a 20 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 0a 20 20 70 61 64 64 69 6e 67 2d 74 6f 70 3a 20 32 36 32 70 78 3b 0a 20 20 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 20 32 30 70 78 3b 0a 20 20 6d 61 72 67 69 6e 3a 20 34 30 70 78 20 30 3b 0a 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 35 70 78 3b 0a 20 20 6d 61 78 2d 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0a 7d 0a 61 2e 74 6c 5f 6d 61 69 6e 5f 64 6f 77 6e 6c 6f 61 64 5f 6c 69 6e 6b 3a 68 6f 76 65 72 20 7b Data Ascii: auto;}.tl_main_download_link { text-align: center; display: inline-block; height: 300px; padding-top: 262px; padding-bottom: 20px; margin: 40px 0; font-size: 15px; max-width: 100%; position: relative;}a.tl_main_download_link:hover {
2025-01-09 07:39:28 UTC	16384	IN	Data Raw: 6e 74 65 6e 74 20 69 6d 67 2e 65 6d 6f 6a 69 20 7b 0a 20 20 2d 77 65 62 6b 69 74 2d 75 73 65 72 2d 64 72 61 67 3a 20 6e 6f 6e 65 3b 0a 20 20 75 73 65 72 2d 64 72 61 67 3a 20 6e 6f 6e 65 3b 0a 20 20 63 75 72 73 6f 72 3a 20 74 65 78 74 3b 0a 7d 0a 2e 64 65 76 5f 70 61 67 65 5f 62 72 65 61 64 5f 63 72 75 6d 62 73 20 2e 62 72 65 61 64 63 72 75 6d 62 20 7b 0a 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 31 30 70 78 3b 0a 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 30 3b 0a 7d 0a 23 64 65 76 5f 70 61 67 65 5f 74 69 74 6c 65 20 7b 0a 20 20 70 6f 73 69 74 69 6f 6e 3a 20 73 74 61 74 69 63 3b 0a 7d 0a 0a 2e 64 65 76 5f 70 61 67 65 5f 68 65 61 64 20 2e 64 65 76 5f 70 61 67 65 5f 68 65 61 64 5f 6c 6f 67 6f 20 7b 0a 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 Data Ascii: ntent img.emoji { -webkit-user-drag: none; user-drag: none; cursor: text;}.dev_page_bread_crumbs .breadcrumb { margin-bottom: 10px; border-radius: 0;}#dev_page_title { position: static;}.dev_page_head .dev_page_head_logo { margin-left
2025-01-09 07:39:28 UTC	16384	IN	Data Raw: 65 78 74 66 69 65 6c 64 2d 69 74 65 6d 20 69 6e 70 75 74 2e 66 6f 72 6d 2d 63 6f 6e 74 72 6f 6c 3a 66 6f 63 75 73 3a 3a 2d 6d 6f 7a 2d 70 6c 61 63 65 68 6f 6c 64 65 72 20 7b 0a 20 20 63 6f 6c 6f 72 3a 20 23 63 63 63 3b 0a 20 20 63 6f 6c 6f 72 3a 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 36 29 3b 0a 7d 0a 2e 74 65 78 74 66 69 65 6c 64 2d 69 74 65 6d 20 69 6e 70 75 74 2e 66 6f 72 6d 2d 63 6f 6e 74 72 6f 6c 3a 66 6f 63 75 73 3a 2d 6d 73 2d 69 6e 70 75 74 2d 70 6c 61 63 65 68 6f 6c 64 65 72 20 7b 0a 20 20 63 6f 6c 6f 72 3a 20 23 63 63 63 3b 0a 20 20 63 6f 6c 6f 72 3a 20 72 67 62 61 28 30 2c 30 2c 30 2c 2e 32 36 29 3b 0a 7d 0a 2e 74 65 78 74 66 69 65 6c 64 2d 69 74 65 6d 2d 65 72 72 6f 72 20 7b 0a 20 20 63 6f 6c 6f 72 3a 20 23 64 34 35 61 35 38 3b 0a 20 20 70 Data Ascii: extfield-item input.form-control:focus::-moz-placeholder { color: #ccc; color: rgba(0,0,0,.26);}.textfield-item input.form-control:focus:-ms-input-placeholder { color: #ccc; color: rgba(0,0,0,.26);}.textfield-item-error { color: #d45a58; p
2025-01-09 07:39:28 UTC	16384	IN	Data Raw: 20 69 6d 67 20 7b 0a 20 20 77 69 64 74 68 3a 20 32 37 35 70 78 3b 0a 20 20 70 61 64 64 69 6e 67 3a 20 31 30 70 78 20 35 70 78 3b 0a 7d 0a 2e 62 6c 6f 67 5f 6d 65 64 69 75 6d 5f 69 6d 61 67 65 5f 77 72 61 70 2c 0a 2e 62 6c 6f 67 5f 6d 65 64 69 75 6d 5f 69 6d 61 67 65 5f 77 72 61 70 20 69 6d 67 20 7b 0a 20 20 77 69 64 74 68 3a 20 34 30 30 70 78 3b 0a 7d 0a 0a 2e 62 6c 6f 67 5f 77 69 64 65 5f 69 6d 61 67 65 5f 77 72 61 70 2c 0a 2e 62 6c 6f 67 5f 77 69 64 65 5f 69 6d 61 67 65 5f 77 72 61 70 20 69 6d 67 20 7b 0a 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 6d 61 78 2d 77 69 64 74 68 3a 20 61 75 74 6f 3b 0a 7d 0a 23 64 65 76 5f 70 61 67 65 5f 63 6f 6e 74 65 6e 74 20 2e 62 6c 6f 67 5f 69 6d 61 67 65 5f 77 72 61 70 20 70 2c 0a 23 64 65 76 5f 70 61 67 65 5f Data Ascii: img { width: 275px; padding: 10px 5px;}.blog_medium_image_wrap,.blog_medium_image_wrap img { width: 400px;}.blog_wide_image_wrap,.blog_wide_image_wrap img { width: 100%; max-width: auto;}#dev_page_content .blog_image_wrap p,#dev_page_
2025-01-09 07:39:28 UTC	16384	IN	Data Raw: 75 6e 64 3a 20 23 35 64 63 33 39 30 3b 0a 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 32 32 70 78 3b 0a 20 20 6f 76 65 72 66 6c 6f 77 3a 20 68 69 64 64 65 6e 3b 0a 20 20 64 69 73 70 6c 61 79 3a 20 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 0a 20 20 70 61 64 64 69 6e 67 3a 20 31 33 70 78 20 32 34 70 78 3b 0a 20 20 68 65 69 67 68 74 3a 20 34 32 70 78 3b 0a 20 20 74 65 78 74 2d 74 72 61 6e 73 66 6f 72 6d 3a 20 75 70 70 65 72 63 61 73 65 3b 0a 20 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 20 74 6f 70 3b 0a 7d 0a 61 2e 74 67 6d 65 5f 61 63 74 69 6f 6e 5f 62 75 74 74 6f 6e 3a 68 6f 76 65 72 2c 0a 61 2e 74 67 6d 65 5f 61 63 74 69 6f 6e 5f 62 75 74 74 6f 6e 3a 61 63 74 69 76 65 2c 0a 61 2e 74 67 6d 65 5f 61 63 74 69 6f 6e 5f 62 75 74 74 6f 6e 5f 6e 65 77 Data Ascii: und: #5dc390; border-radius: 22px; overflow: hidden; display: inline-block; padding: 13px 24px; height: 42px; text-transform: uppercase; vertical-align: top;}a.tgme_action_button:hover,a.tgme_action_button:active,a.tgme_action_button_new
2025-01-09 07:39:28 UTC	16384	IN	Data Raw: 68 6f 77 5f 61 6c 6c 5f 70 6c 61 74 66 6f 72 6d 73 20 7b 0a 20 20 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 0a 7d 0a 2e 74 64 5f 61 6c 6c 5f 73 68 6f 77 6e 20 73 70 61 6e 2e 74 64 5f 62 74 6e 5f 68 69 64 64 65 6e 20 7b 0a 20 20 64 69 73 70 6c 61 79 3a 20 69 6e 6c 69 6e 65 3b 0a 7d 0a 2e 74 64 5f 61 6c 6c 5f 73 68 6f 77 6e 20 64 69 76 2e 74 64 5f 62 74 6e 5f 68 69 64 64 65 6e 20 7b 0a 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 7d 0a 2e 74 64 5f 63 6f 6e 74 65 6e 74 5f 77 72 61 70 20 7b 0a 20 20 77 69 64 74 68 3a 20 34 32 30 70 78 3b 0a 20 20 6d 61 72 67 69 6e 3a 20 30 20 61 75 74 6f 3b 0a 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 36 70 78 3b 0a 7d 0a 2e 74 64 5f 63 6f 6e 74 65 6e 74 5f 74 69 74 6c 65 20 7b 0a 20 20 66 6f 6e 74 2d 73 69 7a 65 3a Data Ascii: how_all_platforms { display: none;}.td_all_shown span.td_btn_hidden { display: inline;}.td_all_shown div.td_btn_hidden { display: block;}.td_content_wrap { width: 420px; margin: 0 auto; font-size: 16px;}.td_content_title { font-size:
2025-01-09 07:39:28 UTC	921	IN	Data Raw: 20 7d 0a 20 20 2e 62 6c 6f 67 5f 32 69 6d 61 67 65 73 5f 77 72 61 70 20 2e 62 6c 6f 67 5f 69 6d 61 67 65 5f 77 72 61 70 2c 0a 20 20 2e 62 6c 6f 67 5f 33 69 6d 61 67 65 73 5f 77 72 61 70 20 2e 62 6c 6f 67 5f 69 6d 61 67 65 5f 77 72 61 70 20 7b 0a 20 20 20 20 66 6c 6f 61 74 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 32 30 70 78 20 30 20 32 30 70 78 3b 0a 20 20 7d 0a 7d 0a 0a 40 6d 65 64 69 61 20 28 6d 61 78 2d 77 69 64 74 68 3a 20 33 34 30 70 78 29 20 7b 0a 20 20 2e 74 6c 5f 6d 61 69 6e 5f 64 6f 77 6e 6c 6f 61 64 5f 69 6d 61 67 65 5f 5f 61 6e 64 72 6f 69 64 20 7b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 2d 31 30 39 70 78 20 30 20 30 20 2d 31 30 31 70 78 3b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 73 69 7a 65 3a 20 31 39 36 70 78 20 31 Data Ascii: } .blog_2images_wrap .blog_image_wrap, .blog_3images_wrap .blog_image_wrap { float: none; margin: 20px 0 20px; }}@media (max-width: 340px) { .tl_main_download_image__android { margin: -109px 0 0 -101px; background-size: 196px 1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49718	149.154.167.99	443	2072	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 07:39:28 UTC	523	OUT	GET /js/tgwallpaper.min.js?3 HTTP/1.1 Host: telegram.org Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://t.me/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-09 07:39:28 UTC	391	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Thu, 09 Jan 2025 07:39:28 GMT Content-Type: application/javascript Content-Length: 2979 Last-Modified: Thu, 03 Mar 2022 19:57:25 GMT Connection: close ETag: "62211da5-ba3" Expires: Mon, 13 Jan 2025 07:39:28 GMT Cache-Control: max-age=345600 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Accept-Ranges: bytes
2025-01-09 07:39:28 UTC	2979	IN	Data Raw: 76 61 72 20 54 57 61 6c 6c 70 61 70 65 72 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 66 75 6e 63 74 69 6f 6e 20 78 28 61 29 7b 66 6f 72 28 76 61 72 20 62 3d 5b 5d 2e 63 6f 6e 63 61 74 28 47 29 3b 30 3c 61 3b 29 62 2e 70 75 73 68 28 62 2e 73 68 69 66 74 28 29 29 2c 61 2d 2d 3b 61 3d 5b 5d 3b 66 6f 72 28 76 61 72 20 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 3d 32 29 61 2e 70 75 73 68 28 62 5b 63 5d 29 3b 72 65 74 75 72 6e 20 61 7d 66 75 6e 63 74 69 6f 6e 20 42 28 61 2c 62 29 7b 62 25 3d 39 30 3b 76 61 72 20 63 3d 78 28 61 25 70 29 3b 69 66 28 62 29 7b 76 61 72 20 64 3d 78 28 2b 2b 61 25 70 29 3b 72 65 74 75 72 6e 5b 7b 78 3a 63 5b 30 5d 2e 78 2b 28 64 5b 30 5d 2e 78 2d 63 5b 30 5d 2e 78 29 2f 39 30 2a 62 2c 79 3a 63 5b 30 5d 2e 79 2b 28 64 5b 30 5d 2e 79 Data Ascii: var TWallpaper=function(){function x(a){for(var b=[].concat(G);0<a;)b.push(b.shift()),a--;a=[];for(var c=0;c<b.length;c+=2)a.push(b[c]);return a}function B(a,b){b%=90;var c=x(a%p);if(b){var d=x(++a%p);return[{x:c[0].x+(d[0].x-c[0].x)/90*b,y:c[0].y+(d[0].y

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49725	34.111.35.152	443	2072	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 07:39:28 UTC	696	OUT	GET /file/s3vCUVV1oFSCO-dE5CqAY7IgPiKpdP2z8zxQN72D_TT9z56ahyE0msKqmuM_tk2PSEmQvnQwUvZb1H5LTpaO8JEmhF-5-DzRJn0IlgPUduazk5LN5P7paldIt115IoTuBIfpLYc9IcyeP_A6RfZJrgNinKpPj_KVprinZI2XeGxYV-Oc0kv7FigdkzDmuIUo82gNjtBCwxGg4jGao68ygfD4hQmU5yHjzaetNKqe2slF0f4nvrf0N7_9vCVoXLLhOJ2zVr1x-Jyq6PLsYys0HxH7NN2KH5LN_sO1jucDXW-MlsW7Iv6_BhYjfO3Mc2eDr_gKM9-O3DknTg7q8Q2omQ.jpg HTTP/1.1 Host: cdn4.cdn-telegram.org Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-09 07:39:28 UTC	685	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Content-Length: 24842 Access-Control-Allow-Origin: * X-Content-Type-Options: nosniff Content-Security-Policy: default-src 'none'; sandbox X-Frame-Options: DENY X-Xss-Protection: 1; mode=block Access-Control-Expose-Headers: Accept-Ranges, Content-Range, Content-Length Accept-Ranges: bytes Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Accept-Ranges: bytes Via: 1.1 google Date: Thu, 09 Jan 2025 07:31:48 GMT Cache-Control: public,max-age=7200 ETag: "0ad5b51448dae3b6826b23a40f1a54544dbb0d95" Content-Type: image/jpeg Age: 460 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2025-01-09 07:39:28 UTC	705	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 60 00 60 00 00 ff e2 01 db 49 43 43 5f 50 52 4f 46 49 4c 45 00 01 01 00 00 01 cb 00 00 00 00 02 40 00 00 6d 6e 74 72 52 47 42 20 58 59 5a 20 00 00 00 00 00 00 00 00 00 00 00 00 61 63 73 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 f6 d6 00 01 00 00 00 00 d3 2d 51 74 05 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 72 58 59 5a 00 00 00 f0 00 00 00 14 67 58 59 5a 00 00 01 04 00 00 00 14 62 58 59 5a 00 00 01 18 00 00 00 14 77 74 70 74 00 00 01 2c 00 00 00 14 63 70 72 74 00 00 01 40 00 00 00 0c 72 54 52 43 00 00 01 4c 00 00 00 20 67 54 52 43 00 00 01 4c 00 00 00 20 62 Data Ascii: JFIF``ICC_PROFILE@mntrRGB XYZ acsp-QtrXYZgXYZbXYZwtpt,cprt@rTRCL gTRCL b
2025-01-09 07:39:28 UTC	1390	IN	Data Raw: 03 00 01 02 03 04 00 05 11 06 21 07 12 31 41 08 13 51 61 22 32 71 81 14 91 09 15 23 42 52 a1 b1 c1 33 62 72 82 d1 16 24 e1 17 34 43 25 92 f0 f1 53 63 b2 ff c4 00 1c 01 00 00 07 01 01 00 00 00 00 00 00 00 00 00 00 00 00 01 02 04 06 07 08 03 05 ff c4 00 38 11 00 01 03 03 03 02 04 04 06 00 04 07 00 00 00 00 01 00 02 03 04 11 21 05 06 31 12 41 13 22 51 61 14 32 71 b1 42 81 91 a1 c1 e1 23 24 52 d1 07 25 33 72 b2 f0 f1 ff da 00 0c 03 01 00 02 11 03 11 00 3f 00 e9 ce 71 56 e0 fa ff 00 2a 31 3d 2a ee c2 9e 20 8b 04 81 d6 aa 46 d4 06 0f 6a ba 82 3b 22 ea a3 e6 15 76 05 57 18 a0 89 0a 19 cd 0c 66 86 31 41 04 28 50 a1 41 04 28 50 a1 41 04 2a 98 15 5a bf 02 82 0a cc 62 85 5f ca 28 60 7a 50 41 16 a3 81 50 97 19 38 bb 66 e1 77 0f 9d 97 21 d4 bf 78 7c 14 c1 8a 93 f1 29 Data Ascii: !1AQa"2q#BR3br$4C%Sc8!1A"Qa2qB#$R%3r?qV1= Fj;"vWf1A(PA(PA*Zb_(`zPAP8fw!x\|)
2025-01-09 07:39:28 UTC	1390	IN	Data Raw: 1e 38 2a 55 a3 6b 33 e9 15 01 cd 37 61 e4 76 5e 80 86 c2 85 0a 15 99 16 a8 01 0c e6 ab 8c d5 a0 60 f5 a3 46 c2 8c e5 0b ab 40 de ae a1 42 89 25 0a 14 2a a0 13 d2 82 0a 94 6a 3e 43 f5 ab 39 15 e9 46 24 10 9a 31 ca 0a ea a8 00 8c 9a a5 53 3f 0e fb 1e c3 b9 fa 52 bb d8 72 50 b8 19 3c 2b b0 9c 81 5a fd c6 ee 38 59 f8 5b a4 64 30 d3 8d cd d4 4f 24 a6 34 5e 6c f2 92 3a ab d0 55 9c 6f e3 b5 8f 85 ba 59 d8 cc ba 89 9a 91 e0 50 c4 64 9c 96 ce 3e 65 7b 57 32 2c 16 6d 7d e2 0b c4 1f e0 a2 b4 ed c2 eb 31 ce 67 de 59 3e 5c 46 b3 92 b5 76 09 03 35 60 e8 9a 08 99 9f 15 5b e5 89 b9 b9 c5 ec ab 5d 7b 5e 74 6e f8 3a 2f 34 a7 18 ed fd ac 44 35 c4 1e 38 f1 ac 35 12 3c 9b fd e6 5a 89 21 a0 4a 18 4f 6c f6 48 15 d4 3e 02 78 47 d2 fa 0f 4e 46 bc eb d8 6d 5f 35 53 a7 9c 45 58 e6 Data Ascii: 8Uk37av^`F@B%j>C9F$1S?RrP<+Z8Y[d0O$4^l:UoYPd>e{W2,m}1gY>\Fv5`[]{^tn:/4D585<Z!JOlH>xGNFm_5SEX
2025-01-09 07:39:28 UTC	1390	IN	Data Raw: f5 47 05 f5 2b 7d d4 49 de 9d f0 99 0d 5b 5b 6c 6d 84 e0 8a 4b 8e 10 44 38 df c4 36 df 04 1a c6 92 d6 60 b6 a1 9e 64 8f ef 4a 6b 4e fb d1 2b 48 e5 29 ea 08 a5 02 2c 82 c5 5a 4a 9b c1 f4 14 9a f3 24 73 01 9c 1e d4 b8 50 02 07 d2 b1 d4 d7 32 ba d0 04 21 72 32 16 93 f8 b3 e0 64 6e 28 70 4a 65 de db 0d 2b d5 f6 76 54 e4 35 21 3f 1b e8 1b 96 ff 00 bd 70 c6 64 49 10 ee 6f c5 92 d2 99 90 ca ca 1c 42 c6 0a 54 0e 08 c5 7a 93 9b 13 fe cd c2 94 0e 71 ed da b4 3b 8c 7e 08 f4 87 10 6e 77 4d 47 a5 a7 ab 4d 6a 09 47 cc 52 14 8e 68 ee 2c fa 81 b8 cd 5a 9b 5b 72 c7 42 c3 4b 52 7c 9d 8f 36 f6 55 3e e6 db 52 57 bb e2 a9 47 9f f1 0e 2f ee b8 aa 46 6a d2 31 52 77 13 38 4b ad 78 55 ac 9d b4 6a 6b 52 d8 21 44 37 21 3b b4 e0 f5 4a bb 8a 8c 49 cf d6 af 78 a6 86 a2 21 2c 66 e0 aa Data Ascii: G+}I[[lmKD86`dJkN+H),ZJ$sP2!r2dn(pJe+vT5!?pdIoBTzq;~nwMGMjGRh,Z[rBKR\|6U>RWG/Fj1Rw8KxUjkR!D7!;JIx!,f
2025-01-09 07:39:28 UTC	1390	IN	Data Raw: 20 18 a4 67 fd a6 9e 92 5b 1c 9b 8d bd 69 b9 71 69 2b 6d d0 46 c5 bc 52 91 26 cc e7 11 1e 2c 48 88 27 90 36 09 f6 00 00 29 29 00 3b 21 4a 19 1d 85 17 3e 5f 9b 76 71 29 dc 25 b4 b6 9f e7 56 b0 b5 ae 61 42 39 42 1a 4f 20 24 f5 3f f8 a5 84 16 51 5a 5f ba b3 01 27 95 a2 e7 c5 95 64 90 93 cc a2 3d 81 c2 69 eb 6f 2b 7a e4 14 7a 2c fc b8 d8 24 7f e7 34 c5 b0 27 f1 37 99 f3 49 fd 9a bf 62 c1 50 df cb 49 c9 fc d4 4a be e2 a4 48 09 4b 6e 15 6f 84 8f 84 0a 23 ca 09 7d 4a 49 74 e4 fc b8 ab 4b 83 73 da 98 9a ab 5c d9 b4 c0 61 a9 b3 1b 62 54 8d d0 8c 85 38 ad f0 4f 28 ed bf 5a 69 dd 38 b5 61 b6 a6 1a 1c 95 ce a7 72 08 38 00 81 d7 72 7f 2f 5a 41 20 2e 8d 8d ee e0 29 95 25 21 43 e2 1f 11 fe 74 7f 9e df 75 00 7d 2a 0e 56 b5 b8 5c f9 1d b4 25 a6 18 f2 87 93 e6 10 a2 54 ae Data Ascii: g[iqi+mFR&,H'6));!J>_vq)%VaB9BO $?QZ_'d=io+zz,$4'7IbPIJHKno#}JItKs\abT8O(Zi8ar8r/ZA .)%!Ctu}*V\%T
2025-01-09 07:39:28 UTC	1390	IN	Data Raw: fc d0 b9 bc 95 72 ba c4 86 94 d3 a7 b6 7e 21 fd 2b 48 38 7d aa fc 4d de ae da 66 36 96 bd 5c e5 bb 2e e6 ed 9e d4 89 2e 94 b0 f4 d2 82 b5 c7 f3 15 94 79 a0 74 41 fa 56 c8 70 ef 52 de ee 9a 92 66 95 e2 fe 85 55 b6 f9 0d 41 80 f4 f8 a5 2b 79 c1 ba d2 a3 d1 2b df 20 83 f1 03 4a 2c 91 9f 32 e5 04 f1 cc eb 05 d1 2d 0f e3 1a d9 a9 a7 b5 6e b8 58 55 16 5a 94 12 42 1e 03 39 fb 56 df 45 b8 33 22 2b 6f 27 64 38 80 b0 7e a2 b9 ff 00 c3 3e 15 70 fa 4d fe 3d d6 d9 19 f8 72 5b 57 32 99 0f f3 0e be fb d6 f0 c1 42 9a b7 36 82 7e 14 27 09 07 b0 ae 7d 4b ac d1 c6 d1 80 90 78 9d c5 0b 57 0d b8 7e e5 fe e2 c9 94 84 ba 96 90 d2 0e 15 93 d4 fd ab 44 75 bf 8c 6b fd d1 84 23 49 c3 62 d6 5c 77 e0 75 c4 f9 ae 29 03 a6 12 3b a8 f7 f6 a9 b7 c4 c6 b2 e1 96 9f e1 9b ef f1 2a 72 91 6a Data Ascii: r~!+H8}Mf6\..ytAVpRfUA+y+ J,2-nXUZB9VE3"+o'd8~>pM=r[W2B6~'}KxW~Duk#Ib\wu);*rj
2025-01-09 07:39:28 UTC	1390	IN	Data Raw: c3 fe 1a 6d b1 4d 7e 21 db 83 00 12 9f 33 18 4a 1c 4a b0 52 e2 49 29 03 1b 8a 74 5b f4 75 be 3c 94 ac 35 8e 53 f0 a7 27 02 9e 08 88 88 8c f2 36 9e 54 f4 a7 0e 91 d2 1f 32 62 d8 e2 83 31 85 07 e9 6d 26 de 9c e2 14 84 42 79 c7 20 87 3e 00 af 4f 7a d9 96 50 c0 d2 4b 90 b4 73 2d 09 ce c7 75 00 2a 3b 54 56 9b bb 73 f9 78 a9 0a 19 0e 69 c7 1a 56 e8 29 e9 4d d2 9e e2 ec 95 cb 6f 16 fe 1d b8 85 c4 db d5 93 51 69 d4 7f d4 36 96 e0 3e 2e f1 22 cf 69 12 d8 79 dc 10 eb 6d b8 52 15 80 39 31 9d 80 18 a6 47 85 18 37 be 1d 71 9e f3 a8 78 a2 c4 2d 05 a6 ed 7a 41 3a 79 bb 77 ea af 22 55 e1 41 41 4d ba e3 4d 73 a5 c5 80 14 54 b3 dc 8a e9 cc fb 0c 79 a1 48 53 3c e9 00 84 e7 7a 69 37 a1 d4 cd c3 38 6d c6 9c 39 29 52 72 53 b7 4e 6e b4 e4 4e e6 37 a4 0c 26 9f 0f 13 dd d4 e3 95 Data Ascii: mM~!3JJRI)t[u<5S'6T2b1m&By >OzPKs-u*;TVsxiV)MoQi6>."iymR91G7qx-zA:yw"UAAMMsTyHS<zi78m9)RrSNnN7&
2025-01-09 07:39:28 UTC	1390	IN	Data Raw: 1d 1d 11 9e 9b 29 7f 0a 90 02 5a 24 e3 75 0d 93 f5 c5 38 85 b6 b9 5c e5 70 03 0b 64 b4 ab 09 0b 9d 2b 00 0c 86 d0 47 70 07 fc d4 8e d2 0e 52 12 36 c0 cd 33 6c cd a5 8d 3d 19 90 90 92 ae 52 b2 3f 33 4f 58 a5 4a 68 29 5d 54 33 8f 6e d4 e5 78 26 f7 28 8b 83 7c d1 4a 00 c9 29 a8 a6 53 7e 5c c7 10 7b 2a a5 c9 5b 90 33 d0 54 69 7a 68 22 ec a5 01 f3 1d e8 22 48 85 29 00 d6 3b 8d 85 b4 e3 6b 00 a5 40 e4 1a cb c1 ab 14 06 3a 51 82 5a 6e 11 10 08 b1 ca e7 af 89 cf 0d ad dd 2d f3 35 c6 8d 86 05 c9 b4 95 cc 86 da 71 e6 a4 6e 54 3d eb 99 8b 65 6d b8 b4 3a da 9b 71 07 0b 42 86 0a 4f 70 6b d1 6c 94 21 d6 dc 43 88 0b 4a d3 ca a0 47 51 5c e1 f1 2b e1 a9 ef c5 4b d7 5a 22 26 42 89 72 74 26 93 81 ee 52 2a e0 db 5b 8a c1 b4 95 2e fa 12 a9 7d cf b6 ad d5 59 48 3d dc 07 dd 73 Data Ascii: )Z$u8\pd+GpR63l=R?3OXJh)]T3nx&(\|J)S~\{[3Tizh""H);k@:QZn-5qnT=em:qBOpkl!CJGQ\+KZ"&Brt&R[.}YH=s
2025-01-09 07:39:28 UTC	1390	IN	Data Raw: 9c a9 44 fb 57 50 fc 37 78 69 63 4b 5b 23 6b 0d 61 1d 2f df 1d 48 5c 76 1c 46 44 74 9f 6f e2 ac 8f 0d 5e 1b 58 d3 16 68 9a b7 57 46 0f df 57 fb 46 23 b8 9d a3 83 d3 39 ef 5b ce db 41 0d 04 8c 0d b1 b5 37 dc 5b 90 49 7a 5a 53 8e e7 d7 e8 9c ed bd b4 63 b5 55 50 b9 ec 3d 3d ca f3 88 a5 11 93 d4 fb d5 bc e7 b6 05 5a 77 34 2a f1 c9 54 90 0a a3 e6 14 71 dc 51 14 61 d8 d7 56 37 28 88 ba bd 3f 27 de 8e 07 07 1e b4 4a 7e 5f bd 5e 37 3f 4a 47 2f 2b 99 59 f0 51 e6 5e e3 23 1c c1 4b 03 15 e8 13 80 31 4c 1f 0c f6 06 d4 b0 a2 84 25 2a 20 63 a2 47 fc d7 05 74 9c 4f c6 f1 0a da ce 32 14 f2 41 f5 ea 2b d0 67 0b 62 a2 df e1 e7 4e 34 82 a5 07 1b 2e 15 28 6e 79 95 de aa 7d f0 f1 e0 31 be a5 5a db 15 84 d6 c8 ff 00 40 a6 3b 58 e6 82 95 67 23 b5 2e a7 95 25 20 f7 e9 48 96 93 Data Ascii: DWP7xicK[#ka/H\vFDto^XhWFWF#9[A7[IzZScUP==Zw4TqQaV7(?'J~_^7?JG/+YQ^#K1L% cGtO2A+gbN4.(ny}1Z@;Xg#.% H
2025-01-09 07:39:28 UTC	1390	IN	Data Raw: 49 5f d5 c2 2e 28 21 73 b8 69 79 98 1c 8f 35 b5 82 bb 14 b2 39 51 2d 85 1e 8d 92 47 38 fb 9e f5 26 a6 d3 a7 ad d3 5d 2c 3f 33 39 f7 5e 77 c6 c3 4d 58 d8 e6 e1 cb 66 f5 72 e4 eb 4b d3 53 e6 38 a9 0e 18 8d b0 f2 dc f9 96 a6 c7 28 5f dd 38 cf d2 a1 bb ce 86 71 a2 b5 b2 df 7c 8c 56 e1 de 34 05 c7 48 5f 59 8b 70 42 25 c1 7d 05 76 eb a3 00 29 89 ad f6 29 23 60 ac 7c c9 3f 51 90 6b 05 fd 36 89 30 95 fb 1e 74 9e 98 4e 6a 16 ef 11 8f 2d 7f 2a 7b 17 86 f8 c1 67 0b 48 23 db a7 da 6e 88 79 0b 71 87 52 7e 07 1b 3c aa 4f b8 3d aa 7d d1 3c 52 be 5a 5c 8e d5 d9 0f 4b 63 60 64 b3 8f 37 db 99 3d 15 f6 c5 39 ee 3a 0d 06 42 9c 0d 9c 7a 72 d5 6d da 11 0b 70 a7 93 1b e7 38 a2 ea 4b 2d 5b 2d a3 b8 9d 6e 99 19 b7 9b 94 db a8 ef c8 0e 53 f5 49 dc 1a d8 4b 1e b0 81 26 32 08 78 15 Data Ascii: I_.(!siy59Q-G8&],?39^wMXfrKS8(_8q\|V4H_YpB%}v))#`\|?Qk60tNj-*{gH#nyqR~<O=}<RZ\Kc`d7=9:Bzrmp8K-[-nSIK&2x

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49727	149.154.167.99	443	2072	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 07:39:29 UTC	359	OUT	GET /js/tgwallpaper.min.js?3 HTTP/1.1 Host: telegram.org Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-09 07:39:29 UTC	391	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Thu, 09 Jan 2025 07:39:29 GMT Content-Type: application/javascript Content-Length: 2979 Last-Modified: Thu, 03 Mar 2022 19:57:25 GMT Connection: close ETag: "62211da5-ba3" Expires: Mon, 13 Jan 2025 07:39:29 GMT Cache-Control: max-age=345600 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Accept-Ranges: bytes
2025-01-09 07:39:29 UTC	2979	IN	Data Raw: 76 61 72 20 54 57 61 6c 6c 70 61 70 65 72 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 66 75 6e 63 74 69 6f 6e 20 78 28 61 29 7b 66 6f 72 28 76 61 72 20 62 3d 5b 5d 2e 63 6f 6e 63 61 74 28 47 29 3b 30 3c 61 3b 29 62 2e 70 75 73 68 28 62 2e 73 68 69 66 74 28 29 29 2c 61 2d 2d 3b 61 3d 5b 5d 3b 66 6f 72 28 76 61 72 20 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 3d 32 29 61 2e 70 75 73 68 28 62 5b 63 5d 29 3b 72 65 74 75 72 6e 20 61 7d 66 75 6e 63 74 69 6f 6e 20 42 28 61 2c 62 29 7b 62 25 3d 39 30 3b 76 61 72 20 63 3d 78 28 61 25 70 29 3b 69 66 28 62 29 7b 76 61 72 20 64 3d 78 28 2b 2b 61 25 70 29 3b 72 65 74 75 72 6e 5b 7b 78 3a 63 5b 30 5d 2e 78 2b 28 64 5b 30 5d 2e 78 2d 63 5b 30 5d 2e 78 29 2f 39 30 2a 62 2c 79 3a 63 5b 30 5d 2e 79 2b 28 64 5b 30 5d 2e 79 Data Ascii: var TWallpaper=function(){function x(a){for(var b=[].concat(G);0<a;)b.push(b.shift()),a--;a=[];for(var c=0;c<b.length;c+=2)a.push(b[c]);return a}function B(a,b){b%=90;var c=x(a%p);if(b){var d=x(++a%p);return[{x:c[0].x+(d[0].x-c[0].x)/90*b,y:c[0].y+(d[0].y

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49728	149.154.167.99	443	2072	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 07:39:29 UTC	610	OUT	GET /img/tgme/pattern.svg?1 HTTP/1.1 Host: telegram.org Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://telegram.org/css/telegram.css?242 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-09 07:39:29 UTC	345	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Thu, 09 Jan 2025 07:39:29 GMT Content-Type: image/svg+xml Content-Length: 231706 Last-Modified: Thu, 05 Jan 2023 17:52:04 GMT Connection: close ETag: "63b70e44-3891a" Expires: Mon, 13 Jan 2025 07:39:29 GMT Cache-Control: max-age=345600 Access-Control-Allow-Origin: * Accept-Ranges: bytes
2025-01-09 07:39:29 UTC	16039	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0a 3c 21 2d 2d 20 47 65 6e 65 72 61 74 6f 72 3a 20 41 64 6f 62 65 20 49 6c 6c 75 73 74 72 61 74 6f 72 20 32 37 2e 30 2e 31 2c 20 53 56 47 20 45 78 70 6f 72 74 20 50 6c 75 67 2d 49 6e 20 2e 20 53 56 47 20 56 65 72 73 69 6f 6e 3a 20 36 2e 30 30 20 42 75 69 6c 64 20 30 29 20 20 2d 2d 3e 0a 3c 73 76 67 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 20 69 64 3d 22 4c 61 79 65 72 5f 31 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 78 6d 6c 6e 73 3a 78 6c 69 6e 6b 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 6c 69 6e 6b 22 20 78 3d 22 30 70 78 22 20 79 3d 22 Data Ascii: <?xml version="1.0" encoding="utf-8"?>... Generator: Adobe Illustrator 27.0.1, SVG Export Plug-In . SVG Version: 6.00 Build 0) --><svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="
2025-01-09 07:39:29 UTC	16384	IN	Data Raw: 34 30 2e 34 2d 32 2e 38 73 38 2e 37 2d 32 38 2e 35 2c 37 2e 33 2d 33 31 2e 31 73 2d 33 2e 31 2d 38 2e 39 2c 32 2e 34 2d 31 31 2e 39 63 35 2e 36 2d 33 2c 31 32 2c 33 2c 31 35 2e 33 2c 31 30 2e 35 0a 09 09 73 39 2e 38 2c 33 32 2e 35 2d 31 39 2e 31 2c 34 38 2e 39 63 2d 33 30 2e 32 2c 31 37 2e 31 2d 35 37 2e 33 2c 31 33 2e 36 2d 36 37 2e 36 2c 33 2e 37 22 2f 3e 0a 09 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 35 32 30 2e 36 2c 32 37 34 35 2e 39 63 2d 32 2c 33 2e 38 2d 33 2e 34 2c 31 39 2e 38 2d 31 2e 36 2c 32 31 2e 32 22 2f 3e 0a 09 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 35 32 37 2e 37 2c 32 37 34 36 2e 37 63 31 2e 35 2c 33 2e 38 2d 30 2e 39 2c 31 38 2e 31 2d 32 2e 35 2c 31 39 2e 38 22 2f 3e 0a 09 3c 70 61 74 Data Ascii: 40.4-2.8s8.7-28.5,7.3-31.1s-3.1-8.9,2.4-11.9c5.6-3,12,3,15.3,10.5s9.8,32.5-19.1,48.9c-30.2,17.1-57.3,13.6-67.6,3.7"/><path class="st0" d="M520.6,2745.9c-2,3.8-3.4,19.8-1.6,21.2"/><path class="st0" d="M527.7,2746.7c1.5,3.8-0.9,18.1-2.5,19.8"/><pat
2025-01-09 07:39:29 UTC	16384	IN	Data Raw: 2d 31 30 2e 38 73 36 2e 33 2c 35 2e 33 2c 36 2e 33 2c 35 2e 33 73 33 2e 36 2d 32 2e 38 2c 37 2e 31 2c 30 2e 32 73 31 2e 33 2c 37 2e 39 2c 31 2e 33 2c 37 2e 39 73 35 2e 31 2d 32 2c 36 2e 37 2c 33 2e 35 0a 09 09 63 31 2e 34 2c 35 2e 31 2d 35 2e 36 2c 39 2e 33 2d 31 30 2e 37 2c 37 2e 34 22 2f 3e 0a 09 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 32 38 35 2e 34 2c 31 37 39 36 2e 39 63 32 2e 38 2c 30 2e 36 2c 34 2e 35 2c 33 2e 36 2c 34 2e 35 2c 33 2e 36 73 32 2e 37 2d 33 2e 37 2c 36 2e 39 2d 31 2e 38 73 33 2e 35 2c 37 2e 32 2c 33 2e 35 2c 37 2e 32 73 34 2e 33 2d 33 2e 34 2c 37 2e 34 2c 31 2e 35 0a 09 09 63 32 2e 33 2c 33 2e 36 2d 31 2c 38 2e 33 2d 35 2e 32 2c 39 2e 37 22 2f 3e 0a 3c 2f 67 3e 0a 3c 67 3e 0a 09 3c 70 61 74 68 20 63 6c 61 73 Data Ascii: -10.8s6.3,5.3,6.3,5.3s3.6-2.8,7.1,0.2s1.3,7.9,1.3,7.9s5.1-2,6.7,3.5c1.4,5.1-5.6,9.3-10.7,7.4"/><path class="st0" d="M285.4,1796.9c2.8,0.6,4.5,3.6,4.5,3.6s2.7-3.7,6.9-1.8s3.5,7.2,3.5,7.2s4.3-3.4,7.4,1.5c2.3,3.6-1,8.3-5.2,9.7"/></g><g><path clas
2025-01-09 07:39:29 UTC	16384	IN	Data Raw: 34 2e 32 2c 31 36 2e 36 2d 38 2e 32 2c 32 30 2e 33 2d 36 2e 39 63 34 2e 34 2c 31 2e 35 2c 31 31 2e 35 2c 31 31 2e 35 2c 31 37 2e 36 2c 32 30 2e 34 0a 09 09 73 31 31 2c 37 2e 38 2c 31 31 2e 38 2c 33 2e 37 63 30 2e 38 2d 33 2e 39 2d 36 2e 37 2d 32 30 2e 33 2d 34 2e 37 2d 32 33 2e 32 63 30 2e 35 2d 30 2e 37 2c 33 2e 31 2d 30 2e 39 2c 37 2e 37 2c 37 2e 36 73 39 2e 33 2c 31 38 2e 32 2c 31 33 2c 31 32 2e 38 63 31 2e 34 2d 32 2c 30 2e 37 2d 36 2e 33 2d 31 2e 34 2d 31 32 22 2f 3e 0a 09 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 38 32 2e 39 2c 31 34 34 37 2e 38 63 2d 37 2e 37 2d 34 2e 37 2d 38 2e 32 2d 34 33 2e 37 2c 31 2e 35 2d 35 33 22 2f 3e 0a 09 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 37 32 2e 31 2c 31 33 39 38 Data Ascii: 4.2,16.6-8.2,20.3-6.9c4.4,1.5,11.5,11.5,17.6,20.4s11,7.8,11.8,3.7c0.8-3.9-6.7-20.3-4.7-23.2c0.5-0.7,3.1-0.9,7.7,7.6s9.3,18.2,13,12.8c1.4-2,0.7-6.3-1.4-12"/><path class="st0" d="M82.9,1447.8c-7.7-4.7-8.2-43.7,1.5-53"/><path class="st0" d="M72.1,1398
2025-01-09 07:39:29 UTC	16384	IN	Data Raw: 2e 38 2c 32 2e 32 2d 31 30 2e 37 2c 36 2d 31 31 2e 34 2c 31 31 2e 34 63 2d 30 2e 33 2c 31 2e 39 2c 30 2e 36 2c 33 2e 38 2c 32 2e 31 2c 34 2e 38 0a 09 09 63 30 2e 36 2c 30 2e 34 2c 31 2e 33 2c 30 2e 37 2c 32 2e 31 2c 30 2e 38 63 32 2e 37 2c 30 2e 34 2c 35 2e 33 2d 31 2e 35 2c 35 2e 37 2d 34 2e 32 63 30 2e 31 2d 30 2e 35 2c 30 2e 33 2d 31 2e 39 2c 34 2e 36 2d 33 2e 33 43 35 38 38 2e 31 2c 31 35 32 39 2e 37 2c 35 39 32 2e 33 2c 31 35 32 35 2e 34 2c 35 39 33 2e 32 2c 31 35 32 30 2e 35 7a 20 4d 35 38 31 2e 36 2c 31 35 32 38 2e 37 0a 09 09 63 2d 36 2e 31 2c 32 2d 36 2e 35 2c 34 2e 37 2d 36 2e 37 2c 35 2e 37 63 2d 30 2e 32 2c 31 2e 31 2d 31 2e 32 2c 31 2e 39 2d 32 2e 33 2c 31 2e 37 63 2d 30 2e 33 2c 30 2d 30 2e 36 2d 30 2e 32 2d 30 2e 38 2d 30 2e 33 63 2d 30 2e Data Ascii: .8,2.2-10.7,6-11.4,11.4c-0.3,1.9,0.6,3.8,2.1,4.8c0.6,0.4,1.3,0.7,2.1,0.8c2.7,0.4,5.3-1.5,5.7-4.2c0.1-0.5,0.3-1.9,4.6-3.3C588.1,1529.7,592.3,1525.4,593.2,1520.5z M581.6,1528.7c-6.1,2-6.5,4.7-6.7,5.7c-0.2,1.1-1.2,1.9-2.3,1.7c-0.3,0-0.6-0.2-0.8-0.3c-0.
2025-01-09 07:39:29 UTC	16384	IN	Data Raw: 36 2e 36 2c 37 2e 37 2c 33 2e 31 2c 32 30 2e 36 2c 36 2e 31 2c 32 39 2e 37 73 31 34 2e 31 2c 34 35 2e 32 2d 31 31 2e 38 2c 34 33 2e 32 22 2f 3e 0a 09 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 31 34 39 2e 31 2c 35 33 37 2e 36 63 37 2e 38 2d 30 2e 35 2c 37 2e 37 2c 31 33 2e 33 2d 31 2e 31 2c 39 2e 37 63 2d 34 2e 31 2d 31 2e 37 2d 33 2e 38 2d 39 2e 32 2c 30 2e 39 2d 39 2e 37 43 31 34 39 2c 35 33 37 2e 36 2c 31 34 39 2e 31 2c 35 33 37 2e 36 2c 31 34 39 2e 31 2c 35 33 37 2e 36 7a 22 2f 3e 0a 09 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 31 32 34 2e 36 2c 35 34 31 2e 35 63 31 30 2e 38 2c 35 2e 33 2d 31 2e 36 2c 32 31 2e 33 2d 39 2e 31 2c 31 32 2e 32 63 2d 34 2e 39 2d 35 2e 39 2c 32 2d 31 35 2e 34 2c 38 2e 38 2d 31 Data Ascii: 6.6,7.7,3.1,20.6,6.1,29.7s14.1,45.2-11.8,43.2"/><path class="st0" d="M149.1,537.6c7.8-0.5,7.7,13.3-1.1,9.7c-4.1-1.7-3.8-9.2,0.9-9.7C149,537.6,149.1,537.6,149.1,537.6z"/><path class="st0" d="M124.6,541.5c10.8,5.3-1.6,21.3-9.1,12.2c-4.9-5.9,2-15.4,8.8-1
2025-01-09 07:39:29 UTC	16384	IN	Data Raw: 38 0a 09 09 63 38 2e 34 2c 36 2e 38 2d 32 33 2e 31 2c 33 31 2e 35 2d 32 33 2e 31 2c 33 31 2e 35 22 2f 3e 0a 09 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 36 32 35 2c 32 34 37 37 2e 36 63 2d 32 2e 32 2c 32 2e 36 2d 32 35 2e 36 2c 32 31 2e 34 2d 32 36 2e 38 2c 32 32 2e 36 22 2f 3e 0a 09 3c 6c 69 6e 65 20 63 6c 61 73 73 3d 22 73 74 30 22 20 78 31 3d 22 36 34 30 2e 36 22 20 79 31 3d 22 32 34 36 35 22 20 78 32 3d 22 36 33 35 2e 32 22 20 79 32 3d 22 32 34 36 39 2e 33 22 2f 3e 0a 09 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 36 34 36 2e 39 2c 32 34 37 32 2e 34 63 30 2c 30 2d 33 38 2e 39 2c 32 37 2e 38 2d 34 31 2e 36 2c 33 31 2e 39 22 2f 3e 0a 3c 2f 67 3e 0a 3c 67 3e 0a 09 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 Data Ascii: 8c8.4,6.8-23.1,31.5-23.1,31.5"/><path class="st0" d="M625,2477.6c-2.2,2.6-25.6,21.4-26.8,22.6"/><line class="st0" x1="640.6" y1="2465" x2="635.2" y2="2469.3"/><path class="st0" d="M646.9,2472.4c0,0-38.9,27.8-41.6,31.9"/></g><g><path class="st
2025-01-09 07:39:30 UTC	16384	IN	Data Raw: 67 6f 6e 20 63 6c 61 73 73 3d 22 73 74 30 22 20 70 6f 69 6e 74 73 3d 22 33 39 33 2e 34 2c 34 37 30 2e 31 20 33 39 34 2e 39 2c 34 37 36 2e 37 20 33 38 30 2e 33 2c 34 37 36 2e 37 20 33 37 39 2e 38 2c 34 37 31 2e 35 20 09 22 2f 3e 0a 09 3c 70 6f 6c 79 67 6f 6e 20 63 6c 61 73 73 3d 22 73 74 30 22 20 70 6f 69 6e 74 73 3d 22 34 31 33 2e 37 2c 34 36 35 2e 32 20 34 31 36 2e 34 2c 34 37 31 2e 35 20 34 32 38 2c 34 36 31 20 34 32 34 2e 39 2c 34 35 36 2e 35 20 09 22 2f 3e 0a 3c 2f 67 3e 0a 3c 67 3e 0a 09 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 37 34 30 2e 33 2c 31 33 35 31 2e 38 63 31 31 2e 34 2d 32 32 2c 33 37 2e 33 2d 33 34 2c 34 34 2e 34 2d 33 35 2e 32 63 30 2c 30 2d 32 30 2e 39 2d 31 35 2e 37 2d 33 36 2e 33 2d 38 2e 34 63 2d 31 30 2e 39 Data Ascii: gon class="st0" points="393.4,470.1 394.9,476.7 380.3,476.7 379.8,471.5 "/><polygon class="st0" points="413.7,465.2 416.4,471.5 428,461 424.9,456.5 "/></g><g><path class="st0" d="M740.3,1351.8c11.4-22,37.3-34,44.4-35.2c0,0-20.9-15.7-36.3-8.4c-10.9
2025-01-09 07:39:30 UTC	16384	IN	Data Raw: 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 34 33 39 2e 36 2c 31 32 32 38 2e 33 63 33 2e 34 2c 32 2e 35 2c 32 2e 34 2c 31 34 2e 36 2d 31 35 2e 36 2c 36 2e 39 22 2f 3e 0a 09 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 34 32 37 2e 36 2c 31 32 33 36 2e 35 63 30 2e 32 2c 33 2e 35 2d 33 2e 35 2c 38 2e 37 2d 31 30 2e 38 2c 35 2e 34 22 2f 3e 0a 09 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 33 36 33 2e 32 2c 31 32 30 34 2e 35 63 2d 33 2e 39 2c 31 2e 32 2d 32 2e 37 2c 39 2e 35 2c 32 2e 34 2c 39 2e 31 22 2f 3e 0a 09 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 33 36 30 2e 39 2c 31 32 33 38 2e 35 63 2d 37 2e 32 2c 30 2e 33 2d 31 37 2d 31 2e 33 2d 32 32 2e 33 2d 38 2e 36 63 33 2e 34 2c Data Ascii: ath class="st0" d="M439.6,1228.3c3.4,2.5,2.4,14.6-15.6,6.9"/><path class="st0" d="M427.6,1236.5c0.2,3.5-3.5,8.7-10.8,5.4"/><path class="st0" d="M363.2,1204.5c-3.9,1.2-2.7,9.5,2.4,9.1"/><path class="st0" d="M360.9,1238.5c-7.2,0.3-17-1.3-22.3-8.6c3.4,
2025-01-09 07:39:30 UTC	16384	IN	Data Raw: 35 2e 36 2c 39 2e 37 2d 39 2e 37 2c 31 35 2e 32 2d 35 2e 34 63 36 2e 34 2c 35 2c 35 2e 34 2c 31 38 2e 39 2d 31 35 2c 32 37 2e 39 63 2d 32 31 2e 36 2d 31 30 2e 32 2d 32 30 2e 37 2d 32 32 2e 31 2d 31 37 2e 32 2d 32 36 2e 37 0a 09 43 38 34 34 2e 37 2c 31 38 32 39 2e 32 2c 38 35 35 2e 32 2c 31 38 33 30 2e 39 2c 38 35 37 2e 33 2c 31 38 33 39 2e 31 7a 22 2f 3e 0a 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 38 31 36 2e 37 2c 32 30 34 32 2e 31 63 34 2e 38 2d 37 2e 33 2c 31 36 2e 35 2d 31 31 2c 32 33 2d 33 2e 34 63 37 2e 37 2c 38 2e 39 2c 32 2e 34 2c 32 38 2e 32 2d 32 39 2c 33 35 2e 34 63 2d 32 37 2e 37 2d 32 30 2e 35 2d 32 33 2e 33 2d 33 37 2e 31 2d 31 37 2e 31 2d 34 32 2e 35 0a 09 43 38 30 31 2e 37 2c 32 30 32 34 2e 36 2c 38 31 36 2c 32 30 Data Ascii: 5.6,9.7-9.7,15.2-5.4c6.4,5,5.4,18.9-15,27.9c-21.6-10.2-20.7-22.1-17.2-26.7C844.7,1829.2,855.2,1830.9,857.3,1839.1z"/><path class="st0" d="M816.7,2042.1c4.8-7.3,16.5-11,23-3.4c7.7,8.9,2.4,28.2-29,35.4c-27.7-20.5-23.3-37.1-17.1-42.5C801.7,2024.6,816,20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49731	149.154.167.99	443	2072	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 07:39:29 UTC	595	OUT	GET /fonts/Roboto/KFOlCnqEu92Fr1MmWUlfBBc4AMP6lQ.woff2 HTTP/1.1 Host: telegram.org Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" Origin: https://t.me sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: font Referer: https://telegram.org/css/font-roboto.css?1 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-09 07:39:29 UTC	354	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Thu, 09 Jan 2025 07:39:29 GMT Content-Type: application/octet-stream Content-Length: 11040 Last-Modified: Thu, 20 Oct 2022 11:05:33 GMT Connection: close ETag: "63512b7d-2b20" Expires: Mon, 13 Jan 2025 07:39:29 GMT Cache-Control: max-age=345600 Access-Control-Allow-Origin: * Accept-Ranges: bytes
2025-01-09 07:39:29 UTC	11040	IN	Data Raw: 77 4f 46 32 00 01 00 00 00 00 2b 20 00 0e 00 00 00 00 54 b4 00 00 2a c9 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 64 1b 9a 1e 1c 85 5e 06 60 00 83 20 11 0c 0a f2 20 da 21 0b 84 0a 00 01 36 02 24 03 88 10 04 20 05 82 7e 07 20 1b b4 45 05 e3 98 03 6c 1c 00 61 f6 5b 29 8a 72 31 4a a2 28 1d 94 11 c5 ff 75 02 37 86 c8 fb 28 55 18 72 af e3 0b 0e 3d c7 a7 a8 15 c5 32 b1 08 87 10 68 a2 46 9b be 6a 05 a5 50 1e 29 18 30 d0 9b af 8b 5d 7e 10 22 4a 6b 35 24 3c 07 07 ef a9 4c 85 a3 53 87 12 1e 39 73 06 8e f3 51 73 a1 7f b6 79 1f 1b a0 3b 1a 83 c9 d0 2d a1 cd f1 7e e0 e7 d6 fb db 88 52 4a 30 88 0d b4 11 a9 11 03 24 6a 83 de 18 92 b1 8d 31 46 85 48 8e 90 2a 01 a9 50 62 a4 4d 28 ad 87 85 91 28 0a 6d 20 c6 dd 59 f7 e9 f4 9b 91 2c c3 ec ae Data Ascii: wOF2+ Td^` !6$ ~ Ela[)r1J(u7(Ur=2hFjP)0]~"Jk5$<LS9sQsy;-~RJ0$j1FHPbM((m Y,

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49730	149.154.167.99	443	2072	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 07:39:29 UTC	591	OUT	GET /fonts/Roboto/KFOmCnqEu92Fr1Mu4mxKKTU1Kg.woff2 HTTP/1.1 Host: telegram.org Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" Origin: https://t.me sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: font Referer: https://telegram.org/css/font-roboto.css?1 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-09 07:39:29 UTC	354	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Thu, 09 Jan 2025 07:39:29 GMT Content-Type: application/octet-stream Content-Length: 11028 Last-Modified: Thu, 20 Oct 2022 11:05:33 GMT Connection: close ETag: "63512b7d-2b14" Expires: Mon, 13 Jan 2025 07:39:29 GMT Cache-Control: max-age=345600 Access-Control-Allow-Origin: * Accept-Ranges: bytes
2025-01-09 07:39:29 UTC	11028	IN	Data Raw: 77 4f 46 32 00 01 00 00 00 00 2b 14 00 0e 00 00 00 00 54 28 00 00 2a bc 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 64 1b 99 64 1c 85 5e 06 60 00 83 20 11 0c 0a f1 5c da 72 0b 84 0a 00 01 36 02 24 03 88 10 04 20 05 82 74 07 20 1b c1 45 45 46 ee ca e0 ad f0 28 6a d6 de d4 13 fc 5f 27 70 72 fd 58 0f a2 43 b4 08 19 8d c6 25 49 14 ae 3d c8 15 23 37 66 43 f4 ea c8 c7 79 d3 2f f4 d4 d0 7a 8f 97 2f c7 64 5c 48 b9 9a d5 77 4e fa 11 92 cc 12 d4 fb c7 7f 3d 07 17 1f dc 0d 21 47 46 08 a1 f2 75 4e 47 60 4e 64 80 22 f2 cd 01 cd ed 7e c5 88 1a 61 14 a0 60 12 29 95 12 52 d2 21 35 6a 54 48 8e c1 80 91 69 40 cb a0 37 54 2a 54 2c 30 69 49 3b fd ef f7 6b 76 fe be 2b b6 62 52 a1 25 a6 33 84 0a c5 e3 c5 3b 49 5e ee 0b 54 a1 54 d0 9a 95 b1 a8 b7 Data Ascii: wOF2+T(dd^` \r6$ t EEF(j_'prXC%I=#7fCy/z/d\HwN=!GFuNG`Nd"~a`)R!5jTHi@7TT,0iI;kv+bR%3;I^TT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49729	149.154.167.99	443	2072	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 07:39:29 UTC	597	OUT	GET /fonts/Roboto/KFOlCnqEu92Fr1MmWUlfABc4AMP6lbBP.woff2 HTTP/1.1 Host: telegram.org Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" Origin: https://t.me sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: font Referer: https://telegram.org/css/font-roboto.css?1 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-09 07:39:29 UTC	353	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Thu, 09 Jan 2025 07:39:29 GMT Content-Type: application/octet-stream Content-Length: 6620 Last-Modified: Thu, 20 Oct 2022 11:05:33 GMT Connection: close ETag: "63512b7d-19dc" Expires: Mon, 13 Jan 2025 07:39:29 GMT Cache-Control: max-age=345600 Access-Control-Allow-Origin: * Accept-Ranges: bytes
2025-01-09 07:39:29 UTC	6620	IN	Data Raw: 77 4f 46 32 00 01 00 00 00 00 19 dc 00 0e 00 00 00 00 34 a0 00 00 19 84 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 6a 1b 9a 7a 1c 36 06 60 00 82 04 11 0c 0a bd 5c ae 23 0b 82 10 00 01 36 02 24 03 84 1c 04 20 05 82 7e 07 20 1b e0 2a 33 03 c1 c6 01 40 3c e7 9a a2 a8 18 9c 27 ff e5 01 37 64 c2 1b a4 83 86 e0 71 34 53 c5 44 29 83 02 ff ae ac ac 61 eb fe fe 8e af 7b 91 95 9d 74 d1 ed e9 e1 8f 81 63 a2 48 90 bc c0 03 bc c5 ec 60 0f 1b 6c 78 2f 26 c3 f4 37 47 68 72 8a 56 82 68 ed 3f 6b 66 bb 67 76 f7 fd 23 56 a7 cc 29 22 4f 18 40 1f 05 68 7d 84 4d 94 8b 3a e8 03 7e 6e 7f 6f 41 6e 30 16 44 bf 11 35 22 c5 a7 64 08 63 44 85 41 1a 05 23 3a ec 61 24 69 81 d1 84 51 9f fa 08 36 46 e2 4f ba f9 0f d7 76 aa 23 a6 c9 e1 57 b7 40 c5 12 dc b6 Data Ascii: wOF24jz6`\#6$ ~ *3@<'7dq4SD)a{tcH`lx/&7GhrVh?kfgv#V)"O@h}M:~noAn0D5"dcDA#:a$iQ6FOv#W@

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49732	149.154.167.99	443	2072	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 07:39:29 UTC	593	OUT	GET /fonts/Roboto/KFOmCnqEu92Fr1Mu5mxKKTU1Kvnz.woff2 HTTP/1.1 Host: telegram.org Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" Origin: https://t.me sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: font Referer: https://telegram.org/css/font-roboto.css?1 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-09 07:39:29 UTC	353	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Thu, 09 Jan 2025 07:39:29 GMT Content-Type: application/octet-stream Content-Length: 6460 Last-Modified: Thu, 20 Oct 2022 11:05:33 GMT Connection: close ETag: "63512b7d-193c" Expires: Mon, 13 Jan 2025 07:39:29 GMT Cache-Control: max-age=345600 Access-Control-Allow-Origin: * Accept-Ranges: bytes
2025-01-09 07:39:29 UTC	6460	IN	Data Raw: 77 4f 46 32 00 01 00 00 00 00 19 3c 00 0e 00 00 00 00 31 e4 00 00 18 e5 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 6a 1b 96 56 1c 36 06 60 00 82 04 11 0c 0a bc 50 ae 76 0b 82 10 00 01 36 02 24 03 84 1c 04 20 05 82 74 07 20 1b 05 29 13 ee 30 63 1c 00 db 20 0f 8a a2 62 30 18 fc 97 09 dc 18 82 b7 41 5d 8c 08 47 c1 62 51 a2 2a 15 aa 87 d0 44 05 ac 6d c7 70 4c 59 b8 54 7c 7b c7 5e f4 67 86 95 27 80 89 a5 23 34 f6 49 2e 0f 5f 6b e5 eb 99 ee 99 dd 00 91 3e 19 44 9b 8a 62 b4 0c e5 09 74 54 84 65 56 2e 51 07 ff 80 e6 76 bf 60 1b 39 06 ad 02 82 20 28 95 a3 ca a2 aa 0d 9c 60 52 a5 d0 1b 65 0e c4 f8 51 c3 06 94 2a a3 30 92 36 30 e0 9f f8 7b 62 e7 ef 9b 79 bb 40 a9 16 70 41 92 42 40 b4 d7 ff 9a a6 bb 52 ff 6f 57 7b 85 a7 00 5c 01 ca 04 Data Ascii: wOF2<1jV6`Pv6$ t )0c b0A]GbQDmpLYT\|{^g'#4I._k>DbtTeV.Qv`9 (`ReQ060{by@pAB@RoW{\

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49741	149.154.167.99	443	2072	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 07:39:30 UTC	358	OUT	GET /img/tgme/pattern.svg?1 HTTP/1.1 Host: telegram.org Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-09 07:39:30 UTC	345	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Thu, 09 Jan 2025 07:39:30 GMT Content-Type: image/svg+xml Content-Length: 231706 Last-Modified: Thu, 05 Jan 2023 17:52:04 GMT Connection: close ETag: "63b70e44-3891a" Expires: Mon, 13 Jan 2025 07:39:30 GMT Cache-Control: max-age=345600 Access-Control-Allow-Origin: * Accept-Ranges: bytes
2025-01-09 07:39:30 UTC	16039	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0a 3c 21 2d 2d 20 47 65 6e 65 72 61 74 6f 72 3a 20 41 64 6f 62 65 20 49 6c 6c 75 73 74 72 61 74 6f 72 20 32 37 2e 30 2e 31 2c 20 53 56 47 20 45 78 70 6f 72 74 20 50 6c 75 67 2d 49 6e 20 2e 20 53 56 47 20 56 65 72 73 69 6f 6e 3a 20 36 2e 30 30 20 42 75 69 6c 64 20 30 29 20 20 2d 2d 3e 0a 3c 73 76 67 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 20 69 64 3d 22 4c 61 79 65 72 5f 31 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 78 6d 6c 6e 73 3a 78 6c 69 6e 6b 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 6c 69 6e 6b 22 20 78 3d 22 30 70 78 22 20 79 3d 22 Data Ascii: <?xml version="1.0" encoding="utf-8"?>... Generator: Adobe Illustrator 27.0.1, SVG Export Plug-In . SVG Version: 6.00 Build 0) --><svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="
2025-01-09 07:39:31 UTC	16384	IN	Data Raw: 34 30 2e 34 2d 32 2e 38 73 38 2e 37 2d 32 38 2e 35 2c 37 2e 33 2d 33 31 2e 31 73 2d 33 2e 31 2d 38 2e 39 2c 32 2e 34 2d 31 31 2e 39 63 35 2e 36 2d 33 2c 31 32 2c 33 2c 31 35 2e 33 2c 31 30 2e 35 0a 09 09 73 39 2e 38 2c 33 32 2e 35 2d 31 39 2e 31 2c 34 38 2e 39 63 2d 33 30 2e 32 2c 31 37 2e 31 2d 35 37 2e 33 2c 31 33 2e 36 2d 36 37 2e 36 2c 33 2e 37 22 2f 3e 0a 09 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 35 32 30 2e 36 2c 32 37 34 35 2e 39 63 2d 32 2c 33 2e 38 2d 33 2e 34 2c 31 39 2e 38 2d 31 2e 36 2c 32 31 2e 32 22 2f 3e 0a 09 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 35 32 37 2e 37 2c 32 37 34 36 2e 37 63 31 2e 35 2c 33 2e 38 2d 30 2e 39 2c 31 38 2e 31 2d 32 2e 35 2c 31 39 2e 38 22 2f 3e 0a 09 3c 70 61 74 Data Ascii: 40.4-2.8s8.7-28.5,7.3-31.1s-3.1-8.9,2.4-11.9c5.6-3,12,3,15.3,10.5s9.8,32.5-19.1,48.9c-30.2,17.1-57.3,13.6-67.6,3.7"/><path class="st0" d="M520.6,2745.9c-2,3.8-3.4,19.8-1.6,21.2"/><path class="st0" d="M527.7,2746.7c1.5,3.8-0.9,18.1-2.5,19.8"/><pat
2025-01-09 07:39:31 UTC	16384	IN	Data Raw: 2d 31 30 2e 38 73 36 2e 33 2c 35 2e 33 2c 36 2e 33 2c 35 2e 33 73 33 2e 36 2d 32 2e 38 2c 37 2e 31 2c 30 2e 32 73 31 2e 33 2c 37 2e 39 2c 31 2e 33 2c 37 2e 39 73 35 2e 31 2d 32 2c 36 2e 37 2c 33 2e 35 0a 09 09 63 31 2e 34 2c 35 2e 31 2d 35 2e 36 2c 39 2e 33 2d 31 30 2e 37 2c 37 2e 34 22 2f 3e 0a 09 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 32 38 35 2e 34 2c 31 37 39 36 2e 39 63 32 2e 38 2c 30 2e 36 2c 34 2e 35 2c 33 2e 36 2c 34 2e 35 2c 33 2e 36 73 32 2e 37 2d 33 2e 37 2c 36 2e 39 2d 31 2e 38 73 33 2e 35 2c 37 2e 32 2c 33 2e 35 2c 37 2e 32 73 34 2e 33 2d 33 2e 34 2c 37 2e 34 2c 31 2e 35 0a 09 09 63 32 2e 33 2c 33 2e 36 2d 31 2c 38 2e 33 2d 35 2e 32 2c 39 2e 37 22 2f 3e 0a 3c 2f 67 3e 0a 3c 67 3e 0a 09 3c 70 61 74 68 20 63 6c 61 73 Data Ascii: -10.8s6.3,5.3,6.3,5.3s3.6-2.8,7.1,0.2s1.3,7.9,1.3,7.9s5.1-2,6.7,3.5c1.4,5.1-5.6,9.3-10.7,7.4"/><path class="st0" d="M285.4,1796.9c2.8,0.6,4.5,3.6,4.5,3.6s2.7-3.7,6.9-1.8s3.5,7.2,3.5,7.2s4.3-3.4,7.4,1.5c2.3,3.6-1,8.3-5.2,9.7"/></g><g><path clas
2025-01-09 07:39:31 UTC	16384	IN	Data Raw: 34 2e 32 2c 31 36 2e 36 2d 38 2e 32 2c 32 30 2e 33 2d 36 2e 39 63 34 2e 34 2c 31 2e 35 2c 31 31 2e 35 2c 31 31 2e 35 2c 31 37 2e 36 2c 32 30 2e 34 0a 09 09 73 31 31 2c 37 2e 38 2c 31 31 2e 38 2c 33 2e 37 63 30 2e 38 2d 33 2e 39 2d 36 2e 37 2d 32 30 2e 33 2d 34 2e 37 2d 32 33 2e 32 63 30 2e 35 2d 30 2e 37 2c 33 2e 31 2d 30 2e 39 2c 37 2e 37 2c 37 2e 36 73 39 2e 33 2c 31 38 2e 32 2c 31 33 2c 31 32 2e 38 63 31 2e 34 2d 32 2c 30 2e 37 2d 36 2e 33 2d 31 2e 34 2d 31 32 22 2f 3e 0a 09 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 38 32 2e 39 2c 31 34 34 37 2e 38 63 2d 37 2e 37 2d 34 2e 37 2d 38 2e 32 2d 34 33 2e 37 2c 31 2e 35 2d 35 33 22 2f 3e 0a 09 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 37 32 2e 31 2c 31 33 39 38 Data Ascii: 4.2,16.6-8.2,20.3-6.9c4.4,1.5,11.5,11.5,17.6,20.4s11,7.8,11.8,3.7c0.8-3.9-6.7-20.3-4.7-23.2c0.5-0.7,3.1-0.9,7.7,7.6s9.3,18.2,13,12.8c1.4-2,0.7-6.3-1.4-12"/><path class="st0" d="M82.9,1447.8c-7.7-4.7-8.2-43.7,1.5-53"/><path class="st0" d="M72.1,1398
2025-01-09 07:39:31 UTC	16384	IN	Data Raw: 2e 38 2c 32 2e 32 2d 31 30 2e 37 2c 36 2d 31 31 2e 34 2c 31 31 2e 34 63 2d 30 2e 33 2c 31 2e 39 2c 30 2e 36 2c 33 2e 38 2c 32 2e 31 2c 34 2e 38 0a 09 09 63 30 2e 36 2c 30 2e 34 2c 31 2e 33 2c 30 2e 37 2c 32 2e 31 2c 30 2e 38 63 32 2e 37 2c 30 2e 34 2c 35 2e 33 2d 31 2e 35 2c 35 2e 37 2d 34 2e 32 63 30 2e 31 2d 30 2e 35 2c 30 2e 33 2d 31 2e 39 2c 34 2e 36 2d 33 2e 33 43 35 38 38 2e 31 2c 31 35 32 39 2e 37 2c 35 39 32 2e 33 2c 31 35 32 35 2e 34 2c 35 39 33 2e 32 2c 31 35 32 30 2e 35 7a 20 4d 35 38 31 2e 36 2c 31 35 32 38 2e 37 0a 09 09 63 2d 36 2e 31 2c 32 2d 36 2e 35 2c 34 2e 37 2d 36 2e 37 2c 35 2e 37 63 2d 30 2e 32 2c 31 2e 31 2d 31 2e 32 2c 31 2e 39 2d 32 2e 33 2c 31 2e 37 63 2d 30 2e 33 2c 30 2d 30 2e 36 2d 30 2e 32 2d 30 2e 38 2d 30 2e 33 63 2d 30 2e Data Ascii: .8,2.2-10.7,6-11.4,11.4c-0.3,1.9,0.6,3.8,2.1,4.8c0.6,0.4,1.3,0.7,2.1,0.8c2.7,0.4,5.3-1.5,5.7-4.2c0.1-0.5,0.3-1.9,4.6-3.3C588.1,1529.7,592.3,1525.4,593.2,1520.5z M581.6,1528.7c-6.1,2-6.5,4.7-6.7,5.7c-0.2,1.1-1.2,1.9-2.3,1.7c-0.3,0-0.6-0.2-0.8-0.3c-0.
2025-01-09 07:39:31 UTC	16384	IN	Data Raw: 36 2e 36 2c 37 2e 37 2c 33 2e 31 2c 32 30 2e 36 2c 36 2e 31 2c 32 39 2e 37 73 31 34 2e 31 2c 34 35 2e 32 2d 31 31 2e 38 2c 34 33 2e 32 22 2f 3e 0a 09 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 31 34 39 2e 31 2c 35 33 37 2e 36 63 37 2e 38 2d 30 2e 35 2c 37 2e 37 2c 31 33 2e 33 2d 31 2e 31 2c 39 2e 37 63 2d 34 2e 31 2d 31 2e 37 2d 33 2e 38 2d 39 2e 32 2c 30 2e 39 2d 39 2e 37 43 31 34 39 2c 35 33 37 2e 36 2c 31 34 39 2e 31 2c 35 33 37 2e 36 2c 31 34 39 2e 31 2c 35 33 37 2e 36 7a 22 2f 3e 0a 09 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 31 32 34 2e 36 2c 35 34 31 2e 35 63 31 30 2e 38 2c 35 2e 33 2d 31 2e 36 2c 32 31 2e 33 2d 39 2e 31 2c 31 32 2e 32 63 2d 34 2e 39 2d 35 2e 39 2c 32 2d 31 35 2e 34 2c 38 2e 38 2d 31 Data Ascii: 6.6,7.7,3.1,20.6,6.1,29.7s14.1,45.2-11.8,43.2"/><path class="st0" d="M149.1,537.6c7.8-0.5,7.7,13.3-1.1,9.7c-4.1-1.7-3.8-9.2,0.9-9.7C149,537.6,149.1,537.6,149.1,537.6z"/><path class="st0" d="M124.6,541.5c10.8,5.3-1.6,21.3-9.1,12.2c-4.9-5.9,2-15.4,8.8-1
2025-01-09 07:39:31 UTC	16384	IN	Data Raw: 38 0a 09 09 63 38 2e 34 2c 36 2e 38 2d 32 33 2e 31 2c 33 31 2e 35 2d 32 33 2e 31 2c 33 31 2e 35 22 2f 3e 0a 09 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 36 32 35 2c 32 34 37 37 2e 36 63 2d 32 2e 32 2c 32 2e 36 2d 32 35 2e 36 2c 32 31 2e 34 2d 32 36 2e 38 2c 32 32 2e 36 22 2f 3e 0a 09 3c 6c 69 6e 65 20 63 6c 61 73 73 3d 22 73 74 30 22 20 78 31 3d 22 36 34 30 2e 36 22 20 79 31 3d 22 32 34 36 35 22 20 78 32 3d 22 36 33 35 2e 32 22 20 79 32 3d 22 32 34 36 39 2e 33 22 2f 3e 0a 09 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 36 34 36 2e 39 2c 32 34 37 32 2e 34 63 30 2c 30 2d 33 38 2e 39 2c 32 37 2e 38 2d 34 31 2e 36 2c 33 31 2e 39 22 2f 3e 0a 3c 2f 67 3e 0a 3c 67 3e 0a 09 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 Data Ascii: 8c8.4,6.8-23.1,31.5-23.1,31.5"/><path class="st0" d="M625,2477.6c-2.2,2.6-25.6,21.4-26.8,22.6"/><line class="st0" x1="640.6" y1="2465" x2="635.2" y2="2469.3"/><path class="st0" d="M646.9,2472.4c0,0-38.9,27.8-41.6,31.9"/></g><g><path class="st
2025-01-09 07:39:31 UTC	16384	IN	Data Raw: 67 6f 6e 20 63 6c 61 73 73 3d 22 73 74 30 22 20 70 6f 69 6e 74 73 3d 22 33 39 33 2e 34 2c 34 37 30 2e 31 20 33 39 34 2e 39 2c 34 37 36 2e 37 20 33 38 30 2e 33 2c 34 37 36 2e 37 20 33 37 39 2e 38 2c 34 37 31 2e 35 20 09 22 2f 3e 0a 09 3c 70 6f 6c 79 67 6f 6e 20 63 6c 61 73 73 3d 22 73 74 30 22 20 70 6f 69 6e 74 73 3d 22 34 31 33 2e 37 2c 34 36 35 2e 32 20 34 31 36 2e 34 2c 34 37 31 2e 35 20 34 32 38 2c 34 36 31 20 34 32 34 2e 39 2c 34 35 36 2e 35 20 09 22 2f 3e 0a 3c 2f 67 3e 0a 3c 67 3e 0a 09 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 37 34 30 2e 33 2c 31 33 35 31 2e 38 63 31 31 2e 34 2d 32 32 2c 33 37 2e 33 2d 33 34 2c 34 34 2e 34 2d 33 35 2e 32 63 30 2c 30 2d 32 30 2e 39 2d 31 35 2e 37 2d 33 36 2e 33 2d 38 2e 34 63 2d 31 30 2e 39 Data Ascii: gon class="st0" points="393.4,470.1 394.9,476.7 380.3,476.7 379.8,471.5 "/><polygon class="st0" points="413.7,465.2 416.4,471.5 428,461 424.9,456.5 "/></g><g><path class="st0" d="M740.3,1351.8c11.4-22,37.3-34,44.4-35.2c0,0-20.9-15.7-36.3-8.4c-10.9
2025-01-09 07:39:31 UTC	16384	IN	Data Raw: 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 34 33 39 2e 36 2c 31 32 32 38 2e 33 63 33 2e 34 2c 32 2e 35 2c 32 2e 34 2c 31 34 2e 36 2d 31 35 2e 36 2c 36 2e 39 22 2f 3e 0a 09 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 34 32 37 2e 36 2c 31 32 33 36 2e 35 63 30 2e 32 2c 33 2e 35 2d 33 2e 35 2c 38 2e 37 2d 31 30 2e 38 2c 35 2e 34 22 2f 3e 0a 09 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 33 36 33 2e 32 2c 31 32 30 34 2e 35 63 2d 33 2e 39 2c 31 2e 32 2d 32 2e 37 2c 39 2e 35 2c 32 2e 34 2c 39 2e 31 22 2f 3e 0a 09 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 33 36 30 2e 39 2c 31 32 33 38 2e 35 63 2d 37 2e 32 2c 30 2e 33 2d 31 37 2d 31 2e 33 2d 32 32 2e 33 2d 38 2e 36 63 33 2e 34 2c Data Ascii: ath class="st0" d="M439.6,1228.3c3.4,2.5,2.4,14.6-15.6,6.9"/><path class="st0" d="M427.6,1236.5c0.2,3.5-3.5,8.7-10.8,5.4"/><path class="st0" d="M363.2,1204.5c-3.9,1.2-2.7,9.5,2.4,9.1"/><path class="st0" d="M360.9,1238.5c-7.2,0.3-17-1.3-22.3-8.6c3.4,
2025-01-09 07:39:31 UTC	16384	IN	Data Raw: 35 2e 36 2c 39 2e 37 2d 39 2e 37 2c 31 35 2e 32 2d 35 2e 34 63 36 2e 34 2c 35 2c 35 2e 34 2c 31 38 2e 39 2d 31 35 2c 32 37 2e 39 63 2d 32 31 2e 36 2d 31 30 2e 32 2d 32 30 2e 37 2d 32 32 2e 31 2d 31 37 2e 32 2d 32 36 2e 37 0a 09 43 38 34 34 2e 37 2c 31 38 32 39 2e 32 2c 38 35 35 2e 32 2c 31 38 33 30 2e 39 2c 38 35 37 2e 33 2c 31 38 33 39 2e 31 7a 22 2f 3e 0a 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 38 31 36 2e 37 2c 32 30 34 32 2e 31 63 34 2e 38 2d 37 2e 33 2c 31 36 2e 35 2d 31 31 2c 32 33 2d 33 2e 34 63 37 2e 37 2c 38 2e 39 2c 32 2e 34 2c 32 38 2e 32 2d 32 39 2c 33 35 2e 34 63 2d 32 37 2e 37 2d 32 30 2e 35 2d 32 33 2e 33 2d 33 37 2e 31 2d 31 37 2e 31 2d 34 32 2e 35 0a 09 43 38 30 31 2e 37 2c 32 30 32 34 2e 36 2c 38 31 36 2c 32 30 Data Ascii: 5.6,9.7-9.7,15.2-5.4c6.4,5,5.4,18.9-15,27.9c-21.6-10.2-20.7-22.1-17.2-26.7C844.7,1829.2,855.2,1830.9,857.3,1839.1z"/><path class="st0" d="M816.7,2042.1c4.8-7.3,16.5-11,23-3.4c7.7,8.9,2.4,28.2-29,35.4c-27.7-20.5-23.3-37.1-17.1-42.5C801.7,2024.6,816,20

Target ID:	0
Start time:	02:39:07
Start date:	09/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\5dFLJyS86S.ps1"
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	02:39:07
Start date:	09/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	02:39:23
Start date:	09/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://t.me/bypassblock
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	02:39:24
Start date:	09/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	02:39:25
Start date:	09/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2576 --field-trial-handle=2524,i,17522185104263954872,595179964274981035,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	02:39:26
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\bin\winws.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\bin\winws.exe" --wf-tcp=80,443 --wf-udp=443,50000-50100 --filter-tcp=443 --ipset="C:\Users\user\Desktop\lists\\russia-youtube-rtmps.txt" --dpi-desync=syndata --dpi-desync-fake-syndata="C:\Users\user\Desktop\bin\\tls_clienthello_4.bin" --dpi-desync-autottl --new --filter-udp=443 --hostlist="C:\Users\user\Desktop\lists\\youtubeQ.txt" --dpi-desync=fake,udplen --dpi-desync-udplen-increment=4 --dpi-desync-fake-quic="C:\Users\user\Desktop\bin\\quic_3.bin" --dpi-desync-cutoff=n3 --dpi-desync-repeats=2 --new --filter-tcp=443 --hostlist="C:\Users\user\Desktop\lists\\youtube_v2.txt" --dpi-desync=multisplit --dpi-desync-split-seqovl=1 --dpi-desync-split-pos=midsld+1 --new --filter-tcp=443 --hostlist="C:\Users\user\Desktop\lists\\youtubeGV.txt" --dpi-desync=multisplit --dpi-desync-split-seqovl=1 --dpi-desync-split-pos=midsld-1 --new --filter-tcp=443 --hostlist="C:\Users\user\Desktop\lists\\other.txt" --dpi-desync=fake,multisplit --dpi-desync-split-seqovl=1 --dpi-desync-split-pos=midsld-1 --dpi-desync-fooling=md5sig,badseq --dpi-desync-fake-tls="C:\Users\user\Desktop\bin\\tls_clienthello_4.bin" --dpi-desync-ttl=2 --new --filter-tcp=443 --ipset="C:\Users\user\Desktop\lists\\ipset-discord.txt" --dpi-desync=syndata --dpi-desync-fake-syndata="C:\Users\user\Desktop\bin\\tls_clienthello_3.bin" --dpi-desync-autottl --new --filter-tcp=443 --hostlist="C:\Users\user\Desktop\lists\\discord.txt" --dpi-desync=fakedsplit --dpi-desync-split-pos=1 --dpi-desync-fooling=badseq --dpi-desync-repeats=10 --dpi-desync-autottl --new --filter-udp=443 --hostlist="C:\Users\user\Desktop\lists\\discord.txt" --dpi-desync=fake,udplen --dpi-desync-udplen-increment=5 --dpi-desync-udplen-pattern=0xDEADBEEF --dpi-desync-fake-quic="C:\Users\user\Desktop\bin\\quic_2.bin" --dpi-desync-repeats=7 --dpi-desync-cutoff=n2 --new --filter-udp=50000-50090 --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-cutoff=n3 --new --filter-tcp=443 --ipset-ip=XXX.XXX.XXX.XXX/XX,XXX.XXX.XXX.XXX/XX --wssize=1:6 --hostlist-domains=googlevideo.com --dpi-desync=multidisorder --dpi-desync-split-seqovl=1 --dpi-desync-split-pos=1,host+2,sld+2,sld+5,sniext+1,sniext+2,endhost-2 --new --filter-tcp=443 --hostlist="C:\Users\user\Desktop\lists\\faceinsta.txt" --dpi-desync=split2 --dpi-desync-split-seqovl=652 --dpi-desync-split-pos=2 --dpi-desync-split-seqovl-pattern="C:\Users\user\Desktop\bin\\tls_clienthello_4.bin" --new
Imagebase:	0x100400000
File size:	159'744 bytes
MD5 hash:	7824C819BD3C98BF7890D92FD3EF3785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	02:39:26
Start date:	09/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Function 00007FF849003E7E Relevance: .5, Instructions: 458COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4526825788.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849000000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e6eaa1ac36e29525ff896ab25dce8f5f4f291e8a1b31c008bf2fa3e586bf914
Instruction ID: f5db74b4de21f44225971d6ae1054a80d279e24d730270a0a0c7d44c2098c1ed
Opcode Fuzzy Hash: 8e6eaa1ac36e29525ff896ab25dce8f5f4f291e8a1b31c008bf2fa3e586bf914
Instruction Fuzzy Hash: 65D1E422D0EBC65FEB66AB3828151717FE1EF52690B0901FBD089CB1D3F91C9C4A8356

Function 00007FF849003F4A Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4526825788.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849000000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b897fdce303e437c1e1a618438b488d2c6b03872e1909680521348590d37619
Instruction ID: 359d379a62869bcbbcc14f7ba28aa31abc10993f0b0c006d8e43d95dd55fc1a5
Opcode Fuzzy Hash: 6b897fdce303e437c1e1a618438b488d2c6b03872e1909680521348590d37619
Instruction Fuzzy Hash: 1331D421D1EAC74FFBAAAB2C28155346AE1EF522E1B0801FAD04DD71D3EE1CD8444316

Function 00007FF849008457 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4526825788.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849000000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f5661f5770ad1a25db50fd360fbc2b44aaa4e4c2901bf31a97d2e70f7b60e30
Instruction ID: 6514f10194b3d893554c5444bf4671c4ce3b4ca3fa201e899f74cf2f7c482f4d
Opcode Fuzzy Hash: 0f5661f5770ad1a25db50fd360fbc2b44aaa4e4c2901bf31a97d2e70f7b60e30
Instruction Fuzzy Hash: FB21D321C1FAC65FE7B5BB382819078BFE0FF466A5B1805FED459DB0D3E90998458312

Function 00007FF848F34CF5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4526461893.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0e3361d74d2ee27645d0f2256e5238b1b89f9cb8af1d851f9524dd22a4e15d4
Instruction ID: 61d61cd83273919ea6ccf6324f81e7159dfb498cf32b6cf86bf68628e556b049
Opcode Fuzzy Hash: d0e3361d74d2ee27645d0f2256e5238b1b89f9cb8af1d851f9524dd22a4e15d4
Instruction Fuzzy Hash: A201677111CB0C4FD748EF4CE451AA5B7E0FB95364F10056EE58AC3695D736E881CB45

Non-executed Functions

Function 00007FF848F39890 Relevance: 1.9, Strings: 1, Instructions: 658COMMON

Download Yara Rule

Strings

X, xrefs: 00007FF848F39C3C

Memory Dump Source

Source File: 00000000.00000002.4526461893.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID: X
API String ID: 0-3081909835
Opcode ID: c8e0d45e85b6a5aaf3fe8ca968eef3cb6a0d9130278fcd076388831e6f8775b4
Instruction ID: fb9f764bf7b24176a7ae833503e3d04956059e93026240946021705487f13232
Opcode Fuzzy Hash: c8e0d45e85b6a5aaf3fe8ca968eef3cb6a0d9130278fcd076388831e6f8775b4
Instruction Fuzzy Hash: 9932C462E0EAC25FE35797782C15139AF91FF536D4B4801FFC0844B8DB961E9E098396

Function 00007FF848F39EF3 Relevance: .8, Instructions: 799COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4526461893.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74c2c9cc791a9e7eb4ea1cfeb74eadd980548b9c0124f7df2b9641424f5a6dff
Instruction ID: 0c4cc034cd9e1ed3f72f19db717c0e4eb0e4e7c4bc87efb4c6ff9df85b3a9511
Opcode Fuzzy Hash: 74c2c9cc791a9e7eb4ea1cfeb74eadd980548b9c0124f7df2b9641424f5a6dff
Instruction Fuzzy Hash: 7842D472D1EEC24FE356E77968151787BA1FF52698F4800FFC0884B0D7EA1E9945838A

Analysis Process: winws.exePID: 7464, Parent PID: 1776COMMON

Non-executed Functions

Function 00000001004153F0 Relevance: 291.7, APIs: 82, Strings: 84, Instructions: 1156stringCOMMON

Download Yara Rule

APIs

strdup.CYGWIN1(0002CC70,?,?,?,?,?,?,?,0000000100410410), ref: 0000000100415428
free.CYGWIN1(0002CC70,?,?,?,?,?,?,?,0000000100410410), ref: 000000010041545A

Part of subcall function 0000000100403E2D: printf.CYGWIN1 ref: 0000000100403EC7
Part of subcall function 0000000100403E2D: exit.CYGWIN1 ref: 0000000100403ED1

StartServiceCtrlDispatcherA.ADVAPI32 ref: 00000001004154BC
time.CYGWIN1 ref: 0000000100415540
srandom.CYGWIN1 ref: 0000000100415547
printf.CYGWIN1 ref: 00000001004155CC
getopt_long_only.CYGWIN1 ref: 0000000100415833
free.CYGWIN1 ref: 00000001004173C7
wordfree.CYGWIN1 ref: 00000001004173E4
snprintf.CYGWIN1 ref: 0000000100417492

Strings

profile %d autottl ipv6 %u:%u-%u, xrefs: 00000001004177E4
profile %d include fixed hostlist%s, xrefs: 0000000100417A0C
windivert filter: raw filter saved to %s, xrefs: 00000001004176B8
packet: id=%u reinject unmodified, xrefs: 00000001004183AA
windivert: try to disable secure boot and install OS patches, xrefs: 0000000100418046
profile %d seqovl %s %d, xrefs: 0000000100417992
windivert: error opening filter: %s, xrefs: 0000000100418020
and ((ipv6.DstAddr > ::1) and (ipv6.DstAddr < 2001::0 or ipv6.DstAddr >= 2001:1::0) and (ipv6.DstAddr < fc00::0 or ipv6.DstAddr >= fe00::0) and (ipv6.DstAddr < fe80::0 or ipv6.DstAddr >= fec0::0) and (ipv6.DstAddr < ff00::0 or ipv6.DstAddr >= ffff::0)), xrefs: 000000010041757E
(tcp.Ack and tcp.Syn or tcp.Rst or tcp.Fin), xrefs: 0000000100417460
and (((ip.DstAddr < 127.0.0.1 or ip.DstAddr > 127.255.255.255) and (ip.DstAddr < 10.0.0.0 or ip.DstAddr > 10.255.255.255) and (ip.DstAddr < 192.168.0.0 or ip.DstAddr > 192.168.255.255) and (ip.DstAddr < 172.16.0.0 or ip.DstAddr > 172.31.255.255) and (ip.DstAd, xrefs: 0000000100417594
(empty), xrefs: 000000010041796F, 00000001004179F5
profile %d multisplit %s %d, xrefs: 0000000100417986
35d676406cede0e689910fa9d5b0b2cc7f5b7c1a, xrefs: 00000001004155B0
windivert: reinject of packet id=%u failed, xrefs: 0000000100418403
ifIdx=%u and subIfIdx=%u and, xrefs: 0000000100417486
ipset fixed (%s), xrefs: 0000000100417B02
logical network disappeared. deinitializing windivert., xrefs: 0000000100417ECA
could not write pidfile, xrefs: 0000000100417D64
inbound, xrefs: 000000010041832B
lists summary:, xrefs: 000000010041794E
profile %d auto hostlist %s%s, xrefs: 0000000100417AD3
initializing conntrack with timeouts tcp=%u:%u:%u udp=%u, xrefs: 0000000100417D8D
v69.9, xrefs: 00000001004155B7
winws, xrefs: 000000010041545F
and false, xrefs: 0000000100417573
outbound, xrefs: 000000010041830F
logical network is not present. waiting it to appear., xrefs: 0000000100417EE4
windivert: ignoring too large packet, xrefs: 000000010041822D
Global\winws_arg_%u_%u_%u_%u_%u_%u_%u_%u_%u, xrefs: 00000001004176ED
hostlist fixed%s, xrefs: 0000000100417976
(!tcp or tcp.Syn or tcp.Rst or tcp.Fin or tcp.PayloadLength>0) and , xrefs: 0000000100417470
EXEDIR, xrefs: 000000010041544B
x , xrefs: 000000010041569B
ip and, xrefs: 00000001004175A6
windivert: passing loopback packet, xrefs: 000000010041835E
profile %d exclude fixed hostlist%s, xrefs: 0000000100417A6D
windivert filter : could not make filter, xrefs: 000000010041761B
github version %s (%s), xrefs: 00000001004155BE
windivert filter: could not save raw filter to %s, xrefs: 00000001004176CC
logical network now present, xrefs: 0000000100417F30
hostlists load failed, xrefs: 0000000100417908
profile %d include fixed ipset (%s), xrefs: 0000000100417B54
we have %d user defined desync profile(s) and default low priority profile 0, xrefs: 00000001004177D6
((ip.SrcAddr < 127.0.0.1 or ip.SrcAddr > 127.255.255.255) and (ip.SrcAddr < 10.0.0.0 or ip.SrcAddr > 10.255.255.255) and (ip.SrcAddr < 192.168.0.0 or ip.SrcAddr > 192.168.255.255) and (ip.SrcAddr < 172.16.0.0 or ip.SrcAddr > 172.31.255.255) and (ip.SrcAddr < 1, xrefs: 000000010041753A
ipv6 and, xrefs: 0000000100417585
desync_profile_add: out of memory, xrefs: 00000001004155F2
windivert initialized. capture is started., xrefs: 00000001004180A0
profile %d exclude ipset %s (%s), xrefs: 0000000100417BBC
packet: id=%u reinject modified len=%zu, xrefs: 00000001004183C2
fork, xrefs: 0000000100417CAC
ipset load failed, xrefs: 000000010041793D
win_dark_init failed. win32 error %u (0x%08X), xrefs: 0000000100417EA8
QUIT requested, xrefs: 0000000100417F07
windivert filter size: %zuwindivert filter:%s, xrefs: 000000010041763A
profile %d include ipset %s (%s), xrefs: 0000000100417B5B
windivert: recv failed. errno %d, xrefs: 0000000100418251
profile %d exclude hostlist %s%s, xrefs: 0000000100417A91
(%s or %s), xrefs: 00000001004174DC
splits summary:, xrefs: 000000010041797F
command line parameters verified, xrefs: 0000000100417C85
packet: id=%u len=%zu %s IPv6=%u IPChecksum=%u TCPChecksum=%u UDPChecksum=%u IfIdx=%u.%u, xrefs: 0000000100418303
windivert filter : must specify port filter, xrefs: 00000001004173FE
and ((ip.DstAddr < 127.0.0.1 or ip.DstAddr > 127.255.255.255) and (ip.DstAddr < 10.0.0.0 or ip.DstAddr > 10.255.255.255) and (ip.DstAddr < 192.168.0.0 or ip.DstAddr > 192.168.255.255) and (ip.DstAddr < 172.16.0.0 or ip.DstAddr > 172.31.255.255) and (ip.DstAdd, xrefs: 000000010041759B
hostlist file %s%s, xrefs: 00000001004179B8
profile %d autottl ipv4 %u:%u-%u, xrefs: 00000001004177DD
could not load config file '%s', xrefs: 00000001004156C0
packet: id=%u drop, xrefs: 0000000100418413
and , xrefs: 000000010041751C, 0000000100417557
(((ip.SrcAddr < 127.0.0.1 or ip.SrcAddr > 127.255.255.255) and (ip.SrcAddr < 10.0.0.0 or ip.SrcAddr > 10.255.255.255) and (ip.SrcAddr < 192.168.0.0 or ip.SrcAddr > 192.168.255.255) and (ip.SrcAddr < 172.16.0.0 or ip.SrcAddr > 172.31.255.255) and (ip.SrcAddr < , xrefs: 0000000100417533
failed to split command line options from file '%s', xrefs: 000000010041573C
A copy of winws is already running with the same filter, xrefs: 00000001004177A4
Global\winws_windivert_mutex, xrefs: 0000000100417F6A
adding low-priority default empty desync profile, xrefs: 00000001004177B5
/dev/null, xrefs: 0000000100417D03
profile %d exclude fixed ipset (%s), xrefs: 0000000100417BB5
L, xrefs: 000000010041585A
windivert: passing impostor packet, xrefs: 000000010041834A
profile %d include hostlist %s%s, xrefs: 0000000100417A39
((ipv6.SrcAddr > ::1) and (ipv6.SrcAddr < 2001::0 or ipv6.SrcAddr >= 2001:1::0) and (ipv6.SrcAddr < fc00::0 or ipv6.SrcAddr >= fe00::0) and (ipv6.SrcAddr < fe80::0 or ipv6.SrcAddr >= fec0::0) and (ipv6.SrcAddr < ff00::0 or ipv6.SrcAddr >= ffff::0)), xrefs: 0000000100417515
%u.%u, xrefs: 00000001004182A7
ipset file %s (%s), xrefs: 0000000100417B09
!impostor and !loopback and%s%s ((outbound and %s%s%s) or (inbound and tcp%s%s%s%s%s%s%s)), xrefs: 00000001004175E2
((tcp.Ack and tcp.Syn or tcp.Rst or tcp.Fin) or (tcp.PayloadLength>=12 and tcp.Payload32[0]==0x48545450 and tcp.Payload16[2]==0x2F31 and tcp.Payload[6]==0x2E and tcp.Payload16[4]==0x2033 and tcp.Payload[10]==0x30 and (tcp.Payload[11]==0x32 or tcp.Payload[11]==, xrefs: 0000000100417469
split seqovl supports only absolute positive positions, xrefs: 00000001004178D2

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: freeprintf$CtrlDispatcherServiceStartexitgetopt_long_onlysnprintfsrandomstrduptimewordfree
String ID: lists summary:$splits summary:$ (empty)$ and $ and (((ip.DstAddr < 127.0.0.1 or ip.DstAddr > 127.255.255.255) and (ip.DstAddr < 10.0.0.0 or ip.DstAddr > 10.255.255.255) and (ip.DstAddr < 192.168.0.0 or ip.DstAddr > 192.168.255.255) and (ip.DstAddr < 172.16.0.0 or ip.DstAddr > 172.31.255.255) and (ip.DstAd$ and ((ip.DstAddr < 127.0.0.1 or ip.DstAddr > 127.255.255.255) and (ip.DstAddr < 10.0.0.0 or ip.DstAddr > 10.255.255.255) and (ip.DstAddr < 192.168.0.0 or ip.DstAddr > 192.168.255.255) and (ip.DstAddr < 172.16.0.0 or ip.DstAddr > 172.31.255.255) and (ip.DstAdd$ and ((ipv6.DstAddr > ::1) and (ipv6.DstAddr < 2001::0 or ipv6.DstAddr >= 2001:1::0) and (ipv6.DstAddr < fc00::0 or ipv6.DstAddr >= fe00::0) and (ipv6.DstAddr < fe80::0 or ipv6.DstAddr >= fec0::0) and (ipv6.DstAddr < ff00::0 or ipv6.DstAddr >= ffff::0))$ and false$ ifIdx=%u and subIfIdx=%u and$ ip and$ ipv6 and$!impostor and !loopback and%s%s ((outbound and %s%s%s) or (inbound and tcp%s%s%s%s%s%s%s))$%u.%u$(!tcp or tcp.Syn or tcp.Rst or tcp.Fin or tcp.PayloadLength>0) and $(%s or %s)$(((ip.SrcAddr < 127.0.0.1 or ip.SrcAddr > 127.255.255.255) and (ip.SrcAddr < 10.0.0.0 or ip.SrcAddr > 10.255.255.255) and (ip.SrcAddr < 192.168.0.0 or ip.SrcAddr > 192.168.255.255) and (ip.SrcAddr < 172.16.0.0 or ip.SrcAddr > 172.31.255.255) and (ip.SrcAddr < $((ip.SrcAddr < 127.0.0.1 or ip.SrcAddr > 127.255.255.255) and (ip.SrcAddr < 10.0.0.0 or ip.SrcAddr > 10.255.255.255) and (ip.SrcAddr < 192.168.0.0 or ip.SrcAddr > 192.168.255.255) and (ip.SrcAddr < 172.16.0.0 or ip.SrcAddr > 172.31.255.255) and (ip.SrcAddr < 1$((ipv6.SrcAddr > ::1) and (ipv6.SrcAddr < 2001::0 or ipv6.SrcAddr >= 2001:1::0) and (ipv6.SrcAddr < fc00::0 or ipv6.SrcAddr >= fe00::0) and (ipv6.SrcAddr < fe80::0 or ipv6.SrcAddr >= fec0::0) and (ipv6.SrcAddr < ff00::0 or ipv6.SrcAddr >= ffff::0))$((tcp.Ack and tcp.Syn or tcp.Rst or tcp.Fin) or (tcp.PayloadLength>=12 and tcp.Payload32[0]==0x48545450 and tcp.Payload16[2]==0x2F31 and tcp.Payload[6]==0x2E and tcp.Payload16[4]==0x2033 and tcp.Payload[10]==0x30 and (tcp.Payload[11]==0x32 or tcp.Payload[11]==$(tcp.Ack and tcp.Syn or tcp.Rst or tcp.Fin)$/dev/null$35d676406cede0e689910fa9d5b0b2cc7f5b7c1a$A copy of winws is already running with the same filter$EXEDIR$Global\winws_arg_%u_%u_%u_%u_%u_%u_%u_%u_%u$Global\winws_windivert_mutex$L$QUIT requested$adding low-priority default empty desync profile$command line parameters verified$could not load config file '%s'$could not write pidfile$desync_profile_add: out of memory$failed to split command line options from file '%s'$fork$github version %s (%s)$hostlist file %s%s$hostlist fixed%s$hostlists load failed$inbound$initializing conntrack with timeouts tcp=%u:%u:%u udp=%u$ipset file %s (%s)$ipset fixed (%s)$ipset load failed$logical network disappeared. deinitializing windivert.$logical network is not present. waiting it to appear.$logical network now present$outbound$packet: id=%u drop$packet: id=%u len=%zu %s IPv6=%u IPChecksum=%u TCPChecksum=%u UDPChecksum=%u IfIdx=%u.%u$packet: id=%u reinject modified len=%zu$packet: id=%u reinject unmodified$profile %d auto hostlist %s%s$profile %d autottl ipv4 %u:%u-%u$profile %d autottl ipv6 %u:%u-%u$profile %d exclude fixed hostlist%s$profile %d exclude fixed ipset (%s)$profile %d exclude hostlist %s%s$profile %d exclude ipset %s (%s)$profile %d include fixed hostlist%s$profile %d include fixed ipset (%s)$profile %d include hostlist %s%s$profile %d include ipset %s (%s)$profile %d multisplit %s %d$profile %d seqovl %s %d$split seqovl supports only absolute positive positions$v69.9$we have %d user defined desync profile(s) and default low priority profile 0$win_dark_init failed. win32 error %u (0x%08X)$windivert filter : could not make filter$windivert filter : must specify port filter$windivert filter size: %zuwindivert filter:%s$windivert filter: could not save raw filter to %s$windivert filter: raw filter saved to %s$windivert initialized. capture is started.$windivert: error opening filter: %s$windivert: ignoring too large packet$windivert: passing impostor packet$windivert: passing loopback packet$windivert: recv failed. errno %d$windivert: reinject of packet id=%u failed$windivert: try to disable secure boot and install OS patches$winws$x
API String ID: 3422133915-1305784827
Opcode ID: 2d6a7bf9f5ee40e1b25bf8a44121f6d18f060c6877ab2b0a58138cc3d0bff57b
Instruction ID: 742a5735f9aed11d688c59fade480711349d47672b4ab946478360a58248c244
Opcode Fuzzy Hash: 2d6a7bf9f5ee40e1b25bf8a44121f6d18f060c6877ab2b0a58138cc3d0bff57b
Instruction Fuzzy Hash: C8C27B71308A8096FB22DB21E8503EA67A0F78D784F844116DBC9D7B96DFB8C5C9C749

Function 62807BB6 Relevance: 98.5, APIs: 45, Strings: 11, Instructions: 527memoryserviceregistryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32 ref: 62807C49
HeapAlloc.KERNEL32 ref: 62807C68
GetLastError.KERNEL32 ref: 62807C76
HeapDestroy.KERNEL32 ref: 62807C81
SetLastError.KERNEL32 ref: 62807C89
HeapDestroy.KERNEL32 ref: 62807CC0
CreateFileW.KERNEL32 ref: 62807F25
GetLastError.KERNEL32 ref: 62807F3F
HeapDestroy.KERNEL32 ref: 62807F5E
HeapDestroy.KERNEL32 ref: 62807F75
SetLastError.KERNEL32 ref: 62807F80
SetLastError.KERNEL32 ref: 62807F8A
CreateMutexW.KERNEL32 ref: 62807F98
WaitForSingleObject.KERNEL32 ref: 62807FB2
OpenSCManagerW.ADVAPI32 ref: 62807FCF
OpenServiceW.ADVAPI32 ref: 62807FF1
GetModuleFileNameW.KERNEL32 ref: 62808037
SetLastError.KERNEL32 ref: 62808067
CreateServiceW.ADVAPI32 ref: 6280810A
OpenServiceW.ADVAPI32 ref: 62808144
StartServiceW.ADVAPI32 ref: 6280815A
GetLastError.KERNEL32 ref: 6280816A
DeleteService.ADVAPI32 ref: 6280817E
GetLastError.KERNEL32 ref: 62808184
CloseServiceHandle.ADVAPI32 ref: 62808195
CloseServiceHandle.ADVAPI32 ref: 628081A3
ReleaseMutex.KERNEL32 ref: 628081AE
CloseHandle.KERNEL32 ref: 628081B9
SetLastError.KERNEL32 ref: 628081C9
GetLastError.KERNEL32 ref: 628081D0
HeapDestroy.KERNEL32 ref: 628081E5
CreateFileW.KERNEL32 ref: 6280821B
HeapDestroy.KERNEL32 ref: 62808239
SetLastError.KERNEL32 ref: 62808241
CloseHandle.KERNEL32 ref: 62808314
HeapDestroy.KERNEL32 ref: 6280831D
GetLastError.KERNEL32 ref: 62808368
CloseHandle.KERNEL32 ref: 62808373
HeapDestroy.KERNEL32 ref: 6280837C
SetLastError.KERNEL32 ref: 62808381
HeapDestroy.KERNEL32 ref: 62808393
RegCreateKeyExA.ADVAPI32 ref: 6280841F
RegSetValueExW.ADVAPI32 ref: 62808453
RegSetValueExA.ADVAPI32 ref: 62808486
RegCloseKey.ADVAPI32 ref: 62808494

Strings

@, xrefs: 628082D8
WinDivertDriverInstallMutex, xrefs: 62807F91
@, xrefs: 628082AF
\\.\WinDivert, xrefs: 62807F1E, 62808214
\WinDivert64.sys, xrefs: 62808003, 62808087
WinDivert, xrefs: 62807FE7, 628080A6, 6280813A
TypesSupported, xrefs: 6280847A
#WdivSYS, xrefs: 628082F3
EventMessageFile, xrefs: 62808448
System\CurrentControlSet\Services\EventLog\System\WinDivert, xrefs: 628083FC
$WdivDLL, xrefs: 6280829C

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$Destroy$Service$CloseCreate$Handle$FileOpen$MutexValue$AllocDeleteManagerModuleNameObjectReleaseSingleStartWait
String ID: #WdivSYS$$WdivDLL$@$@$EventMessageFile$System\CurrentControlSet\Services\EventLog\System\WinDivert$TypesSupported$WinDivert$WinDivertDriverInstallMutex$\WinDivert64.sys$\\.\WinDivert
API String ID: 1678129784-3754777098
Opcode ID: c0b82e24a6d8298f9a6c2309092f27bb93acb551c82d9d2d451f5fdc91eee29c
Instruction ID: e031360463cd0404f02d9d7ac908f1c18b8765aceadad91f7f36c46469ad8699
Opcode Fuzzy Hash: c0b82e24a6d8298f9a6c2309092f27bb93acb551c82d9d2d451f5fdc91eee29c
Instruction Fuzzy Hash: 7D123679305A8186FB208B26FD2475AA692FB85BD8F009A24CE5E47FE4DF7EC155C700

Function 0000000100416D3A Relevance: 79.1, APIs: 27, Strings: 18, Instructions: 340registrystringcomCOMMON

Download Yara Rule

APIs

strcmp.CYGWIN1 ref: 0000000100416D54
CoInitialize.OLE32 ref: 0000000100416D61
CoCreateInstance.OLE32 ref: 0000000100416D94
CoUninitialize.OLE32 ref: 0000000100416DA4
WideCharToMultiByte.KERNEL32 ref: 0000000100416F2D
printf.CYGWIN1 ref: 0000000100416F41
printf.CYGWIN1 ref: 0000000100416F58
printf.CYGWIN1 ref: 0000000100416F6F
printf.CYGWIN1 ref: 0000000100416FAE
printf.CYGWIN1 ref: 0000000100416FC8
RegOpenKeyExA.ADVAPI32 ref: 0000000100417085
RegEnumKeyExA.ADVAPI32 ref: 0000000100417118
RegOpenKeyExA.ADVAPI32 ref: 000000010041715E
RegQueryValueExA.ADVAPI32 ref: 00000001004171A4
strcmp.CYGWIN1 ref: 00000001004171D6
RegQueryValueExW.ADVAPI32 ref: 0000000100417219
WideCharToMultiByte.KERNEL32 ref: 0000000100417271
RegCloseKey.ADVAPI32 ref: 0000000100417281
RegCloseKey.ADVAPI32 ref: 000000010041729D
printf.CYGWIN1 ref: 00000001004172BA
printf.CYGWIN1 ref: 00000001004172CB
putchar.CYGWIN1 ref: 00000001004172F8
GetLastError.KERNEL32 ref: 0000000100417306
GetLastError.KERNEL32 ref: 000000010041730C
GetLastError.KERNEL32 ref: 0000000100417310
SysFreeString.OLEAUT32 ref: 000000010041732A
CoUninitialize.OLE32 ref: 0000000100417369

Strings

{, xrefs: 00000001004170A8
NetID : %s, xrefs: 0000000100416FC1
could not get list of NLM networks, xrefs: 0000000100417377
}, xrefs: 00000001004170B7
unknown, xrefs: 0000000100416F9C
public, xrefs: 0000000100416F7B
Name : %s, xrefs: 0000000100416F3A
(inet), xrefs: 0000000100416F68
all, xrefs: 0000000100416D4B
domain, xrefs: 0000000100416F95
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards, xrefs: 0000000100416FE5
Description, xrefs: 00000001004171F2
private, xrefs: 0000000100416F86
(connected), xrefs: 0000000100416F51
(%s), xrefs: 0000000100416FA7
Adapter : %s, xrefs: 00000001004172C4
ServiceName, xrefs: 000000010041717D
Adapter : %s (%s), xrefs: 00000001004172B3

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: printf$ErrorLast$ByteCharCloseMultiOpenQueryUninitializeValueWidestrcmp$CreateEnumFreeInitializeInstanceStringputchar
String ID: (%s)$ (connected)$ (inet)$Adapter : %s$Adapter : %s (%s)$Description$Name : %s$NetID : %s$SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards$ServiceName$all$could not get list of NLM networks$domain$private$public$unknown${$}
API String ID: 3947993482-882119128
Opcode ID: 1ac12819dcd33bd2c262d933e028a3e99d247a3d7d8bca8b856c0f89dc262998
Instruction ID: fdc38b328d656c1d191d81c93481fd835e775233cbeab622a9021a18768f5cd6
Opcode Fuzzy Hash: 1ac12819dcd33bd2c262d933e028a3e99d247a3d7d8bca8b856c0f89dc262998
Instruction Fuzzy Hash: BA021076308A8185E7729B25E4547DA77A0F78C788F804126DFC9C7BA4DFB9C588C748

Function 0000000100401CE7 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 271stringCOMMON

Download Yara Rule

APIs

WlanQueryInterface.WLANAPI ref: 0000000100401DE3
strlen.CYGWIN1 ref: 0000000100401E10
memcmp.CYGWIN1 ref: 0000000100401E2B
WlanFreeMemory.WLANAPI ref: 0000000100401E39
WlanFreeMemory.WLANAPI ref: 0000000100401E53
WlanFreeMemory.WLANAPI ref: 0000000100401E78
WlanCloseHandle.WLANAPI ref: 0000000100401E8C
WideCharToMultiByte.KERNEL32 ref: 0000000100401FA3
strcmp.CYGWIN1 ref: 0000000100401FCD
strlen.CYGWIN1 ref: 0000000100401FE1
sscanf.CYGWIN1 ref: 000000010040207E
memcmp.CYGWIN1 ref: 00000001004020F2
GetLastError.KERNEL32 ref: 0000000100402115
GetLastError.KERNEL32 ref: 000000010040211B
GetLastError.KERNEL32 ref: 000000010040211F
SysFreeString.OLEAUT32 ref: 000000010040213B

Strings

%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X, xrefs: 0000000100401FB4

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: Wlan$Free$ErrorLastMemory$memcmpstrlen$ByteCharCloseHandleInterfaceMultiQueryStringWidesscanfstrcmp
String ID: %08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X
API String ID: 3907171171-861051678
Opcode ID: be9e969d30bf3616541acffa30679d8d2416bfb725b45fa8a2e4d6bc5f2a20e2
Instruction ID: b0bb3c7b936e36b07e460c8a7e153e6649dbd57530c7a42aedaee81e4049c079
Opcode Fuzzy Hash: be9e969d30bf3616541acffa30679d8d2416bfb725b45fa8a2e4d6bc5f2a20e2
Instruction Fuzzy Hash: D3C12C32304B8185E762DB25E5447DA73A1FB88B84F844116EFC9D7BA8DFB8C485C749

Function 62801A05 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

DeviceIoControl.KERNEL32 ref: 62801A3F

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ControlDevice
String ID:
API String ID: 2352790924-0
Opcode ID: fc993b264eefa0ad9f10c0675a1d9b70a49773db9c627f9620c110002daf70a3
Instruction ID: 4f1b1cb6f17d90d0fcf7fe498f531e60f7e7f1ca04b8a1d04263c571eb61e9c9
Opcode Fuzzy Hash: fc993b264eefa0ad9f10c0675a1d9b70a49773db9c627f9620c110002daf70a3
Instruction Fuzzy Hash: 1FF01C36618B848ADB208F21F88078AB7A5F798754F145115DEDC47B08EF3CC1658B00

Function 00000001004018FE Relevance: 58.6, APIs: 19, Strings: 20, Instructions: 148stringCOMMON

Download Yara Rule

APIs

strcmp.CYGWIN1 ref: 0000000100401939
strcmp.CYGWIN1 ref: 0000000100401959
strcmp.CYGWIN1 ref: 0000000100401979
strcmp.CYGWIN1 ref: 0000000100401999
strcmp.CYGWIN1 ref: 00000001004019B9
strcmp.CYGWIN1 ref: 00000001004019D9
strcmp.CYGWIN1 ref: 00000001004019F9
strcmp.CYGWIN1 ref: 0000000100401A19
strcmp.CYGWIN1 ref: 0000000100401A39
strcmp.CYGWIN1 ref: 0000000100401A59
strcmp.CYGWIN1 ref: 0000000100401A79
strcmp.CYGWIN1 ref: 0000000100401A99
strcmp.CYGWIN1 ref: 0000000100401AB9
strcmp.CYGWIN1 ref: 0000000100401AD9
strcmp.CYGWIN1 ref: 0000000100401AF9
strcmp.CYGWIN1 ref: 0000000100401B15
strcmp.CYGWIN1 ref: 0000000100401B31
strcmp.CYGWIN1 ref: 0000000100401B4D
strcmp.CYGWIN1 ref: 0000000100401B69

Strings

tamper, xrefs: 0000000100401B5F
destopt, xrefs: 0000000100401B0B
udplen, xrefs: 0000000100401B43
fake, xrefs: 0000000100401912
split2, xrefs: 0000000100401A6F
split, xrefs: 0000000100401A2F
fakeknown, xrefs: 000000010040192F
rst, xrefs: 000000010040194F
ipfrag1, xrefs: 0000000100401B27
rstack, xrefs: 000000010040196F
syndata, xrefs: 00000001004019AF
multidisorder, xrefs: 0000000100401A8F
ipfrag2, xrefs: 0000000100401ACF
disorder2, xrefs: 0000000100401AAF
fakedsplit, xrefs: 0000000100401A0F
fakeddisorder, xrefs: 00000001004019CF
multisplit, xrefs: 0000000100401A4F
disorder, xrefs: 00000001004019EF
synack, xrefs: 000000010040198F
hopbyhop, xrefs: 0000000100401AEF

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: strcmp
String ID: destopt$disorder$disorder2$fake$fakeddisorder$fakedsplit$fakeknown$hopbyhop$ipfrag1$ipfrag2$multidisorder$multisplit$rst$rstack$split$split2$synack$syndata$tamper$udplen
API String ID: 1004003707-2024544915
Opcode ID: 758cd890e9d1e99f20caf472e90ae34cd9766e3f8a7275a32252ed25d544403d
Instruction ID: 9fb69ded5926fa9cc3e70b563a58a9dea87e1e677406c4291c7f9085cc325bc2
Opcode Fuzzy Hash: 758cd890e9d1e99f20caf472e90ae34cd9766e3f8a7275a32252ed25d544403d
Instruction Fuzzy Hash: 02510B3433152054FB6BD76E9405FE013906B8D781FC469556E98CAB92EBFD8484CF89

Function 00000001004055CB Relevance: 54.7, APIs: 19, Strings: 12, Instructions: 439stringfileCOMMON

Download Yara Rule

APIs

Part of subcall function 000000010040CF53: strlen.CYGWIN1(?,?,?,?,0000000100402244), ref: 000000010040CF68
Part of subcall function 000000010040CF53: memcmp.CYGWIN1(?,?,?,?,0000000100402244), ref: 000000010040CFCF

strlen.CYGWIN1 ref: 0000000100405614
malloc.CYGWIN1 ref: 0000000100405621
malloc.CYGWIN1 ref: 0000000100405636
strlen.CYGWIN1 ref: 000000010040566A
strlen.CYGWIN1 ref: 000000010040569B
malloc.CYGWIN1 ref: 00000001004056C5
malloc.CYGWIN1 ref: 0000000100405710
free.CYGWIN1 ref: 0000000100405728
malloc.CYGWIN1 ref: 0000000100405818
free.CYGWIN1 ref: 0000000100405922
free.CYGWIN1 ref: 00000001004059A4
free.CYGWIN1 ref: 00000001004059B4
time.CYGWIN1 ref: 0000000100405A4C
free.CYGWIN1 ref: 0000000100405A70
free.CYGWIN1 ref: 0000000100405A78
strlen.CYGWIN1 ref: 0000000100405BA8
fopen.CYGWIN1 ref: 0000000100405BF7
fprintf.CYGWIN1 ref: 0000000100405C30
fclose.CYGWIN1 ref: 0000000100405C3A

Strings

write to auto hostlist:, xrefs: 0000000100405C04
auto hostlist (profile %d) : rechecking %s to avoid duplicates, xrefs: 0000000100405B21
%s : profile %d : client %s : proto %s : adding to %s, xrefs: 0000000100405B89
auto hostlist (profile %d) : adding %s to %s, xrefs: 0000000100405B6D
auto hostlist (profile %d) : NOT adding %s, xrefs: 0000000100405C5D
auto hostlist (profile %d) : fail threshold reached. about to add %s to auto hostlist, xrefs: 0000000100405B01
%s : profile %d : client %s : proto %s : NOT adding, duplicate detected, xrefs: 0000000100405C77
HostFailPoolAdd: out of memory, xrefs: 0000000100405A7D
%s : profile %d : client %s : proto %s : fail counter %d/%d, xrefs: 0000000100405AC1
auto hostlist (profile %d) : %s : fail counter %d/%d, xrefs: 0000000100405A91
StrPoolAddStr out of memory, xrefs: 0000000100405BC7
%s, xrefs: 0000000100405C29

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: free$mallocstrlen$fclosefopenfprintfmemcmptime
String ID: %s$%s : profile %d : client %s : proto %s : NOT adding, duplicate detected$%s : profile %d : client %s : proto %s : adding to %s$%s : profile %d : client %s : proto %s : fail counter %d/%d$HostFailPoolAdd: out of memory$StrPoolAddStr out of memory$auto hostlist (profile %d) : %s : fail counter %d/%d$auto hostlist (profile %d) : NOT adding %s$auto hostlist (profile %d) : adding %s to %s$auto hostlist (profile %d) : fail threshold reached. about to add %s to auto hostlist$auto hostlist (profile %d) : rechecking %s to avoid duplicates$write to auto hostlist:
API String ID: 851951275-494448408
Opcode ID: 2d00dbbfd8cb5f73473cfae1795f1cb59b0dbf6d37b1065a46c49fcdef82396f
Instruction ID: 9b10284b14412bb1764b3f3d798c8ad723be30d38f28ffea2c0e7f33db31680a
Opcode Fuzzy Hash: 2d00dbbfd8cb5f73473cfae1795f1cb59b0dbf6d37b1065a46c49fcdef82396f
Instruction Fuzzy Hash: 4812ABB2301B8086EB12DF15E4847DA77A4F788BD4F058126EF8997795DBB8C894CB48

Function 000000010040B3D4 Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 327COMMON

Download Yara Rule

APIs

inet_ntop.CYGWIN1 ref: 000000010040B5EB
inet_ntop.CYGWIN1 ref: 000000010040B602
snprintf.CYGWIN1 ref: 000000010040B61E
snprintf.CYGWIN1 ref: 000000010040B64E
inet_ntop.CYGWIN1 ref: 000000010040B69F
inet_ntop.CYGWIN1 ref: 000000010040B6B6
snprintf.CYGWIN1 ref: 000000010040B6D2
snprintf.CYGWIN1 ref: 000000010040B702
snprintf.CYGWIN1 ref: 000000010040B7CC
snprintf.CYGWIN1 ref: 000000010040B837

Strings

UDP: len=%zu : , xrefs: 000000010040B85B
TCP: len=%zu : , xrefs: 000000010040B7E8
S, xrefs: 000000010040B737
DROPPING delayed packet #%u, xrefs: 000000010040B3D6
sport=%u dport=%u flags=%s seq=%u ack_seq=%u, xrefs: 000000010040B7A8
%s => %s, xrefs: 000000010040B612, 000000010040B6C6
IP4: %s, xrefs: 000000010040B656
REPLAYING delayed packet #%u offset %zu, xrefs: 000000010040B3DC
REPLAY , xrefs: 000000010040B59A
%s proto=%s ttl=%u, xrefs: 000000010040B643, 000000010040B6F7
sport=%u dport=%u, xrefs: 000000010040B819
%s, xrefs: 000000010040B7D4, 000000010040B83F
SENDING delayed packet #%u modified, xrefs: 000000010040B3D8
IP6: %s, xrefs: 000000010040B70A

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: snprintf$inet_ntop
String ID: %s$%s => %s$%s proto=%s ttl=%u$DROPPING delayed packet #%u$IP4: %s$IP6: %s$REPLAY $REPLAYING delayed packet #%u offset %zu$S$SENDING delayed packet #%u modified$TCP: len=%zu : $UDP: len=%zu : $sport=%u dport=%u$sport=%u dport=%u flags=%s seq=%u ack_seq=%u
API String ID: 4097025303-3612502600
Opcode ID: a50d49379a57f0e449367f57fb983ca3956c21052ec36d33ee6f7e87b3cf7460
Instruction ID: 2d29004747f45bf199d7f65590a5f023b2faf940027544e41b4ebffb5247a386
Opcode Fuzzy Hash: a50d49379a57f0e449367f57fb983ca3956c21052ec36d33ee6f7e87b3cf7460
Instruction Fuzzy Hash: B8E1A2B22086C485EB76DB11E4503DAB7A1F789784F848015EFCC97B9ADBBCC585CB48

Function 0000000100415C6F Relevance: 31.6, APIs: 10, Strings: 8, Instructions: 91stringCOMMON

Download Yara Rule

APIs

getopt_long_only.CYGWIN1 ref: 0000000100415833
strchr.CYGWIN1 ref: 0000000100415CA6
strcmp.CYGWIN1 ref: 0000000100415CC3
strcmp.CYGWIN1 ref: 0000000100415CE4
strcmp.CYGWIN1 ref: 0000000100415D05
strcmp.CYGWIN1 ref: 0000000100415D22

Strings

badseq, xrefs: 0000000100415C76
hopbyhop2, xrefs: 0000000100415C8B
none, xrefs: 0000000100415D87
datanoack, xrefs: 0000000100415C7D
dpi-desync-fooling allowed values : none,md5sig,ts,badseq,badsum,datanoack,hopbyhop,hopbyhop2, xrefs: 0000000100415D9A
badsum, xrefs: 0000000100415CFB
md5sig, xrefs: 0000000100415CB9
hopbyhop, xrefs: 0000000100415C84

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: strcmp$getopt_long_onlystrchr
String ID: badseq$badsum$datanoack$dpi-desync-fooling allowed values : none,md5sig,ts,badseq,badsum,datanoack,hopbyhop,hopbyhop2$hopbyhop$hopbyhop2$md5sig$none
API String ID: 63079263-1056601366
Opcode ID: 9a98f09394f3d11dd2afb8db7643a245b708397fcb87688244687927cd5a25ed
Instruction ID: b0ef50a67ba8a847819be9813cf3fd909d8563acd8fe9afbe3a8abc148b06058
Opcode Fuzzy Hash: 9a98f09394f3d11dd2afb8db7643a245b708397fcb87688244687927cd5a25ed
Instruction Fuzzy Hash: 96416B35314E82C5FA679B12A8487EA2394EBCD788F8045528FCAC66D5EBF8C1C4C70C

Function 00000001004051BB Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 113fileCOMMON

Download Yara Rule

APIs

fopen.CYGWIN1 ref: 00000001004051F0
fclose.CYGWIN1 ref: 0000000100405239
free.CYGWIN1 ref: 00000001004052A0

Strings

Not enough memory to store ipset : %s, xrefs: 000000010040528F, 0000000100405329
zlib decompression failed : result %d, xrefs: 00000001004052BC
Loading ipset %s, xrefs: 00000001004051D2
loading plain text list, xrefs: 00000001004052D0
Could not open %s, xrefs: 0000000100405200
Loaded %d ip/subnets from %s, xrefs: 000000010040534E
zlib compression detected. uncompressed size : %zu, xrefs: 0000000100405252

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: fclosefopenfree
String ID: Could not open %s$Loaded %d ip/subnets from %s$Loading ipset %s$Not enough memory to store ipset : %s$loading plain text list$zlib compression detected. uncompressed size : %zu$zlib decompression failed : result %d
API String ID: 27361309-2905724271
Opcode ID: 706d6acbe452bba3409b805eb15b970a7dd41bfa03135fb89b53add9e9cfc2fb
Instruction ID: c8d85abbc70837100a9ee0949ec6088a50c684cc74aef43265562cdf22f0c825
Opcode Fuzzy Hash: 706d6acbe452bba3409b805eb15b970a7dd41bfa03135fb89b53add9e9cfc2fb
Instruction Fuzzy Hash: 6441707131594180ED12EB62F8517EB5350FB8CBC8F401112BFCEAB696EEB8C589CB09

Function 00000001004167BD Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 91stringCOMMON

Download Yara Rule

APIs

getopt_long_only.CYGWIN1 ref: 0000000100415833
strchr.CYGWIN1 ref: 0000000100416800
strcmp.CYGWIN1 ref: 0000000100416823
strcmp.CYGWIN1 ref: 0000000100416842
strcmp.CYGWIN1 ref: 000000010041685E
strcmp.CYGWIN1 ref: 000000010041687A

Strings

dht, xrefs: 00000001004167E5
http, xrefs: 0000000100416819
tls, xrefs: 00000001004167C4
unknown, xrefs: 00000001004168AC
Invalid l7 filter : %s, xrefs: 00000001004184B0
wireguard, xrefs: 00000001004167DE
quic, xrefs: 00000001004167D7

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: strcmp$getopt_long_onlystrchr
String ID: Invalid l7 filter : %s$dht$http$quic$tls$unknown$wireguard
API String ID: 63079263-4090362409
Opcode ID: b07ea57ffeb69e7c29110cc45c0ddce2ffa6d22eabbfea5feb0cee39a7ddce1d
Instruction ID: 51ce180dd2b5e1ddbc7513a4e92364b09a7b267e1e9b601d33e718f78e978604
Opcode Fuzzy Hash: b07ea57ffeb69e7c29110cc45c0ddce2ffa6d22eabbfea5feb0cee39a7ddce1d
Instruction Fuzzy Hash: 71417876319A81C5FB22AB16A8047DB23E5F789784F8104128FC9CB395DBBCC485CB5D

Function 0000000100402671 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 113fileCOMMON

Download Yara Rule

APIs

fopen.CYGWIN1 ref: 00000001004026A6
fclose.CYGWIN1 ref: 00000001004026EF
free.CYGWIN1 ref: 0000000100402756

Strings

zlib decompression failed : result %d, xrefs: 0000000100402772
Loaded %d hosts from %s, xrefs: 0000000100402804
Not enough memory to store host list : %s, xrefs: 0000000100402745, 00000001004027DF
loading plain text list, xrefs: 0000000100402786
Could not open %s, xrefs: 00000001004026B6
zlib compression detected. uncompressed size : %zu, xrefs: 0000000100402708
Loading hostlist %s, xrefs: 0000000100402688

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: fclosefopenfree
String ID: Could not open %s$Loaded %d hosts from %s$Loading hostlist %s$Not enough memory to store host list : %s$loading plain text list$zlib compression detected. uncompressed size : %zu$zlib decompression failed : result %d
API String ID: 27361309-1465014974
Opcode ID: aded79b3d5e8a72d787c349b0f8f2cf5293c8863f122900b5fa2fc83c7a52fd2
Instruction ID: e90bd39acfb82bb5a68a53eb5591dc564c293e2d2fcd1990b824450526fd312d
Opcode Fuzzy Hash: aded79b3d5e8a72d787c349b0f8f2cf5293c8863f122900b5fa2fc83c7a52fd2
Instruction Fuzzy Hash: 75416D7631554090E923EB22F9557EA6350B78CBC8F500012BFCEAB6DADEF8C589D709

Function 0000000100402C01 Relevance: 24.1, APIs: 7, Strings: 9, Instructions: 99stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000100402BCF: atoi.CYGWIN1 ref: 0000000100402BEB

strcmp.CYGWIN1 ref: 0000000100402C59
strcmp.CYGWIN1 ref: 0000000100402C6C
strcmp.CYGWIN1 ref: 0000000100402C7F
strcmp.CYGWIN1 ref: 0000000100402C92
strcmp.CYGWIN1 ref: 0000000100402CA5
strcmp.CYGWIN1 ref: 0000000100402CB8
strcmp.CYGWIN1 ref: 0000000100402CCB

Strings

sld, xrefs: 0000000100402C75
midsld, xrefs: 0000000100402C88
sniext, xrefs: 0000000100402CC1
endhost, xrefs: 0000000100402C62
+, xrefs: 0000000100402C37
host, xrefs: 0000000100402C4F
method, xrefs: 0000000100402CAE
endsld, xrefs: 0000000100402C9B
-, xrefs: 0000000100402C3C

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: strcmp$atoi
String ID: +$-$endhost$endsld$host$method$midsld$sld$sniext
API String ID: 2696919977-2684502022
Opcode ID: e340029523142096804286c676065eeb9928c61a923b65959656b6321b15cb9b
Instruction ID: 78dd1285190a31c1673b13fb546e8d5bb75c32c61881a5016860a077eb09daed
Opcode Fuzzy Hash: e340029523142096804286c676065eeb9928c61a923b65959656b6321b15cb9b
Instruction Fuzzy Hash: 8631A13231928094FAA7DB266A0D7E91791774E380F845041AFD2DB2C1EAF8C5C5E71D

Function 000000010040C699 Relevance: 22.8, APIs: 5, Strings: 8, Instructions: 91COMMON

Download Yara Rule

APIs

random.CYGWIN1 ref: 000000010040C727
random.CYGWIN1 ref: 000000010040C73F
random.CYGWIN1 ref: 000000010040C755
random.CYGWIN1 ref: 000000010040C774
random.CYGWIN1 ref: 000000010040C799

Strings

@, xrefs: 000000010040C804
host, xrefs: 000000010040C6FD
@, xrefs: 000000010040C84A
@, xrefs: 000000010040C86B
GET / HTTP/1.1Host: www.iana.orgUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflate, br, xrefs: 000000010040C7A5
n, xrefs: 000000010040C81F
@, xrefs: 000000010040C83F
nn, xrefs: 000000010040C816

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: random
String ID: @$@$@$@$GET / HTTP/1.1Host: www.iana.orgUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflate, br$host$n$nn
API String ID: 373021397-173310969
Opcode ID: 66e8bf7f65e2874fdfc7e3e55328ca155b0098375b9dfee4123892ee20c2c5ac
Instruction ID: c55e43aff901bfe07755eb57282633cc232cb8b04714e29ecf49848270e8b5fa
Opcode Fuzzy Hash: 66e8bf7f65e2874fdfc7e3e55328ca155b0098375b9dfee4123892ee20c2c5ac
Instruction Fuzzy Hash: 534191B26097C084E3119F34E4483CA37A0F744B4CF594238CB992F3D5CBB9459AC7A9

Function 000000010040E215 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 113stringCOMMON

Download Yara Rule

APIs

strchr.CYGWIN1 ref: 000000010040E256
snprintf.CYGWIN1 ref: 000000010040E2CE
snprintf.CYGWIN1 ref: 000000010040E343
strlen.CYGWIN1 ref: 000000010040E34F
strncat.CYGWIN1 ref: 000000010040E367
strlen.CYGWIN1 ref: 000000010040E36F
strncat.CYGWIN1 ref: 000000010040E383
strlen.CYGWIN1 ref: 000000010040E3A0

Strings

(%s.%s %s %u %s %s.%s %s %u), xrefs: 000000010040E328
or , xrefs: 000000010040E35A
(%s.%s %s %u), xrefs: 000000010040E2B6
and, xrefs: 000000010040E22A

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: strlen$snprintfstrncat$strchr
String ID: or $(%s.%s %s %u %s %s.%s %s %u)$(%s.%s %s %u)$and
API String ID: 820610085-971046143
Opcode ID: 59c498f6e64bcc3b3c6f51535cb20d2729679efc678a72f48e93b743c5ba96b0
Instruction ID: 4afdd9bca827c01fe6ea5e73b6c1fb22ae677ff3d3221ab282c9e931199fcc45
Opcode Fuzzy Hash: 59c498f6e64bcc3b3c6f51535cb20d2729679efc678a72f48e93b743c5ba96b0
Instruction Fuzzy Hash: 8D419076314B8485EA22EB91B8407DA77E4B78D7C4FC44425AFC987B96DBBCC185CB08

Function 62803BBA Relevance: 18.3, APIs: 2, Strings: 10, Instructions: 311COMMON

Download Yara Rule

Strings

), xrefs: 62803D64
x, xrefs: 62803D3B
W, xrefs: 62803D80
%, xrefs: 62803D58
B, xrefs: 62803D79
5, xrefs: 62803D5F
', xrefs: 62803D51
8, xrefs: 62803D72
@, xrefs: 62803D6B
7, xrefs: 62803D4A

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID:
String ID: %$'$)$5$7$8$@$B$W$x
API String ID: 0-3463157474
Opcode ID: 39fa6f57beb15cf7b61f695c77a8a9d3b66f070ef46b54a2496afb7ca3296dd6
Instruction ID: 58adba552da937359b79d75c73f85f9f2c37ff3c248801e4172bb2133747ad6b
Opcode Fuzzy Hash: 39fa6f57beb15cf7b61f695c77a8a9d3b66f070ef46b54a2496afb7ca3296dd6
Instruction Fuzzy Hash: 7BB1E57B3043488BDB188F29DD60B8DB7A6F786B88F40D926DE4947B58D73CA941C741

Function 00000001004043A0 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 142COMMON

Download Yara Rule

APIs

time.CYGWIN1 ref: 00000001004043C1
printf.CYGWIN1 ref: 00000001004044D9
printf.CYGWIN1 ref: 0000000100404555
printf.CYGWIN1 ref: 00000001004045AF

Strings

CONNTRACK DUMP, xrefs: 00000001004043B3
seq0=%u rseq=%u pos_orig=%u ack0=%u rack=%u pos_reply=%u wsize_orig=%u:%d wsize_reply=%u:%d, xrefs: 000000010040454E
rseq=%u pos_orig=%u rack=%u pos_reply=%u, xrefs: 0000000100404566
req_retrans=%u cutoff=%u wss_cutoff=%u d_cutoff=%u hostname=%s l7proto=%s, xrefs: 000000010040458A
%s [%s]:%u => [%s]:%u : %s : t0=%llu last=t0+%llu now=last+%llu packets_orig=d%llu/n%llu packets_reply=d%llu/n%llu , xrefs: 00000001004044D2

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: printf$time
String ID: CONNTRACK DUMP$ req_retrans=%u cutoff=%u wss_cutoff=%u d_cutoff=%u hostname=%s l7proto=%s$%s [%s]:%u => [%s]:%u : %s : t0=%llu last=t0+%llu now=last+%llu packets_orig=d%llu/n%llu packets_reply=d%llu/n%llu $rseq=%u pos_orig=%u rack=%u pos_reply=%u$seq0=%u rseq=%u pos_orig=%u ack0=%u rack=%u pos_reply=%u wsize_orig=%u:%d wsize_reply=%u:%d
API String ID: 4003718446-1613998104
Opcode ID: a7d29545a2e94e2818f6464f0644b5259cd43e7af43cbf4fb20fcac47705c9ab
Instruction ID: 5825d1a70f74ad85d2bd44b603baac3c73665ea3291f1302247a80d72d984f68
Opcode Fuzzy Hash: a7d29545a2e94e2818f6464f0644b5259cd43e7af43cbf4fb20fcac47705c9ab
Instruction Fuzzy Hash: 3E619E72308A9086D766DF35A8507ED7BA0F389B98F040126EFC993B99DB78C495CB14

Function 0000000100415885 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 61stringfileCOMMON

Download Yara Rule

APIs

getopt_long_only.CYGWIN1 ref: 0000000100415833
strncpy.CYGWIN1 ref: 00000001004158B3
fopen.CYGWIN1 ref: 00000001004158C9
__getreent.CYGWIN1 ref: 00000001004158D3
fprintf.CYGWIN1 ref: 00000001004158E6
strcmp.CYGWIN1 ref: 0000000100415910

Strings

syslog, xrefs: 0000000100415906
winws, xrefs: 0000000100415924
cannot create %s, xrefs: 00000001004158DB

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: __getreentfopenfprintfgetopt_long_onlystrcmpstrncpy
String ID: cannot create %s$syslog$winws
API String ID: 1627255982-3874907192
Opcode ID: d03ae6d41ab5c3cbbfcc5b55352798d461158a86d05f4aa2173e9e56e26246a6
Instruction ID: f206fed74e85e5322e163ced03da110f7b61fba9260840149a6f8c2712c9b6f2
Opcode Fuzzy Hash: d03ae6d41ab5c3cbbfcc5b55352798d461158a86d05f4aa2173e9e56e26246a6
Instruction Fuzzy Hash: 3A314AB5319A80C5FB639B21E8413DA2650A78D354F84510ADBCDC62D6DBFCC5C4C74E

Function 000000010040CA0D Relevance: 16.5, APIs: 13, Instructions: 291stringCOMMON

Download Yara Rule

APIs

malloc.CYGWIN1(?,?,?,?,?,?,FFFFDBFE,?,00000001004025AC), ref: 000000010040CA2B
malloc.CYGWIN1(?,?,?,?,?,?,FFFFDBFE,?,00000001004025AC), ref: 000000010040CA42
strlen.CYGWIN1(?,?,?,?,?,?,FFFFDBFE,?,00000001004025AC), ref: 000000010040CA73
strlen.CYGWIN1(?,?,?,?,?,?,FFFFDBFE,?,00000001004025AC), ref: 000000010040CAA0
malloc.CYGWIN1(?,?,?,?,?,?,FFFFDBFE,?,00000001004025AC), ref: 000000010040CACE
malloc.CYGWIN1(?,?,?,?,?,?,FFFFDBFE,?,00000001004025AC), ref: 000000010040CB19
free.CYGWIN1(?,?,?,?,?,?,FFFFDBFE), ref: 000000010040CB32
malloc.CYGWIN1(?,?,?,?,?,?,FFFFDBFE,?,00000001004025AC), ref: 000000010040CC0E
free.CYGWIN1(?,?,?,?,?,?,FFFFDBFE,?,00000001004025AC), ref: 000000010040CCFE
free.CYGWIN1(?,?,?,?,?,?,FFFFDBFE,?,00000001004025AC), ref: 000000010040CD84
free.CYGWIN1(?,?,?,?,?,?,FFFFDBFE,?,00000001004025AC), ref: 000000010040CD91
free.CYGWIN1(?,?,?,?,?,?,FFFFDBFE,?,00000001004025AC), ref: 000000010040CE1B
free.CYGWIN1(?,?,?,?,?,?,FFFFDBFE,?,00000001004025AC), ref: 000000010040CE23

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: free$malloc$strlen
String ID:
API String ID: 3869476732-0
Opcode ID: a5b2e526108ca2e8932da697ba94fee52824e50b3bbc765321577bbfe0b0236f
Instruction ID: 4f84e2d9e01782f80922d44b53d8d59dba61cdbedf9e902bb40e6f7bae7c951a
Opcode Fuzzy Hash: a5b2e526108ca2e8932da697ba94fee52824e50b3bbc765321577bbfe0b0236f
Instruction Fuzzy Hash: 67C18072205B84C6EB56CF05E488B9D77A9F788BD4F168225EF8D97340DB78C480C784

Function 0000000100406EBA Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 156COMMON

Download Yara Rule

APIs

random.CYGWIN1 ref: 0000000100406EF7
random.CYGWIN1 ref: 0000000100408D4A

Strings

sending 1st ip fragment 0-%zu ip_payload_len=%zu : , xrefs: 0000000100406FF3
reinjecting original packet. len=%zu len_payload=%zu, xrefs: 0000000100408DAE
sending 2nd ip fragment %zu-%zu ip_payload_len=%zu : , xrefs: 0000000100407061
d$, xrefs: 0000000100406F65
d$, xrefs: 0000000100406F27
d$, xrefs: 0000000100406F33
@, xrefs: 0000000100408D80

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: random
String ID: @$d$$d$$d$$reinjecting original packet. len=%zu len_payload=%zu$sending 1st ip fragment 0-%zu ip_payload_len=%zu : $sending 2nd ip fragment %zu-%zu ip_payload_len=%zu :
API String ID: 373021397-1492700663
Opcode ID: b776a9db13e168845ac8c503a3847708f044b305fd61916e2ac252b6eb0320c1
Instruction ID: 7e9a3fc7ced878d277fa3ca410eae6d700dae6633faa11897459fcfb384e59fd
Opcode Fuzzy Hash: b776a9db13e168845ac8c503a3847708f044b305fd61916e2ac252b6eb0320c1
Instruction Fuzzy Hash: 6E614C76208BC084EB72DB21E5507DAB361F799B98F400116AFC9A778ACF78C595CB48

Function 628070AD Relevance: 15.2, APIs: 10, Instructions: 250memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32 ref: 628070F9
HeapAlloc.KERNEL32 ref: 6280711F
SetLastError.KERNEL32 ref: 62807158
HeapAlloc.KERNEL32 ref: 62807767
HeapAlloc.KERNEL32 ref: 62807806
HeapAlloc.KERNEL32 ref: 6280789C
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: Heap$Alloc$ErrorLast$CreateDestroy
String ID:
API String ID: 1535032188-0
Opcode ID: afcffbac80661deb72d8f0f638888a9a4aa69ea87298f3819a387575282ecd90
Instruction ID: 797586a92ec0ade4f7c44b784ef0e1939facbe3ebd0a4d95136b2c901580d267
Opcode Fuzzy Hash: afcffbac80661deb72d8f0f638888a9a4aa69ea87298f3819a387575282ecd90
Instruction Fuzzy Hash: B1A1013A609790C9DB048F26EC2476D7BA1F389B88F51842ADE8D4BB54DF3DC652CB50

Function 62805595 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 181memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 628055BB
HeapCreate.KERNEL32 ref: 628055D8
SetLastError.KERNEL32 ref: 628055F5
HeapDestroy.KERNEL32 ref: 628057E4

Strings

Unknown error, xrefs: 628057FC
@WinDiv_, xrefs: 62805678

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorHeapLast$CreateDestroy
String ID: @WinDiv_$Unknown error
API String ID: 3476120825-3055293904
Opcode ID: 4820a5e2d4bd694b683701461aec7d77b5cb124f544ab0e531e737f7392d34d2
Instruction ID: 19d83b6d142fbbe27c242e48e3be3fc7607e4b4ec95e8aae3157dbb300e03304
Opcode Fuzzy Hash: 4820a5e2d4bd694b683701461aec7d77b5cb124f544ab0e531e737f7392d34d2
Instruction Fuzzy Hash: A651D56A3096908AEB158B66EC7076AA752F7C5FDCF049821DE8A07B58DF3DC146C720

Function 00000001004164E1 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 52fileCOMMON

Download Yara Rule

APIs

getopt_long_only.CYGWIN1 ref: 0000000100415833
fopen.CYGWIN1 ref: 0000000100416512
fclose.CYGWIN1 ref: 0000000100416531

Strings

only one auto hostlist per profile is supported, xrefs: 00000001004164F5
a+b, xrefs: 0000000100416508
gzipped auto hostlists are not supported, xrefs: 000000010041653B
cannot create %s, xrefs: 0000000100416626
failed to register hostlist '%s', xrefs: 0000000100416568

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: fclosefopengetopt_long_only
String ID: a+b$cannot create %s$failed to register hostlist '%s'$gzipped auto hostlists are not supported$only one auto hostlist per profile is supported
API String ID: 1528811869-805540096
Opcode ID: 2435e1cdebc6ce33ab42e10095a68ab5402b1f3c0c1f2ac3f21e3a7c4a399cad
Instruction ID: c613c535dbf4f2d21230624480880d7e242ed5d99f31ab232cbb9f1f42500581
Opcode Fuzzy Hash: 2435e1cdebc6ce33ab42e10095a68ab5402b1f3c0c1f2ac3f21e3a7c4a399cad
Instruction Fuzzy Hash: BA213E71704A8180FA27D765E4543EA23A0AB8C744F4545158FCEC26E9EFF8C5C8D78D

Function 0000000100415F42 Relevance: 13.5, APIs: 3, Strings: 6, Instructions: 46stringCOMMON

Download Yara Rule

APIs

strcmp.CYGWIN1 ref: 0000000100415F80
strcmp.CYGWIN1 ref: 0000000100415F93
strcmp.CYGWIN1 ref: 0000000100415FA6

Strings

sniext, xrefs: 0000000100415F89
Too much splits. max splits: %u, xrefs: 0000000100415EE2
WARNING ! --dpi-desync-split-tls is deprecated. use --dpi-desync-split-pos with markers., xrefs: 0000000100415F47
sni, xrefs: 0000000100415F67
Invalid argument for dpi-desync-split-tls, xrefs: 0000000100415FAF
snisld, xrefs: 0000000100415F9C

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: strcmp
String ID: Invalid argument for dpi-desync-split-tls$Too much splits. max splits: %u$WARNING ! --dpi-desync-split-tls is deprecated. use --dpi-desync-split-pos with markers.$sni$sniext$snisld
API String ID: 1004003707-418629710
Opcode ID: a3a48bb14c94d0d220296d19f4efa16b76be9c5d4435fdb52436ed979a981605
Instruction ID: 7afa56facf2fb4e1e999a957398de4cf56287e420970220ce519e66bb1dbbb8d
Opcode Fuzzy Hash: a3a48bb14c94d0d220296d19f4efa16b76be9c5d4435fdb52436ed979a981605
Instruction Fuzzy Hash: B211A1B5315A41C2F653DB11C4907EA2361EB8C344F801022DBCAC72D2EAF8C5C9C31E

Function 000000010040EB6E Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 61COMMON

Download Yara Rule

APIs

inet_ntop.CYGWIN1 ref: 000000010040EBBE
snprintf.CYGWIN1 ref: 000000010040EBD4
snprintf.CYGWIN1 ref: 000000010040EC1F
snprintf.CYGWIN1 ref: 000000010040EC38

Strings

UNKNOWN_FAMILY_%d, xrefs: 000000010040EBC5
%s:%u, xrefs: 000000010040EC07
[%s]:%u, xrefs: 000000010040EBEE

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: snprintf$inet_ntop
String ID: %s:%u$UNKNOWN_FAMILY_%d$[%s]:%u
API String ID: 4097025303-3267429161
Opcode ID: 0d0c50a46f591f9e596777e10b6f9fe84cb201202d9245f9af66f69ee83cd6ef
Instruction ID: 24a29b6384b2c6113f55fda1e6361adad48871778795b7a3e76de91ad19c3b94
Opcode Fuzzy Hash: 0d0c50a46f591f9e596777e10b6f9fe84cb201202d9245f9af66f69ee83cd6ef
Instruction Fuzzy Hash: 4211D67630815085F322EB52E4017E96660E38DB84FC48852AFC9AB7C6C6BDCAC7C758

Function 000000010040E860 Relevance: 12.1, APIs: 8, Instructions: 110stringCOMMON

Download Yara Rule

APIs

strlen.CYGWIN1 ref: 000000010040E898
__locale_ctype_ptr.CYGWIN1 ref: 000000010040E8BB
toupper.CYGWIN1 ref: 000000010040E8C3
__locale_ctype_ptr.CYGWIN1 ref: 000000010040E8CC
toupper.CYGWIN1 ref: 000000010040E8D6
strlen.CYGWIN1 ref: 000000010040E90A
__locale_ctype_ptr.CYGWIN1 ref: 000000010040E979
tolower.CYGWIN1 ref: 000000010040E982

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: __locale_ctype_ptr$strlentoupper$tolower
String ID:
API String ID: 785350804-0
Opcode ID: ede18609bb91d55dfdf24672b73baf5a3f5029f1db9aa4142ba860dea4fa7aa9
Instruction ID: 1ab9834b8d101fa99354b7bfc6b989bcfeaeb966ada062a844be3fb0f9506ed7
Opcode Fuzzy Hash: ede18609bb91d55dfdf24672b73baf5a3f5029f1db9aa4142ba860dea4fa7aa9
Instruction Fuzzy Hash: EA3148B370A48449F973FA2394003EA6690A74D7E4F4C4E61BFE9977D2E5BCC4E19208

Function 62807B08 Relevance: 12.0, APIs: 8, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 62807B29
CreateEventW.KERNEL32 ref: 62807B47
TlsSetValue.KERNEL32 ref: 62807B5B
TlsGetValue.KERNEL32 ref: 62807B69
CloseHandle.KERNEL32 ref: 62807B77
TlsFree.KERNEL32 ref: 62807B83
TlsGetValue.KERNEL32 ref: 62807B91
CloseHandle.KERNEL32 ref: 62807BA4

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: Value$CloseHandle$AllocCreateEventFree
String ID:
API String ID: 1661931588-0
Opcode ID: 4501a9c33608d06a443231906f9769801fbd448db2e45c8e1185e1c7aeca21dc
Instruction ID: 552c71bec83dced25da9f52c38d8366355f06d2891f8db5625a8eb5ab87f8dcc
Opcode Fuzzy Hash: 4501a9c33608d06a443231906f9769801fbd448db2e45c8e1185e1c7aeca21dc
Instruction Fuzzy Hash: 4911E1387539028AFB089B21AC79B557263BBB5705F10D429C81A0B7A4DF3E557AC704

Function 0000000100403515 Relevance: 11.6, APIs: 9, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07bfdfe8af00986a8e53d9c8feee677b5eee7b4cf57dae6f78b578761c5459b9
Instruction ID: 127bb60cf6f28ebd7b5829de9f72fb2f7077a37f3a6d0102eae228537028b787
Opcode Fuzzy Hash: 07bfdfe8af00986a8e53d9c8feee677b5eee7b4cf57dae6f78b578761c5459b9
Instruction Fuzzy Hash: 96F19E72205B8086EB62CF15E444BDE7BA8F788B84F058025EFCA97794DF78C594CB08

Function 0000000100415AB6 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 101stringCOMMON

Download Yara Rule

APIs

strchr.CYGWIN1 ref: 0000000100415AD0
strchr.CYGWIN1 ref: 0000000100415AEC

Strings

invalid dpi-desync mode, xrefs: 0000000100415B6B
invalid desync combo : %s+%s, xrefs: 0000000100415BD0
invalid desync combo : %s+%s+%s, xrefs: 0000000100415B82

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: strchr
String ID: invalid desync combo : %s+%s$invalid desync combo : %s+%s+%s$invalid dpi-desync mode
API String ID: 2830005266-2774606042
Opcode ID: aadb021944f7129dec8c2441cbe84133ee4c19f1df102050542fa5a18f5afb42
Instruction ID: ad23ac26ba42e6b999a14c1c619f751aa6c21d0f7320afb36ffb4f5a573baa2b
Opcode Fuzzy Hash: aadb021944f7129dec8c2441cbe84133ee4c19f1df102050542fa5a18f5afb42
Instruction Fuzzy Hash: A941AE32708B80C1FA63EB6195403EE66A0E788B84F440122DFD9D7BD5DAF8D9C4938D

Function 000000010040B9EC Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 73COMMON

Download Yara Rule

APIs

inet_ntop.CYGWIN1 ref: 000000010040BA41
inet_ntop.CYGWIN1 ref: 000000010040BA83

Strings

negative, xrefs: 000000010040BAB1
ipset check error !!!!!!!! ipv4=%p ipv6=%p, xrefs: 000000010040BACC
positive, xrefs: 000000010040BAA2
ipset check for %s : %s, xrefs: 000000010040BABB

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: inet_ntop
String ID: ipset check error !!!!!!!! ipv4=%p ipv6=%p$ipset check for %s : %s$negative$positive
API String ID: 448242623-1037045159
Opcode ID: 38d863a5ab2af79bd6fa9a9986f2768178e8032121576041884ec9c82d729d17
Instruction ID: 23c294d378dec4fe2c169fa46ccba8f91ac439e545127ae23f943059ecf521ab
Opcode Fuzzy Hash: 38d863a5ab2af79bd6fa9a9986f2768178e8032121576041884ec9c82d729d17
Instruction Fuzzy Hash: BF21D4B130524050FE67D722A8157E61241FB4DBC8F8840096FCAEB692EBFC89C4DB8D

Function 000000010040C4D0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 63fileCOMMON

Download Yara Rule

APIs

fopen.CYGWIN1 ref: 000000010040C52F
time.CYGWIN1 ref: 000000010040C548
vfprintf.CYGWIN1 ref: 000000010040C5B3
fclose.CYGWIN1 ref: 000000010040C5CB

Strings

%02d.%02d.%04d %02d:%02d:%02d, xrefs: 000000010040C566
: , xrefs: 000000010040C59E

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: fclosefopentimevfprintf
String ID: : $%02d.%02d.%04d %02d:%02d:%02d
API String ID: 2047210264-2217611448
Opcode ID: 2eda35e412fcd57d303996165a41ab2f16e17958a8b6fc058c79e60e9cb94a85
Instruction ID: b9b4b336359ab27423a01558d3dc65a4ec4e6a74784cf463f73bceb11e60ed97
Opcode Fuzzy Hash: 2eda35e412fcd57d303996165a41ab2f16e17958a8b6fc058c79e60e9cb94a85
Instruction Fuzzy Hash: 87215E7670468096E762DB25F8407CBB7A0F789794F804115EFC98779ADEBCD588CB08

Function 0000000100416AC1 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 43stringCOMMON

Download Yara Rule

APIs

strlen.CYGWIN1 ref: 0000000100416AD5

Part of subcall function 000000010040E215: strchr.CYGWIN1 ref: 000000010040E256
Part of subcall function 000000010040E215: snprintf.CYGWIN1 ref: 000000010040E2CE
Part of subcall function 000000010040E215: snprintf.CYGWIN1 ref: 000000010040E343
Part of subcall function 000000010040E215: strlen.CYGWIN1 ref: 000000010040E34F
Part of subcall function 000000010040E215: strncat.CYGWIN1 ref: 000000010040E367
Part of subcall function 000000010040E215: strlen.CYGWIN1 ref: 000000010040E36F
Part of subcall function 000000010040E215: strncat.CYGWIN1 ref: 000000010040E383
Part of subcall function 000000010040E215: strlen.CYGWIN1 ref: 000000010040E3A0

Strings

bad value for --wf-tcp, xrefs: 0000000100416B09
tcp, xrefs: 0000000100416AC8
SrcPort, xrefs: 0000000100416AF2
DstPort, xrefs: 0000000100416B20

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: strlen$snprintfstrncat$strchr
String ID: DstPort$SrcPort$bad value for --wf-tcp$tcp
API String ID: 820610085-98671597
Opcode ID: 4efd0d46cc5a5d0f5d03ab81b660578def143b3a15410e16e68e5f19e95119f9
Instruction ID: 065a163ab936b482327ccda01b717ac8844ead3a7df11443b917a1b637171391
Opcode Fuzzy Hash: 4efd0d46cc5a5d0f5d03ab81b660578def143b3a15410e16e68e5f19e95119f9
Instruction Fuzzy Hash: B8110A75308A81D5FA22DB61E4403EA6361F7CC784F8005469FC9D36AACBBCC5C9D649

Function 0000000100416B39 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 43stringCOMMON

Download Yara Rule

APIs

strlen.CYGWIN1 ref: 0000000100416B4D

Part of subcall function 000000010040E215: strchr.CYGWIN1 ref: 000000010040E256
Part of subcall function 000000010040E215: snprintf.CYGWIN1 ref: 000000010040E2CE
Part of subcall function 000000010040E215: snprintf.CYGWIN1 ref: 000000010040E343
Part of subcall function 000000010040E215: strlen.CYGWIN1 ref: 000000010040E34F
Part of subcall function 000000010040E215: strncat.CYGWIN1 ref: 000000010040E367
Part of subcall function 000000010040E215: strlen.CYGWIN1 ref: 000000010040E36F
Part of subcall function 000000010040E215: strncat.CYGWIN1 ref: 000000010040E383
Part of subcall function 000000010040E215: strlen.CYGWIN1 ref: 000000010040E3A0

Strings

udp, xrefs: 0000000100416B40
bad value for --wf-udp, xrefs: 0000000100416B81
SrcPort, xrefs: 0000000100416B6A
DstPort, xrefs: 0000000100416B98

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: strlen$snprintfstrncat$strchr
String ID: DstPort$SrcPort$bad value for --wf-udp$udp
API String ID: 820610085-1114593549
Opcode ID: e54a30bb09766521db2cbd9cefb1a3bbae3274b0d1a8c702b4744f155c0e5f09
Instruction ID: 395c025b2fc915927e3e824c62e701780d9f258deef3f81d17b7ce25cbb3d360
Opcode Fuzzy Hash: e54a30bb09766521db2cbd9cefb1a3bbae3274b0d1a8c702b4744f155c0e5f09
Instruction Fuzzy Hash: 93113A75308A81C0FA22DB61E4403EA6360B78C784F800546DFC9D36AACBBCC589D64D

Function 0000000100415EBF Relevance: 10.5, APIs: 2, Strings: 5, Instructions: 41stringCOMMON

Download Yara Rule

APIs

strcmp.CYGWIN1 ref: 0000000100415F0A
strcmp.CYGWIN1 ref: 0000000100415F1D

Strings

Too much splits. max splits: %u, xrefs: 0000000100415EE2
Invalid argument for dpi-desync-split-http-req, xrefs: 0000000100415F2A
host, xrefs: 0000000100415F13
method, xrefs: 0000000100415EF1
WARNING ! --dpi-desync-split-http-req is deprecated. use --dpi-desync-split-pos with markers., xrefs: 0000000100415EC4

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: strcmp
String ID: Invalid argument for dpi-desync-split-http-req$Too much splits. max splits: %u$WARNING ! --dpi-desync-split-http-req is deprecated. use --dpi-desync-split-pos with markers.$host$method
API String ID: 1004003707-3446196663
Opcode ID: 7b42666011e102857eaf99f2562f7ae9d3a0525648e15da2346e3b7d925b5e4f
Instruction ID: e8efbe90bc4cd152da63ac804f116776a095c5ead12eca09d65b30587e9c7fc2
Opcode Fuzzy Hash: 7b42666011e102857eaf99f2562f7ae9d3a0525648e15da2346e3b7d925b5e4f
Instruction Fuzzy Hash: D6119A75319A42D2F662DB15C4807ED2361EB8C340F900022EBCAC72D2EAF8C4C9E31E

Function 0000000100403E2D Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 24COMMON

Download Yara Rule

APIs

Part of subcall function 0000000100403ADE: free.CYGWIN1 ref: 0000000100403B3C
Part of subcall function 0000000100403ADE: free.CYGWIN1 ref: 0000000100403B4F
Part of subcall function 0000000100403ADE: free.CYGWIN1 ref: 0000000100403C1D
Part of subcall function 0000000100403ADE: free.CYGWIN1 ref: 0000000100403C68

printf.CYGWIN1 ref: 0000000100403EC7
exit.CYGWIN1 ref: 0000000100403ED1

Strings

@<config_file>|$<config_file>; read file for options. must be the only argument. other options are ignored. --debug=0|1|syslog|@<filename> --dry-run; verify parameters and exit with code 0 if successful --comment=any_text --daemon; daemonize, xrefs: 0000000100403E41
<, xrefs: 0000000100403EAF
<, xrefs: 0000000100403EBF
, xrefs: 0000000100403E6F

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: free$exitprintf
String ID: $ @<config_file>|$<config_file>; read file for options. must be the only argument. other options are ignored. --debug=0|1|syslog|@<filename> --dry-run; verify parameters and exit with code 0 if successful --comment=any_text --daemon; daemonize$<$<
API String ID: 3785167389-496044971
Opcode ID: 0d6c20aeb9de4b7c4cf817f1e60d0ec5f81c7b8d11df95700fff5af86002f019
Instruction ID: 0a240bb29a337673b5d2b241aec639ca82130305cc13d15fcd68b82b4bc9b667
Opcode Fuzzy Hash: 0d6c20aeb9de4b7c4cf817f1e60d0ec5f81c7b8d11df95700fff5af86002f019
Instruction Fuzzy Hash: D8016BB2618280CBF3629F10E05878ABEA4F385348F505108E3C55ABD9C7FEC28ACF44

Function 0000000100403ADE Relevance: 10.1, APIs: 8, Instructions: 133COMMON

Download Yara Rule

APIs

free.CYGWIN1 ref: 0000000100403B3C
free.CYGWIN1 ref: 0000000100403B4F
free.CYGWIN1 ref: 0000000100403C1D
free.CYGWIN1 ref: 0000000100403C68
free.CYGWIN1 ref: 0000000100403C9F
free.CYGWIN1 ref: 0000000100403CB1
free.CYGWIN1 ref: 0000000100403CE8
free.CYGWIN1 ref: 0000000100403CFA

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 387dec531326c625f5bdeaf27c3992719d53003dfc55c429ab27b8fcc7c4028c
Instruction ID: be4fa97af2cd310ebdfbf6fe0519064745c93f28cf8fc9bf228c1ca2f11b8ed2
Opcode Fuzzy Hash: 387dec531326c625f5bdeaf27c3992719d53003dfc55c429ab27b8fcc7c4028c
Instruction Fuzzy Hash: 1B51E8B2305A4081EA16DF06E498BE927A8FB5CBC0F458516EF8EA7391DFB4C5D4C308

Function 62805A48 Relevance: 9.2, APIs: 6, Instructions: 175memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32 ref: 62805AEE
HeapAlloc.KERNEL32 ref: 62805B0D
SetLastError.KERNEL32 ref: 62805B65
GetLastError.KERNEL32 ref: 62806FC5
HeapDestroy.KERNEL32 ref: 62806FD2
SetLastError.KERNEL32 ref: 62806FDA

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorHeapLast$AllocCreateDestroy
String ID:
API String ID: 4240246171-0
Opcode ID: 3086edc1e57baa38dce55b070a5b4d17c71a95a36381c508e99d5566b9154e39
Instruction ID: 0d35c37bca4e826fd7a18dc866095619323b1ecdaaad6af93f61823616b14bc3
Opcode Fuzzy Hash: 3086edc1e57baa38dce55b070a5b4d17c71a95a36381c508e99d5566b9154e39
Instruction Fuzzy Hash: 2C71A27A209B9486EB218B25EC6439EB7A5F786780F044426DECC43B68DF3DD595CB10

Function 000000010040D0DB Relevance: 9.1, APIs: 6, Instructions: 96COMMON

Download Yara Rule

APIs

time.CYGWIN1 ref: 000000010040D0EA
time.CYGWIN1 ref: 000000010040D101
free.CYGWIN1 ref: 000000010040D131
free.CYGWIN1 ref: 000000010040D157
free.CYGWIN1 ref: 000000010040D163
free.CYGWIN1 ref: 000000010040D20A

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: free$time
String ID:
API String ID: 3693300059-0
Opcode ID: 9440ada1b9a44eec9294e649983f87ee7cd835bfdfbcd823a8f47fe10caaebbb
Instruction ID: 805262ddbe93b43a68a8bd6fe2905c4965a64600d53d58188da5ec2dac14ecfa
Opcode Fuzzy Hash: 9440ada1b9a44eec9294e649983f87ee7cd835bfdfbcd823a8f47fe10caaebbb
Instruction Fuzzy Hash: E44136B2B01A4481EA2ADB86E484BA923A4F79CFC0F055526EF8D97395CF74C8D4C348

Function 0000000100402885 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 90stringCOMMON

Download Yara Rule

APIs

strlen.CYGWIN1 ref: 00000001004028B5
memcmp.CYGWIN1 ref: 0000000100402925
strchr.CYGWIN1 ref: 0000000100402966

Strings

negative, xrefs: 0000000100402895
positive, xrefs: 0000000100402942
hostlist check for %s : %s, xrefs: 000000010040289C

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: memcmpstrchrstrlen
String ID: hostlist check for %s : %s$negative$positive
API String ID: 1471168757-2640740507
Opcode ID: 928f300305f2c8cfca96b635eb2568a5e9b5251af6d15c2d6c13190a38df4275
Instruction ID: a8cd41da6ecad310da63aa4911028882d153c1defa413c5e643d4510108a62ea
Opcode Fuzzy Hash: 928f300305f2c8cfca96b635eb2568a5e9b5251af6d15c2d6c13190a38df4275
Instruction Fuzzy Hash: CA31D5B370164081FE67DE12AA087E96790B75CBD4F485421AFC9BB3D5EAF8C8C5C204

Function 62805A6B Relevance: 9.1, APIs: 6, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32 ref: 62805AEE
HeapAlloc.KERNEL32 ref: 62805B0D
SetLastError.KERNEL32 ref: 62805B65
GetLastError.KERNEL32 ref: 62806FC5
HeapDestroy.KERNEL32 ref: 62806FD2
SetLastError.KERNEL32 ref: 62806FDA

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorHeapLast$AllocCreateDestroy
String ID:
API String ID: 4240246171-0
Opcode ID: 255764760d3deb068d4b4095eaa6fb07f720333c92bb49658eee1fcfeb61e6e0
Instruction ID: 55be2dcf52238c56ea2c66002a31d05df265517997380bf07996fd35035c89d2
Opcode Fuzzy Hash: 255764760d3deb068d4b4095eaa6fb07f720333c92bb49658eee1fcfeb61e6e0
Instruction Fuzzy Hash: DD11E23634AF4586E7518B25FC6879AA3A1F785790F00542ADE8D43BA4DF3DC5AACB00

Function 62805A5D Relevance: 9.1, APIs: 6, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32 ref: 62805AEE
HeapAlloc.KERNEL32 ref: 62805B0D
SetLastError.KERNEL32 ref: 62805B65
GetLastError.KERNEL32 ref: 62806FC5
HeapDestroy.KERNEL32 ref: 62806FD2
SetLastError.KERNEL32 ref: 62806FDA

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorHeapLast$AllocCreateDestroy
String ID:
API String ID: 4240246171-0
Opcode ID: f5a4bbec4a5797cc30762b1f4a5cb3b338218699ac3ac74ef421c0687d2e679b
Instruction ID: 85229e379188a7bf86e61f6decab3ea106ca24b93beed73fa5f6ef89c44ccfc4
Opcode Fuzzy Hash: f5a4bbec4a5797cc30762b1f4a5cb3b338218699ac3ac74ef421c0687d2e679b
Instruction Fuzzy Hash: 2B11043634AF4586FB518B21FD6879AA3A1F785750F00542ADE8D03B94DF3DC5AACB00

Function 62805A79 Relevance: 9.1, APIs: 6, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32 ref: 62805AEE
HeapAlloc.KERNEL32 ref: 62805B0D
SetLastError.KERNEL32 ref: 62805B65
GetLastError.KERNEL32 ref: 62806FC5
HeapDestroy.KERNEL32 ref: 62806FD2
SetLastError.KERNEL32 ref: 62806FDA

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorHeapLast$AllocCreateDestroy
String ID:
API String ID: 4240246171-0
Opcode ID: 459f1b28afa95ec6122c029ebef17c1488537bc38f70c44307bb0982a0e91193
Instruction ID: 6c67fca755831f23b0c5f2bcbc9f3152f69598856f0e4cf60f4d2cf2f907b59b
Opcode Fuzzy Hash: 459f1b28afa95ec6122c029ebef17c1488537bc38f70c44307bb0982a0e91193
Instruction Fuzzy Hash: 0711E23634AF4586F7518B61FD2479AA3A1F784790F005429DE8D43B94DF3DC5A6CB00

Function 0000000100416605 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 17filestringCOMMON

Download Yara Rule

APIs

fopen.CYGWIN1 ref: 0000000100416616
fclose.CYGWIN1 ref: 0000000100416632
strncpy.CYGWIN1 ref: 0000000100416647

Strings

cannot create %s, xrefs: 0000000100416626
a+t, xrefs: 000000010041660C

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: fclosefopenstrncpy
String ID: a+t$cannot create %s
API String ID: 3689200629-1868720483
Opcode ID: 1928d1a557bb66e96ce902b7c07de23628d889bbb6c167a33508b98b3ea0632d
Instruction ID: c6e67c818d16d9059d1cfdea1396a5229353a3be1da15ba41fd1f912f0693b48
Opcode Fuzzy Hash: 1928d1a557bb66e96ce902b7c07de23628d889bbb6c167a33508b98b3ea0632d
Instruction Fuzzy Hash: 65F0C9B5311901D0EB03D726D4503D923616B9CB84F8440068BCDC62A5EEECC5C5C759

Function 000000010040D3E0 Relevance: 7.6, APIs: 6, Instructions: 144COMMON

Download Yara Rule

APIs

free.CYGWIN1(?,?,?,0000000100403CF7), ref: 000000010040D432
free.CYGWIN1(?,?,?,0000000100403CF7), ref: 000000010040D43E
free.CYGWIN1(?,?,?,0000000100403CF7), ref: 000000010040D4DC
free.CYGWIN1(?,?,?,0000000100403CF7), ref: 000000010040D4FE
free.CYGWIN1(?,?,?,0000000100403CF7), ref: 000000010040D50B
free.CYGWIN1(?,?,?,0000000100403CF7), ref: 000000010040D51B

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 2f149234b4b87ff6fd7abe78b9cf64a6bd69adc9a15e2a8bbd3ebce50e039bc7
Instruction ID: 27fef7587bcaa6d152bf5ad949055bff90e0b5399f590a4c1e9dd5f924a059aa
Opcode Fuzzy Hash: 2f149234b4b87ff6fd7abe78b9cf64a6bd69adc9a15e2a8bbd3ebce50e039bc7
Instruction Fuzzy Hash: 505104B6A01B4481EE26CF86D484BA977A4F798FD4F0A8112EF8D97354CB74D8C5C348

Function 62801A5A Relevance: 7.6, APIs: 5, Instructions: 74COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 62801A84
CreateEventW.KERNEL32 ref: 62801A9C
TlsSetValue.KERNEL32 ref: 62801ABA
GetLastError.KERNEL32 ref: 62801B00
GetOverlappedResult.KERNEL32 ref: 62801B1E

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: Value$CreateErrorEventLastOverlappedResult
String ID:
API String ID: 3582216666-0
Opcode ID: 3350b02c2218abb8aa7a7111008629335e2f8612ce9e6d42d93db695a761ce82
Instruction ID: 45a111b8c203b74d01a10a89de86d8a5ff93d4c2e5b57fb6d96017cb97c12e18
Opcode Fuzzy Hash: 3350b02c2218abb8aa7a7111008629335e2f8612ce9e6d42d93db695a761ce82
Instruction Fuzzy Hash: B621F326715A908EE7008B37FC14B4AA6A1B758BDCF448425AE0D87754EF3DC066C700

Function 0000000100402990 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 55stringCOMMON

Download Yara Rule

APIs

strchr.CYGWIN1 ref: 00000001004029C9
strcmp.CYGWIN1 ref: 00000001004029E2
strcmp.CYGWIN1 ref: 00000001004029F6

Strings

ipv6, xrefs: 00000001004029A5
ipv4, xrefs: 000000010040299E

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: strcmp$strchr
String ID: ipv4$ipv6
API String ID: 2423949151-982188191
Opcode ID: 0ccd8d8d7c26f474aebf2dbb71ae8f5ce223a82e03ca73367c1d1d17cfbc41e2
Instruction ID: 029eeb6f0a85fb114a5afce6c19b7adb445520b996f1f2132db62caa0e844ef5
Opcode Fuzzy Hash: 0ccd8d8d7c26f474aebf2dbb71ae8f5ce223a82e03ca73367c1d1d17cfbc41e2
Instruction Fuzzy Hash: 3D1192323096C094FB279A266E087E66A80275E7D8F484051EFC4DB3C2EAFC84C2D719

Function 0000000100402B48 Relevance: 7.5, APIs: 3, Strings: 2, Instructions: 42stringCOMMON

Download Yara Rule

APIs

strchr.CYGWIN1 ref: 0000000100402B62
atoi.CYGWIN1 ref: 0000000100402B7A
atoi.CYGWIN1 ref: 0000000100402BA2

Strings

bad wsize, xrefs: 0000000100402B7F
bad wscale, xrefs: 0000000100402BAE

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: atoi$strchr
String ID: bad wscale$bad wsize
API String ID: 1805639725-2831209145
Opcode ID: 741a7cbcc023e53fedcb7a48b2fbe4a137affa827daeccd65baf8879027976e8
Instruction ID: 7bfad8707d9143302f3d708924a89aebdd704d8b8cd1c08fee7b88e75b059c4c
Opcode Fuzzy Hash: 741a7cbcc023e53fedcb7a48b2fbe4a137affa827daeccd65baf8879027976e8
Instruction Fuzzy Hash: 6E01D63132518050F653EF21A8953EA2760BB9D344F984062FFC8E67C2C6F899C1C309

Function 00000001004022F7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

fread.CYGWIN1 ref: 0000000100402376
realloc.CYGWIN1 ref: 00000001004023B2
free.CYGWIN1 ref: 000000010040244E

Strings

1.3.1, xrefs: 0000000100402344

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: freadfreerealloc
String ID: 1.3.1
API String ID: 2644717162-1719332089
Opcode ID: 901dd05452b92488c48d36c4dd3ca3cecbc2a3513ce9fbfaeddf5de313b5396d
Instruction ID: 90e68500247259c2e63114467770cfecb4e1147bea89bac37f24c747b559f63b
Opcode Fuzzy Hash: 901dd05452b92488c48d36c4dd3ca3cecbc2a3513ce9fbfaeddf5de313b5396d
Instruction Fuzzy Hash: F041937270565085FB23DA32E9543DA6291BB88BD8F548121FFC9D77C5DAFCC5828308

Function 000000010040ED16 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

sscanf.CYGWIN1(?,?,?,?,?,?,?,?,?,?,0000003C,?,?,?,00000000,00000001004102E2), ref: 000000010040ED51
WinDivertSend.WINDIVERT ref: 000000010040ED9E
GetLastError.KERNEL32 ref: 000000010040EDAA

Strings

%u.%u, xrefs: 000000010040ED38

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: DivertErrorLastSendsscanf
String ID: %u.%u
API String ID: 3438740822-1772960121
Opcode ID: 012a7f1878b6af35f00d4ef89332821c95cda89a4f864d889529e1d806124103
Instruction ID: 19fec4e734dae088eb856f579cbc29e4bdf204fe3e22b28a2e365217bd8f9141
Opcode Fuzzy Hash: 012a7f1878b6af35f00d4ef89332821c95cda89a4f864d889529e1d806124103
Instruction Fuzzy Hash: 1E11A37371598491E7129F26A800BC96761B78DBB4F849722EFA5C37E4DAB9C184C704

Function 0000000100416C5F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

getopt_long_only.CYGWIN1 ref: 0000000100415833
strlen.CYGWIN1 ref: 0000000100416C73
strchr.CYGWIN1 ref: 0000000100416C91

Strings

strlist_add failed, xrefs: 0000000100416CBA

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: getopt_long_onlystrchrstrlen
String ID: strlist_add failed
API String ID: 1113628358-2880459749
Opcode ID: 90c9358c5be8872cf17268945333900967b4223e8599b2d53e68fdc0ed5fc80a
Instruction ID: d9f5c2b113eb9b54fd9328c742195e50073b5837bb5b53512fa301cc6fffee40
Opcode Fuzzy Hash: 90c9358c5be8872cf17268945333900967b4223e8599b2d53e68fdc0ed5fc80a
Instruction Fuzzy Hash: 7F116D75308A81C5FA23DB61A1403EA6390AB8C784F8445559FC9937D6EABCC8C99748

Function 0000000100416CD4 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

strlen.CYGWIN1 ref: 0000000100416CE1
strchr.CYGWIN1 ref: 0000000100416CFF

Strings

strlist_add failed, xrefs: 0000000100416CBA

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: strchrstrlen
String ID: strlist_add failed
API String ID: 986617436-2880459749
Opcode ID: eb5b22cc8ef192a9d54e5b214a337d7eda5ff48703b0413ff07930037a2195f8
Instruction ID: 3044ced79602e5693393275d38abb57a1d5450de216fb5fee62e59f89c8969e4
Opcode Fuzzy Hash: eb5b22cc8ef192a9d54e5b214a337d7eda5ff48703b0413ff07930037a2195f8
Instruction Fuzzy Hash: 4A113A75309A80C5FA62DB61E0503EA62A0EB8C744F8445559BCAC77D6DBBCC8C8D748

Function 00000001004160C3 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

sscanf.CYGWIN1 ref: 00000001004160D9

Strings

dpi-desync-ipfrag-pos-tcp must be multiple of 8, xrefs: 0000000100416108
dpi-desync-ipfrag-pos-tcp must be within 1..%u range, xrefs: 00000001004160F7

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: sscanf
String ID: dpi-desync-ipfrag-pos-tcp must be multiple of 8$dpi-desync-ipfrag-pos-tcp must be within 1..%u range
API String ID: 3173990253-3525500505
Opcode ID: df376354834c5d0d3c30ca522d51644055aaaec9c3ba0f5516699d1a7e48617c
Instruction ID: 40dbbc08e65374d2e8f21b910ae13a65840bddca9ea1aa86293685a9ba1b0fcd
Opcode Fuzzy Hash: df376354834c5d0d3c30ca522d51644055aaaec9c3ba0f5516699d1a7e48617c
Instruction Fuzzy Hash: 17110C71308A81D5F662DB54E4847ED63A4E78C340F4142229BD9C2AE9DBB8C5C5D789

Function 0000000100416114 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

sscanf.CYGWIN1 ref: 000000010041612A

Strings

dpi-desync-ipfrag-pos-udp must be within 1..%u range, xrefs: 0000000100416148
dpi-desync-ipfrag-pos-udp must be multiple of 8, xrefs: 0000000100416161

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: sscanf
String ID: dpi-desync-ipfrag-pos-udp must be multiple of 8$dpi-desync-ipfrag-pos-udp must be within 1..%u range
API String ID: 3173990253-1566524755
Opcode ID: 2cc3e1d401092d92a908c79465dd869c29a0ac20da0ab5dde9663df9a4f6f7fa
Instruction ID: be8fa79a3e36fe38588ddd34dd4f936fb97508599c2b9c00b745d728ef92f60a
Opcode Fuzzy Hash: 2cc3e1d401092d92a908c79465dd869c29a0ac20da0ab5dde9663df9a4f6f7fa
Instruction Fuzzy Hash: 50116D72308A82D5FA62DB10E4843ED63A1E78C340F8005129BD9C3AE9DBF8C5C5D789

Function 00000001004159F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

getopt_long_only.CYGWIN1 ref: 0000000100415833
sscanf.CYGWIN1 ref: 0000000100415A1E

Strings

%u:%u:%u:%u, xrefs: 00000001004159F7
invalid ctrack-timeouts value, xrefs: 0000000100415A2C

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: getopt_long_onlysscanf
String ID: %u:%u:%u:%u$invalid ctrack-timeouts value
API String ID: 2290067915-2136278816
Opcode ID: 6fe23acf76e94b7f0709ff60e1e7d2b7c414f5ca6155101ba21a25b919ab022f
Instruction ID: 86bfd4888261853098c38c4c603889094d2a45557ddce93481068009b6e9b309
Opcode Fuzzy Hash: 6fe23acf76e94b7f0709ff60e1e7d2b7c414f5ca6155101ba21a25b919ab022f
Instruction Fuzzy Hash: 8401E576309F85D5FA22DB60E0843DA63A0E78C354F8046129BCD827A9DBB8C5C8D749

Function 0000000100416A54 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27COMMON

Download Yara Rule

APIs

getopt_long_only.CYGWIN1 ref: 0000000100415833
sscanf.CYGWIN1 ref: 0000000100416A75

Strings

bad value for --wf-iface, xrefs: 0000000100416A82
%u.%u, xrefs: 0000000100416A6B

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: getopt_long_onlysscanf
String ID: %u.%u$bad value for --wf-iface
API String ID: 2290067915-1761728649
Opcode ID: aa82579f57ea90012605a919960cadc7ca7445e4381b9ee58b34636b77b445ba
Instruction ID: 9263806f15e96a1f70cafc8a02684b5851e70431676e352d63523954193d38b6
Opcode Fuzzy Hash: aa82579f57ea90012605a919960cadc7ca7445e4381b9ee58b34636b77b445ba
Instruction Fuzzy Hash: 4301FF72308BC6D5FA329B51E4403DD6360E78C344F8005129BDE82AE9DBF8D5C5D749

Function 0000000100404118 Relevance: 6.1, APIs: 4, Instructions: 121COMMON

Download Yara Rule

APIs

random.CYGWIN1 ref: 00000001004041F0
random.CYGWIN1 ref: 00000001004041F8
random.CYGWIN1 ref: 0000000100404200
random.CYGWIN1 ref: 0000000100404208

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: random
String ID:
API String ID: 373021397-0
Opcode ID: 1f04c05ca3f857f20663dd7c6b0699ab1bec71dc9a4847ba4d258557e334040b
Instruction ID: 123cbe65681a6bd1093e87fd5c736edf75b47b89e4e30ae3cac8e1dc91ce8ec4
Opcode Fuzzy Hash: 1f04c05ca3f857f20663dd7c6b0699ab1bec71dc9a4847ba4d258557e334040b
Instruction Fuzzy Hash: 114127B36042C089E76ACF35D50139ABBA1F7987A8F08C208EF959B7D9D378C485CB54

Function 000000010040F7D6 Relevance: 6.1, APIs: 4, Instructions: 112COMMON

Download Yara Rule

APIs

time.CYGWIN1 ref: 000000010040F7E1
free.CYGWIN1 ref: 000000010040F8BE
free.CYGWIN1 ref: 000000010040F8D1
free.CYGWIN1 ref: 000000010040F989

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: free$time
String ID:
API String ID: 3693300059-0
Opcode ID: 4b176ff9d6e7b5f7705bdefdbf7a6e188e8b6589fe7cf2e09f9cbc1581795002
Instruction ID: 82cd4396b1314db7e8e9697ebd665ab4240e5a183973f54a447774a64f37db6d
Opcode Fuzzy Hash: 4b176ff9d6e7b5f7705bdefdbf7a6e188e8b6589fe7cf2e09f9cbc1581795002
Instruction Fuzzy Hash: F9515DB2601B8081EB66EF51D048BD92365F798B84F588132EF8DA7B45DF70D4D9C358

Function 628071B8 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 08b05c88c6ef6e43525b274ad77ffeb36d1076c2341f0a30507d8ca344bfcf89
Instruction ID: ab69c933918153a313176fac004bc0982fe6ff5de68c7cc56bd3aca36d8773d5
Opcode Fuzzy Hash: 08b05c88c6ef6e43525b274ad77ffeb36d1076c2341f0a30507d8ca344bfcf89
Instruction Fuzzy Hash: 9F21F8366063808EEB05CF25EC6879D7B92E745BD8F4488258E5A477C4DF3DC545CB40

Function 0000000100404616 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 65COMMON

Download Yara Rule

Strings

%u-%u%c, xrefs: 000000010040466A
%u%c, xrefs: 00000001004046B2

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID:
String ID: %u%c$%u-%u%c
API String ID: 0-3274832161
Opcode ID: 495d624cda78138e3f1ca6252d43fd1ee4ee19d9ce14a974af713b18c6686f44
Instruction ID: b7bec9074186953f63f866ca595fa1b0c9e2f57f4fb42522ec861ed7b592fe23
Opcode Fuzzy Hash: 495d624cda78138e3f1ca6252d43fd1ee4ee19d9ce14a974af713b18c6686f44
Instruction Fuzzy Hash: 3521D7B5514A8095EB22DB24E0403ED67A2E7EB744F609411FBC4D7A89EABFC5C5CB08

Function 000000010040EC47 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 0000000100403330: free.CYGWIN1 ref: 0000000100403340

malloc.CYGWIN1 ref: 000000010040EC8B

Strings

reassemble init failed. out of memory, xrefs: 000000010040EC9C
unexpected large payload for reassemble: size=%zu, xrefs: 000000010040ECFB
starting reassemble. now we have %zu/%zu, xrefs: 000000010040ECE1

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: freemalloc
String ID: reassemble init failed. out of memory$starting reassemble. now we have %zu/%zu$unexpected large payload for reassemble: size=%zu
API String ID: 3061335427-1110488854
Opcode ID: 0920ea3ccb615079bc0ae18105f6003e42a57dec6cac5d0e0268630066f0b59c
Instruction ID: b83036e869674dde1346bc972d36c99800fb4053e6e61c4b7ea8882ad83cec06
Opcode Fuzzy Hash: 0920ea3ccb615079bc0ae18105f6003e42a57dec6cac5d0e0268630066f0b59c
Instruction Fuzzy Hash: 22119132301A8098F616EF22F8507DA2691B79DB98FC84035EF899B386DBB484D5C308

Function 62807289 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 08b642e3ccace5d03f01b15a64f0246926609f4c20413b7109c9469873d77576
Instruction ID: 10184b9677f90f047b27b67eb7dcfc60aaaccf75116cc22e199e65fa10ae2a25
Opcode Fuzzy Hash: 08b642e3ccace5d03f01b15a64f0246926609f4c20413b7109c9469873d77576
Instruction Fuzzy Hash: 5211C13664A2408FEB05CF65FC2879EBAA1E799794F404826DE4A87B90CF3DC546CF40

Function 62807294 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 2fab96370536040c0027ab4245a31bfa589e5783180f55f86c6046730e297b45
Instruction ID: c3461bc971c5d25ce070cfd1d65d51d5798eb9fe3ee8ed30735c8358236af707
Opcode Fuzzy Hash: 2fab96370536040c0027ab4245a31bfa589e5783180f55f86c6046730e297b45
Instruction Fuzzy Hash: 8B11BF3664A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 6280729F Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: d4e48a2b1e4d741e7982c23fac564022433da7ff8e8eb6e04360d6fd7b68b608
Instruction ID: 8cbe3b40ccda9e0f888f31bd6a2531f1b86fa973c78b2181a2af6c47dd8f6d60
Opcode Fuzzy Hash: d4e48a2b1e4d741e7982c23fac564022433da7ff8e8eb6e04360d6fd7b68b608
Instruction Fuzzy Hash: D211C43664A2408FE705CF65FC1879E7AA1E755794F404426DE4547B90CF3DC546CF40

Function 628072AA Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: ea9a6d65741629d19d5c83466823a0469ab8033f548b849806347f6c533c6f98
Instruction ID: 636c70a636cabaaec29f6ceb31c0e79ddc9c4f30e0ea5442707a9faafe7ec14f
Opcode Fuzzy Hash: ea9a6d65741629d19d5c83466823a0469ab8033f548b849806347f6c533c6f98
Instruction Fuzzy Hash: 07119D3664A2408FEB05CF65FC28B9EBAA1E799794F4044269E4687B90CF3DC546CF40

Function 628072B2 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 04d24bb8cf3ac483217d9913617cf78e06e6752c6515e8f6629d6cc273366dff
Instruction ID: 636267705cb495aedabe180a05d7a756f4d07d0dc2d73b3a7d3fc056582125eb
Opcode Fuzzy Hash: 04d24bb8cf3ac483217d9913617cf78e06e6752c6515e8f6629d6cc273366dff
Instruction Fuzzy Hash: 2511BF3664A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 628072BD Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: a90026d4024d00e4131ac91812905b849f2daae7ef3b77898cf68542447e727a
Instruction ID: 61dceb551f11f8acba7a8d625512b0c100c4a765ab359fee061fa5dd847b9f0c
Opcode Fuzzy Hash: a90026d4024d00e4131ac91812905b849f2daae7ef3b77898cf68542447e727a
Instruction Fuzzy Hash: CD11C13664A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B94CF3DC546CF40

Function 628072C8 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 6396990f41faddc6662a6e3650ca7f922a80c2ac0ceb1918c4a0ed2e9fb9d485
Instruction ID: 40f5eaa99090f99dbc2844c975a72b7cbba8ac5d7a38374c83d3239445ceec4d
Opcode Fuzzy Hash: 6396990f41faddc6662a6e3650ca7f922a80c2ac0ceb1918c4a0ed2e9fb9d485
Instruction Fuzzy Hash: B311C13664A2408FEB05CF65FC28B9EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 628072D3 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: edb0a7a91d814f270d9fe969629742c4689d05d274695d8ce9459c501214cb45
Instruction ID: 3151f6b7a7aa32eb9723b8378887d03d8fbad139ed431b20096444839416fca4
Opcode Fuzzy Hash: edb0a7a91d814f270d9fe969629742c4689d05d274695d8ce9459c501214cb45
Instruction Fuzzy Hash: 5211C13664A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 628072DE Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 46700d88497587615ffb65d70fa83d8732340043a60b84e44cfdc55b1a1313a1
Instruction ID: 25233d9e77d06a85168d477d467dac649b48f1b1b4ed9398bd5a499bb6a899c9
Opcode Fuzzy Hash: 46700d88497587615ffb65d70fa83d8732340043a60b84e44cfdc55b1a1313a1
Instruction Fuzzy Hash: 3D11C4366462408FE705CF65FC1879E7AA1E795794F404426DE4547B90CF3DC546CF40

Function 628072E9 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 1235203dcac0ef9a4994fc0a0c0e40c8b8c6150582f4ae9d64583b1004a5ddf0
Instruction ID: 57b29bc9232a018e6c26230d9b7c8ddaa2662c670e498ff6955fac348abbf109
Opcode Fuzzy Hash: 1235203dcac0ef9a4994fc0a0c0e40c8b8c6150582f4ae9d64583b1004a5ddf0
Instruction Fuzzy Hash: 1311C13664A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 628072F4 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 0642aae805947e7e4ba04b6b7ffc846f44527ed74400c0aaa39908ad6428eced
Instruction ID: 7684f788d0ece0d61fe182abe9bb55082c3634b7a03b985d7b889034a3b7e82b
Opcode Fuzzy Hash: 0642aae805947e7e4ba04b6b7ffc846f44527ed74400c0aaa39908ad6428eced
Instruction Fuzzy Hash: 5611BF3664A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 628072FF Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 53d1237dee9908e1b67405373d75db924d6dca3d14d748cb95155b6c4b467bd9
Instruction ID: 542707c7f44194ad4eed8595f110829714dc0e8ee62865f32a45a1c69f605721
Opcode Fuzzy Hash: 53d1237dee9908e1b67405373d75db924d6dca3d14d748cb95155b6c4b467bd9
Instruction Fuzzy Hash: 1411C13664A2408FEB05CF65FC28B9EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 62807205 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: ea56660e321b22b2b355bbc4756b43d046b7b05f440ac4f366a25e62ae9ff312
Instruction ID: e4a5adf0c1f2abe19caef90f7f3d6b4fc410b6bf99937d2674ae1dfb4eff2494
Opcode Fuzzy Hash: ea56660e321b22b2b355bbc4756b43d046b7b05f440ac4f366a25e62ae9ff312
Instruction Fuzzy Hash: EF11C4366462408FE705CF65FC2875E7AA1E755794F404426DE4547B90CF3DC546CF40

Function 62807210 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 3f6a8504d302f89c5fb6dec078a4c9b60745100610939dada767d10d0a7097bf
Instruction ID: 002b5a4e012002b62cd4ea9f0c531795aeab1d621ae74e449a3f6a8bfb65e76c
Opcode Fuzzy Hash: 3f6a8504d302f89c5fb6dec078a4c9b60745100610939dada767d10d0a7097bf
Instruction Fuzzy Hash: FD11C13664A2408FEB05CF65FC2879EBAA1E799794F404826DE4A87B90CF3DC546CF40

Function 6280721B Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 045d51adc100e2a5a102bea9837955856d29654141255bf975d3883e235bae3c
Instruction ID: d5acb06c8e10382c352d94463a023e6b0d749ed82b8209a06aaaf7673216b6cc
Opcode Fuzzy Hash: 045d51adc100e2a5a102bea9837955856d29654141255bf975d3883e235bae3c
Instruction Fuzzy Hash: 2311C13664A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 62807226 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 570461dc85fc0c868c466565c72c384ec9fa0d80376098708ce8156ba5d1a3da
Instruction ID: 9e97b5bea80023786cbc45034227ef3e220ee256a52c8fd30550a261b39314e2
Opcode Fuzzy Hash: 570461dc85fc0c868c466565c72c384ec9fa0d80376098708ce8156ba5d1a3da
Instruction Fuzzy Hash: A411BF3664A2408FEB05CF65FC2879EBAA1E799794F404826DE4A87B90CF3DC546CF40

Function 62807231 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: f5720d1e34f9aee9044ee288b94d1d6b64f7cf6e56c2185adac6488d5ea36987
Instruction ID: c4afccd6c898180cd7f91abe853731fdc0652644c7129fa2f9c3769e83f279c9
Opcode Fuzzy Hash: f5720d1e34f9aee9044ee288b94d1d6b64f7cf6e56c2185adac6488d5ea36987
Instruction Fuzzy Hash: B511BF3A64A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 6280723C Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: c99429068b1ce0381c042ee5c7f3615531c5c2c46e62f23dbed414f16db830a9
Instruction ID: df44c416e6c1e1d5b08f52f7c18794f0084ae810fb36b606e6eea772a27e57b8
Opcode Fuzzy Hash: c99429068b1ce0381c042ee5c7f3615531c5c2c46e62f23dbed414f16db830a9
Instruction Fuzzy Hash: 3C11C13664A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 62807247 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 8b081670b59c51bfae882a8130475e4fdf9ff4a09b7ac7b8ddf5add175dc9b81
Instruction ID: 2f7d9394315e5a742f8f01ada5cd5135b503ce7c0667cc34ea31b78636e5479c
Opcode Fuzzy Hash: 8b081670b59c51bfae882a8130475e4fdf9ff4a09b7ac7b8ddf5add175dc9b81
Instruction Fuzzy Hash: 5811C13664A2408FEB05CF65FC2879EBAA1E799794F404826DE4A87B90CF3DC546CF40

Function 62807252 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 869052007470d29f24aabfd87fe45d260fa41f0f5782633238d55c76ef84d8e5
Instruction ID: c2373b2ebe143863335cf733a99ad505512505bf09fab3b9bb0c0513ed463334
Opcode Fuzzy Hash: 869052007470d29f24aabfd87fe45d260fa41f0f5782633238d55c76ef84d8e5
Instruction Fuzzy Hash: 9B119D3664A2408FEB05CF65FC2879EBAA1E799794F4048269E4687B90CF3DC546CF40

Function 6280725D Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 87aff3d0723127e5f59230ff9a134e977b693bd5742830d1c009b32dfbdcb42b
Instruction ID: 808ac26092e492fec3eae9ec88d2cbd38857c0baa44ef76c5a1073be2211c996
Opcode Fuzzy Hash: 87aff3d0723127e5f59230ff9a134e977b693bd5742830d1c009b32dfbdcb42b
Instruction Fuzzy Hash: 4A11C13664A2408FEB05CF65FC2879EBAA1E799794F404826DE4A87B90CF3DC546CF40

Function 62807268 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 273138e6d2489c6e37141a09242833116ad50f84550a851ba0486038979d7c32
Instruction ID: 75eff12199cdee6525b475908bcdf2910efc21c486c40f04fb663594752d84e5
Opcode Fuzzy Hash: 273138e6d2489c6e37141a09242833116ad50f84550a851ba0486038979d7c32
Instruction Fuzzy Hash: 3111BF3664A2408FEB05CF65FC2879EBAA1E799794F404826DE4A87B90CF3DC546CF40

Function 62807273 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 9e54355d0016f66f404e76b804c8a90ac5195a9c4c0bfbb34337223b04d036b3
Instruction ID: e55037a776f314913f69f4c9179d681af0519e0a18712b69bc74c3259cf966e8
Opcode Fuzzy Hash: 9e54355d0016f66f404e76b804c8a90ac5195a9c4c0bfbb34337223b04d036b3
Instruction Fuzzy Hash: 8111BF3664A2408FEB05CF65FC2879EBAA1E799794F404826DE4A87B90CF3DC546CF40

Function 6280727E Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: d2300626ff86320825cdbeed6da22424359b989b428f1b63775c169d38ed0565
Instruction ID: 69f546a9ac2d47496dc89ba9e027a8eb93e3c94e3f1b47b20f8ea146c4b27014
Opcode Fuzzy Hash: d2300626ff86320825cdbeed6da22424359b989b428f1b63775c169d38ed0565
Instruction Fuzzy Hash: DF11C13664A2408FEB05CF65FC2879EBAA1E799794F404826DE4A87B90CF3DC546CF40

Function 62807383 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: dfac81adaf58f576bfa858308cd76f9566b019da6b3532dcd26c381428f3be70
Instruction ID: dce7924812e95000559dfb38561310594e0ea36ba25ef0f2ed9a5b1fcd055a41
Opcode Fuzzy Hash: dfac81adaf58f576bfa858308cd76f9566b019da6b3532dcd26c381428f3be70
Instruction Fuzzy Hash: F911C13664A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 6280738E Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: b72c10392856c7db5f7acc5b3204e7b960c815a3d8c511a357f99e2cd4bc7685
Instruction ID: 365e2604f76de28c4adf7981ac8e9826d254da33a3b53a2b37fee0de3023170a
Opcode Fuzzy Hash: b72c10392856c7db5f7acc5b3204e7b960c815a3d8c511a357f99e2cd4bc7685
Instruction Fuzzy Hash: E411C13664A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 62807399 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 26c7ad8a38f597904a900e5374118e6315c031c9a1d21f59a6b05a80cac0a57c
Instruction ID: ce2d42eb713b989deb11c51f7f8e0ec2b429081f1c41e53010799b0da6bd3b2e
Opcode Fuzzy Hash: 26c7ad8a38f597904a900e5374118e6315c031c9a1d21f59a6b05a80cac0a57c
Instruction Fuzzy Hash: BD11BF3664A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC946CF40

Function 628073A4 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: b1936df71be4d249b83918c10d0d1a6e5f1ef4ff4bf2cf06c00c49980e0ec6a3
Instruction ID: 3abf6ad61a6245b6d2a99443e54da43bf1df51187efbe283285ee2a665777e9b
Opcode Fuzzy Hash: b1936df71be4d249b83918c10d0d1a6e5f1ef4ff4bf2cf06c00c49980e0ec6a3
Instruction Fuzzy Hash: 0611C13664A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC946CF40

Function 628073AF Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: ba583fd6cd73b74a5070b77e642d565cca76d7c5eb37d76e22e2cdc8b4c450de
Instruction ID: 896e00b8d97d7ba217ed15b663ffe910f34daf8f0ee2adf7699c41ba6816cf0a
Opcode Fuzzy Hash: ba583fd6cd73b74a5070b77e642d565cca76d7c5eb37d76e22e2cdc8b4c450de
Instruction Fuzzy Hash: 1E11C13A64A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 628073BA Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 4eb972a7178eca3eeb82d00a55083d0c76afe54015980cece7e0d02e14b6d9cb
Instruction ID: 31a1c44df5b63cab3da1f5a661b172e13d0b05e893e4de7cf649ba692a2fb81b
Opcode Fuzzy Hash: 4eb972a7178eca3eeb82d00a55083d0c76afe54015980cece7e0d02e14b6d9cb
Instruction Fuzzy Hash: 6611C13664A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 628073C5 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 1ffe3dd8c79ef131d7fdd77177bfd4aff0bd7dd66bd991510a5be2f19c3000e0
Instruction ID: 0b4277503a7898e4bb27dc9bb0d00052fa720054ea7332a5e2b712a74e23e29f
Opcode Fuzzy Hash: 1ffe3dd8c79ef131d7fdd77177bfd4aff0bd7dd66bd991510a5be2f19c3000e0
Instruction Fuzzy Hash: 7811C13664A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC586CF40

Function 628073D0 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 93c662eb937665d5288f3171413dddc53c45577d37466af36d9b36d124a1dfdb
Instruction ID: 56824efafa28f27da36ae73475e5791cf664c842732c6711d505a2f852492390
Opcode Fuzzy Hash: 93c662eb937665d5288f3171413dddc53c45577d37466af36d9b36d124a1dfdb
Instruction Fuzzy Hash: 3D11BF3664A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90DF3DC546CF40

Function 628073DB Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 0ea27139499c16c565d534c9e55c89027db5b0e213fd1ad5a516ccfef21b7671
Instruction ID: 3bd81d2591f3a2ee6ea6e4941815ff7dfabf50380b1a29d402bba4830f489d8b
Opcode Fuzzy Hash: 0ea27139499c16c565d534c9e55c89027db5b0e213fd1ad5a516ccfef21b7671
Instruction Fuzzy Hash: AD11BF3664A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC586CF40

Function 628073E6 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 0fc9b0d84f6c75e4e8be031bf36a5164ed5b073f7f4112db6be71c87b7f4d47f
Instruction ID: 517b58f1f7bea3cf36f0ae6381b7272952c73e88a44553c6823b44498a8aa471
Opcode Fuzzy Hash: 0fc9b0d84f6c75e4e8be031bf36a5164ed5b073f7f4112db6be71c87b7f4d47f
Instruction Fuzzy Hash: EF11C13664A2408FEB05CF65FC2879EBAA1E799794F404826DE4A87B90CF3DC546CF40

Function 628073F1 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 0deca75bdb2d9bab6186c5cf72a9da04bc85794467f52ee99b8e0bdaef40b229
Instruction ID: bc986202ba7feae595024b8a708a56e21becbf8f5a54b30fd07ef091a0ce90db
Opcode Fuzzy Hash: 0deca75bdb2d9bab6186c5cf72a9da04bc85794467f52ee99b8e0bdaef40b229
Instruction Fuzzy Hash: 5A11C13664A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90DF3DC546CF40

Function 628073FC Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: a193d9d5ebceff8b7a0b8ed900eebb8bfa9272c5c7dda51f91a60b46f988c101
Instruction ID: 968014d72f417d69687102a41f55a0c0347e02b6044544b5783b10b8edf77512
Opcode Fuzzy Hash: a193d9d5ebceff8b7a0b8ed900eebb8bfa9272c5c7dda51f91a60b46f988c101
Instruction Fuzzy Hash: DE11C13664A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC946CF40

Function 6280730A Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 41041a8b24bdec71a485dfc310c278db16a8e08eb783e66c2f350fe025522aed
Instruction ID: d8e0cbdc3bdab57752d835545d25c9eac3689bce5f2281968e05c6550418683f
Opcode Fuzzy Hash: 41041a8b24bdec71a485dfc310c278db16a8e08eb783e66c2f350fe025522aed
Instruction Fuzzy Hash: 9611C13664A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 62807315 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 717ea5f279b5ba2fa33c77bab999a89ca4be83789b2223ed595926c1eff51279
Instruction ID: af637a3612c1abf0371f5b35934cf8dd49d4fd14d4d9b03781b05a925a2bacc4
Opcode Fuzzy Hash: 717ea5f279b5ba2fa33c77bab999a89ca4be83789b2223ed595926c1eff51279
Instruction Fuzzy Hash: 4F11C13664A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC586CF40

Function 62807320 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: fcf12fc4a893ad1a3eb19c84c32c9e1d2315d6fdd4261dc0c2a448954ac53a45
Instruction ID: 29bfef900a1bcf93a4636ae0d387ae900c9833e81f9802bb706714c8ad9047cb
Opcode Fuzzy Hash: fcf12fc4a893ad1a3eb19c84c32c9e1d2315d6fdd4261dc0c2a448954ac53a45
Instruction Fuzzy Hash: D611C13664A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 6280732B Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 70d64e96a35199e89e0b87986f98ab117820998d65b717b72fa3fd49e69d8334
Instruction ID: 8d61a74ea94b0df9265b7cd7dbe1eeaf4570086a7d80bd886c2ebfb4c352f995
Opcode Fuzzy Hash: 70d64e96a35199e89e0b87986f98ab117820998d65b717b72fa3fd49e69d8334
Instruction Fuzzy Hash: FE11C13A64A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 62807336 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: cf39c92eebc7052250cb7b55a5496ddf853a3763f4957c88cdca934395028ad5
Instruction ID: c0dc125bcf158a3bc4d31faae25d4a315e4900da7f8db25b1b9160c117511fa7
Opcode Fuzzy Hash: cf39c92eebc7052250cb7b55a5496ddf853a3763f4957c88cdca934395028ad5
Instruction Fuzzy Hash: 1211C13664A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 62807341 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 05e9ec4ef89ccea38574d79414121eb41393912e2a373659fc17e94524b47375
Instruction ID: b0895bddcd11542a68186ec80284c239b07f68f24f4f7451cf6a62d0dc8666e0
Opcode Fuzzy Hash: 05e9ec4ef89ccea38574d79414121eb41393912e2a373659fc17e94524b47375
Instruction Fuzzy Hash: EF11C13664A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 6280734C Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: ccc0e1497c9379fce6c7ce45482eec2be0553fbacc7066a97f6ba8c040a0e3f5
Instruction ID: be1a8445c7bf4b210e3aa43ae8512c62d538f8426c3edb976635cecf9cf55e7f
Opcode Fuzzy Hash: ccc0e1497c9379fce6c7ce45482eec2be0553fbacc7066a97f6ba8c040a0e3f5
Instruction Fuzzy Hash: 6411C13664A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 62807357 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 8592739047b3c74a1cb8032f0545894db454ab2d9e81d9c8c84e03a90c71382a
Instruction ID: 7e98fdf9af85dc47791a0cfa2b7044993a8e70cd4e0fa1c52fee72693e6729a9
Opcode Fuzzy Hash: 8592739047b3c74a1cb8032f0545894db454ab2d9e81d9c8c84e03a90c71382a
Instruction Fuzzy Hash: 5411C13664A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 62807362 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 02114b2ca721ce173d168d0edbf951150fc30a05f7a5e5d9ca2ebb15eb78d666
Instruction ID: 7be6e874750051b18ba196adfbc7377afab43b009182a669b09129b01aabb1af
Opcode Fuzzy Hash: 02114b2ca721ce173d168d0edbf951150fc30a05f7a5e5d9ca2ebb15eb78d666
Instruction Fuzzy Hash: 9211BF3664A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 6280736D Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 4305915d855355c3ec40f73376a46021562ab9db415131cd43ec0185176e858a
Instruction ID: 1bf7b0d88fb8d46363dbb1e067d954bf91357828ebad3afeb9a20e559c85967b
Opcode Fuzzy Hash: 4305915d855355c3ec40f73376a46021562ab9db415131cd43ec0185176e858a
Instruction Fuzzy Hash: 2D11C13664A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 62807378 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 5d756f674c2921f3b08fedf8a79bd076b2d391e152edb47e1006700b8c60dd97
Instruction ID: 6c845ff0d046de1ecde4e82fa2238155bef71af5486524b1d0cc0a53fe80c2ff
Opcode Fuzzy Hash: 5d756f674c2921f3b08fedf8a79bd076b2d391e152edb47e1006700b8c60dd97
Instruction Fuzzy Hash: DB11C13664A2408FEB05CF65FC28B9EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 62807480 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 4788458342aed52357edaa3d6bbb75b7c3c427777ea2a5562094f95349287aae
Instruction ID: b092e9691bea23355ec573ed2a7a50a9c09fbea9b6393bfd5b728d79d67eb897
Opcode Fuzzy Hash: 4788458342aed52357edaa3d6bbb75b7c3c427777ea2a5562094f95349287aae
Instruction Fuzzy Hash: 7311C13664A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 6280748B Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: e7e2e25557d08df0ce88b26940422eb22326984010b791606d988f72d3af2b43
Instruction ID: 17bf85d88bc8166e7223f42dc5200bd09686b02b787ecca2ca7ce766b646fe68
Opcode Fuzzy Hash: e7e2e25557d08df0ce88b26940422eb22326984010b791606d988f72d3af2b43
Instruction Fuzzy Hash: 3C11BF3664A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 62807496 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 80a7a30b32d252d2fb554e6abbc92eccbc3552124290899ad3ec9a9f32f30381
Instruction ID: 1db1de007efdb298a528a17d8daaa64e1929a01b900d4676396347f07184c9df
Opcode Fuzzy Hash: 80a7a30b32d252d2fb554e6abbc92eccbc3552124290899ad3ec9a9f32f30381
Instruction Fuzzy Hash: B711BF3664A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 628074A1 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 0e3b713fd2ef46126ef343ca798ebacb60b62475a83bb7e38173a1d87376f848
Instruction ID: bd83345aff205ce6b1cd680efa811f7652d7049418d47b86dcf831764b39c4ff
Opcode Fuzzy Hash: 0e3b713fd2ef46126ef343ca798ebacb60b62475a83bb7e38173a1d87376f848
Instruction Fuzzy Hash: BD11C13664A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 628074AC Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: c148859c84261f463590c0d4b38c9a99a78559889e72c803541bcadd9db3afb4
Instruction ID: e768d943c97a5981892c5780d08ee9acf69553a9ed8a6f8607c984819691e5c0
Opcode Fuzzy Hash: c148859c84261f463590c0d4b38c9a99a78559889e72c803541bcadd9db3afb4
Instruction Fuzzy Hash: D611C13664A2408FEB05CF65FC2879EBAA1E799794F404826DE468BB90CF3DC546CF40

Function 628074B4 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 1d10047eff9d511899728fd8ce09bbbcaac4019707a9da985e516cbe486d1d70
Instruction ID: 891d4bd87993f8e766bbbc5062a8831bc93424ccc2b10c5490a764a5dcc4351d
Opcode Fuzzy Hash: 1d10047eff9d511899728fd8ce09bbbcaac4019707a9da985e516cbe486d1d70
Instruction Fuzzy Hash: C511C13664A2408FEB05CF65FC28B9EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 628074BC Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 2919398b0d46d57324456ad200d4c3f57cd30e175f4668bda3ac7b19319bc572
Instruction ID: 9760a4ed2d22de53f0739cfdc2c8356c0ebb6b8ff1fbb844d88ae1b2a5fd9b36
Opcode Fuzzy Hash: 2919398b0d46d57324456ad200d4c3f57cd30e175f4668bda3ac7b19319bc572
Instruction Fuzzy Hash: 0711C13A64A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 628074C4 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: b1c1422996a8730b8c98d59b59fa0a9a9cfbaa8973cc962b0f390f39d47aa68a
Instruction ID: 1812be6cf1aaa8176fde86b6a6259daf15d8ddb65c141b96620591f343ffc98a
Opcode Fuzzy Hash: b1c1422996a8730b8c98d59b59fa0a9a9cfbaa8973cc962b0f390f39d47aa68a
Instruction Fuzzy Hash: A511BF3664A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 628074CC Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 35ae871305eb61c9af96c9e3f592104ff1439847c822266a9e73923da1314842
Instruction ID: cec06353798fa2081ab2a748f196d382a099512192b1f3066443f0cb44dd7542
Opcode Fuzzy Hash: 35ae871305eb61c9af96c9e3f592104ff1439847c822266a9e73923da1314842
Instruction Fuzzy Hash: FA11C4366462408FE705CF65FC1875E7AA1E755794F404426DE4547B90CF3DC546CF40

Function 628074D4 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 21c6382821cff5ba6e6904c19459f489d4dd412af43f4679f54d5ea0ab3f5cca
Instruction ID: 601c45179205b5153ddda27da7b9668de86cfd050fe100bd3d7c1beda9e2ee41
Opcode Fuzzy Hash: 21c6382821cff5ba6e6904c19459f489d4dd412af43f4679f54d5ea0ab3f5cca
Instruction Fuzzy Hash: 1511C13664A2408FEB05CF65FC2879EBAA1E799794F404826DE4A87B90CF3DC546CF40

Function 628074DC Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: df5eb54a6c7160c714dd223ed6c95f01a910a47b6907cc64124a7fdb19850ca0
Instruction ID: 29b2c593d25a4adb1462de36a2e3d0b0e42f0ac4d88e62e53ad7d7c6c419e3c5
Opcode Fuzzy Hash: df5eb54a6c7160c714dd223ed6c95f01a910a47b6907cc64124a7fdb19850ca0
Instruction Fuzzy Hash: 4911BF3664A2408FEB05CF65FC2879EBAA1E799794F404826DE4A87B90CF3DC546CF40

Function 628074E4 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 9007188af473143e614b26d1f046a7438ccbbcb8b876e81a89a69db9e6bcc53c
Instruction ID: f2b3652453b475bd777e13b7087cb57ab7e79479ee20220b65d260ee94916287
Opcode Fuzzy Hash: 9007188af473143e614b26d1f046a7438ccbbcb8b876e81a89a69db9e6bcc53c
Instruction Fuzzy Hash: 7011C4366462408FE705CF65FC1875E7AA1E755794F404426DE4547B90CF3DC546CF40

Function 628074EC Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 53bf87ce9ece503ce9407a2b94f444139ddc53861c76e8a9da8321d0fb698cc9
Instruction ID: a3249e0e19023de3f4d15ff2f54f0c3aac092d4e02f683cf1bb39897a17befcf
Opcode Fuzzy Hash: 53bf87ce9ece503ce9407a2b94f444139ddc53861c76e8a9da8321d0fb698cc9
Instruction Fuzzy Hash: DB11BF3664A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 628074F4 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 4dc4d2b98820ccd76d1e33ccc5a9aeae12c377061c2788a9c338190b19c0373d
Instruction ID: 91e7005c1db63ce591fa209d2c32f7530f839473179ecdc1a05cffa14c591e6d
Opcode Fuzzy Hash: 4dc4d2b98820ccd76d1e33ccc5a9aeae12c377061c2788a9c338190b19c0373d
Instruction Fuzzy Hash: 8E11C13664A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 628074FC Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 4f86ebdd51a8e816c7b2fa2906c44a2313b0db0d962a28e7a6f417fe32bb0950
Instruction ID: c9c0dba77c6615c0d536e42be5d708f243ac48bb99ecbb4b00898e1cf7f6af00
Opcode Fuzzy Hash: 4f86ebdd51a8e816c7b2fa2906c44a2313b0db0d962a28e7a6f417fe32bb0950
Instruction Fuzzy Hash: 8911C13664A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 62807407 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 77975c5e659b6fb5dd764b1cdace6ad4703e09dccc6ee0a9a11cf2a680e41209
Instruction ID: 458c061c11a28db75d2ed34ad05a23c6b651214e31456ecbe007698447a62c6f
Opcode Fuzzy Hash: 77975c5e659b6fb5dd764b1cdace6ad4703e09dccc6ee0a9a11cf2a680e41209
Instruction Fuzzy Hash: 5311C13A64A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 62807412 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 3947ff53078dcc41515b639beee4273990ddc49cf6689e97a876aeccee7d5ff6
Instruction ID: e633e6fa1d3963e3d2e61fb0372666dbb8d730692526f14edb3bded60aeb3aaf
Opcode Fuzzy Hash: 3947ff53078dcc41515b639beee4273990ddc49cf6689e97a876aeccee7d5ff6
Instruction Fuzzy Hash: 8C11C13664A2408FEB05CF65FC28B9EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 6280741D Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 94efb20f6e2a48a0ed8347537b490d43143164a17939abfd5af622d0384e40fb
Instruction ID: a5d7e82caf78275833410c49fe3e156b9cc9f0fd69c337114295c8071424fc93
Opcode Fuzzy Hash: 94efb20f6e2a48a0ed8347537b490d43143164a17939abfd5af622d0384e40fb
Instruction Fuzzy Hash: A011C13664A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 62807428 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: b3af5541842567cb9a9c3b78bc68715dc861ff6f2732194a688b8c526d8f6a68
Instruction ID: db9adbfc1d5af765925990c0b8f34ef25e7bc8d72101590d7b5f75c5f29cf47d
Opcode Fuzzy Hash: b3af5541842567cb9a9c3b78bc68715dc861ff6f2732194a688b8c526d8f6a68
Instruction Fuzzy Hash: C011C13664A2408FEB05CF65FC28B9EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 62807433 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: f2a46fd31fe61cc3561286855f37b978cc680bfe7b12b2b11cd2ef299ca56798
Instruction ID: ddbd358d18d024fed919e442a8d8a817dd87634e89bb6fb6b5432c089b4b456d
Opcode Fuzzy Hash: f2a46fd31fe61cc3561286855f37b978cc680bfe7b12b2b11cd2ef299ca56798
Instruction Fuzzy Hash: 2A11C13664A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 6280743E Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: aa76f99ea0a43a3d782ef8e53063fd4d1b389f506d709475453d99839676844b
Instruction ID: 7552edda894bb9ed0344dea5802f7a8c93f8aca8e7b738176c237e29c0e67792
Opcode Fuzzy Hash: aa76f99ea0a43a3d782ef8e53063fd4d1b389f506d709475453d99839676844b
Instruction Fuzzy Hash: FD11BF3664A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 62807449 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 76fb85030454bd80ffddf1c261e2ca34364f22495f05fb52fbb3cced0b98eb70
Instruction ID: 96ea4ff2ef2872560b49f04a9952ff1179003d25c5e629e6520812c00accc9dd
Opcode Fuzzy Hash: 76fb85030454bd80ffddf1c261e2ca34364f22495f05fb52fbb3cced0b98eb70
Instruction Fuzzy Hash: 6E11C13664A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90DF3DC546CF40

Function 62807454 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 0840daa46ef383147d6ead1fa3d491300ceb60bb44745764f5efab26f4d3fa1e
Instruction ID: e72faecd3c84072da4bac7df2bfe2ce7fefe2baa1cc341a10351175184e3668e
Opcode Fuzzy Hash: 0840daa46ef383147d6ead1fa3d491300ceb60bb44745764f5efab26f4d3fa1e
Instruction Fuzzy Hash: 6A11C13664A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 6280745F Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: b4b218c6b29eea6e9a70915a383441c0b648ca871caf00b5bc4748826ced217a
Instruction ID: 0725e159efb299e67ed286b32abfc2435d558f4fcc8b30a378f757deb55c9fd3
Opcode Fuzzy Hash: b4b218c6b29eea6e9a70915a383441c0b648ca871caf00b5bc4748826ced217a
Instruction Fuzzy Hash: AA11C13A64A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 6280746A Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 2fd0700834d2727cff01e8e93df2432d262ad7f5579f77dfc2533b2bb40c18b1
Instruction ID: 20223b0a72f4cfe05d7d8ee72ec4b48a73af1ad7e57d6fc95618e79915b2f25c
Opcode Fuzzy Hash: 2fd0700834d2727cff01e8e93df2432d262ad7f5579f77dfc2533b2bb40c18b1
Instruction Fuzzy Hash: A611C13664A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 62807475 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 8bf5b1fb09899d16a8795fbe946318058c8aaa221c41b5652a78744cb25f10ac
Instruction ID: 572fc0b82033a58afb0a6908a1bbbee126343248444a060b358d4c6af9fceb1f
Opcode Fuzzy Hash: 8bf5b1fb09899d16a8795fbe946318058c8aaa221c41b5652a78744cb25f10ac
Instruction Fuzzy Hash: 9611C13664A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 628071C3 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: f19d8e7fac685a31926d7fea2c73f860faf687763b274542087a63e4ad78051d
Instruction ID: 1e58400efd78800d035a41a706921debe0d927ab885efdb30b7dd7eac8df136b
Opcode Fuzzy Hash: f19d8e7fac685a31926d7fea2c73f860faf687763b274542087a63e4ad78051d
Instruction Fuzzy Hash: 4111C13664A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 628071CE Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 9a66e2d6ea0fac42e9e2ca3e4904b03e6eaaca2f63c1f4271d36193887fca038
Instruction ID: 8b0ade51f478335328b1fc2d6d0b60e14ff69ddcc56993388836694f3397e89d
Opcode Fuzzy Hash: 9a66e2d6ea0fac42e9e2ca3e4904b03e6eaaca2f63c1f4271d36193887fca038
Instruction Fuzzy Hash: 3811C13664A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 628071D9 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: e354f12f50ae72bb79f7d9a692ed77d4b7792f95f528bf0b78c9708a924ab368
Instruction ID: 4ab61f4321ef711189628768964523ca63bce1cfaf7fb2c09eff6d66100c44b0
Opcode Fuzzy Hash: e354f12f50ae72bb79f7d9a692ed77d4b7792f95f528bf0b78c9708a924ab368
Instruction Fuzzy Hash: 5511C13664A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 628071E4 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: a6eb2038e20b3dd837f9e206d45d3c7a78c76cb8d5eb0ece6651f47363a4a3d9
Instruction ID: d324c27463967b6f65e99ba6c160b0b6703e99793ad7331fd08b43752728ec77
Opcode Fuzzy Hash: a6eb2038e20b3dd837f9e206d45d3c7a78c76cb8d5eb0ece6651f47363a4a3d9
Instruction Fuzzy Hash: AA11BF3664A2408FEB05CF65FC2879EBAA1E799794F404826DE4A87B90CF3DC546CF40

Function 628071EF Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 2637eb5b9f3003b7a9492e94e4597a132c2130ec5090e06659a42d3fd340b808
Instruction ID: 310991cc5baf3dcdef9dd5ea9db3bfaf23057f9bb046c4487c509f8de775458a
Opcode Fuzzy Hash: 2637eb5b9f3003b7a9492e94e4597a132c2130ec5090e06659a42d3fd340b808
Instruction Fuzzy Hash: 1C11C43664A2408FE705CF65FC1879E7AA1E755794F404426DE4547B90CF3DC546CF40

Function 628071FA Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: f79656b54cf89edf92b189361cc9fd0d15ffcb7dc5e650f59cd446ef91ec6129
Instruction ID: 70b2ab285a332c9bf77a12ffc4a9b96377926138e5fc306239b45bc179cf0222
Opcode Fuzzy Hash: f79656b54cf89edf92b189361cc9fd0d15ffcb7dc5e650f59cd446ef91ec6129
Instruction Fuzzy Hash: 8611C13664A2408FEB05CF65FC2879EBAA1E799794F404826DE4A87B90CF3DC546CF40

Function 62807504 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 1641ca4694be968f5c2a4daa0dbf72c9250bad443eff0d0cc3f33c367c401b3d
Instruction ID: 51940d0773c75f70f0b6b94e7b5f83fa7aed8f3fdf2afdf8fc4622ec55299def
Opcode Fuzzy Hash: 1641ca4694be968f5c2a4daa0dbf72c9250bad443eff0d0cc3f33c367c401b3d
Instruction Fuzzy Hash: FE11C13A64A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 6280750C Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 0f439efa9114d0de58bbe7937e2981b79dc3e844b56075d66109d9f08af1d5e1
Instruction ID: 3e2cc778b6a36e0b882c2512fe4a20c9ca9bf0ee19fa220daa437a67a86ea1c4
Opcode Fuzzy Hash: 0f439efa9114d0de58bbe7937e2981b79dc3e844b56075d66109d9f08af1d5e1
Instruction Fuzzy Hash: 0911C13664A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 62807514 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 5f0d0602c0258cb50be03a9eece64c5061dd8c3e3d0670c81f4a9152eab8a882
Instruction ID: 9bb9293561167665194ce223bbcb5036e3ee370c8d20bec716659111e11e7a93
Opcode Fuzzy Hash: 5f0d0602c0258cb50be03a9eece64c5061dd8c3e3d0670c81f4a9152eab8a882
Instruction Fuzzy Hash: 5A11C13664A6408FEB05CF65FC28B9EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 6280751C Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 950aeb02792e61338f8c6bcc4b71a25650e37b882db677cc51e66c22951264fc
Instruction ID: e71699ff7aec19708b0ea055a340727b45b8e75d247d44cf1cfa3e5852f64f3e
Opcode Fuzzy Hash: 950aeb02792e61338f8c6bcc4b71a25650e37b882db677cc51e66c22951264fc
Instruction Fuzzy Hash: 6C11C13664A2408FEB05CF65FC2879EBAA1E799794F404826DE4687B90CF3DC546CF40

Function 62807524 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 4ae8b75392f7a9e019186b95d1cfc6d9304f9071b0fba173954ea3deacf607cb
Instruction ID: 3fae14af8724e631455a033ec65acef2b319a048469159f3a8ca1d812fd662a8
Opcode Fuzzy Hash: 4ae8b75392f7a9e019186b95d1cfc6d9304f9071b0fba173954ea3deacf607cb
Instruction Fuzzy Hash: 0111C13664A2408FEB05CF65FC2879EBAA1E799794F404826DE4A87B90CF3DC546CF40

Function 6280752C Relevance: 6.1, APIs: 4, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Part of subcall function 62801882: HeapAlloc.KERNEL32 ref: 62801899

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 425ce1010b3bb9bef6dce0c5299dfe0d4fdd65df51bfa9159bc79adc665f1a82
Instruction ID: 4c9585a8290df608621931c74443642a881369a406a128390a3b76f2e9091384
Opcode Fuzzy Hash: 425ce1010b3bb9bef6dce0c5299dfe0d4fdd65df51bfa9159bc79adc665f1a82
Instruction Fuzzy Hash: 5A11C1366062408FEB05CF65FC1875E7AA1E799794F404426DE4587B80CF3DC546CF40

Function 62807623 Relevance: 6.0, APIs: 4, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 628018D6: HeapAlloc.KERNEL32 ref: 628018FB

SetLastError.KERNEL32 ref: 62807158
GetLastError.KERNEL32 ref: 6280799C
HeapDestroy.KERNEL32 ref: 628079A7
SetLastError.KERNEL32 ref: 628079AF

Memory Dump Source

Source File: 00000008.00000002.4496579434.0000000062801000.00000020.00000001.01000000.0000000B.sdmp, Offset: 62800000, based on PE: true

Associated: 00000008.00000002.4496554997.0000000062800000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496606180.000000006280A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496631076.0000000062810000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496655921.0000000062811000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000008.00000002.4496680649.0000000062812000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_62800000_winws.jbxd

Similarity

API ID: ErrorLast$Heap$AllocDestroy
String ID:
API String ID: 1997314470-0
Opcode ID: 1fa2511e7d53fe2d9b19daa4be34ef3d418c8e28a51dfd9b3095b9915e31a0f3
Instruction ID: 65e57110b1e4481e3766939c423e7c89ab1b8d0e0863acb58c11168f4c1c5696
Opcode Fuzzy Hash: 1fa2511e7d53fe2d9b19daa4be34ef3d418c8e28a51dfd9b3095b9915e31a0f3
Instruction Fuzzy Hash: 5E116B27606A0185D70A9B64ED283A93352FB95B58F544532CE8A57780DF3CC5D2C340

Function 0000000100410386 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40registryCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerA.ADVAPI32 ref: 00000001004103D7
SetServiceStatus.ADVAPI32 ref: 00000001004103F6

Part of subcall function 00000001004153F0: strdup.CYGWIN1(0002CC70,?,?,?,?,?,?,?,0000000100410410), ref: 0000000100415428
Part of subcall function 00000001004153F0: free.CYGWIN1(0002CC70,?,?,?,?,?,?,?,0000000100410410), ref: 000000010041545A
Part of subcall function 00000001004153F0: StartServiceCtrlDispatcherA.ADVAPI32 ref: 00000001004154BC
Part of subcall function 00000001004153F0: time.CYGWIN1 ref: 0000000100415540
Part of subcall function 00000001004153F0: srandom.CYGWIN1 ref: 0000000100415547
Part of subcall function 00000001004153F0: printf.CYGWIN1 ref: 00000001004155CC

Strings

winws, xrefs: 0000000100410392

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: Service$Ctrl$DispatcherHandlerRegisterStartStatusfreeprintfsrandomstrduptime
String ID: winws
API String ID: 2322017329-549804758
Opcode ID: 476b2b4dc119e876daf17c9be5b2ca06381a044346d479301b83282e62c6db83
Instruction ID: 0d8fdb1939848b8b6823928fcb46b5b17e10baa4d9d1b0faeb4667c3218e73df
Opcode Fuzzy Hash: 476b2b4dc119e876daf17c9be5b2ca06381a044346d479301b83282e62c6db83
Instruction Fuzzy Hash: 6B11B075701A468AEA02CB46F9963C533A0BB4C794FC41525CE9EC7761DBFC81E4C74A

Function 0000000100416A13 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

getopt_long_only.CYGWIN1 ref: 0000000100415833

Part of subcall function 000000010040E3D3: strcmp.CYGWIN1 ref: 000000010040E407
Part of subcall function 000000010040E3D3: strcmp.CYGWIN1 ref: 000000010040E441

Strings

failed to register anonymous ipset, xrefs: 0000000100416969
failed to add subnets to anonymous ipset, xrefs: 0000000100416998

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: strcmp$getopt_long_only
String ID: failed to add subnets to anonymous ipset$failed to register anonymous ipset
API String ID: 2055870349-4191557652
Opcode ID: 672e8c56c4919eaa9e51217ffa979554bc8ae0de97ad3c1b781e31317cf28f2b
Instruction ID: 16597433aac9127452220076d20d55426292f9d3ffd0519c1890026c0c1eaa81
Opcode Fuzzy Hash: 672e8c56c4919eaa9e51217ffa979554bc8ae0de97ad3c1b781e31317cf28f2b
Instruction Fuzzy Hash: 30112E72308B85C5FA76DB11E0803EA63A0E7CC340F8005129BDED26E9DBF8C5C4D649

Function 00000001004164A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

getopt_long_only.CYGWIN1 ref: 0000000100415833

Part of subcall function 000000010040E4C6: strcmp.CYGWIN1 ref: 000000010040E4FA
Part of subcall function 000000010040E4C6: strcmp.CYGWIN1 ref: 000000010040E534

Strings

failed to register anonymous hostlist, xrefs: 0000000100416440
failed to add domains to anonymous hostlist, xrefs: 000000010041646F

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: strcmp$getopt_long_only
String ID: failed to add domains to anonymous hostlist$failed to register anonymous hostlist
API String ID: 2055870349-2182304750
Opcode ID: 786875244f867227d87faa085f81fe052a1da529026bc9b5d5aedcd5f2dfae09
Instruction ID: d448c72f497b50f6ef5906c6b1beb03d45969e1c30c241699234c90eaa8339e3
Opcode Fuzzy Hash: 786875244f867227d87faa085f81fe052a1da529026bc9b5d5aedcd5f2dfae09
Instruction Fuzzy Hash: 07112772318B81D0FA76DB11E4803EA63A0EB8C344F8145129BDEC26E9DFB8C4C8D748

Function 00000001004168F3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

getopt_long_only.CYGWIN1 ref: 0000000100415833

Strings

cannot access ipset file '%s', xrefs: 00000001004169D9
failed to register ipset '%s', xrefs: 0000000100416A04

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: getopt_long_only
String ID: cannot access ipset file '%s'$failed to register ipset '%s'
API String ID: 2809067281-4259740314
Opcode ID: 68620cd6fef1e89707e9056875f2918d714fc364a23909ac59669ac93f9e0838
Instruction ID: 3709e952bb766e11d7f077a1b176a2e733337833341d069fbb27b1634539f17d
Opcode Fuzzy Hash: 68620cd6fef1e89707e9056875f2918d714fc364a23909ac59669ac93f9e0838
Instruction Fuzzy Hash: A0112AB2319B80C1FA66DB11E4843EA63A1AB8C780F444616DBCD836E9DBB8C5C4C748

Function 0000000100416410 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

getopt_long_only.CYGWIN1 ref: 0000000100415833

Part of subcall function 000000010040E4C6: strcmp.CYGWIN1 ref: 000000010040E4FA
Part of subcall function 000000010040E4C6: strcmp.CYGWIN1 ref: 000000010040E534

Strings

failed to register anonymous hostlist, xrefs: 0000000100416440
failed to add domains to anonymous hostlist, xrefs: 000000010041646F

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: strcmp$getopt_long_only
String ID: failed to add domains to anonymous hostlist$failed to register anonymous hostlist
API String ID: 2055870349-2182304750
Opcode ID: a479d6d7733487113f2dc022e1d7cd05ab1d6426f731b61533dba5523ddad4b7
Instruction ID: 5db7045abc3e58e4313716bae8fe9a898e9b11f069ddb0911da5c7655dd3ef9a
Opcode Fuzzy Hash: a479d6d7733487113f2dc022e1d7cd05ab1d6426f731b61533dba5523ddad4b7
Instruction Fuzzy Hash: 9211FA72318B81D4FA76DB25E4813E963A0E78C354F8146129BCD836E9DFB8C5C8D64D

Function 0000000100416939 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

getopt_long_only.CYGWIN1 ref: 0000000100415833

Part of subcall function 000000010040E3D3: strcmp.CYGWIN1 ref: 000000010040E407
Part of subcall function 000000010040E3D3: strcmp.CYGWIN1 ref: 000000010040E441

Strings

failed to register anonymous ipset, xrefs: 0000000100416969
failed to add subnets to anonymous ipset, xrefs: 0000000100416998

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: strcmp$getopt_long_only
String ID: failed to add subnets to anonymous ipset$failed to register anonymous ipset
API String ID: 2055870349-4191557652
Opcode ID: 953dcb280c02cd14db8b1e466107dff7a6ae4ab6772096bc28c02d233017e9aa
Instruction ID: d8b689447ca708f12f686609cfe217935fe58e03263224b489fdf2a94a869a67
Opcode Fuzzy Hash: 953dcb280c02cd14db8b1e466107dff7a6ae4ab6772096bc28c02d233017e9aa
Instruction Fuzzy Hash: AC11E872318B8591FA76DB21E0803EA63A0E78C350F4145129BCD826EADFF8C5C8D749

Function 00000001004169A4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

getopt_long_only.CYGWIN1 ref: 0000000100415833

Strings

cannot access ipset file '%s', xrefs: 00000001004169D9
failed to register ipset '%s', xrefs: 0000000100416A04

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: getopt_long_only
String ID: cannot access ipset file '%s'$failed to register ipset '%s'
API String ID: 2809067281-4259740314
Opcode ID: a90a87283c5cd0018cec39440ceecf05652ae0d637ae2d96bdb5222d614eea51
Instruction ID: fca8ee98e4096d78b7f84bf11389a7a890c692d1ed5f38d371e2404573dad636
Opcode Fuzzy Hash: a90a87283c5cd0018cec39440ceecf05652ae0d637ae2d96bdb5222d614eea51
Instruction Fuzzy Hash: D6110CB2319B81D1FE66DB15E4847EA63A0AB8C780F444616DFCD836E9DBB8C5C4C748

Function 0000000100415FE1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34stringCOMMON

Download Yara Rule

APIs

getopt_long_only.CYGWIN1 ref: 0000000100415833
strcmp.CYGWIN1 ref: 0000000100415FF5
free.CYGWIN1 ref: 00000001004173C7
wordfree.CYGWIN1 ref: 00000001004173E4
snprintf.CYGWIN1 ref: 0000000100417492

Strings

Invalid argument for dpi-desync-split-seqovl, xrefs: 000000010041602F

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: freegetopt_long_onlysnprintfstrcmpwordfree
String ID: Invalid argument for dpi-desync-split-seqovl
API String ID: 4203090585-2286669930
Opcode ID: 1de416e22c9809c4a1b050c498dec20d7a6fadbf773060b48bbafa38e7d3bda9
Instruction ID: 92bc21df9a1fd5df8364c9d377b1ae82f2bb3533fbfdbe35a1e5d7cb43cfaf71
Opcode Fuzzy Hash: 1de416e22c9809c4a1b050c498dec20d7a6fadbf773060b48bbafa38e7d3bda9
Instruction Fuzzy Hash: CA01E976318B81D4FA629B11D4847EA63A0EB8C394F8005129BCA836E6DBF8D5C8D749

Function 00000001004162FF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

getopt_long_only.CYGWIN1 ref: 0000000100415833
sscanf.CYGWIN1 ref: 0000000100416318

Strings

dpi-desync-udplen-increment must be integer within -32768..32767 range, xrefs: 0000000100416339

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: getopt_long_onlysscanf
String ID: dpi-desync-udplen-increment must be integer within -32768..32767 range
API String ID: 2290067915-3112098338
Opcode ID: cd0fcc6df88fc02e4e1c61df77e741757a483f92325cda55c005dc4158f532ad
Instruction ID: 1e700d3040613d28b0435db088d90fb4fed27e2f516c1e1d5eac3bbc607ac45c
Opcode Fuzzy Hash: cd0fcc6df88fc02e4e1c61df77e741757a483f92325cda55c005dc4158f532ad
Instruction Fuzzy Hash: DF014F72308A82D5FA72DB54E4847ED63A0E78C344F4005229BDDC26E6DBB8C5C8D74D

Function 0000000100415DAE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

getopt_long_only.CYGWIN1 ref: 0000000100415833
sscanf.CYGWIN1 ref: 0000000100415DC4

Strings

dpi-desync-repeats must be within 1..20, xrefs: 0000000100415DDD

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: getopt_long_onlysscanf
String ID: dpi-desync-repeats must be within 1..20
API String ID: 2290067915-1300967456
Opcode ID: 561cc74415cc94ae1b924fd81a667da0fd66025e81ee51feffb64c811012b49d
Instruction ID: a0a0194e63c17712b165deda61cf96be0d7790836d104148da93475af1fc1870
Opcode Fuzzy Hash: 561cc74415cc94ae1b924fd81a667da0fd66025e81ee51feffb64c811012b49d
Instruction Fuzzy Hash: 89014B72308A86D5FA32AB54E4847EE63A0E78C350F8006129BDDC36E5DBB8C5C8C749

Function 00000001004165D3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

getopt_long_only.CYGWIN1 ref: 0000000100415833
atoi.CYGWIN1 ref: 00000001004165DD

Strings

auto hostlist fail threshold must be within 2..10, xrefs: 00000001004165F9

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: atoigetopt_long_only
String ID: auto hostlist fail threshold must be within 2..10
API String ID: 2619539373-3726801509
Opcode ID: 18ada647ffdf1e754ed214c0e5b145259b5642efea6c4ee6ff61a14063a8b664
Instruction ID: 7284aac397f7a073eb5a5a2c9eeef5448d1059f0ba3c0955b906b593b13b6eac
Opcode Fuzzy Hash: 18ada647ffdf1e754ed214c0e5b145259b5642efea6c4ee6ff61a14063a8b664
Instruction Fuzzy Hash: 19013CB2308A81C5F672DB21E0843EE63A0E7CC350F4006129BDEC26E9CBB8C5C4D749

Function 0000000100416574 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

getopt_long_only.CYGWIN1 ref: 0000000100415833
atoi.CYGWIN1 ref: 000000010041657E

Strings

auto hostlist fail threshold must be within 1..20, xrefs: 0000000100416599

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: atoigetopt_long_only
String ID: auto hostlist fail threshold must be within 1..20
API String ID: 2619539373-1525724818
Opcode ID: 6b52ab2d5493a7c491e6b87e1f995e6544179193490abed0a3798850203563c8
Instruction ID: b9403d4c9cf81ef4b5163d230b1ecdce3e0987801384cb257799ccf6de2f4691
Opcode Fuzzy Hash: 6b52ab2d5493a7c491e6b87e1f995e6544179193490abed0a3798850203563c8
Instruction Fuzzy Hash: DD013CB2308A91C5F672DB21E0843EE63A0E7CC350F4006129BDAC26E5CBB8C5C4D649

Function 00000001004165A5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

getopt_long_only.CYGWIN1 ref: 0000000100415833
atoi.CYGWIN1 ref: 00000001004165AF

Strings

auto hostlist fail time is not valid, xrefs: 00000001004165C7

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: atoigetopt_long_only
String ID: auto hostlist fail time is not valid
API String ID: 2619539373-98721781
Opcode ID: 05cea0ae013ee2e2a5b1e13b1f86d53e1d8b4d64f95fa8a7ea14a3e6f58bcf30
Instruction ID: 77f888dd4d4e1fd3f23607731c67ede90b0a61412d1d0beebf301a13f9f68e67
Opcode Fuzzy Hash: 05cea0ae013ee2e2a5b1e13b1f86d53e1d8b4d64f95fa8a7ea14a3e6f58bcf30
Instruction Fuzzy Hash: 8EF0FFB6308B81C5F672DB61E4843EA63A0E7CC350F4005129BDDC26E5DBB8C5C4D749

Function 000000010040FDB6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 12stringCOMMON

Download Yara Rule

APIs

__errno.CYGWIN1 ref: 000000010040FDBF
strerror.CYGWIN1 ref: 000000010040FDC6

Strings

%s: %s, xrefs: 000000010040FDCE

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: __errnostrerror
String ID: %s: %s
API String ID: 2863085932-482213395
Opcode ID: 64154a943ba3bcd28173d34179569b290002e6cffad84d2947bbe6ded1ffc661
Instruction ID: a59d4b7fb9b8c371f71f7542f6cdfdfccc9a1020a66831221790cb2b9321e952
Opcode Fuzzy Hash: 64154a943ba3bcd28173d34179569b290002e6cffad84d2947bbe6ded1ffc661
Instruction Fuzzy Hash: 22D012B071414081E116E7A2B0927EA2291A38D790F4010149B999B783C96895C5C748

Function 000000010040C891 Relevance: 5.1, APIs: 4, Instructions: 92COMMON

Download Yara Rule

APIs

Part of subcall function 000000010040BF77: free.CYGWIN1(?,?,?,000000010040C8A8,?,?,?,0000000100403C65), ref: 000000010040BF9F

Part of subcall function 000000010040BFAC: free.CYGWIN1(?,?,?,000000010040C8D8,?,?,?,0000000100403C65), ref: 000000010040BFD4

free.CYGWIN1(?,?,?,0000000100403C65), ref: 000000010040C8FD

Part of subcall function 0000000100414A00: inet_pton.CYGWIN1 ref: 000000010042C580

free.CYGWIN1(?,?,?,0000000100403C65), ref: 000000010040C927
free.CYGWIN1(?,?,?,0000000100403C65), ref: 000000010040C937
free.CYGWIN1(?,?,?,0000000100403C65), ref: 000000010040C9EE

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: free$inet_pton
String ID:
API String ID: 515857537-0
Opcode ID: 1ef0c4226e6ee84600fa1b93141faddcebd235ec1adbd493e62886cefaa40bcc
Instruction ID: cd1d1411ac879ac9dc620ffb9202f29505bb0a283d4911a963402ecf3791c9bf
Opcode Fuzzy Hash: 1ef0c4226e6ee84600fa1b93141faddcebd235ec1adbd493e62886cefaa40bcc
Instruction Fuzzy Hash: 594106B2601A40C0EA16DF15E484BE92364F798F80F494236EF8DA7395DF70C8D5C398

Function 000000010040E4C6 Relevance: 5.1, APIs: 4, Instructions: 82stringCOMMON

Download Yara Rule

APIs

strcmp.CYGWIN1 ref: 000000010040E4FA
strcmp.CYGWIN1 ref: 000000010040E534
malloc.CYGWIN1 ref: 000000010040E55C
malloc.CYGWIN1 ref: 000000010040E58B

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: mallocstrcmp
String ID:
API String ID: 343855240-0
Opcode ID: fd3a63c06a2b229aa874dea32e1c292f27d2cc7dab7d9c1968c2fcca87c227ab
Instruction ID: 6003e84aa98a21e5e7c26d2ff31328c6637ed1ba2f88f679e9d384b4126dc685
Opcode Fuzzy Hash: fd3a63c06a2b229aa874dea32e1c292f27d2cc7dab7d9c1968c2fcca87c227ab
Instruction Fuzzy Hash: 8E315472302B0094FE5BDB57A9507E812A1AB88FC4F498C25AF9997781FBB4C4A1C308

Function 000000010040E3D3 Relevance: 5.1, APIs: 4, Instructions: 82stringCOMMON

Download Yara Rule

APIs

strcmp.CYGWIN1 ref: 000000010040E407
strcmp.CYGWIN1 ref: 000000010040E441
malloc.CYGWIN1 ref: 000000010040E469
malloc.CYGWIN1 ref: 000000010040E498

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: mallocstrcmp
String ID:
API String ID: 343855240-0
Opcode ID: f246d06f5b8e7f93a6c91a8c131d2cfa4f647d5d526f75ee17372c352a473c0a
Instruction ID: 7685119d70c582c9b13c1db7deab70104aec40b98099c12ea744c9c24f5c3dd9
Opcode Fuzzy Hash: f246d06f5b8e7f93a6c91a8c131d2cfa4f647d5d526f75ee17372c352a473c0a
Instruction Fuzzy Hash: 9C315572301B1080FE5BEB1395107E92295AB8CFC0F598825AF9D9B785EFB8C4A1C358

Function 000000010040CE3B Relevance: 5.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

free.CYGWIN1(?,?,?,00000001004025BC), ref: 000000010040CE5B

Part of subcall function 0000000100414A00: inet_pton.CYGWIN1 ref: 000000010042C580

free.CYGWIN1(?,?,?,00000001004025BC), ref: 000000010040CE81
free.CYGWIN1(?,?,?,00000001004025BC), ref: 000000010040CE8D
free.CYGWIN1(?,?,?,00000001004025BC), ref: 000000010040CF34

Memory Dump Source

Source File: 00000008.00000002.4496738377.0000000100401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 0000000100400000, based on PE: true

Associated: 00000008.00000002.4496705927.0000000100400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496767075.0000000100419000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.000000010041A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496807600.0000000100425000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496860531.000000010042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496901782.000000010042D000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4496927571.000000010042E000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_100400000_winws.jbxd

Similarity

API ID: free$inet_pton
String ID:
API String ID: 515857537-0
Opcode ID: c52b6cf0c0d0242c2f11683fe4b0fd1277c94b0eefa93fce953cc4b416ba4f06
Instruction ID: 1dd78476a76bbfb116e1c94f28a3edfe781ae8be79ef69e80fee0ad8c26275ae
Opcode Fuzzy Hash: c52b6cf0c0d0242c2f11683fe4b0fd1277c94b0eefa93fce953cc4b416ba4f06
Instruction Fuzzy Hash: 5F31E3B2701A44C1EA26DB06E0947A973A4F798FC0F099626EF8D97794CF74C8D1D384

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Tactics:	Credential Access, Discovery
Data Sources:	Command: Command Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 5dFLJyS86S.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1g5pr2tm.u0e.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a2y53av2.wey.ps1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\W7DM9BFLGQYKYOPG3GMN.temp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

C:\Users\user\Desktop\bin\WinDivert.dll

C:\Users\user\Desktop\bin\WinDivert64.sys

C:\Users\user\Desktop\bin\winws.exe

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Chrome Cache Entry: 81

Windows Analysis Report
5dFLJyS86S.ps1

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre